Security researchers are warning of a relatively new malware loader that they track as Verblecon, which is sufficiently complex and powerful for ransomware and espionage attacks, although it is currently used for low-reward attacks. Verblecon was spotted earlier this year, and the known samples enjoy a low detection rate due to the polymorphic nature of the code.
Researchers from Symantec, a division of Broadcom Software, discovered Verblecon in January this year and observed it being used in attacks that installed cryptocurrency miners on compromised machines.
Some clues also point to the attacker being interested in stealing access tokens for the Discord chat app, the researchers say, adding that these goals are in contrast with Verblecon’s realistic potential for far more damaging attacks. The malware is Java-based and its polymorphic nature is what allows it to slip into compromised systems, in many cases undetected.
“The fact that the file is polymorphic means that, due to encryption and obfuscation, the code of the malware payload looks different each time it is downloaded. Attackers generally pack malware in this way in an effort to evade detection by security software.” - Symantec, a division of Broadcom Software
Verblecon: Sophisticated New Loader Used in Low-level Attacks
Indications the attacker may not realize the potential capabilities of the malware they are using.
symantec-enterprise-blogs.security.com