Wouldn’t it be nice if life were like a movie where we had the rugged handsomeness of a neo-noir hero, it was easy to tell the good guys from the bad and malware announced itself as soon as it entered your network? Alas, cyberattacks don’t reveal themselves in blaring lines of identifiable code that ignite a room of perfectly coifed forensics analysts into action. Well, the last part is true with enough money and enough concern, but the first part is sheer Hollywood fiction.

Crippling malcode now lies in wait: a dormant dweller that you’ll never be able to identify without smart (not well-coifed) IT professionals and analytic algorithms that expect the unexpected. Remember the “Blade Runner” Replicants of the far-off future, androids becoming more than machine? They were so sophisticated that Harrison Ford’s Deckard could only see behind the veil by breaking down the very root of the being’s logic and semblance of awareness with a sophisticated bio-response lie detector. Malware is smart, and it’s getting Replicant-smarter every day.

But you can be a Deckard in days with the right endpoint protection.

We’ve Seen Things You Wouldn’t Believe

The security researchers at IBM X-Force have seen a multitude of malware samples. With 270 million monitored endpoints sending in data, that’s a lot of malcode to wade through. Although there are many variants, advanced persistent threats (APTs) share some common traits.

Successful malware is highly evasive. It can remain stealthy on the machine for long periods of time until certain criteria are met, using sophisticated techniques to bypass detection. It is not engineered to stroll into a noodle bar and announce itself in Cityspeak; rather, it sidles into the network through vectors such as sophisticated phishing or social engineering schemes. For advanced malware that is massively distributed, the threats are even greater: Off-the-shelf malware campaigns can be purchased by attackers with a comprehensive menu of functions and repurposable config files.

These new capabilities use a mix of techniques that can include keystroke logging, RAM scraping, browser hooking to capture one-time passwords (OTPs), man-in-the-browser capabilities, dynamic web injection, persistent rootkits and even virtual network computing (VNC) to launch a connection to the target site from the infected machine. These APT kits are built to be reusable and adaptable to the target environment.

The Voight-Kampff for Advanced Malware

Since real-life malcode doesn’t announce itself with distinguishing red lettering on your screen like in the movies, you have to watch for more subtle signs, the equivalent of bio-response micro-tells. Here are a few signs that an endpoint may have been infected:

  • Sluggish performance: Even with no resource-heavy applications running, random system crashes or constantly churning CPUs can be a sign of infection. If you also hear the CPU fan running at full speed for sustained periods as soon as the computer is booted, it is another indication of potential compromise.
  • Unexpected email activity: Perhaps your emails are being received or sent erratically, you are hearing from colleagues that they received emails from you that you did not send or you are getting out-of-office notices for emails you did not send. It’s possible your email password was stolen or your system was infiltrated.
  • Strange windows or messages: If programs are starting or stopping without your intervention, you’re getting notification pop-ups like a sea of billboards in a dystopian future, new programs are attempting to access the Internet or you open a PDF and it instantly disappears, you could be infected with malcode.
  • Sudden endpoint protection disablement: Advanced malware will often disable traditional antivirus protection to save itself from certain death. If you notice your antivirus or endpoint protection is suddenly disabled, this is most certainly a sign of trouble.
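Two of the tells above, a CPU that churns with nothing heavy running and endpoint protection that has quietly gone dark, can be checked from a script rather than waited for. The PowerShell below is an added example written for this page, not code from the original post or from IBM; it assumes a Windows host running Microsoft Defender with the built-in Defender module (Get-MpComputerStatus), and the sample count, interval and CPU threshold are assumptions to tune for your own fleet.

```powershell
# Added example (not from the original post): a local triage check for two of the
# infection signs listed above. Assumes Windows with Microsoft Defender installed;
# Samples, IntervalSeconds and CpuThreshold are assumed defaults, not vendor guidance.

param(
    [int]$Samples = 6,           # assumed: number of CPU samples to take
    [int]$IntervalSeconds = 10,  # assumed: seconds between samples
    [int]$CpuThreshold = 80      # assumed: percent; load above this in every sample is flagged
)

$findings = @()

# --- Sign: endpoint protection suddenly disabled ---
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings += 'Defender antivirus engine reports disabled' }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
    if (-not $mp.AMServiceEnabled)          { $findings += 'Defender antimalware service is not running' }
} catch {
    # Failing to query the AV status at all is itself worth a look.
    $findings += "Could not query Defender status: $($_.Exception.Message)"
}

# --- Sign: sluggish performance / constantly churning CPU ---
$highSamples = 0
for ($i = 0; $i -lt $Samples; $i++) {
    # Average the per-processor load reported by WMI/CIM for this sample.
    $load = (Get-CimInstance Win32_Processor |
             Measure-Object -Property LoadPercentage -Average).Average
    if ($null -ne $load -and $load -ge $CpuThreshold) { $highSamples++ }
    if ($i -lt ($Samples - 1)) { Start-Sleep -Seconds $IntervalSeconds }
}

if ($highSamples -eq $Samples) {
    # Note: the CPU column of Get-Process is cumulative processor time, so the list
    # below is context for the analyst, not a precise "who is busy right now".
    $top = Get-Process | Sort-Object CPU -Descending | Select-Object -First 3 |
           ForEach-Object { "$($_.ProcessName) (pid $($_.Id))" }
    $window = $Samples * $IntervalSeconds
    $findings += "CPU load stayed at or above $CpuThreshold% for ~${window}s; top cumulative consumers: $($top -join ', ')"
}

# --- Report ---
if ($findings.Count -eq 0) {
    Write-Output 'No indicators found in this check.'
} else {
    Write-Output 'Possible indicators of compromise:'
    $findings | ForEach-Object { Write-Output " - $_" }
    # Non-zero exit lets a scheduled task or RMM tool pick this up as an alert.
    exit 1
}
```

Run it from an elevated prompt so Get-MpComputerStatus and the CIM query succeed; a non-zero exit code is the hook for turning the check into an alert in whatever scheduling or remote-management tool you already use. Neither finding is proof of infection on its own, which is why the script reports context for a human rather than acting on it.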

Do Hackers Dream of Electric Sheep?

Recently, the security researchers at IBM Security X-Force have discovered several particularly potent malware samples in the wild, including the Tinba Trojan and new variants of Dyre. The creators of this type of malcode work together in an ecosystem, collaborating on penetration and evasion strategies to maximize their investment in the code creation. Their best hope is to lull the target system into a sense of complacency — to be the virtual wolf in electric sheep’s clothing, waiting for the right time to expand and gather sensitive data.

Although potentially highly entertaining, the “Hollywood O/S” does not exist. Clumsy malware does not last long in the wild, and we are left to fight insidious malcode that snakes through networks and hides itself in plain sight like a Nexus-6 replicant. There is no four-year expiration date on this code either, as it continues to be reinvented, reinvigorated and rebuilt to attack more and better targets.

Advanced malware protection solutions can help stop exploits by focusing on the behavior of the malware rather than its signature. By blocking malicious communication channels between the malware and the attacker, halting the anomalous activity caused by exploits and protecting credentials against reuse or submission on phishing sites, these solutions can keep attackers from stealing your data.

To learn more about advanced malware protection, watch this video from IBM Security Trusteer Apex — flying cars sold separately.

https://www.youtube.com/watch?v=c2qZcHuK-jI&list=PL875ACE56207037A4
