Researchers have discovered a new malware sample capable of hiding from more than 50 antivirus products currently available on the market.

The malware was discovered by cybersecurity researchers from Unit 42, Palo Alto Networks' threat intelligence team. The team first spotted the strain in May, when they discovered that it had been constructed using the Brute Ratel (BRC4) tool.

The developers of BRC4 claim that they have even reverse-engineered popular antivirus products to ensure that their tool evades detection.

The quality of the design and the speed with which it was distributed to victims' endpoints convinced investigators that a state-sponsored actor was behind the campaign.

Russian methods

Although the tool itself is dangerous, the researchers were more interested in its distribution route, which indicates that a state-sponsored actor is involved.

The malware is distributed in the form of a fake CV document. The CV is an ISO file that, when mounted as a virtual drive, displays what looks like a Microsoft Word document.

While researchers are not yet able to pinpoint exactly who the threat actor behind BRC4 is, they suspect a link to Russia-based APT29 (also known as Cozy Bear), which has used ISO files as weapons in the past.
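The lure described above, an ISO that presents a document-looking file once mounted, can be examined without mounting it at all. The following is an added example and not code from Unit 42 or the article: a minimal ISO 9660 directory walker that reads the primary volume descriptor and root directory straight from the image bytes and flags entries a defender would want to look at (hidden files, executable types such as .LNK or .DLL, and double extensions where a document suffix masks an executable one). The sample image is constructed inline to mimic the fake-CV pattern; its file names, sizes and layout are assumptions for illustration, not the layout of the actual sample.

```python
import struct

SECTOR = 2048  # ISO 9660 logical block size
EXEC_EXTS = {"LNK", "EXE", "DLL", "HTA", "JS", "VBS", "CMD", "BAT", "SCR"}
DOC_EXTS = {"DOC", "DOCX", "PDF", "RTF", "TXT"}


def _both_endian32(v: int) -> bytes:
    # ISO 9660 stores many fields twice: little-endian then big-endian.
    return struct.pack("<I", v) + struct.pack(">I", v)


def _both_endian16(v: int) -> bytes:
    return struct.pack("<H", v) + struct.pack(">H", v)


def _dir_record(name: bytes, extent: int, size: int, flags: int) -> bytes:
    # Directory record: ext-attr len, extent, size, 7-byte date, flags,
    # unit size, interleave gap, volume sequence number, name length, name.
    body = (bytes([0]) + _both_endian32(extent) + _both_endian32(size)
            + bytes(7) + bytes([flags, 0, 0]) + _both_endian16(1)
            + bytes([len(name)]) + name)
    if len(name) % 2 == 0:          # pad so the record length stays even
        body += b"\x00"
    return bytes([len(body) + 1]) + body


def build_sample_iso() -> bytes:
    """Constructed sample image (assumption): a resume-named shortcut plus a hidden DLL."""
    root_lba = 18
    root = _dir_record(b"\x00", root_lba, SECTOR, 2)      # "."
    root += _dir_record(b"\x01", root_lba, SECTOR, 2)     # ".."
    root += _dir_record(b"RESUME.DOCX.LNK;1", 19, 1200, 0)  # visible "CV"
    root += _dir_record(b"PAYLOAD.DLL;1", 20, 60000, 1)     # hidden flag set
    root += _dir_record(b"README.TXT;1", 21, 80, 0)         # benign entry
    root = root.ljust(SECTOR, b"\x00")
    pvd = bytearray(SECTOR)                 # primary volume descriptor, sector 16
    pvd[0] = 1
    pvd[1:6] = b"CD001"
    pvd[6] = 1
    pvd[128:132] = _both_endian16(SECTOR)   # logical block size
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, 2)  # root dir record
    term = bytearray(SECTOR)                # volume descriptor set terminator
    term[0] = 255
    term[1:6] = b"CD001"
    term[6] = 1
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(term) + root + bytes(3 * SECTOR)


def list_iso(image: bytes) -> list:
    """Walk the root directory of an ISO 9660 image without mounting it."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    root = pvd[156:190]
    extent = struct.unpack_from("<I", root, 2)[0]
    length = struct.unpack_from("<I", root, 10)[0]
    data = image[extent * SECTOR:extent * SECTOR + length]
    entries, pos = [], 0
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:                       # records never span sectors
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = data[pos:pos + rec_len]
        name = rec[33:33 + rec[32]]
        if name not in (b"\x00", b"\x01"):     # skip "." and ".."
            entries.append({
                "name": name.decode("ascii").split(";")[0],  # drop ";1" version
                "size": struct.unpack_from("<I", rec, 10)[0],
                "hidden": bool(rec[25] & 1),
                "dir": bool(rec[25] & 2),
            })
        pos += rec_len
    return entries


def triage(entries: list) -> list:
    """Return (name, reasons) for entries that deserve analyst attention."""
    findings = []
    for e in entries:
        parts = e["name"].upper().split(".")
        ext = parts[-1] if len(parts) > 1 else ""
        reasons = []
        if e["hidden"]:
            reasons.append("hidden attribute")
        if ext in EXEC_EXTS:
            reasons.append(f"executable type .{ext}")
        if len(parts) > 2 and parts[-2] in DOC_EXTS and ext in EXEC_EXTS:
            reasons.append("document extension masking executable")
        if reasons:
            findings.append((e["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(list_iso(build_sample_iso())):
        print(name, "->", ", ".join(reasons))
```

The parser only handles the root directory and ISO 9660 level-1 names; a real triage tool would recurse into subdirectories and read Joliet or Rock Ridge names, but the point is that the attachment can be inventoried statically, before any mount event hands a shortcut to Explorer.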

Another clue that suggests a state-sponsored actor is at play is the speed at which BRC4 was weaponized. The ISO was created on the same day that the latest version of BRC4 was released.

"Analysis of the two samples described in this blog, along with the advanced crafting used to package these payloads, clearly shows that malicious cyber actors have begun to adopt this capability," Unit 42 wrote in a blog post.

"We believe it is imperative that all security vendors create protections to detect BRC4 and that all organizations take proactive steps to defend against this tool."

Via: The Register