Dangerous new malware dances past more than 50 antivirus services

The threat actor leverages a weaponized ISO file

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Researchers have discovered a newmalwaresample capable of hiding from more than 50antivirusproducts available on the market right now.

The malware was discovered by cybersecurity researchers from Unit 42, the threat intelligence team at Palo Alto Networks. The team first spotted the strain in May, when it discovered that it was built using the Brute Ratel (BRC4) tool.

BRC4’s developers claim to have even reverse-engineered popular antivirus products, to make sure their tool avoids detection.

The quality of the design and the speed at which it was distributed between the victims’endpointshas convinced the researchers that a state-sponsored actor is behind the campaign.

Russian methods

While the tool itself is dangerous, the researchers were more interested in its distribution path, which indicates a state-sponsored actor is in play.

The malware is being distributed in the form of a fake CV document. The CV is an ISO file that, once mounted onto a virtual drive, displays something resembling aMicrosoftWord document.

“Russian hackers” target coronavirus vaccine research>Best Windows 10 antivirus for 2022>US government, thousands of businesses now thought to have been affected by SolarWinds security attack

While the researchers still can’t pinpoint exactly who the threat actor behind BRC4 is, they suspect Russian-based APT29 (AKA Cozy Bear), which has used weaponized ISOs in the past.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Another hint suggesting that a state-sponsored actor is in play is the speed at which BRC4 was leveraged. The ISO was created the same day the latest version of BRC4 was published.

“The analysis of the two samples described in this blog, as well as the advanced tradecraft used to package these payloads, make it clear that malicious cyber actors have begun to adopt this capability,” Unit 42 wrote in a blog post.

“We believe it is imperative that all security vendors create protections to detect BRC4 and that all organizations take proactive measures to defend against this tool.”

Via:The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Your doctor may have an AI assistant taking notes during your next Zoom call