Cisco analyzes the latest version of the LokiBot malware for stealing credentials, finding that its developers have added more misdirection and anti-analysis features.
The developers of attack tools continue to make headway in hobbling defenders from detecting and analyzing their malware, creating more complex infection chains to stymy defenses, an analysis by the Cisco Talos research team stated this week.
The researchers analyzed the latest attack techniques associated with an information-stealing campaign, known as LokiBit, and found that its developers have added a third stage to its process of compromising systems — along with more encryption — as a way to escape detection. The attacks also use a variety of other attack techniques, such as socially engineering users to enable macros on Microsoft Office, using images to hide code, and widespread encryption of resources.
While attackers will do the minimum necessary to successfully compromise systems, they need to do more because defenders are getting better, says Holder Unterbrink, a threat researcher with Cisco Talos.
“Operating systems got much more secure than they were a few years ago, [so] attackers need to adapt,” he says. “Malware is a business [and so they have to build] malware which is good enough to bypass security measures on a reasonable number of devices.”
The LokiBot malware is not alone in its growing sophistication to prevent analysis and detection. In October, Facebook revealed that adware used session cookies, geolocation spoofing, and changing of security settings to keep persistence on its platform, resulting in charges of more than $4 million. In general, attackers are more likely to use the one-off Web addresses to fool blocklists, focus on reconnaissance of targeted networks, and use credential harvesting to gain access, according to Microsoft’s “Digital Defense Report,” published in September.
The attack trends underscore that a multilayered approach to defenses is necessary to detect these attacks. While adversaries may manage to bypass one or more security measures, more potential points of detection will mean a greater chance of detecting intrusions before they become breaches.
“Attackers will do what works,” Unterbrink says. “If we would prepare ourselves for a certain new bypass technique, they would just use a different one. It is more important to track, find, and detect new techniques used in the wild as soon as possible.”
In total, the LokiBot dropper uses three stages, each with a layer of encryption, to attempt to hide the eventual source of code. The LokiBot example shows that threat actors are adopting more complex infection chains and using more sophisticated techniques to install their code and compromise systems.
Distributing malicious actions over a number of stages is a good way to hide, says Unterbrink.
“Due to increased operation system security and endpoint and network protection, malware needs to distribute the malicious infection stages over different techniques,” he says. “In some cases, multiple stages are also necessary because of a complex commercial malware distribution system used by the adversaries to sell their malware in the underground as a service.”
Phishing attacks conducted through an online cybercrime service, for example, may limit how much an attacker can do in that first stage.
The increase in sophistication of the attack tools does not necessarily mean that attackers are becoming more sophisticated as well. A variety of cybercrimes services are available to allow even unskilled attackers to conduct relatively sophisticated attacks.
Many attacks continue to use Microsoft Word and Excel files as a way to hide the initial stage. In the LokiBot case, the attackers used an Excel file.
Defenders should continually look out for intelligence on new campaigns and how attackers are refining the techniques, technology and procedures being used to fool users and compromise system, Cisco Talos stated.
“Companies should expect that a few percentages of new malware may bypass their security systems,” Unterbrink says. “Some users may always be tricked into opening malware.”
Because attackers often spend days to weeks in a network to determine the most valuable data — often as a prelude to a ransomware attacks — detecting lateral movement, and not just the initial compromise, is important.
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio