Magic malware: A new APT?

Magic malware was detected by Seculert when a customer who had grown suspicious uploaded a sample to the Seculert Swamp – the company’s cloud-based malware analysis service. It turns out to be classic APT malware. “This ‘magic malware’ — as we’ve dubbed it [after a line of code the sample contains] — is active, persistent and had remained undetected on the targeted machines for the past 11 months”, wrote Aviv Raff, Seculert’s co-founder and CTO, in the company blog yesterday. “Since then the attackers were able to target several thousands of different entities, most of them located in the United Kingdom.”

Evasive techniques are a hallmark of today’s advanced malware. “The whole industry has thought for over twenty years that if your Anti-Virus/Firewall/IDS/IPS/DLP saw no problems then there were none – when in fact it turns out that while these defenses are all good, they are not good enough when it comes to APTs,” Damballa’s Adrian Culley explained to Infosecurity. While only limited details of the magic malware have yet been released, he pointed to its “custom communication protocol, sidestepping much monitoring of regular communication protocols.”

The ultimate purpose of the malware is not yet known, and Seculert notes that it seems to be still under development. “We have seen several indications of features which are not yet implemented, and functions which are not yet used by the malware,” wrote Raff. For example, if the attacker wants to open a browser session, the malware returns an error: “TODO:Start browser!”. For the moment it seems primarily geared to stealing data, but since it can download additional malware it could ultimately be geared for any purpose.

However, it does seem to be targeted as well as evasive. 78% of the ‘high thousands’ of infections are located in the UK. Raff gave a few more details to TechWeekEurope: “Throughout the one year activity of this campaign, the servers are moving their location between France, Germany and the Netherlands. We have seen several industries being targeted – including finance, education and telecoms.”

It was only last week that MI5 chief Sir Jonathan Evans warned UK universities to be on their guard against the theft of research, with graphene, quantum photonics and aerospace considered to be prime targets. There is no current indication that magic malware is connected, but Damballa’s Culley believes that “there will be many more long term targeted and evasive attacks uncovered going forward – particularly,” he told Infosecurity, “given the clash between IPv4 and IPv6 security tools.” He pointed to Topera, a tool released this week that describes itself as ‘a brand new TCP port scanner under IPv6, with the particularity that these scans are not detected by Snort.’