It is one thing to have a piece of malware that can focus on targeted attacks, but it is quite another to have it also be nearly invisible.
That is just what a variant of the Exforel backdoor malware, VirTool:WinNT/Exforel.A, is able to do, said researchers at Microsoft’s Malware Protection Center. What sets it apart from other malicious elements of this kind is that the backdoor operates at the Network Driver Interface Specification (NDIS) level.
Since Exforel.A implements a private TCP/IP stack and hooks NDIS_OPEN_BLOCK for the TCP/IP protocol, the backdoor’s TCP traffic is diverted to that private stack and then delivered to the backdoor, bypassing the operating system’s own TCP/IP stack, researchers said.
This makes the variant lower-level and stealthier than its relatives, because there is no connecting or listening port for the backdoor on the host. In addition, the backdoor traffic is invisible to user-mode applications, so tools such as netstat or a user-mode network monitor will not show it.
This version of Exforel – which can download, upload, and execute files, and route TCP/IP packets – could be used in a targeted attack against a particular organization, the researchers said.
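The practical consequence of a backdoor that terminates TCP below the Windows stack is that host-side socket listings cannot be trusted on their own: the host reports no listener, yet a network tap sees completed connections with data flowing out of the machine. The following is an added example written for this page, not code from Microsoft's write-up, showing one defensive correlation: it parses a constructed `netstat -an` snapshot from the host, takes a constructed list of inbound flows as a flow collector or packet capture would report them for that host, and flags completed inbound connections to ports where the host claims nothing is listening. The `Flow` fields, the sample addresses and the port numbers are all made up for illustration.

```python
"""
Added example: find "ghost services" by comparing what a host says it is
listening on with what the network actually saw arriving at that host.
All input data below is constructed; nothing here comes from the
Exforel.A analysis itself.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp"
    local_ip: str   # "0.0.0.0" means any interface
    port: int


@dataclass(frozen=True)
class Flow:
    """One inbound TCP flow as reported by a network sensor (hypothetical schema)."""
    src_ip: str
    src_port: int
    dst_ip: str          # the monitored host
    dst_port: int
    proto: str
    handshake_complete: bool   # SYN/SYN-ACK/ACK observed
    bytes_to_server: int
    bytes_from_server: int     # data the host sent back to the client


def parse_netstat(lines: Iterable[str]) -> Set[Listener]:
    """Parse Windows-style `netstat -an` rows and keep only TCP LISTENING entries.

    Expected row layout: Proto  Local Address  Foreign Address  State
    """
    listeners: Set[Listener] = set()
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        if parts[3].upper() != "LISTENING":
            continue
        ip, _, port = parts[1].rpartition(":")   # handles "0.0.0.0:135" and "[::]:135"
        listeners.add(Listener("tcp", ip.strip("[]"), int(port)))
    return listeners


def host_has_listener(listeners: Set[Listener], flow: Flow) -> bool:
    """True if the host reports a socket that could have accepted this flow."""
    for lst in listeners:
        if lst.proto != flow.proto or lst.port != flow.dst_port:
            continue
        if lst.local_ip in ("0.0.0.0", "::", flow.dst_ip):
            return True
    return False


def find_ghost_services(listeners: Set[Listener], flows: Iterable[Flow]) -> List[Flow]:
    """Inbound flows that completed a handshake and got data back from the host,
    even though the host's own socket table shows no listener on that port.

    Half-open probes (no handshake, no reply bytes) are ignored: a port scan
    against a closed port is not evidence of a hidden service. A real deployment
    should also compare several netstat snapshots over the flow's lifetime so
    that a short-lived legitimate listener is not misreported.
    """
    return [
        f for f in flows
        if f.handshake_complete
        and f.bytes_from_server > 0
        and not host_has_listener(listeners, f)
    ]


# Constructed host snapshot (what the machine itself reports).
NETSTAT_SNAPSHOT = """
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    10.0.0.5:3389          0.0.0.0:0              LISTENING
TCP    10.0.0.5:49712         10.0.0.9:445           ESTABLISHED
"""

# Constructed network-sensor view of inbound flows to 10.0.0.5.
OBSERVED_FLOWS = [
    Flow("10.0.0.9", 51022, "10.0.0.5", 445, "tcp", True, 4096, 8192),     # ordinary SMB
    Flow("10.0.0.9", 51023, "10.0.0.5", 3389, "tcp", True, 900, 20000),    # ordinary RDP
    Flow("203.0.113.7", 40001, "10.0.0.5", 8443, "tcp", True, 1200, 5400), # host says nothing listens here
    Flow("203.0.113.7", 40002, "10.0.0.5", 9999, "tcp", False, 0, 0),      # closed-port probe, ignored
]


def run_demo() -> List[int]:
    """Return the destination ports flagged for the constructed data."""
    listeners = parse_netstat(NETSTAT_SNAPSHOT.splitlines())
    return [f.dst_port for f in find_ghost_services(listeners, OBSERVED_FLOWS)]


if __name__ == "__main__":
    for port in run_demo():
        print(f"ALERT: completed inbound TCP flow to port {port} with no host-reported listener")
```

The check only works because the second data source is collected off the host: a span port, a tap, or the flow logs of an upstream switch or firewall. Anything that queries the compromised host's own stack, including agent-based network monitoring, sits above the point where this kind of backdoor diverts its traffic and will agree with netstat that nothing is there.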