Everyone knows bad guys are very resourceful when it comes to security, but now they are taking it to a new level as they are absconding with malware originally developed for government espionage and installing it in rootkits and ransomware.
The malware, called Gyges, first came to light in March, said researchers at Sentinel Labs.
Sentinel discovered Gyges with on-device heuristic sensors, but the catch is quite a few intrusion prevention systems would miss it. The report said Gyges’ evasion techniques are “significantly more sophisticated” than the payloads attached. It includes anti-detection, anti-tampering, anti-debugging, and anti-reverse-engineering capabilities.
Because of this, the researchers concluded although Gyges attached to ransomware and bot code, it had been originally created as a “carrier” for a much more sophisticated attack — something like what a government agency would use to collect intelligence data.
Certain components of the code matched that of known malware used before in targeted attacks for an espionage campaign originating in Russia, researchers said.
“This code is really hard to replicate,” said Udi Shamir, Sentinel’s head of research in a blog post, “so it would be hard to believe that it was created by a different group.”
The following technical details explain how this type of malware is able to remain invisible to most, if not all, common-day security measures:
• Gyges malware targets Microsoft Windows 7 and 8 platforms and is designed for both the x86 and x64 CPU architectures.
• The malware uses heavily modified Yoda protector, which provides polymorphic encryption and anti-debugging. It exhibits similarities to Russian espionage malware discovered earlier this year and shares the same crypto engine (first spotted in March).
• The Gyges malware uses API redirection in order to prevent import table rebuilding. The malware API code redirects to an allocated memory region.
• It rebuilds the import address table (IAT) when the decrpytor finishes its task.
• Anti-debugging uses the NtQueryInformationProcess Native API with DebugPort parameter.
• Anti-debugging, using the NtSetInformationThread with ThreadInformationClass to 0x11 (ThreadHideFromDebugger), the thread will be detached from the debugger.
The malware saw action by government agencies to gather information — eavesdropping, keylogging, capturing screens, and stealing identities and intellectual property, the researchers said. Now bad guys are using it for committing online banking fraud, encrypting hard drives to collect ransoms, installing rootkits and Trojans, creating botnets, and targeting critical infrastructures.
For the technical details, click here to download the complete report.