If a recent wily cyber-espionage campaign against Middle Eastern government entities is any indication, cyber defenders will need to upgrade their malware detection capabilities soon.
Cybersecurity, the trope goes, is a cat-and-mouse game. Companies move to Linux and macOS, so attackers follow them there. Attackers deliver malware in phishing attachments, so Microsoft blocks Internet macros, so attackers adjust. As cybersecurity tooling grows stronger, attackers’ methods for circumventing them grow more creative and effective.
So it was that in February, Kaspersky researchers discovered a threat actor spying on a Middle Eastern government organization. By the time Kaspersky reached the attack, at least 30 infections had already been recorded against other organizations, primarily around the Middle East. Despite that, the campaign — dubbed “DuneQuixote” — had managed to remain obscured for at least a year, thanks in large part to a combination of classic and novel stealth techniques.
As experts are quick to point out, cyberattackers across the board have been upgrading their stealth. Perhaps they’re once again gaining the edge?
“It’s absolutely trivial to create new malware that evades anti-malware detection,” says David Brumley, cybersecurity professor at Carnegie Mellon and CEO of ForAllSecure. “Even ‘advanced’ behavioral analysis is pretty easy to fool with a few tricks. That means there is a huge volume of malware that would need manual analysis to really figure out what is happening. And of course, with all the custom tricks, that makes it really hard to do.”
DuneQuixote and Spanish Poetry
The DuneQuixote campaign consists of two separate malware droppers and two separate payloads.
One dropper mimics the Total Commander software installer, packaging the legitimate software with its malicious contribution. Once inside a targeted machine, it runs through a series of anti-analysis checks, including, for example, whether any known security software is present on the device. Should any of its checks fail, the malware will return a value of “1,” which has a coded meaning. When it comes time to decrypt the attackers’ command-and-control (C2) server address, the 1 value will remove the “h” from “https,” so that the C2 URL will begin with only “ttps,” and no connection will be made at all.
The second DuneQuixote dropper is even more clever. When executed, its first act is to make a series of application programming interface (API) calls which at first appear to serve no actual purpose. Instead they contain strings with snippets from Spanish poems, which have a secret effect. Each instance of the dropper contains different lines of poetry, which earns each instance its own, unique signature. This makes things difficult for simple detection solutions, which rely on common signatures to identify new instances of known malware.
Like the first dropper, this second one also has a method for concealing its infrastructure from analysts. It takes the malicious file name plus a line from a Spanish poem, combines them, and runs them through the MD5 algorithm. The resulting hash acts as a key that decrypts the C2 address.
As for payloads: The two in this campaign are straightforward-enough backdoors that facilitate uploading and downloading files, executing commands, and modifying files. To avoid leaving a footprint, each is written directly into memory.
“Among emerging techniques, fileless malware [is worrying],” says Callie Guenther, senior manager of cyber-threat research at Critical Start. “This form of malware significantly reduces the digital footprint and evades traditional antivirus solutions that scan for file-based signatures, complicating post-breach analysis and forensics. It is particularly concerning due to its stealth and effectiveness, making it a likely candidate to become increasingly prevalent.”
How to Thwart Advanced Stealth Tactics
Besides malware in-memory, “The most notable [stealth tactics] I’ve seen were tricks used in supply chain attacks, where malicious code blended with the legitimate code of comprehensive applications. Tough to identify,” says Sergey Lozhkin, principal security researcher with Kaspersky’s Global Research and Analysis Team.
As much as any individual tricks, threat actors have mastered how to adapt to their targeted environments — staggering at which points they drop their various tools, under what conditions, and to what ends. “At the highest level, you can’t analyze what you don’t have. Malware authors use this idea and incrementally download new components, perhaps only when given a specific command by the author. Until those components are downloaded, we don’t know what they do,” Brumley says.
“Beyond that,” he adds, “the problem isn’t one single anti-analysis technique; it’s the sheer number and ability to mix and match them. They may embed ‘weird machines,’ where the malware has a custom language interpreter and the malware logic runs on top of it. This is hard to analyze because when you try to analyze it, you see the weird machine, not the malware logic itself. Malware authors may encrypt and pack components of the malware, and only incrementally decrypt them. And some parts of the malware may be encrypted with a key that isn’t in the malware itself, but is part of the C2 command. Or they could mix all of the above.”
To combat all of the stealth tactics and techniques at attackers’ disposal, Guenther and Lozhkin recommend layered security: endpoint detection and response (EDR), behavioral analytics and anomaly detection technologies, and a broader zero-trust approach to system access.
For his part, Brumley is less optimistic. “Throughout the ages people have proposed whitelist-only. This means locking down machines hard, and then making sure they only install approved apps (or apps from approved vendors that are signed). Apple is the most famous for taking this approach, at least on mobile, with their walled garden approach,” he says.
“Beyond that, this is a place where the attacker just has an asymmetric advantage,” Brumley adds. “That’s why most effort isn’t put on malware analysis, but good hygiene to try and limit what gets installed.”
https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt5a9ef5ee51d273a3/663282ead08a2ab13c1a27db/Windmills_incamerastock_Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop
