Russia's Cozy Bear linked to nearly undetectable malware

There has been little news from Russian hacking groups since the country invaded Ukraine


The distribution mechanism is similar to previous attacks by the Russian group.

The Unit 42 threat intelligence team at Palo Alto Networks has found a new malware sample that can evade detection by more than 50 commercially available antivirus programmes.

The researchers spotted the strain in May and found that it included a payload linked to Brute Ratel C4 (BRc4), a relatively new red team toolkit 'designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities.'

Brute Ratel C4 was developed by Indian security researcher Chetan Nayak, and is owned by Dark Vortex. The tool is similar to the commercial attack simulation tool Cobalt Strike, which IT departments use to test defences and train employees - and which has also been used in attacks previously.

BRc4's creators claim they reverse-engineered well-known antivirus programmes to ensure it remains undetectable.

Since its release in late 2020, BRc4 has amassed approximately 480 licences among 350 clients. Each annual licence costs $2,500 per user, and can be renewed for $2,250.

Although the tool itself carries inherent dangers, Palo Alto's researchers were more interested in how it was being used to distribute malware, which suggests that a state-sponsored actor might be involved.

In the case they examined, the team found malware uploaded from Sri Lanka which presented itself as the CV of a person called Roshan Bandara. The CV is an ISO file ('Roshan CV.iso') which, when double-clicked, mounts itself as a Windows drive and shows what seems to be a safe Microsoft Word document.

As soon as the user opens the file, the malware downloads and installs BRc4 on their system and establishes communication with a remote server.

It's unclear how the payload was delivered to the target environment. Unit 42 suspects spear-phishing, which is typically used to deliver packaged ISO files.
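As an added defensive example, not code from the article or from Unit 42's report: a stdlib-only Python check that parses the root directory of an ISO 9660 image and flags shortcut, executable, script and double-extension file names, the kind of content a mail gateway can reject or sandbox before a recipient ever double-clicks the image. The sample image builder and the file names in it are constructed for the demonstration.

```python
import struct

SECTOR = 2048
RISKY = (".exe", ".dll", ".lnk", ".scr", ".hta", ".js", ".vbs", ".bat", ".cmd")


def _records(img, lba, length):
    """Yield (name, is_dir, extent, size) for each record in one directory extent."""
    data = img[lba * SECTOR:lba * SECTOR + length]
    pos = 0
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:  # records never straddle a sector; skip the zero padding
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        extent, = struct.unpack_from("<I", data, pos + 2)  # little-endian half of both-endian field
        size, = struct.unpack_from("<I", data, pos + 10)
        flags, name_len = data[pos + 25], data[pos + 32]
        raw = data[pos + 33:pos + 33 + name_len]
        pos += rec_len
        if raw not in (b"\x00", b"\x01"):  # skip "." and ".."
            yield raw.decode("ascii", "replace").split(";")[0], bool(flags & 2), extent, size


def risky_files(img):
    """Root-directory entries a gateway should block or detonate: executables, shortcuts,
    scripts, and double extensions such as NAME.DOCX.LNK that mimic a document."""
    pvd = img[16 * SECTOR:17 * SECTOR]
    if pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    root_lba, = struct.unpack_from("<I", pvd, 158)  # root directory record sits at PVD offset 156
    root_len, = struct.unpack_from("<I", pvd, 166)
    return sorted(f"/{name}" for name, is_dir, _, _ in _records(img, root_lba, root_len)
                  if not is_dir and (name.lower().endswith(RISKY) or name.count(".") > 1))


def _rec(name, extent, size, is_dir=False):
    """Build one directory record (constructed sample data; only the fields the parser reads)."""
    both = lambda v: struct.pack("<I", v) + struct.pack(">I", v)
    n = name.encode()
    body = b"\x00" + both(extent) + both(size) + bytes(7) + bytes([2 if is_dir else 0, 0, 0])
    return bytes([len(body) + 6 + len(n)]) + body + b"\x01\x00\x00\x01" + bytes([len(n)]) + n


def sample_image():
    """Constructed sample: a document-lookalike shortcut beside a text file (names hypothetical)."""
    img, root = bytearray(SECTOR * 21), _rec("\x00", 18, SECTOR, True)
    img[16 * SECTOR] = 1  # primary volume descriptor
    img[16 * SECTOR + 1:16 * SECTOR + 6] = b"CD001"
    img[16 * SECTOR + 156:16 * SECTOR + 190] = root
    entries = root + _rec("\x01", 18, SECTOR, True) + _rec("CV.DOCX.LNK;1", 19, 1200) + _rec("NOTES.TXT;1", 20, 5)
    img[18 * SECTOR:18 * SECTOR + len(entries)] = entries
    return bytes(img)
```

Running `risky_files(sample_image())` returns `['/CV.DOCX.LNK']`; the plain text file is not flagged.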

The malware's approach is similar to that of the Russian-based APT29, aka Cozy Bear, which has previously used weaponised ISO files. Additionally, the ISO file being examined was created on the same day that BRc4's creators released a new version, further indicating the involvement of a state-sponsored actor.

APT29 has predominantly targeted diplomatic, governmental, energy, and healthcare organisations in recent years. As well as Cozy Bear it is also known as The Dukes and Yttrium, and is associated with Russia's foreign intelligence service.

During the Covid-19 pandemic, security experts accused the group of stealing crucial data from companies engaged in vaccine research and development.

Unit 42 also discovered a second sample, uploaded to VirusTotal from Ukraine the next day, whose code overlapped with that of a module responsible for loading BRc4 into memory.

'The analysis of the two samples described in this blog, as well as the advanced tradecraft used to package these payloads, make it clear that malicious cyber actors have begun to adopt this capability,' Unit 42 wrote.

The researchers recommend that IT and cybersecurity defenders working for companies be on the lookout for indications of malware that uses BRc4.

'We believe it is imperative that all security vendors create protections to detect BRC4 and that all organizations take proactive measures to defend against this tool,' they said.

Shortly after Unit 42 published its analysis, Nayak tweeted that he had taken steps against licences being sold on the black market.

He added that he is ready to work with authorities on any further investigation.