Palo Alto Networks' threat intelligence team, Unit 42, has identified a malware variant that went undetected by approximately 56 antivirus products, a clear sign that state-sponsored hackers have found fresh paths to steal their targets' crucial data, or put more simply, to carry out malicious activity without the user's knowledge.
Unit 42's analysts claim the malware was found in May 2022 and carried a malicious payload built with a tool named Brute Ratel (BRC4). As stated on its own website, BRC4 is sold as "A Customized Command and Control Center for Red Team and Adversary Simulation". BRC4's author has even claimed to have reverse-engineered antivirus software in order to make BRC4 highly difficult to detect.
Unit 42 tracked down the payload, which pretends to be the legitimate CV of a person named Roshan Bandara. Bandara's CV is offered as an ISO file, a disk image format. If the user opens what appears to be a curriculum vitae submitted for a job opportunity, the ISO file mounts as a Windows drive and displays a file manager window containing a single file: "Roshan-Bandara_CV_Dialog".
The key point is that the file the user opens pretends to be a valid CV but is certainly not one. When it is double-clicked, it triggers a series of malicious processes that automatically open cmd.exe and run the OneDrive Updater, which leads to BRC4 being retrieved and installed.
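The infection chain described above (a mounted ISO, a double-clicked lure, cmd.exe, then an "OneDrive Updater" process that fetches BRC4) is what a defender would want to catch in endpoint telemetry. The following is an added example, not code from Unit 42 or from the article, that runs a simple correlation over constructed process-creation and volume-mount events. The event schema, the drive letter, the file names and the updater binary name `OneDriveUpdater.exe` are all assumptions for illustration; the article only says "OneDrive Updater", so the rule matches on the name pattern rather than an exact binary.

```python
"""Correlate mounted-ISO drives with a cmd.exe -> OneDrive-updater chain.

Added detection sketch. All telemetry below is constructed and the field
names are assumptions, not any vendor's schema.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MountEvent:
    ts: int
    drive: str   # drive letter the image was mounted as, e.g. "E:"
    source: str  # path of the image file that was mounted


@dataclass
class ProcessEvent:
    ts: int
    pid: int
    ppid: int
    image: str    # full path of the executable
    cmdline: str
    cwd: str


# Constructed sample telemetry (assumed values, not from the report).
MOUNTS = [
    MountEvent(100, "E:", r"C:\Users\alice\Downloads\Roshan-Bandara_CV.iso"),
]
EVENTS = [
    ProcessEvent(101, 4000, 900, r"C:\Windows\explorer.exe",
                 "explorer.exe", r"C:\Users\alice"),
    # lure opened from the mounted ISO: cmd.exe launches an updater-named
    # binary that lives on the ISO drive (hypothetical name OneDriveUpdater.exe)
    ProcessEvent(102, 4100, 4000, r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c start /b E:\OneDriveUpdater.exe", "E:\\"),
    ProcessEvent(103, 4200, 4100, r"E:\OneDriveUpdater.exe",
                 "OneDriveUpdater.exe", "E:\\"),
    # benign control: an updater-like name running from a normal local path
    ProcessEvent(200, 5000, 900,
                 r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
                 "OneDriveStandaloneUpdater.exe", r"C:\Users\alice"),
]

UPDATER_NAME = re.compile(r"onedrive.*updater", re.IGNORECASE)
IMAGE_EXT = (".iso", ".img")


def iso_drives(mounts: List[MountEvent]) -> Dict[str, str]:
    """Map drive letter -> image path for volumes mounted from a disk image."""
    return {m.drive.upper(): m.source for m in mounts
            if m.source.lower().endswith(IMAGE_EXT)}


def on_iso_drive(path: str, drives: Dict[str, str]) -> bool:
    """True if the path points at a drive that was mounted from a disk image."""
    return any(path.upper().startswith(d) for d in drives)


def find_iso_updater_chains(events: List[ProcessEvent],
                            mounts: List[MountEvent]) -> List[dict]:
    """Flag updater-named processes that come from, or are started via
    cmd.exe out of, an ISO-mounted drive."""
    drives = iso_drives(mounts)
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not UPDATER_NAME.search(ntpath.basename(e.image)):
            continue
        parent: Optional[ProcessEvent] = by_pid.get(e.ppid)
        from_iso = on_iso_drive(e.image, drives)
        via_cmd = (parent is not None
                   and parent.image.lower().endswith("cmd.exe")
                   and (on_iso_drive(parent.cwd, drives)
                        or any(on_iso_drive(tok, drives)
                               for tok in parent.cmdline.split())))
        if from_iso or via_cmd:
            findings.append({
                "pid": e.pid,
                "image": e.image,
                "parent": parent.image if parent else None,
                "iso": next((src for d, src in drives.items()
                             if e.image.upper().startswith(d)
                             or (parent and parent.cwd.upper().startswith(d))),
                            None),
            })
    return findings


if __name__ == "__main__":
    for f in find_iso_updater_chains(EVENTS, MOUNTS):
        print(f"suspicious updater chain: pid={f['pid']} image={f['image']} "
              f"parent={f['parent']} mounted_from={f['iso']}")
```

The rule deliberately ignores the updater-like process running from its normal per-user install path and only fires when the process image or its cmd.exe parent is tied to a drive that was mounted from an ISO or IMG file; in practice the mount source would come from the operating system's volume or disk-image events rather than a hand-built list.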
Once the malware is running, many malicious activities can take place on the compromised system.
However, Unit 42's report is less concerned with those post-compromise actions. The technique used to get BRC4 running and installed on the victim's system is what caught the team's attention. It was so skillfully put together that, after observing its cunning, the analysts suggested state-sponsored entities were behind its development.
Perhaps even APT29, the Moscow-linked group also known as Cozy Bear, which is believed to be behind the SolarWinds attacks and numerous others. APT29 has also used poisoned ISOs in the recent past.
In addition to exposing this particular attack, Unit 42 noted that the ISO was created on the same day a new version of BRC4 was released, suggesting that state-backed attackers may be watching the commercial malware market and putting new tooling to work quickly, while the rest of the world is still trying to catch up with what has happened.
I hope you have liked this news; if so, kindly go through my other news articles as well. Please read Beware of this Android Malware that switches off Wi-Fi and drains the mobile wallet!