Logic dictates that the most reliable way to prevent a cyberincident is to stop malware from penetrating the corporate infrastructure. So, when developing an information security strategy, experts often focus on the most obvious attack vectors – like through e-mail. Most attacks do indeed start with an e-mail, but don’t forget that cybercriminals have many other malware delivery methods up their digital sleeve. Experts from Kaspersky’s Global Research & Analysis Team have been talking about uncommon methods used to infect and spread malware that they’ve come across while analyzing recent threats.
Typosquatting to spoof a tool
The creators of malware dubbed AdvancedIPSpyware decided to embed their code in the Advanced IP Scanner tool for system administrators. They created two websites with the exact same design as the original, plus domain names that differed by just one letter. That is, they were counting on the victim searching for a local network monitoring tool and downloading the program with a backdoor from a bogus site. Interestingly, the malicious version of Advanced IP Scanner was signed with a legitimate digital certificate, which appears to have been stolen.
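A defender-side check for the one-letter-off domains described above, added here as an example and not code from the article or from Kaspersky: it compares the registrable domain of every host in a proxy log against an allowlist of trusted download sites and flags near-misses within a small edit distance. All domain names and log lines are constructed placeholders, and the log layout is an assumption rather than any real product's format.

```python
"""Lookalike-domain check for proxy logs.

Added example (not from the original article): flags hostnames whose
registrable domain is within a small edit distance of a trusted vendor
domain, which is how a one-letter-off typosquat shows up in web traffic.
All domains and log lines below are constructed placeholders.
"""
from __future__ import annotations

# Constructed allowlist of domains you expect admins to download tooling from.
TRUSTED_DOMAINS = ["example-scanner.com", "example-browser.org"]

# Constructed proxy-log lines: "<timestamp> <client-ip> <requested-host>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 example-scanner.com
2024-01-01T10:00:07 10.0.0.5 example-scaner.com
2024-01-01T10:01:12 10.0.0.9 exarnple-scanner.com
2024-01-01T10:02:30 10.0.0.9 cdn.update-service.net
2024-01-01T10:03:44 10.0.0.12 download.example-scanner.com
2024-01-01T10:03:59 10.0.0.12 exampie-browser.org
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: no multi-label public suffixes
    such as co.uk; use a public-suffix library on production data)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalikes(host: str, trusted: list[str], max_distance: int = 1) -> list[tuple[str, int]]:
    """Trusted domains that the host's registrable domain resembles but does not equal."""
    reg = registrable_domain(host)
    hits = []
    for t in trusted:
        d = edit_distance(reg, t.lower())
        if 0 < d <= max_distance:
            hits.append((t, d))
    return hits


def flag_log(log_text: str, trusted: list[str] = TRUSTED_DOMAINS,
             max_distance: int = 1) -> list[tuple[str, str, str, str, int]]:
    """Return (timestamp, client, host, trusted_domain, distance) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, host = parts
        for t, d in lookalikes(host, trusted, max_distance):
            findings.append((ts, client, host, t, d))
    return findings


if __name__ == "__main__":
    for finding in flag_log(SAMPLE_LOG):
        print("possible typosquat:", finding)
```

With the default threshold of one edit, the exact vendor domain and its legitimate subdomain pass, while the two single-character variants are flagged; raising `max_distance` to 2 also catches the `rn`-for-`m` substitution, at the cost of more noise on short domains, so the threshold is worth tuning per allowlist entry.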
Links below YouTube videos
The operators of OnionPoison tried to do something similar: they created their own malicious version of the Tor browser (only without a digital signature). But to distribute their fake browser, they put a link on a popular YouTube channel about online anonymity under a video with instructions for installing Tor. The infected version couldn’t be updated and contained a backdoor for downloading an additional malicious library. This, in turn, enabled the attackers to execute arbitrary commands in the system, as well as to get hold of the browser history and WeChat and QQ account IDs.
Malware spread through torrents
The creators of CLoader disguised their malware installers as pirated games and useful software. This method tends to be aimed more at home users, but these days – with remote working now the norm and thus blurring the corporate perimeter – malicious torrents may also pose a threat to work computers. Victims who attempted to download pirated software through torrents instead picked up malware capable of running as a proxy server on the infected machine, installing additional malware, or granting unauthorized remote access to the system.
Lateral movement through legitimate tools
The latest versions of the BlackBasta ransomware can spread over a local network using certain Microsoft technologies. After infecting a single computer, it can then connect to Active Directory by means of the LDAP library, get a list of computers in the local network, copy the malware onto them, and run it remotely using the Component Object Model (COM). This method leaves behind fewer traces in the system and makes detection more difficult.
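The spreading pattern described above (one host enumerates the directory, then copies a file to many machines and triggers remote execution) has a detectable shape regardless of which Microsoft technology is used: a single source fanning out to many destinations in a short window. The following is an added example, not code from the article or from any EDR product, that runs that fan-out check over constructed, simplified host-to-host event records. The field layout and action names (`ldap_search`, `smb_write`, `dcom_exec`) are assumptions for illustration, not the format of any real log source.

```python
"""Fan-out detection for lateral movement.

Added example (not from the original article): over constructed, simplified
host-to-host event records, flag any source that writes files to many
distinct hosts over SMB and triggers remote execution within a short window.
Field layout and action names are assumptions, not a real product's log format.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: "<iso-timestamp> <src-ip> <dst-ip> <action>"
SAMPLE_EVENTS = """\
2024-01-01T10:00:00 10.0.0.5 10.0.0.2 ldap_search
2024-01-01T10:00:20 10.0.0.5 10.0.0.21 smb_write
2024-01-01T10:00:25 10.0.0.5 10.0.0.21 dcom_exec
2024-01-01T10:00:40 10.0.0.5 10.0.0.22 smb_write
2024-01-01T10:00:45 10.0.0.5 10.0.0.22 dcom_exec
2024-01-01T10:01:05 10.0.0.5 10.0.0.23 smb_write
2024-01-01T10:01:10 10.0.0.5 10.0.0.23 dcom_exec
2024-01-01T10:30:00 10.0.0.8 10.0.0.21 smb_write
2024-01-01T11:00:00 10.0.0.8 10.0.0.22 smb_write
2024-01-01T11:30:00 10.0.0.8 10.0.0.23 smb_write
"""


def parse_events(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse the constructed format into (timestamp, src, dst, action), sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines
        ts, src, dst, action = parts
        events.append((datetime.fromisoformat(ts), src, dst, action))
    events.sort()
    return events


def fanout_alerts(events: list[tuple[datetime, str, str, str]],
                  window: timedelta = timedelta(minutes=5),
                  min_hosts: int = 3) -> list[dict]:
    """Sources that smb_write to at least min_hosts distinct destinations inside one window.

    Each alert also records which of those hosts saw a dcom_exec from the same
    source in the window, and whether the source queried the directory beforehand.
    """
    writes_by_src: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, action in events:
        if action == "smb_write":
            writes_by_src[src].append((ts, dst))

    alerts = []
    for src, writes in writes_by_src.items():
        writes.sort()
        for i, (start, _) in enumerate(writes):
            end = start + window
            hosts = {d for t, d in writes[i:] if t <= end}
            if len(hosts) < min_hosts:
                continue
            executed = {dst for ts, s, dst, a in events
                        if s == src and a == "dcom_exec" and start <= ts <= end}
            enumerated = any(s == src and a == "ldap_search" and ts <= start
                             for ts, s, _, a in events)
            alerts.append({
                "src": src,
                "window_start": start,
                "hosts": sorted(hosts),
                "remote_exec_on": sorted(executed & hosts),
                "preceded_by_ldap": enumerated,
            })
            break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in fanout_alerts(parse_events(SAMPLE_EVENTS)):
        print("lateral-movement fan-out:", alert)
```

On the sample data, 10.0.0.5 writes to three hosts and executes on each within under a minute, right after a directory query, and is flagged; 10.0.0.8 touches the same three hosts but thirty minutes apart and stays below the threshold until the window is widened. In practice the window and host count should be set from a baseline of legitimate software-deployment traffic, since patch-management servers produce exactly this shape on purpose.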
How to stay safe
These examples show that corporate infrastructure needs comprehensive protection. Sure, a solution that scans all incoming e-mail for phishing, malicious links and attachments will likely guard against most attacks. But bear in mind that any computer with internet access should be additionally equipped with its own anti-malware protection. And to better understand what’s going on in your corporate network, it’s a good idea to deploy EDR-class solutions as well.