A new malware dubbed “Moker” has been discovered. The malware is said to be unique since it bypasses and disables security measures, achieves system privileges, can be controlled without requiring internet connectivity, and takes great measures in order to bypass posthumous research once detected. The malware was spotted as an Advanced Persistent Threat (APT) that exhibits Remote Access Trojan (RAT) capabilities. Security experts from Proofpoint, Imperva, and Lieberman Software explain how difficult this would be to deal with, what can be done and what is unique about it.
[su_note note_color=”#ffffcc” text_color=”#00000″]Kevin Epstein, VP Advanced Security and Governance at Proofpoint :
Remote access tools enable attackers to effectively have access to the same resources as the user, which is clearly problematic. Once identified, a RAT may or may not be ‘easily’ removed; the concern is that the attacker has likely used the RAT to install many other tools on accessible systems, which can take huge amounts of effort to remediate. Based on the description offered, this appears to be a classic example of modern malware, employing a multi-stage approach to deployment, obfuscation, and injection into legitimate processes – though the addition of local access is interesting, even though it’s challenging to imagine where such a feature might be employed
See here :
- (a “live” view of an attack from a user’s eyes)
- (narrated explanation w. schematic of what happens behind the scenes)
The techniques described have been in common use by modern malware for quite a while; it’s highly likely that attackers will continue to use these tactics even as they constantly also evolve new tactics.
Modern targeted attack protection and threat response technologies have been designed to cope with such threats, leveraging ‘tells’ on the inbound vector, C&C, or other aspects of the ecosystem”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Sagie Dulce, Team Leader in ADC at Imperva :
“Moker has many features in common with other malware, such as bypassing security measures, avoiding RE by researchers etc. What was interesting to me is that it seems not to rely on any exploits. Many users are already privileged on their own machine, making bypassing UAC mechanism more trivial (it is also possible to simply ask the user for elevation). As much attention as exploits get, the trouble with them is that they are costly, complex, and once patched can potentially ruin the campaign. Not using any exploits could mean that the attack can actually go undetected for longer.
This malware proves again that standard security measures (AV, sandboxing etc) fail to address advanced threats. Companies should assume that compromise is inevitable – and focus their money on where it hurts: their data.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Jonathan Sander, VP of Product Strategy at Lieberman Software :
“The hardest part in dealing with the new malware called Moker is finding it in the first place. Using advanced techniques such as breaking its install into stages and code packing to avoid signature based detection, Moker seems to be designed for stealth. It even avoids the need for calling over the network for every instruction. Moker can take commands from a built in control system, which, perhaps even more frightening, means that the attacker has a whole other route into the systems to manipulate those controls locally.
Moker isn’t ground breaking so much as it’s rare. It’s rare for attackers to put this much effort into malware these days. Since security is so poor, most attackers can buy pre-made malware or construct cheap knock offs of well-known attacks and that is more than enough to burst through the doors of any perimeter. Moker seems to be more well-constructed that most malware, and that likely points to a more sophisticated attacker with a more specific goal in mind. Someone paid good money to have this made and placed it seems.
The only reason we’re talking about Moker is that the forensics have figured it out and now the anti-malware systems are being primed to sniff it out. Of course, like antibiotic resistant bacteria, it will find some way to mutate and show up in a slightly different form to infect more systems. That’s the new normal for malware.”[/su_note]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.