What malware researchers usually encounter in their daily analyses is reused code. Reusing code is something all developers do, and malware authors are no exception. A large share of new malware is repurposed, rebranded source code adapted to the needs of the current campaign, and security researchers regularly find that a "new" attack is old malware rewritten to target new victims.
One relatively recent example comes from researchers at Kaspersky Lab and King's College London, who found links between Turla attacks from 2011 and 2017 and a very old APT from two decades earlier. The researchers obtained logs of Moonlight Maze, an attack that took place in the late 1990s, from a now retired IT administrator whose server had been used as a proxy to launch the attacks. While examining the logs, the researchers concluded that the same code was still being used in modern attacks.
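What researchers look for in cases like this is reused code rather than identical binaries: constants, addresses and strings change between campaigns, but the structure of the routines survives. The following Python script is an added example and is not part of the original article or of the research it cites. It normalizes two constructed assembly-style listings (immediates masked out so changed ports or addresses do not matter), shingles them into token 3-grams, and reports Jaccard similarity and containment, which is the basic idea behind code-reuse comparison. The listings, labels and routine names are constructed for illustration and do not come from any real sample.

```python
import re
from typing import Dict, List, Set, Tuple

# Token grammar: hex immediates first so "0x1f" is not split into "0" and "x1f".
TOKEN_RE = re.compile(r"0x[0-9a-fA-F]+|[A-Za-z_][A-Za-z0-9_]*|\d+|[\[\],+\-*]")
IMM_RE = re.compile(r"0x[0-9a-fA-F]+|\d+")


def normalize(listing: str) -> List[str]:
    """Turn an assembly-style listing into a token stream with immediates masked.

    Masking immediates means a variant that only changed addresses, ports or
    constants still matches the original routine.
    """
    tokens: List[str] = []
    for line in listing.splitlines():
        code = line.split(";", 1)[0]  # drop comments
        for tok in TOKEN_RE.findall(code):
            tokens.append("IMM" if IMM_RE.fullmatch(tok) else tok.lower())
    return tokens


def shingles(tokens: List[str], n: int = 3) -> Set[Tuple[str, ...]]:
    """n-gram shingles over the token stream (order-preserving)."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def jaccard(a: Set, b: Set) -> float:
    """Symmetric similarity: shared shingles over all shingles."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def containment(old: Set, new: Set) -> float:
    """Fraction of the old sample's shingles that survive in the new one."""
    return len(old & new) / len(old) if old else 0.0


def compare(old_listing: str, new_listing: str, n: int = 3) -> Dict[str, float]:
    old = shingles(normalize(old_listing), n)
    new = shingles(normalize(new_listing), n)
    return {"jaccard": jaccard(old, new), "containment": containment(old, new)}


# Constructed listings (not real malware): a scanner loop, a variant of it
# with changed constants and an inserted exploitation stage, and an unrelated routine.
OLD_SCANNER = """
scan_loop:
    mov eax, 0x0a00000a        ; start of the address range to scan
    call rand_ip
    push 23                    ; telnet
    push eax
    call try_connect
    test eax, eax
    jz scan_loop
    push offset default_creds
    push eax
    call brute_login
    test eax, eax
    jz scan_loop
    call report_c2
    jmp scan_loop
"""

VARIANT_SCANNER = """
scan_loop:
    mov eax, 0xc0a80001        ; different address range
    call rand_ip
    push 2323                  ; different port
    push eax
    call try_connect
    test eax, eax
    jz scan_loop
    push offset default_creds
    push eax
    call brute_login
    test eax, eax
    jz scan_loop
    push offset exploit_list   ; inserted stage: known-vulnerability exploits
    push eax
    call try_known_exploits
    test eax, eax
    jz scan_loop
    call report_c2
    jmp scan_loop
"""

UNRELATED = """
format_msg:
    lea rdi, [rsp+0x20]
    mov rsi, rdx
    xor ecx, ecx
    rep stosb
    lea rsi, [rbx+0x8]
    call strncpy
    add rsp, 0x38
    ret
"""

if __name__ == "__main__":
    print("old vs variant  ", compare(OLD_SCANNER, VARIANT_SCANNER))
    print("old vs unrelated", compare(OLD_SCANNER, UNRELATED))
```

Containment is the more useful number when hunting for reuse: a new sample that embeds an old routine wholesale plus a lot of new code can have a modest Jaccard score while containment of the old routine stays near 1.0. Real tooling does the same thing over disassembled functions or basic blocks rather than over text, but the comparison step is the same.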
Why do hackers generally prefer to reuse old code instead of writing their own?
As Marc Laliberte, threat analyst at WatchGuard Technologies, points out, recycling old code makes sense: why reinvent the wheel when another developer has already done a good job and provided a working solution? While reused code can make signature-based detection more effective in some cases, Laliberte says it mostly frees up time for attackers to work on detection evasion and attack efficacy, resulting in a more dangerous final product.
Attackers reuse more than code: spear-phishing templates, macros and other social engineering mechanisms are recycled as well.
We recently wrote about a study that revealed how attackers reuse phishing websites across multiple hosts by bundling the site's resources into a phishing kit. The kit is typically uploaded to a compromised host, its files are extracted, and phishing emails are sent out pointing to the new phishing site. The researchers examined 66,000 URLs and more than 7,800 phishing kits, and found two kits that had each been deployed on more than 30 hosts. Another interesting finding was 200 instances of backdoored phishing kits: kit authors sell backdoored kits to other attackers so that they, too, get access to the compromised hosts.
Another example of known code reappearing in new attacks is the Reaper botnet, which builds on Mirai. A couple of months ago, researchers at Qihoo 360 and Check Point explained that the Reaper IoT botnet relied on known exploits and security weaknesses to infiltrate insecure devices. Simply put, Reaper's author used Mirai as the base on which a much more effective exploitation mechanism was built: Reaper added exploits for known IoT flaws to Mirai's source code, along with the Lua programming language, which made it more sophisticated than its predecessor.
Let's also look at the Silence Trojan, recently uncovered by researchers at Kaspersky Lab. In these attacks, Silence's authors used a very efficient technique: gaining persistent access to internal banking networks and making video recordings of daily activity on bank employees' machines in order to learn how the banking software is used. That knowledge was later applied to steal as much money as possible. Researchers had previously observed the same technique in Carbanak's targeted operations.
More examples can be found in the way attackers used the exploit code leaked by the Shadow Brokers. Hackers were quick to adopt and repurpose it to turn ransomware into self-propagating "ransomworms", as in the WannaCry and NotPetya attacks.
Recycling malware is not going anywhere. Be prepared
Using old code to build new malware and launch new campaigns is not a passing trend, as the recurring examples above show. Attackers will carry on "recycling" malware knowledge and resurrecting old code, and new devastating campaigns will continue to endanger users' personal information, finances and overall online security. Since prevention is the best anti-malware measure, we have prepared some useful tips to build into daily routines. You can also have a look at some of the best anti-ransomware tips published in our forum.
- Make sure the host firewall is enabled and configured, in addition to the network perimeter firewall, so that an intrusion attempt has to get past more than one filter.
- Run programs with the least privilege they need, and keep User Account Control enabled so that anything requiring administrative rights has to prompt you first.
- Use stronger passwords. Long passwords that are not dictionary words are far harder to crack, since brute-force and dictionary attacks rely on wordlists of common words and phrases.
- Turn off AutoPlay. This stops malicious executables on USB sticks or other removable media from running as soon as the media is inserted.
- Disable file sharing unless you need it. If you do need to share files between your computers, protect the shares with passwords so that an infection on one machine cannot spread to open shares and the damage stays confined to that machine.
- Switch off remote services you do not need. Exposed remote services can be devastating for business networks, since a single flaw can be exploited at massive scale.
- If a third-party service or process that is not critical to Windows is being actively exploited (as Flash Player has been), disable it until an update that fixes the flaw is available.
- Download and install critical security patches for your software and operating system promptly.
- Configure your mail server to block and delete emails carrying suspicious file attachments.
- If a computer in your network is compromised, isolate it immediately: power it off and physically disconnect it from the network. (If you intend to investigate, capture volatile memory before powering it down, since that evidence is lost otherwise.)
- Turn off infrared ports and Bluetooth when not in use; attackers love to use them to reach devices. If you use Bluetooth, watch for pairing requests from unknown devices, decline them and investigate any suspicious ones.
- Employ a powerful anti-malware solution to protect yourself from future threats automatically.
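The mail-server tip above is where the recycled macros and spear-phishing templates mentioned earlier are actually stopped, so it is worth being concrete about what "suspicious attachment" means. The script below is an added example, not part of the original article or of any mail product: it parses a MIME message with Python's standard `email` library and flags attachments by their final extension (executables and script hosts), by a disguising double extension such as `invoice.pdf.exe`, by a macro-enabled Office extension, by an executable MIME type, and by the right-to-left override character used to make `report‮fdp.exe` display as a PDF. The sample messages, addresses and payloads are constructed for the demo.

```python
import email
import email.policy
from email.message import EmailMessage
from typing import Dict, List

# Extensions that should never arrive as an attachment from outside.
BLOCKED_EXT = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "hta", "ps1", "lnk", "jar", "msi", "cpl",
}
# Office formats that can carry macros (the "m" variants).
MACRO_EXT = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
# MIME types that declare a Windows executable regardless of the name.
EXEC_MIME = {"application/x-msdownload", "application/x-dosexec", "application/x-msdos-program"}
RTLO = "\u202e"  # Unicode right-to-left override


def attachment_findings(filename: str, content_type: str) -> List[str]:
    """Return the list of reasons an attachment should be blocked (empty = allow)."""
    findings: List[str] = []
    name = filename or ""
    if RTLO in name:
        findings.append("rtlo-in-filename")
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXT:
        findings.append("blocked-extension:" + ext)
        if len(parts) > 2:  # e.g. invoice.pdf.exe
            findings.append("double-extension")
    if ext in MACRO_EXT:
        findings.append("macro-enabled-document")
    if content_type.lower() in EXEC_MIME:
        findings.append("executable-mime:" + content_type.lower())
    return findings


def scan_message(raw: bytes) -> List[Dict[str, object]]:
    """Parse a raw RFC 5322 message and report every attachment with findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results: List[Dict[str, object]] = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        findings = attachment_findings(fname, part.get_content_type())
        if findings:
            results.append({"filename": fname, "findings": findings})
    return results


def build_sample(filename: str, maintype: str, subtype: str, payload: bytes) -> bytes:
    """Construct a test message with one attachment (addresses are invented)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("invoice.pdf.exe", "application", "octet-stream", b"MZ\x90\x00"),
        build_sample("report.docm", "application", "vnd.ms-word.document.macroEnabled.12", b"PK\x03\x04"),
        build_sample("notes.txt", "text", "plain", b"hello"),
    ]
    for raw in samples:
        print(scan_message(raw) or "allowed")
```

Two points a practitioner should keep in mind when wiring this into a real filter: archives (`.zip`, `.7z`, ISO images) have to be opened and their contents run through the same checks, since wrapping an executable in a zip is the standard way around extension blocks, and the decision must be based on what the file actually is (magic bytes, macro streams in an Office container) rather than on the name alone, because the name is entirely under the sender's control.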