
Near-undetectable malware linked to Russia's Cozy Bear
2022-07-06 05:27

Palo Alto Networks' Unit 42 threat intelligence team has claimed that a piece of malware that 56 antivirus products were unable to detect is evidence that state-backed attackers have found new ways to go about their evil business.

Unit 42's analysts assert that the malware was spotted in May 2022 and contains a malicious payload that suggests it was created using a tool called Brute Ratel.

The malware Unit 42 observed starts life as a file that pretends to be the curriculum vitae of a chap named Roshan Bandara.

Unusually, Bandara's CV is offered as an ISO file - a disk image file format.

If users click on the ISO it mounts as a Windows drive and displays a File Manager window with a sole file: "Roshan-Bandara CV Dialog".

The file looks like a Microsoft Word file but - shockingly - is not really a CV. When double-clicked it opens CMD.EXE and runs the OneDrive Updater, which retrieves and installs BRC4. Once the malware is running, many bad things can happen to infected machines.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/07/06/brc4_state_sponsored_apt29/