
Undetectable NSA-linked hybrid malware hits Intel Security radar

While Flash malware nastiness detections quadruple – we're all clearly doomed

CTB Locker ransomware attacks rose 165 per cent in the first three months of 2015.

More than a third (35 per cent) of victims were based in Europe, McAfee Labs reported. CTB Locker encrypts files and holds them hostage until the ransom is paid. As such, the crimeware is picking up the baton that dropped with the takedown of the infamous CryptoLocker ransomware scam in May last year.

The latest edition of Intel Security's report, released on Tuesday, reports attacks on firmware for the first time. More specifically, the report details "persistent and virtually undetectable attacks" by the so-called Equation Group that reprogram hard disk drives and solid state drive firmware.

McAfee Labs assessed the reprogramming modules exposed in February and found that they could be used to reprogram the firmware in SSDs in addition to the previously-reported HDD reprogramming capability.

Once reprogrammed, the HDD and SSD firmware can reload associated malware each time infected systems boot and the malware persists even if the drives are reformatted or the operating system is reinstalled.

Once a drive is infected, security software cannot detect the associated malware, which is stored in a hidden area of the drive.

Although not identified as such by Intel Security, the Equation Group has been linked to elite units of the NSA, via confirmation by former staffers.

"We at Intel take hybrid software-hardware threats and exploits seriously," said Vincent Weafer, senior vice president, McAfee Labs. "We have closely monitored both academic proofs of concept and in-the-wild cases of malware with firmware or BIOS manipulation capabilities, and these Equation Group firmware attacks rank as some of the most sophisticated threats of their kind. While such malware has historically been deployed for highly-targeted attacks, enterprises should prepare themselves for the seemingly inevitable ‘off-the-shelf’ incarnations of such threats in the future."

Lastly, the security firm's research report flags up a flare-up of Adobe Flash exploits targeting unpatched vulnerabilities. Detections of new Adobe Flash malware samples skyrocketed to almost 200,000 in Q1 2015, an increase of 317 per cent over the 47,000 samples detected in the last quarter of 2014.

Forty-two new Adobe Flash vulnerabilities were submitted to the National Vulnerability Database in Q1. On the same day those vulnerabilities were posted, Adobe made initial fixes available for all 42 vulnerabilities.

The full-fat, 45-page version of McAfee Labs' report can be found here (PDF). ®
