Near-undetectable malware linked to Russia's Cozy Bear
The fun folk who attacked Solar Winds using a poisoned CV and tools from the murky world of commercial hackware
Palo Alto Networks' Unit 42 threat intelligence team has claimed that a piece of malware that 56 antivirus products were unable to detect is evidence that state-backed attackers have found new ways to go about the evil business.
Unit 42's analysts assert that the malware was spotted in May 2022 and contains a malicious payload that suggests it was created using a tool called Brute Ratel (BRC4). On its rather brazen website, BRC4 is described as "A Customized Command and Control Center for Red Team and Adversary Simulation". The tool's authors even claim they reverse-engineered antivirus software to make BRC4 harder to detect.
The malware Unit 42 observed starts life as a file that pretends to be the curriculum vitae of a chap named Roshan Bandara. Unusually, Bandara's CV is offered as an ISO file – a disk image file format. If users click on the ISO it mounts as a Windows drive and displays a File Manager window with a sole file: "Roshan-Bandara_CV_Dialog".
The file looks like a Microsoft Word file but – shockingly – is not really a CV. When double-clicked it opens CMD.EXE and runs the OneDrive Updater, which retrieves and installs BRC4.
- SolarWinds attacker on the move: Russia's Nobelium crew has trebled attacks targeting MSPs, cloud resellers, says Microsoft
- It was Russia wot did it: SolarWinds hack was done by Kremlin's APT29 crew, say UK and US
- Cyber-spies target Microsoft Exchange to steal M&A info
Once the malware is running, many bad things can happen to infected machines.
But Unit 42 is not concerned with those bad things. The technique used to get BRC4 running is what caught the team's eye, because it is so cunning it suggests nation-state actors were behind its development.
Maybe even APT29 – the Moscow-linked gang also known as Cozy Bear and thought to be involved in the attack on Solar Winds and many other raids. APT29 has used poisoned ISOs in the past.
Unit 42 also notes that the ISO used in this attack was created on the same day a new version of BRC4 appeared, suggesting that state-backed actors could be watching the murky world of commercial malware and quickly putting it to work while the world tries to catch up.
"The analysis of the two samples described in this blog, as well as the advanced tradecraft used to package these payloads, make it clear that malicious cyber actors have begun to adopt this capability," Unit 42's post states. "We believe it is imperative that all security vendors create protections to detect BRC4 and that all organizations take proactive measures to defend against this tool." ®