Outside-the-box malware is getting more common, security researchers warn

Most malware authors have become lazy in the past few years, copying code and techniques from each other. A few, however, “have invested in really fresh ideas,” building tools that are often difficult to detect by antivirus software and pose challenges to human researchers,” Aleksandra Doniec, malware intelligence analyst at Malwarebytes, tells CSO.

Doniec worked with Mark Lechtik, malware research team leader at Check Point, to analyze several outside-the-box samples. The two researchers presented their findings during Kaspersky Lab’s SAS 2019 conference on April 10 in Singapore to raise awareness on the rise of what they call “funky malware formats”—malware that breaks traditional rules and comes in different shapes and sizes.

In the last few years, the researchers looked at different kinds of unusual malware, from those using niche file types to malware that unusually alters the format of a binary file. “In a sense, these are a spark of creativity for those people who do malware software development, who want to be thought leaders in their own field,” Lechtik said.

Creative malware can be the work of any hacking group, not just resourceful nation-state actors, according to the researchers. “Truth is that you would also come across quite a few cases where cybercriminals would leverage [funky malware] formats to remain undetected and evade security products,” Lechtik said.

Among the victims of such attacks were probably banks, Asian companies and activists, the two researchers said in their presentation.

How are funky malware formats used?

Doniec and Lechtik presented several use cases in which malware authors leveraged outside-the-box file formats. One victim was Cosmos Bank, the second largest cooperative bank in India, which was attacked in August 2018 by a hacking group that stole $13.5 million. Several security companies believe the incident was likely the work of Lazarus, a North Korean-backed hacking group that has been posing a great threat to the financial industry and is thought to have been responsible for the notorious Bangladesh bank robbery.

In the Cosmos Bank attack, malware authors targeted the payment switch servers, which have software apps installed that authorize data and allow information transfers between a payment portal and a payment processor or a bank. “Such a payment switch was infected with malware by the Lazarus Group to whitelist particular transactions issued by certain account numbers,” Lechtik said. “Whenever you requested money from those accounts, the ATM machine would give you money regardless of the balance in the underlining account.”

The operating system used on these servers is the rare Unix-based AIX created by IBM, used mainly by financial organizations. When software developers write apps, they write English words and symbols, which need to be translated by a compiler so that the machine can understand them. When source code goes through the process of compilation and linking, the result is an executable binary that follows a standardized format: The file has a header and several other sections.

IBM uses a format called XCOFF, which although is a standard, is quite rare. This is probably the only malware that uses this format, Lechtik said. According to an analysis made by researcher Frank Boldewin, the hacking group created the XCOFF malware to inject an implant into a payment switch server where financial transactions were being intercepted.

“If you write a malware for this format, you need to be aware of the highly customized environment in which you are operating. You need to understand the purpose of this platform, all its restrictions, all its ways of launching files, the various functions that you have in that environment,” Lechtik said.

In the past few years, Lechtik and Doniec have worked on several other unusual cases. In some of them, such as the Cosmos Bank example, the malware authors have used standard, but very niche file formats. In others, they’ve cleverly broken the headers or other sections and reconstructed the files. “Malware authors are experimenting with these techniques to decrease detectability,” Doniec said.

Another recent case the researchers investigated seems to be linked to the OceanLotus hacking group, also known as APT32, which has been active since 2014 targeting companies and government networks within Asian countries. The sample Doniec and Lechtik analyzed appeared to be aimed at human rights activists in Vietnam, who received malicious email attachments.

The sample has two elements, .blob and .cab, both executables in the same unknown format. The espionage features of the malware are performed by the .blob module, which seems to have a format derived from a traditional format used by the Windows operating system, the Portable Executable (PE). The sections are, however, shuffled and the header is replaced with a custom one, said Doniec.

She also analyzed payloads related to the Hidden Bee miner found by Jérôme Segura, malware intelligence analyst at Malwarebytes. Those malicious files were marked clean by VirusTotal, a platform that aggregates dozens of antivirus products. However, the researchers suspected something was fishy and analyzed the files manually. They discovered that the authors of the malware created their own executable file format, which was complex and had a consistent structure.

How can companies protect themselves against funky malware?

Doniec and Lechtik said that the phenomenon of outside-the-box malware formats is still rare at the moment, but they have recently seen an increase in such cases. They recommend that organizations pay more attention to security.

Some of this malware can be detected by antivirus software, Doniec said. “Once a malicious file is loaded into memory, it still has to interact with the operating system by the known APIs,” she said. “Those who are monitoring the APIs can observe that something suspicious is going on, and at this level it can be detected like any normal malware.”

The process of catching such malware is not perfect, and security companies might miss crucial data that can help draw the whole picture of an attack, Doniec argued. “Antivirus products send some data related to the attack as telemetry data [that security companies can analyze], but they will usually send executable [files], not some binary blobs of data in unknown formats,” she said.

Lechtik believes that, when dealing with funky malware formats, the work of a “very solid human researcher” is needed, as tools normally used for malware analysis might not parse outside-the-box samples.

The two researchers said they have reasons to believe that some malware authors will continue to be creative in the years to come, not only because they get bored using the same ideas over and over again, but also because security products have become more advanced and more mature, gaining greater detection capabilities. “As a malware author, you always have to innovate to find your way around these products,” Lechtik said.