
Cracking the Code: Unravelling the Persistence of Legacy Malware - Shailendra Shyam Sahasrabudhe, Country Manager, India, UAE and South East Asia, Cymulate Ltd.


A sophistication that adds to its persistence.

Packed with UPX and built for 32-bit Windows, Phobos displays typical ransomware behaviour: it checks for Cyrillic keyboard layouts and locales to avoid hitting "friendly" targets, terminates specific system processes and services so that open files can be encrypted, and takes steps to block recovery. The steps that make an infection hard to undo are deleting volume shadow copies, disabling Windows recovery options, and turning off the Windows Firewall; these are not persistence mechanisms in the strict sense, but they are what keep the damage in place once encryption has run. Once active, it encrypts files, appending a "VXUG" extension to impersonate VX-Underground, and drops ransom notes across the affected directories.

The Ongoing Success of Older Attacks: Unpacking the Enigma

The question that begs an answer is why these older attacks, like Phobos, continue to be successful despite their well-documented tactics and familiar methodologies. Several factors contribute to their persistent success:

Signature-Based Malware Detection Limitations:

Many organizations still rely on signature-based malware detection, which matches file hashes or fixed byte patterns and therefore struggles to keep up with constantly evolving threats. Every recompilation, repacking or trivial patch of the binary changes its hash and usually its byte patterns, so a sample that differs by a few bytes from a known one walks past signature-dependent systems.

Heuristic and Behavioural-Based Anti-Malware Limitations:

Heuristic or behaviour-based anti-malware systems offer better coverage but are not foolproof. Threat actors rearrange code, apply layered obfuscation, and rebuild the same malware into distinct binaries so that static heuristics score it differently each time; behavioural detection, for its part, only fires once the malicious actions actually occur, which is why checks such as the Cyrillic-locale test also serve to keep a sample quiet in environments it does not want to run in.

Organizational Sprawl and Resulting Defence Gaps:

As organizations expand, the sprawl of infrastructure, coupled with limited security resources, leads to defence gaps. Overworked security teams may overlook weaknesses that result from inadequate configurations or from neglecting essential security updates.

Integration of New Users and Systems:

The growing dependence on third-party services introduces new attack surfaces into existing infrastructures. Each integrated third-party appliance brings its own configuration and defence mechanisms and demands a rigorous security evaluation, or it becomes an inadvertent vulnerability.

The Stakes Are Higher: Regulatory Changes and Consequences

The potential impact of a breach on a business goes beyond the immediate consequences of business interruption, loss of customer trust, and remediation costs. Regulatory changes add the risk of much heavier losses, such as the non-renewal of federal contracts. A breach traced to a known issue that a government agency such as CISA (Cybersecurity and Infrastructure Security Agency) has already flagged, for instance an entry in its Known Exploited Vulnerabilities catalogue, can carry severe consequences, so organizations must address identified vulnerabilities promptly.

Shoring Up Defences: Strategies Against Reconditioned Attacks

Defending against revitalized attacks necessitates a multi-faceted approach, aligning with the principle of defence in depth. This involves creating and maintaining multiple layers of security controls that protect against different attack vectors.

Complement Signature-Based Detection:

Augment signature-based detection with behavioural analytics and heuristics. This two-pronged approach widens coverage, because a behavioural rule fires on what the malware does regardless of its hash, while signature matches still give fast, high-confidence verdicts for known samples; it is defence in depth applied to the detection layer itself.
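The following Python script is an added example, not code from the original article or from Cymulate, that puts the point of the last two sections beside the Phobos behaviours described earlier: a hash signature that knows one build misses a recompiled build that differs by a few bytes, while behaviour rules keyed on shadow-copy deletion, recovery disabling and firewall tampering catch both and ignore a lone administrative cleanup. The two "builds", the Sysmon-like event format (`timestamp|ParentImage|Image|CommandLine`), the regex rules and the alert threshold are all assumptions constructed for the demonstration.

```python
"""Signature vs behaviour detection over constructed ransomware telemetry (added example)."""
import hashlib
import re
from collections import defaultdict

# --- Signature side -------------------------------------------------------
# Constructed stand-ins for two builds of one ransomware family (not real
# samples): build B is what a recompile or repack produces, a few bytes differ.
SAMPLE_A = b"MZ\x90\x00" + b"BUILD-A" + b"\x00" * 16
SAMPLE_B = b"MZ\x90\x00" + b"BUILD-B" + b"\x00" * 16

# A signature feed that has only ever seen build A.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_A).hexdigest()}


def signature_verdict(sample: bytes) -> bool:
    """True only if the exact file hash is already in the signature feed."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


# --- Behaviour side -------------------------------------------------------
# Rules for the recovery inhibition and firewall tampering described for
# Phobos. They match what a process does, so they are independent of the hash.
BEHAVIOUR_RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "firewall_disabled": re.compile(
        r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
}
# Alert only when one parent process triggers at least this many distinct rules
# (assumed threshold); an admin pruning old shadow copies should not page the SOC.
ALERT_THRESHOLD = 2

# Constructed process-creation events in an assumed Sysmon-like shape:
# 'timestamp|ParentImage|Image|CommandLine'. These are not real logs.
SAMPLE_EVENTS = r"""
2024-01-10T09:12:01|C:\Users\victim\Downloads\invoice.exe|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2024-01-10T09:12:01|C:\Users\victim\Downloads\invoice.exe|C:\Windows\System32\cmd.exe|cmd.exe /c wmic shadowcopy delete
2024-01-10T09:12:02|C:\Users\victim\Downloads\invoice.exe|C:\Windows\System32\cmd.exe|cmd.exe /c bcdedit /set {default} recoveryenabled no
2024-01-10T09:12:02|C:\Users\victim\Downloads\invoice.exe|C:\Windows\System32\cmd.exe|cmd.exe /c netsh advfirewall set allprofiles state off
2024-01-10T09:15:00|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\victim\notes.txt
2024-01-10T09:20:30|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /for=C: /oldest
"""


def parse_events(text: str):
    """Yield (timestamp, parent_image, image, command_line) tuples, skipping malformed lines."""
    for line in text.strip().splitlines():
        parts = line.split("|", 3)
        if len(parts) == 4:
            yield tuple(parts)


def behaviour_verdict(text: str) -> dict:
    """Map each parent image to the set of behaviour rules its child processes triggered."""
    triggered = defaultdict(set)
    for _ts, parent, _image, cmdline in parse_events(text):
        for name, pattern in BEHAVIOUR_RULES.items():
            if pattern.search(cmdline):
                triggered[parent].add(name)
    return dict(triggered)


def flagged_parents(text: str) -> list:
    """Parents whose children crossed ALERT_THRESHOLD, i.e. look like pre-encryption activity."""
    return sorted(parent for parent, rules in behaviour_verdict(text).items()
                  if len(rules) >= ALERT_THRESHOLD)


if __name__ == "__main__":
    for name, sample in (("build A", SAMPLE_A), ("build B", SAMPLE_B)):
        print(f"signature verdict for {name}: {signature_verdict(sample)}")
    for parent, rules in behaviour_verdict(SAMPLE_EVENTS).items():
        print(f"{parent}: {sorted(rules)}")
    print("flagged:", flagged_parents(SAMPLE_EVENTS))
```

Run as-is, the signature check accepts build A and misses build B, while the behaviour rules flag only `invoice.exe`, whose children triggered all three rules; the PowerShell session that deleted a single old shadow copy matches one rule and stays below the threshold. In a real deployment the rules would run over the EDR or SIEM's process-creation stream and the threshold would be tuned against the environment's own admin activity.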

Attack Surface Management (ASM) Tools:

Use offensive-oriented ASM tools to test system resilience and identify security gaps. Tools like Cymulate ASM, with both internal and external capabilities, assess not only exposed assets but also internally exploitable assets and weaknesses along attack paths.

Keep Security Controls Up to Date:

Continuously update and maintain security controls, including firewalls, antivirus software, and intrusion detection systems. Frequent validation of control effectiveness is crucial to catch configuration drift, and Breach and Attack Simulation (BAS) tools exercise controls with safe re-creations of real-world attack techniques to confirm that they still detect and block them.

The success of these older attacks serves as a stark reminder of the limitations of traditional signature-based detection methods. Embracing and validating more dynamic approaches, such as behavioural analytics and heuristics, is crucial in fortifying defences.

Leveraging tools like Cymulate's Attack Surface Management and Breach and Attack Simulation enables proactive identification and resolution of vulnerabilities, automating the validation process in the ongoing battle against persistent threats.