Advertisement
Subscribe to our daily newsletter.
Subscribe

New report unearths the expertise in Russian hackers’ code

​Hackers from an advanced persistent threat group linked to Russian intelligence recently created a malware tool that takes advantage of a bug in a popular security program — illustrating the care that professional hackers take to evade detection.

By

Hackers from an advanced persistent threat group linked to Russian intelligence recently created a malware tool that takes advantage of a bug in a popular security program — illustrating the care that professional hackers take to evade detection.

In a blog post Friday, researchers from cybersecurity company Palo Alto Networks said they last month found a “dropper” — malicious code hidden in an email attachment which installs itself on a victim’s machine — that was undetectable by IDA, or Interactive DisAssembler.

IDA is an industry-standard tool that shows the instructions actually executed by a computer’s processor — enabling security researchers to detect and analyze deployed malware.

It’s used by “Virtually all anti-virus companies, most vulnerability research companies, many of the large software development companies and, above everything else, three letter agencies and military organizations,” according to IDA’s maker — Belgium based Hex-Rays SA.

Advertisement

The researchers said the dropper was a tool deployed by the APT group linked to the Democratic National Committee hack this year — variously known as Cozy Bear, APT 29 or Dukes. The group has previously targeted the unclassified computer networks of the White HouseState Department, and U.S. Joint Chiefs of Staff.

Significantly, the dropper, sent on Aug. 10, concealed itself from IDA by taking advantage of a bug that Hex-Rays had found and fixed. The notice about the IDA update — noting the bug as fixed in the latest release — was distributed Aug. 8.

The threat group, conclude the researchers, “knows that malware analysts tasked with reverse engineering their tools typically use the IDA disassembler.”

The speed with which Cozy Bear were able to deliver malware that exploited the IDA bug speaks to the professionalism of their coders and the care which they take to avoid detection and analysis.

“It appears this group looks for ways to evade [security software], specifically in this case by monitoring release notes from known malware analysis tools to deploy their own countermeasures,” the researchers conclude.

Shaun Waterman

Written by Shaun Waterman

Contact the reporter on this story via email Shaun.Waterman@FedScoop.com, or follow him on Twitter @WatermanReports. Subscribe to CyberScoop to get all the cybersecurity news you need in your inbox every day at CyberScoop.com.
Advertisement
Advertisement

More Like This

Advertisement

Top Stories

Advertisement

More Scoops

PARASKOVIIVKA, UKRAINE – DECEMBER 17: An electric substation of salt mine on December 17, 2022 in Paraskoviivka, Ukraine. Now local residents remain in the village and the military of the Armed Forces of Ukraine. There is no electricity, the village is under constant shelling. Communication works only on the pedestrian bridge via the railway. The salt mines of the state enterprise “Artemsil” stopped working due to hostilities at the end of May. (Photo by Vitalii Pavlenko/Global Images Ukraine via Getty Images)

Russian hackers disrupted Ukrainian electrical grid last year

The notorious Russian hacking group known as Sandworm took down a substation that caused a brief outage, according to a new Mandiant report.
By Christian Vasquez AJ Vicens

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

The logo of the podcast Safe Mode

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics