A hard-to-spot malware package has raised alarms over its seeming ability to evade many defenders and security protections.
Security vendor Sysdig says that researchers with its Threat Research Team (TRT) uncovered a malware payload dubbed LabRat which appears to be going to extraordinary lengths in order to operate undetected.
"Compared to many of the attacks the Sysdig TRT team observes, this one fell on the more sophisticated side of the spectrum," the Sysdig TRT writes.
"Many attackers do not bother with stealth at all, but this threat actor took special care when crafting their operation. These efforts will make it more challenging for defenders to detect."
The malware itself is apparently a fairly run-of-the-mill cryptojacking and proxyjacking campaign.
In a cryptojacking campaign, the victim's machine is used to covertly mine cryptocurrency for the attacker, while a proxyjacking campaign quietly enrolls the victim's machine into a peer-to-peer bandwidth-sharing platform to the benefit of the attacker.
The TRT team reports that the attack vector is actually a known vulnerability in GitLab servers (CVE-2021-2205) which allows the attacker to achieve remote code execution and drop the payload itself on the vulnerable machine.
What sets this campaign apart, however, is the effort the malware writers have put into obfuscating their code. Additionally, the use of the TryCloudFlare service to route the traffic further helps hide the attackers from their infected systems.
"There is heavy encryption and anti-reverse engineering techniques applied to the malware, which was undetected by VirusTotal (VT) and something we don’t commonly see," Sysdig director of threat research Michael Clark told The Stack.
"The binaries used for persistence, written in Go, were also undetected in VT, as were the cryptominers."
Researchers noted that the LabRat crew appears to have gone above and beyond in its efforts to obfuscate code in order to allow the malicious payload to run undetected and thwart white hat researchers who would look to pick the malware apart in order to develop countermeasures.
"These threat actors are much more concerned with stealth than most because time equates to money. The longer they maintain their access and run the proxyjacking and cryptomining software, the more they earn," Clark explained.
"Time is especially important for proxyjacking as a non-attributable network is only as good as the amount of nodes in their network. If it becomes too few, the service can be blocked and rendered useless."
Sysdig says that administrators best hope for thwarting such attacks is early detection. Having updated and capable monitoring tools will help catch the attacks in the early phases and stop them before they can take root and deploy counter-defense tools.
