Researchers warned Tuesday that the latest APT to make the rounds features a remote access Trojan that can effectively bypass security measures on infected machines and grant the attacker full access to the system.
Experts with the Israeli cyber security start-up enSilo discovered the RAT – which they refer to as Moker – lurking inside one of their customers’ networks but admit they aren’t sure how it got there.
In fact Yotam Gottesman, a senior security researcher with the firm, believes little was known about the malware until they stumbled upon it, pointing out that Moker hasn’t appeared on VirusTotal yet.
Perhaps that’s because the RAT, which targets Windows machines, is especially skilled when it comes to not getting caught.
According to researchers, Moker can bypass antivirus, sandboxing and virtual machines, and, by exploiting a design flaw, User Account Control, the Windows feature that’s supposed to give users a heads up when a program makes a change that requires administrator-level permission. The malware apparently even applies anti-debugging techniques after it’s been detected, to hinder dissection of the sample and to further deceive researchers.
“[Moker’s] detection-evasion measures included encrypting itself and a two-step installation,” Gottesman wrote on Tuesday.
“Measures to protect itself from posthumous dissection included evading debugging techniques that are used by researchers, the addition of complex code and purposefully adding instructions to lead researchers in the wrong direction.”
Once embedded on a system, the RAT could cause a real headache for users. An attacker could more or less take full control of the device to take screenshots, record web traffic, sniff keystrokes, and exfiltrate files. They could also leverage the malware to create new user accounts, modify system security settings, and inject malicious code during runtime on the machine.
It’s unclear exactly who’s behind the malware. enSilo points out that the malware communicated with a server in Montenegro, a small Balkan nation that borders Serbia and Kosovo, but the firm admits that this was probably done to throw off researchers and law enforcement.
In addition to the measures it takes to avoid detection, another interesting thing about the malware is that it doesn’t necessarily need to communicate with an external command and control server to do its bidding. The malware instead can receive commands locally via a hidden control panel.
The researchers assume the functionality was built into the RAT so an attacker could VPN into the system they’re targeting and pull strings from there, but acknowledge the feature also could’ve been inserted by the author for testing purposes.
While enSilo claims that Moker could have been a one-time thing, the firm wouldn’t rule out the possibility that other RATs might borrow similar techniques later down the line.
“This case might have been a dedicated attack,” Gottesman wrote. “However, we do see that malware authors adopt techniques used by other authors. We won’t be surprised if we see future APTs using similar measures that were used by Moker (such as bypassing security mechanisms and dissection techniques).”