Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Malware

New dangerous threat Magic Malware hit thousands of UK firms

The Internet is full of news regarding malware more or less sophisticated that are used for various purposes, cybercrime, cyber espionage, hacktivism or cyber warfare but not all these agents demonstrated their efficiency over the time. This time thousands of UK companies have been targeted by a smart malware, dubbed “Magic Malware”,  that has gone undetected […]

New dangerous threat Magic Malware hit thousands of UK firms

The Internet is full of news regarding malware more or less sophisticated that are used for various purposes, cybercrime, cyber espionage, hacktivism or cyber warfare but not all these agents demonstrated their efficiency over the time.

This time thousands of UK companies have been targeted by a smart malware, dubbed “Magic Malware”,  that has gone undetected for at least eleven months according revelation of security firm Seculert.

 

GeoDistributionMalware

 

 

Despite there is no certainty of the real purpose of the malware security experts believe that it is designed for cyber espionage operations, what seems very likely is that malicious agent is still a work in progress probably only at the first stage of a large scale operation.

The consideration arises from the observation that the malicious code detected containing various “indications of features which are not yet implemented”, and functions which are not yet used by the malware.

“The real intention of the attackers behind this magic malware is yet to be known. As the malware is capable of setting up a backdoor, stealing information, and injecting HTML into the browser, we believe that the current phase of the attack is to monitor the activities of their targeted entities,” wrote Aviv Raff in the post on official company website.

Aviv Raff has approached the analysis of the malware as a show of prestige organized in three phases:

  • “The Pledge” – malware detection
  • “The Turn” – the particular malware behavior
  • “The Prestige – the real intention of the attackers.

“This ‘Magic Malware’ is active, persistent and had remained undetected on the targeted machines for the past 11 months. Since then the attackers were able to target several thousands of different entities, most of them located in the United Kingdom,” 

What is singular is that the malicious code adopted a sly technique to communicate with control structures after infected the victims through a specialized server communication protocol.  “The Turn” phase represents the extraordinary behavior of the malware, after a first connection to the C&C malware and control server start communicating with a custom-made protocol, and always using a magic code at the beginning of the conversation.

In the following pictures the typical handshake between the interlocutors:

“Magic” malware receives an initial response to use “some_magic_code1” as a magic code

Then “magic” malware receives an instruction from the C2 server to add a new user

 

The malware once infected the victim takes complete remote control of it waiting for orders from the command and control server (C&C) exactly as for any other botnet architecture.

The malware is capable of downloading and executing additional malicious files, probably the modularity of the agent could adapt the malicious code for further use such as sabotage.

Another element that suggests the cyber espionage intent behind the malware is the nature of the targets, there are in fact financial companies, education and also communications providers.

Security experts are convicted that in the future the malware will continue its evolution, in the meantime lets install all defense systems and keep them updated.

Pierluigi Paganini

(Security Affairs – Malware)