What malware can do to your system: 5 things to watch out for
Malware, or “malicious software,” is any application that is meant to harm your device and data. Malware of various forms, such as trojans, viruses, ransomware, spyware, and worms, can be placed on your company’s systems.
Every year, millions of people fall prey to a cyber threat, and you and your staff are no exception. However, few people understand what malware is or what happens next. Is malware capable of obtaining passwords? Should I remove programs and files? What impact does it have on your business?
Malware operates in a variety of ways, and each form has unique characteristics. We’re here to help you understand how malware impacts your computer, the symptoms of malware, and how you can protect your business against malware infestation.
What is malware capable of?
Malware, in summary, may cause havoc on a computer and its network. Hackers use it to steal passwords, erase files, and render machines unworkable. A malware infestation can cause a variety of issues that impair your company’s everyday operations as well as its long-term security. Here are five examples of what malware may accomplish.
1. Steal your personal data
In the last year alone, there have been over 1,000 data breaches. These breaches impacted a wide range of industries, from government operations to small and large organisations, and many were initiated by malware.
One of the most dangerous and costly consequences of malware is data theft. Once malware such as spyware or a trojan is installed on your device, hackers can collect your personal and business information to sell to third parties. This data may include browsing history, passwords, client profiles, and other sensitive information.
2. Slows your computer
When malware is activated, it begins to drain a substantial portion of your computer’s memory. Wide varieties of malware also multiply and take up space on your hard disc, leaving little capacity for genuine programs. This loss of space can result in a sluggish computer, making it difficult to do business as usual.
3. Restrict access to your files
Malware can corrupt or erase files and programs on your computer. Many of these files will be inaccessible following a cyber assault unless they are backed up on another hard drive or cloud server.
Ransomware is a type of malware that encrypts your computer’s files. Hackers who use ransomware threaten to wipe all your data unless you pay them money.
4. Spread throughout your network
Worms are a particularly damaging sort of malware for enterprises. Once a machine is infected, the worm replicates itself and travels throughout the network. Because most businesses run all of their devices on a single network, a worm might harm not just one employee’s computer but the entire corporation.
5. Interfere with daily operations
Almost every sort of malware will disrupt routine corporate activities in some way. Adware is a particular annoyance for corporate productivity. When installed on a computer, it causes frequent popups and can even reroute your search results to marketers’ websites, making it difficult for anyone to use their device.
The past week has shown us a few case studies highlighting the serious impact of malware infestation.
Hacking group hides backdoor malware inside Windows logo image
Knowing what malware can do to you, your computer, or your business, it is unsettling to be on the receiving end of an attack like the one below. You must therefore see to it that you are protected at all times by conducting penetration testing to check for any vulnerabilities that could be exploited by bad actors such as the ‘Witchetty’ hacker gang.
Security experts have found a harmful campaign carried out by the ‘Witchetty’ hacker gang that employs steganography to conceal backdoor malware in a Windows logo.
Witchetty is thought to have close ties to the Chinese threat actor APT10 (aka ‘Cicada’). The gang is also thought to be part of the TA410 operatives, who have previously been linked to attacks on US energy providers.
According to Symantec, the threat group is running a new cyberespionage effort that began in February 2022 and continues to target two nations in the Middle East and an African stock market.
Making use of the Windows logo against you
The hackers in this campaign updated their toolset to target new vulnerabilities and employed steganography to mask their harmful payload from antivirus software.
Steganography is the practice of concealing data within non-secret, public information or computer files, such as an image, in order to avoid detection. A hacker, for example, can produce a working image file that displays normally on the computer but also contains malicious code that can later be extracted.
In the Symantec-discovered campaign, Witchetty used steganography to conceal an XOR-encrypted backdoor Trojan in an old Windows logo bitmap image.
The file is housed on a trusted cloud service rather than the threat actor’s command and control (C2) server, which reduces the likelihood of security alerts being raised while retrieving it.
“By disguising the payload in this manner, the attackers were able to host it on a free, trustworthy service,” Symantec writes in its analysis.
“Downloads from reputable hosts like GitHub are significantly less likely to trigger red flags than downloads from an attacker-controlled command-and-control (C&C) server.”
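The Symantec report does not detail exactly how Witchetty embedded the payload in the bitmap, so as an added defensive illustration (not Symantec’s tooling and not code from this article) the Python check below covers the most common form: it parses a BMP’s headers and flags bytes that sit after the declared pixel array, reporting their entropy, since an XOR-encrypted blob reads as near-random. The sample image and the trailing bytes are constructed inside the script.

```python
import math
import struct
from collections import Counter

def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: XOR-encrypted or compressed data sits near 8.0, plain text far lower."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

def inspect_bmp(data: bytes) -> list:
    """Return findings where the BMP headers disagree with the bytes actually present."""
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP file"]
    findings = []
    declared_size, _r1, _r2, pixel_off = struct.unpack_from("<IHHI", data, 2)
    dib_size = struct.unpack_from("<I", data, 14)[0]
    if dib_size < 40:                              # only BITMAPINFOHEADER and its successors
        return [f"unsupported DIB header size {dib_size}"]
    (_size, width, height, _planes, bpp, compression,
     _img_size, _xppm, _yppm, _clr_used, _clr_imp) = struct.unpack_from("<IiiHHIIiiII", data, 14)
    if pixel_off < 14 + dib_size:
        findings.append("pixel data offset overlaps the headers")
    if compression == 0:                           # BI_RGB: pixel array size is fully determined
        row_bytes = (width * bpp + 31) // 32 * 4   # rows are padded to 4-byte boundaries
        expected_end = pixel_off + row_bytes * abs(height)
        if expected_end > len(data):
            findings.append("truncated: pixel array runs past end of file")
        elif expected_end < len(data):
            extra = data[expected_end:]
            findings.append(f"{len(extra)} bytes after pixel array, entropy {shannon_entropy(extra):.2f}")
    if declared_size != len(data):
        findings.append(f"header declares {declared_size} bytes, file has {len(data)}")
    return findings

def build_bmp(width: int, height: int, trailing: bytes = b"") -> bytes:
    """Constructed 24-bit test image (not the real Windows logo) with optional appended bytes."""
    row_bytes = (width * 24 + 31) // 32 * 4
    pixels = (b"\x00\x00\xff" * width).ljust(row_bytes, b"\x00") * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 54 + len(pixels)   # bfSize covers headers and pixels only; appended data is not counted
    return b"BM" + struct.pack("<IHHI", size, 0, 0, 54) + dib + pixels + trailing

if __name__ == "__main__":
    sample = build_bmp(3, 2, trailing=bytes(range(256)))   # constructed stand-in for a hidden blob
    for finding in inspect_bmp(sample):
        print(finding)
```

A clean image produces no findings; an image with an appended blob produces both a trailing-data finding with its entropy and a size mismatch, which is what a triage script should alert on.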
Prilex Point-of-Sale malware has been upgraded to circumvent credit card security
This year, security analysts have discovered three new versions of the Prilex PoS-targeting malware, indicating that its developers and operators are back in business. Prilex began as ATM-focused malware in 2014 before shifting to PoS (point-of-sale) devices in 2016. While malware creation and spread peaked in 2020, it vanished in 2021.
According to Kaspersky experts, Prilex has reappeared, and the operational pause last year appears to have been a respite to focus on producing a more sophisticated and potent version. The most recent version can generate EMV (Europay, MasterCard, and Visa) cryptograms, which VISA introduced in 2019 as a transaction validation system to help detect and block payment fraud.
It also allows threat actors to employ EMV cryptograms (encrypted messages between the card and the reader holding transaction details), as outlined in the Kaspersky study, to undertake ‘GHOST transactions’ even with credit cards protected by CHIP and PIN protection.
“In GHOST attacks done by newer versions of Prilex, it requests additional EMV cryptograms after capturing the transaction,” according to Kaspersky, to be utilised in fraudulent transactions.
Process of infection and new capabilities
The infection begins with a spear phishing email impersonating a PoS vendor technician, claiming that the company’s PoS software needs to be updated. The phoney technician then physically visits the target’s location and instals a malicious upgrade on the PoS terminals.
Alternatively, the attackers instruct the victim to download the AnyDesk remote access programme and use it to replace the PoS firmware with a laced version. Following the infection, the operators examine the machine to determine whether the target processes enough financial transactions to be worth their time.
New malware backdoors VMware ESXi servers to hijack virtual machines
Hackers have discovered a new way to build persistence on VMware ESXi hypervisors in order to operate vCenter servers and virtual machines for Windows and Linux while evading discovery.
The attacker was able to install two backdoors known as VirtualPita and VirtualPie on the bare-metal hypervisor using malicious vSphere Installation Bundles.
Researchers also discovered a novel malware sample known as VirtualGate, which consists of a dropper and a payload.
Earlier this year, security researchers at cyber threat intelligence company Mandiant (bought by Google) discovered that an actor suspected of having ties to China utilised malicious vSphere Installation Bundles (VIBs) to transmit the VirtualPita and VirtualPie malware.
A VIB is a set of files used to create or manage an ESXi image. It allows the administrator to control how the ESXi installation acts by establishing startup tasks, firewall rules, or running binaries when the system restarts.
VIBs can be produced by VMware itself (developed and tested by the firm), by approved partners, or by the community, meaning any source not accepted through the VMware programme, such as individuals or third-party developers.
During the investigation, Mandiant determined that the threat actor, identified as UNC3886, changed the acceptance level in the XML descriptor for the VIB utilised in the attack from ‘community’ to ‘partner’ in order to trick anyone looking into it.
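As an added example (not Mandiant’s or VMware’s tooling, and not code from this article), the Python script below unpacks a VIB, which is packaged as a classic ‘ar’ archive, reads the `<acceptance-level>` element from its descriptor.xml, and flags a VIB that claims a level ESXi only accepts with a VMware signature but carries no `sig.pkcs7` member. The archive layout, the element names and the sample descriptor are assumptions and constructed values; verifying the signature itself is left to the host’s own tooling.

```python
import xml.etree.ElementTree as ET

AR_MAGIC = b"!<arch>\n"
KNOWN_LEVELS = {"certified", "accepted", "partner", "community"}
SIGNED_LEVELS = {"certified", "accepted", "partner"}   # assumed: ESXi expects a valid signature here

def ar_members(blob: bytes) -> dict:
    """Minimal reader for the classic 'ar' container (assumed VIB layout): name -> bytes."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                    # 60-byte member header
        name = hdr[:16].decode().rstrip(" /")
        size = int(hdr[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)               # member data is padded to an even offset
    return members

def audit_vib(blob: bytes) -> list:
    """Flag descriptor claims that do not match what the archive actually carries."""
    members = ar_members(blob)
    desc = members.get("descriptor.xml")
    if desc is None:
        return ["no descriptor.xml member"]
    root = ET.fromstring(desc)
    name = root.findtext("name") or "?"
    level = (root.findtext("acceptance-level") or "").strip().lower()
    findings = []
    if level not in KNOWN_LEVELS:
        findings.append(f"{name}: unrecognised acceptance level '{level}'")
    elif level in SIGNED_LEVELS and not members.get("sig.pkcs7"):
        findings.append(f"{name}: claims '{level}' acceptance level but carries no sig.pkcs7")
    return findings

def build_ar(members: dict) -> bytes:
    """Constructed archive writer, used only to build test samples here."""
    out = bytearray(AR_MAGIC)
    for name, data in members.items():
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}".encode() + b"`\n"
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)

# Constructed descriptor mimicking the 'community' -> 'partner' edit described above
DESCRIPTOR = (b'<vib version="5.0"><type>bootbank</type><name>example-vib</name>'
              b"<acceptance-level>partner</acceptance-level></vib>")

if __name__ == "__main__":
    for finding in audit_vib(build_ar({"descriptor.xml": DESCRIPTOR, "payload.vgz": b"\x00"})):
        print(finding)
```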
Malware deployment is becoming more sophisticated and stealthier as time goes by. If you take no precautions when opening portals or links, you and your computer might already be targeted and spied on so that your personal data can eventually be siphoned off.
With this, it is necessary to be proactive in making sure that your system is secure and safe from lurking bad actors waiting for the opportunity to access your confidential data. This can be done by conducting regular penetration testing, offered by Privacy Ninja, to check if any vulnerabilities are present that can be exploited and must be patched immediately.