One of the most dangerous malware risks is the remote access trojan: it is covert, easy to copy and highly configurable, and until now the main protection against it has been ever more capable antivirus software. Cybercriminals, however, have now developed an attack vector that slips past standard antivirus defences.
The hostile meme is malware
In his book The Selfish Gene, atheist philosopher Richard Dawkins argued that while some ideas and concepts perish from a society, others thrive. He coined the term "meme" for the unit of this cultural Darwinism: something transmitted from one brain to another, such as an accent, a word or a melody; anything you can say that has a cultural impact on the population.
At the border between software and a meme lies malware. It is hostile and intrusive, designed to use whatever means necessary to reach systems it is not authorised to access. How malware spreads is crucial, since virality is at its very core, and even the first "wild" virus, from 1982, showed this. Elk Cloner, written by 15-year-old schoolboy Rich Skrenta, infected Apple II systems: as the floppy disc passed under the drive's read/write head, Elk Cloner displayed a message informing the user that the machine was infected. Rich copied it onto a game floppy and handed it to his friends, which is how it "spread".
The sociotechnical environment has changed since then. Rich's schoolmates knew nothing of malware and had no antivirus software; today malware hides in executables, phishing emails and trojans. Yet the contest between viruses and antivirus software remains fierce, and the latter has become far more adept at detecting dangerous software.
WORKINGS OF ANTIVIRUSES
Most of the time, antivirus software sits idle on a computer, silently examining each file you open. When you click a file, before it opens, the antivirus engine computes the file's signature and compares it against a database of known malicious signatures.
This approach is particularly effective against well-known malware, and an additional layer helps keep new malware out: heuristic detection examines the expected behaviour of a file rather than its signature. If anything looks questionable or suspicious, the antivirus begins quarantining.
The intention is to terminate any processes the file is using, hopefully halting the malware in its tracks.
TRUSTED TROJAN
Some malware can reproduce itself, as germs do. Trojans, on the other hand, rely on social engineering and repeated downloads to spread. A traditional trojan impersonates a trustworthy file in an effort to trick you into downloading and running it yourself. Once installed, it carries out the task it was built for.
For instance, one day you might get an email from a trusted friend. "Look at this attachment, please!" it might say. But you have been duped: the email was sent by a cybercriminal, and only the antivirus software could discover and halt the file you downloaded, opened and clicked on.
Remote access trojans (RATs) are files designed to grant the attacker access and control, giving them practically complete command of the infected system. A RAT can harvest private information such as usernames, passwords, social security numbers and credit card accounts; it can also download further ransomware and take over the system's webcam.
Trojans frequently work together with other software and attack methods, forming a significant link in a complete attack chain.
WHAT MAKES MALWARE VISIBLE
Windows records a file failing to run, or the operating system failing to load a file, as an event. The activity occurring on your device while you browse is stored in the Event Viewer.
Unknown attackers recently delivered a RAT through the Windows event logs, something unprecedented. They began by luring victims to a website hosting a booby-trapped download: a zipped file with two stowaways, Cobalt Strike and SilentBreak, both tools used in legitimate penetration testing, which deploys beacons to find network weaknesses.
A DLL is a particular kind of file that holds instructions for other programmes. Unlike executables, DLL files must be invoked by other running code in order to do anything.
Once established, Cobalt Strike and SilentBreak work through the myriad DLLs that form part of the malware package. Unlike traditional attack vectors that require a file to be downloaded, they simply decrypt the kernel32.dll and ntdll.dll libraries located on the attacker's server. These DLLs then drop a PowerShell script directly into the middle of the Windows event log.
WerFault.exe is a legitimate file Windows uses to report failures: when a programme crashes, Windows records the failure through WerFault.exe. Using a counterfeit ReportEvent() function that appears genuine, malicious code is inserted into this fake event log.
Finally, the attacker begins adding new shellcode directly in the ReportEvent() parameter. Although each chunk is only 8 KB, one more piece of code reassembles the chunks into a complete script, and the attacker then has full, unrestricted access to the device and its network.
Antivirus software misses this entirely because the attacker relies on DLLs rather than plain .exe files. And because the shellcode is spread so covertly across the device, it is also much harder to remove once discovered. The researcher's client was left wholly exposed to further attacks, such as ransomware.
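As an added defender-side example (not code from the original post), the heuristic below models what a hunt over event log records could look like: it flags records carrying a large, high-entropy binary payload and groups them by source and event ID, since a script split into 8 KB chunks across many records leaves a run of such entries. The record type, the source names and the event IDs are constructed stand-ins, not values from the incident.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class EventRecord:
    """Constructed stand-in for one event log record (not a real Windows API type)."""
    record_id: int
    source: str      # event provider / source name
    event_id: int
    data: bytes      # binary data a caller may attach to an event via ReportEvent()

def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: text sits around 4-5, encrypted or packed data near 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_suspicious_payload(data: bytes, min_len: int = 4096, min_entropy: float = 7.0) -> bool:
    """Large and near-random binary data is unusual for a diagnostic event."""
    return len(data) >= min_len and shannon_entropy(data) >= min_entropy

def find_payload_chains(records, min_chunks: int = 3) -> dict:
    """Group flagged records by (source, event_id); a chunked script leaves a run of them."""
    chains: dict = {}
    for rec in records:
        if is_suspicious_payload(rec.data):
            chains.setdefault((rec.source, rec.event_id), []).append(rec.record_id)
    return {key: ids for key, ids in chains.items() if len(ids) >= min_chunks}

# Constructed sample log: an ordinary text event, one large but low-entropy blob,
# and four 8 KB pseudo-random blobs from a hypothetical source (the source name
# and event ID are made up for this example).
_rng = random.Random(1)
SAMPLE_LOG = [
    EventRecord(1, "Service Control Manager", 7036, b"The Print Spooler service entered the running state."),
    EventRecord(3, "Hypothetical Diagnostics", 100, b"\x00" * 8192),
]
SAMPLE_LOG += [
    EventRecord(10 + i, "HypotheticalSource", 8, bytes(_rng.getrandbits(8) for _ in range(8192)))
    for i in range(4)
]

if __name__ == "__main__":
    for (source, event_id), ids in find_payload_chains(SAMPLE_LOG).items():
        print(f"{source} / event {event_id}: {len(ids)} high-entropy records {ids}")
```

Real triage would read records with the platform's event log tooling and tune the size and entropy thresholds against a baseline of the organisation's own logs.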
RATS ARE TERMINATED
Defending against this new type of RAT needs a sophisticated security system rather than just an antimalware programme. A fileless RAT calls for a similarly fileless response; one key defence is an organisation's ability to sever communication with the attacker's server.
At an application's perimeter, Web Application Firewalls (WAFs) watch all HTTPS traffic between the application and the outside world. With a strict whitelist in place and a zero-trust architecture, a fileless RAT can be rendered useless by cutting off contact with the attacker's C&C server.