Ransomware: Locky, TeslaCrypt and other malware families use new tool to evade detection

12 Apr 2016

Article by Palo Alto Networks

Recently, Palo Alto Networks identified slight changes in Locky detonations through the AutoFocus threat intelligence service, correlating global data to discover a new tool being used to pack multiple ransomware families. Adversaries are constantly seeking new techniques to bypass security controls, and based on data from AutoFocus, this represents a widespread update to their tradecraft. 

In their analysis, multiple malware samples stood out because of what appeared to be obfuscated API calls: the samples used a dictionary of embedded terms to resolve system functions, hiding their true capabilities from commonly used static analysis tools.

[Figure: Oddly named variables passed to API calls]

Tampering with the API calls takes away the ability to classify based on key names, thus increasing the likelihood that the malware will go undetected. This, however, is where it gets interesting, as it appears this was just the first in a series of misdirections designed to throw off analysts.

In the new samples, the import tables (the libraries to load on execution) differed significantly from sample to sample and were not actually used at all during execution. This prevented any sort of meaningful detection by import hashing. Additionally, the executable version information varied per sample but showed a clear pattern that can be used for future identification.
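As an added illustration (not code from Palo Alto Networks or from the original article), the sketch below shows why per-sample import tables that are never used defeat import hashing, and how a defender could instead compare the declared imports with the API calls recorded during detonation. The import lists, observed calls and thresholds are constructed assumptions; the hash follows the common imphash convention of lowercased `library.function` names joined by commas.

```python
import hashlib

def imphash(imports):
    """MD5 over the ordered import list (common imphash convention)."""
    parts = []
    for dll, func in imports:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        parts.append(f"{name}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()

def decoy_import_report(imports, observed_calls, max_used=0.2, min_undeclared=3):
    """Compare the static import table with API calls seen at run time.

    The thresholds are illustrative assumptions, not values from the article.
    """
    declared = {func.lower() for _, func in imports}
    observed = {call.lower() for call in observed_calls}
    used = declared & observed
    undeclared = sorted(observed - declared)
    ratio = len(used) / len(declared) if declared else 0.0
    return {
        "declared_used_ratio": ratio,
        "undeclared_calls": undeclared,
        # Few declared imports exercised, many calls resolved some other way.
        "suspicious": bool(declared) and ratio < max_used
                      and len(undeclared) >= min_undeclared,
    }

# Constructed data: two samples with unrelated import tables, same behaviour.
SAMPLE_A = [("gdi32.dll", "BitBlt"), ("gdi32.dll", "CreatePen"),
            ("winmm.dll", "waveOutOpen"), ("user32.dll", "DrawTextW"),
            ("kernel32.dll", "GetTickCount")]
SAMPLE_B = [("comdlg32.dll", "GetOpenFileNameW"), ("shell32.dll", "DragQueryFileW"),
            ("advapi32.dll", "RegOpenKeyExW"), ("kernel32.dll", "Sleep"),
            ("user32.dll", "GetDC")]
OBSERVED = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW", "WriteFile"]

if __name__ == "__main__":
    for label, table in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label, imphash(table), decoy_import_report(table, OBSERVED))
```

Packed but legitimate software can show the same mismatch, so a result like this is a reason to triage a sample, not a verdict on its own.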

Palo Alto Networks has identified this technique being picked up recently by the Locky ransomware, and has also identified samples of the TeslaCrypt and Andromeda malware families, dating back to March 14, 2016, that exhibit the technique.
