
Ransomware: Locky, TeslaCrypt and other malware families use new tool to evade detection

12 Apr 2016

Article by Palo Alto Networks

Recently, Palo Alto Networks identified slight changes in Locky detonations through the AutoFocus threat intelligence service, correlating global data to discover a new tool being used to pack multiple ransomware families. Adversaries are constantly seeking new techniques to bypass security controls, and based on data from AutoFocus, this represents a widespread update to their tradecraft. 

In their analysis, multiple malware samples stood out because their API calls were obfuscated: rather than importing system functions directly, the samples resolved them at run time from a dictionary of embedded terms, hiding their true capabilities from commonly used static analysis tools.

[Figure: oddly named variables passed to API calls]

Tampering with the API calls removes the ability to classify a sample based on the names of the functions it calls, increasing the likelihood that the malware goes undetected. This, however, is where it gets interesting, as it appears this was only the first in a series of misdirections designed to throw off analysts.

When looking at the new samples, the import tables (the libraries and functions declared for loading on execution) differed significantly from sample to sample, and the declared imports were not actually used at all during execution. Because an import hash (imphash) is computed solely from that declared table, this prevented any meaningful detection by import hashing. Additionally, the executable version information varied per sample but followed a clear pattern that can be used for future identification.
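Why decoy import tables defeat imphash can be shown in a few lines. The script below is an added illustration, not code from the original article or from Palo Alto Networks: the two samples, their decoy import tables and their run-time resolved API lists are constructed, and the resolved_api_hash measure is a hypothetical alternative included only to contrast with imphash (it assumes the real API set has been recovered from an unpacked sample or a sandbox trace).

```python
import hashlib

# Constructed samples (not real Locky/TeslaCrypt data): each carries a decoy
# import table that varies per sample plus the set of API names the packer
# actually resolves at run time from its embedded dictionary.
SAMPLES = {
    "sample_a": {
        "imports": {
            "KERNEL32.dll": ["GetTickCount", "Sleep"],
            "USER32.dll": ["MessageBoxA"],
        },
        "resolved": ["VirtualAlloc", "VirtualProtect", "CreateThread", "CryptEncrypt"],
    },
    "sample_b": {
        "imports": {
            "KERNEL32.dll": ["GetCommandLineA", "ExitProcess"],
            "GDI32.dll": ["CreateFontA", "DeleteObject"],
        },
        "resolved": ["CryptEncrypt", "VirtualAlloc", "CreateThread", "VirtualProtect"],
    },
}


def imphash(imports):
    """Import hash in the pefile/VirusTotal style (simplified, no ordinals):
    'dll.func' pairs, lower-cased, library extension stripped, comma-joined in
    table order, then MD5. Only the declared import table feeds this, so a
    packer that emits a different decoy table per sample controls the value."""
    parts = []
    for dll, funcs in imports.items():
        base = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[: -len(ext)]
                break
        parts.extend(f"{base}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def resolved_api_hash(names):
    """Hypothetical measure (not from the article): an order-insensitive hash
    over the APIs the sample actually resolves at run time. Because the packer
    reuses the same dictionary across samples, this stays stable even though
    the declared import tables differ."""
    canon = ",".join(sorted(name.lower() for name in names))
    return hashlib.sha256(canon.encode()).hexdigest()


def cluster(samples):
    """Group samples under each metric: {metric: {digest: [sample names]}}."""
    out = {"imphash": {}, "resolved": {}}
    for name, data in samples.items():
        out["imphash"].setdefault(imphash(data["imports"]), []).append(name)
        out["resolved"].setdefault(resolved_api_hash(data["resolved"]), []).append(name)
    return out


if __name__ == "__main__":
    # Expect two distinct imphash groups (evasion works) but one resolved group.
    for metric, groups in cluster(SAMPLES).items():
        print(metric)
        for digest, names in groups.items():
            print(f"  {digest[:16]}...  {', '.join(names)}")
```

Running it places the two constructed samples in separate imphash buckets but in a single bucket under the run-time view, which is the practical point: once a packer decouples the declared import table from the code that executes, any identifier built from static imports alone has to be replaced by one derived from post-unpacking behaviour or, as the article notes, from other stable artefacts such as the version-information pattern.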

Palo Alto Networks has identified this technique being picked up recently by the Locky ransomware, but they have also identified samples of the TeslaCrypt and Andromeda malware families, dating back to March 14, 2016, that exhibit the same technique.

For more details, read the full Palo Alto Networks blog post.
