A piece of malware used in targeted attacks aimed at South Korea and Japan is inflated with junk data in an effort to avoid detection. While the technique is not exactly new, researchers at Kaspersky Lab believe this particular malware is noteworthy.
The security firm came across the malware while analyzing attacks involving a malware toolkit dubbed “XXMM.” The threat, disguised as a file named srvhost.exe in an effort to avoid raising suspicion, had a size of more than 100 Mb.
Kaspersky’s investigation has revealed that the malware is a Trojan loader designed to activate a backdoor called “wali” by its author. The backdoor module is injected into the iexplore.exe process by the loader.
The size of malware samples typically ranges between a few kilobytes and a few megabytes, depending on how they are packaged. Cybercriminals have also been known to hide malware in movie or ISO files, which can result in malware that has a size of hundreds of megabytes or even a few gigabytes.
What makes Wali interesting is the fact that it’s not delivered as a 100 Mb file. The initial loader is roughly 1 Mb in size, but its two dropper components append tens of megabytes of garbage data to the final malware executable file.
Since the junk data is created dynamically by the droppers, the size of the malware file can vary. Kaspersky has seen both 50 Mb and 100 Mb samples in real world attacks, but experts have also observed a 200 Mb sample generated using the same technique.
Researchers believe this is also a noteworthy threat due to the fact that it has been used in targeted attacks.
“While this technique may seem inefficient in its primitive approach to bypass detection, we believe that in certain cases this malware may stay below the radar of incident responders and forensic analysts who use YARA rules to scan hard drives,” explained Kaspersky’s Suguru Ishimaru.
“The reason is that one of the common practices for YARA rule authors is to limit the size of scanned files, which is aimed mainly at improving performance of the scanning process. Large files, like the ones produced by XXMM malware, may become invisible for such rules, which is why we would like to recommend security researchers to consider this when creating rules for dropped malwares,” the expert added.