A piece of malware used in targeted attacks aimed at South Korea and Japan is inflated with junk data in an effort to avoid detection. While the technique is not exactly new, researchers at Kaspersky Lab believe this particular malware is noteworthy.
The security firm came across the malware while analyzing attacks involving a malware toolkit dubbed “XXMM.” The threat, disguised as a file named srvhost.exe in an effort to avoid raising suspicion, had a size of more than 100 Mb.
Kaspersky’s investigation has revealed that the malware is a Trojan loader designed to activate a backdoor called “wali” by its author. The backdoor module is injected into the iexplore.exe process by the loader.
The size of malware samples typically ranges between a few kilobytes and a few megabytes, depending on how they are packaged. Cybercriminals have also been known to hide malware in movie or ISO files, which can result in malware that has a size of hundreds of megabytes or even a few gigabytes.
What makes Wali interesting is the fact that it’s not delivered as a 100 Mb file. The initial loader is roughly 1 Mb in size, but its two dropper components append tens of megabytes of garbage data to the final malware executable file.
Since the junk data is created dynamically by the droppers, the size of the malware file can vary. Kaspersky has seen both 50 Mb and 100 Mb samples in real world attacks, but experts have also observed a 200 Mb sample generated using the same technique.
Researchers believe this is also a noteworthy threat due to the fact that it has been used in targeted attacks.
“While this technique may seem inefficient in its primitive approach to bypass detection, we believe that in certain cases this malware may stay below the radar of incident responders and forensic analysts who use YARA rules to scan hard drives,” explained Kaspersky’s Suguru Ishimaru.
“The reason is that one of the common practices for YARA rule authors is to limit the size of scanned files, which is aimed mainly at improving performance of the scanning process. Large files, like the ones produced by XXMM malware, may become invisible for such rules, which is why we would like to recommend security researchers to consider this when creating rules for dropped malwares,” the expert added.
Related: Targeted Malware Campaign Uses HWP Documents
Related: China-Linked Group Uses New Malware in Japan Attacks
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
Latest News
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Google Patches Third Chrome Zero-Day of 2023
- Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
