
Targeted Malware Inflated With Junk Data to Avoid Detection

A piece of malware used in targeted attacks aimed at South Korea and Japan is inflated with junk data in an effort to avoid detection. While the technique is not exactly new, researchers at Kaspersky Lab believe this particular malware is noteworthy.


The security firm came across the malware while analyzing attacks involving a malware toolkit dubbed “XXMM.” The threat, disguised as a file named srvhost.exe in an effort to avoid raising suspicion, had a size of more than 100 Mb.

Kaspersky’s investigation has revealed that the malware is a Trojan loader designed to activate a backdoor called “wali” by its author. The backdoor module is injected into the iexplore.exe process by the loader.

The size of malware samples typically ranges between a few kilobytes and a few megabytes, depending on how they are packaged. Cybercriminals have also been known to hide malware in movie or ISO files, which can result in malware that has a size of hundreds of megabytes or even a few gigabytes.

What makes Wali interesting is the fact that it’s not delivered as a 100 Mb file. The initial loader is roughly 1 Mb in size, but its two dropper components append tens of megabytes of garbage data to the final malware executable file.

Since the junk data is created dynamically by the droppers, the size of the malware file can vary. Kaspersky has seen both 50 Mb and 100 Mb samples in real-world attacks, but experts have also observed a 200 Mb sample generated using the same technique.

Researchers believe this is also a noteworthy threat due to the fact that it has been used in targeted attacks.


“While this technique may seem inefficient in its primitive approach to bypass detection, we believe that in certain cases this malware may stay below the radar of incident responders and forensic analysts who use YARA rules to scan hard drives,” explained Kaspersky’s Suguru Ishimaru.

“The reason is that one of the common practices for YARA rule authors is to limit the size of scanned files, which is aimed mainly at improving performance of the scanning process. Large files, like the ones produced by XXMM malware, may become invisible for such rules, which is why we would like to recommend security researchers to consider this when creating rules for dropped malwares,” the expert added.
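A triage check for the blind spot Ishimaru describes, as an added example that is not from Kaspersky or the original article: it parses the PE section table to find where the executable image ends, measures the data appended after it, and flags files that exceed a scanner's size cap only because of that appended data. The function names, the `size_cap` parameter and the sample bytes are constructed for illustration.

```python
import struct

def pe_overlay(data: bytes):
    """Return (end_of_image, overlay_len) for a PE file, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # first section header
    end = table + 40 * num_sections           # headers are part of the image
    if end > len(data):
        return None
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))                 # tolerate truncated files
    return end, len(data) - end

def triage(data: bytes, size_cap: int):
    """Describe how a size-capped scanner would treat this file."""
    info = pe_overlay(data)
    if info is None:
        return None
    end, overlay = info
    skipped = len(data) > size_cap
    return {
        "image_bytes": end,
        "overlay_bytes": overlay,
        "skipped_by_size_cap": skipped,
        # Inflated candidate: too big for the cap only because of appended data.
        "inflated_candidate": skipped and end <= size_cap,
    }

def build_sample(junk_len: int) -> bytes:
    """Constructed PE skeleton (headers parse, nothing executes) plus padding."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200)
    hdr = (dos + coff + b"\0" * 0xE0 + sect + b"\0" * 16).ljust(0x200, b"\0")
    return hdr + b"\x90" * 0x200 + b"\xAA" * junk_len
```

Files flagged as inflated candidates can be rescanned on `data[:image_bytes]` alone, so signature matching runs on the executable image regardless of how much padding follows it. Authenticode signatures are also stored after the last section, so a small overlay on a signed file is normal.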


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
