Hackers from an advanced persistent threat group linked to Russian intelligence recently created a malware tool that takes advantage of a bug in a popular security program — illustrating the care that professional hackers take to evade detection.
In a blog post Friday, researchers from cybersecurity company Palo Alto Networks said they last month found a “dropper” — malicious code hidden in an email attachment that installs itself on a victim’s machine — that was undetectable by IDA, or Interactive DisAssembler.
IDA is an industry-standard tool that shows the instructions actually executed by a computer’s processor, enabling security researchers to detect and analyze deployed malware.
It’s used by “virtually all anti-virus companies, most vulnerability research companies, many of the large software development companies and, above everything else, three-letter agencies and military organizations,” according to IDA’s maker, Belgium-based Hex-Rays SA.
The researchers said the dropper was a tool deployed by the APT group linked to the Democratic National Committee hack this year, variously known as Cozy Bear, APT 29 or the Dukes. The group has previously targeted the unclassified computer networks of the White House, State Department, and U.S. Joint Chiefs of Staff.
Significantly, the dropper, sent on Aug. 10, concealed itself from IDA by taking advantage of a bug that Hex-Rays had found and fixed. The notice about the IDA update — noting the bug as fixed in the latest release — was distributed Aug. 8.
The threat group, conclude the researchers, “knows that malware analysts tasked with reverse engineering their tools typically use the IDA disassembler.”
The speed with which Cozy Bear was able to deliver malware that exploited the IDA bug speaks to the professionalism of its coders and the care they take to avoid detection and analysis.
“It appears this group looks for ways to evade [security software], specifically in this case by monitoring release notes from known malware analysis tools to deploy their own countermeasures,” the researchers conclude.