Mutating Malware Targeting Vaccine Manufacturing Industries

By Author: Robort
Total Articles: 20
Comment this article

A new type of Windows malware can constantly adopt new codes to avoid getting detected. According to security researchers, this new ‘Mutating Malware’ is targeting multiple biotech industries, including institutes manufacturing various vaccines.

BIO-ISAC, which is a non-profit firm, warned about this new malware. It has been named ‘Tardigrade,’ as it has the ability to adapt and persist in different types of conditions.

It doesn’t work as a regular polymorphic malware. A polymorphic malware rewrites some of its code to avoid detection, but this new threat goes even further by changing its whole code during new infections when it is first connected to the internet.

Malware Architecture and Capabilities
Metamorphic
While many malware systems are polymorphic, this system seems to be able to recompile the loader from memory without leaving a consistent signature.
Recompiling occurs after a network connection in the wild that could be a call to a command and control (CnC).
Allows the system to change the portion/all the functions based on CnC like a normal loader system but with ...
... a level of autonomy that is unexpected.
Minimum Supported Systems for Functions Performed
Minimum supported client – Windows 2000 Professional (desktop apps only)
Minimum supported server – Windows 2000 Server (desktop apps only)
Target Platform – Windows
Header – winbase.h (includes Windows.h)
Library – Advapi32.lib
DLL – Advapi32.dll
The malware’s metamorphic abilities help avoid leaving a consistent signature, making it very hard to spot antiviruses. One security researcher reported that he tested the malware 100 times and “every time it built itself in a different way and communicated differently.”

Due to this behavior, BIO-ISAC has named the malware ‘Tardigrade,’ which is a reference to the micro-organism which can survive extreme hot and cold temperatures and even outer space vacuum.

This mutating malware hijacks a system to access its files and steals them. The files are then mutated. It can be spread through normal phishing emails and USB devices.

Background Information on ‘Tardigrade’
Tagged Bulz.Method:253748 Ransomware Trojans
First Variant: SmokeLoader
Suspected Second Variant: Dofoil
Attack Delivery
USB, Files, and Network Autonomously
Primary: Phishing
Goal
The main goal of this malware is still to download, manipulate files, send the main.dll library if possible, deploy other modules and remain hidden.
Espionage, tunnel creation carry a bigger payload.
Compatible with other APT-made payloads so far: Conti, Ryuk, Cobalt Strike.
The malware was uncovered by BIO-ISAC when one of its member companies, Biobright, investigated a ransomware attack on an unnamed biomanufacturing facility. During the investigation of researchers, they found the program that was used to load the malware. This malware was more complex than ordinary malware. BIO-ISAC has since uncovered a second attack on another facility. The group issued a warning to all the biotech industries saying it is actively spreading in the bio-economy.

The malware was not attributed to any country by the BIO-ISAC, but they said it is likely to be state-sponsored hackers’ new mutated strain of advanced persistent threat actors.

According to Malwarebytes, the Tardigrade malware showed some similarities to the ‘SmokeLoader’ malware, which has been active since 2011 in the black market.

BIO-ISAC is urging potentially targeted firms to install an antivirus that is capable of “behavioral analysis.” It has also been said to stay on guard against phishing attacks that can carry the malware. The group added in their statement,” At this time, biomanufacturing sites and their partners are encouraged to assume that they are targets and take necessary steps to review their cybersecurity and response postures.”

Source:- https://web-root-wsa-installer.com/mutating-malware-targeting-vaccine-manufacturing-industries/