Cylance vs. Paipeu Malware

Background & Timeline

Today, our Threat Guidance team looked at a truly unknown flavor of malware.

With new malware produced around the clock in volumes numbering into the hundreds of thousands of samples per day, it is unusual for our Threat Guidance team to be unable to place one in a known family. This time, though, a sample quarantined on a real customer's endpoint showed up in the CylancePROTECT® Dashboard flagged as “Unique to Cylance”.

Every property of the sample, from the file's location on disk to its compile date to the absence of similar files in known malware repositories, matched nothing that Cylance, or any other source we checked, had seen to date.

What Is It?

This piece of malware fascinated us because it was so simple: plain compiled C++ code, straightforward in structure, connecting to a single IP address (a Korean one, as it happens) and benign at first glance. On closer inspection, though, this seemingly innocent program turned out to collect a great deal of information from the victim, much as a legitimate asset management agent would.

The endpoint information collected covered System, Network, Disk/Memory, and Processes/Services. Taken together, this data could be used to map an individual asset (a “Configuration Item” in Information Technology Infrastructure Library, or ITIL, terms) or, gathered across many endpoints, to build a larger view of the organization and its internal network.

That is where things get dangerous. Detailed knowledge of local system configuration and network topology makes this sample uniquely suited to reconnaissance, all the more so because it performs no overtly unusual or malicious activity of its own that would draw attention.
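The behaviour described above, broad inventory collection followed by contact with a single external IP, is the kind of pattern a hunter can look for across endpoint telemetry even when the binary itself is unknown. The following is an added example of that hunt, not Cylance's code and not derived from the Paipeu sample: it collapses a constructed stream of per-process events (WMI queries and outbound connections, in a simplified schema that is not any real EDR's format) into one record per process and flags processes that touch at least three of the four inventory areas the post names and then talk to exactly one external address. The file paths, PIDs, IP addresses and the `known_agents` allow-list are all hypothetical.

```python
"""Heuristic hunt for an inventory-then-single-beacon process pattern.

Added example; not Cylance's code and not derived from the Paipeu sample.
The event schema, file paths, process IDs and IP addresses below are
constructed for illustration only.
"""
import ipaddress

# WMI classes an agent would query for each inventory area named in the post.
INVENTORY_CLASSES = {
    "system": {"Win32_OperatingSystem", "Win32_ComputerSystem", "Win32_BIOS"},
    "network": {"Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration"},
    "disk_memory": {"Win32_LogicalDisk", "Win32_PhysicalMemory"},
    "processes_services": {"Win32_Process", "Win32_Service"},
}
CLASS_TO_AREA = {c: area for area, classes in INVENTORY_CLASSES.items() for c in classes}

# Address space treated as internal; anything else counts as an external peer.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def summarize(events):
    """Collapse per-event telemetry into one record per process."""
    procs = {}
    for e in events:
        rec = procs.setdefault(e["pid"], {"image": e["image"], "areas": set(), "external": set()})
        if e["type"] == "wmi_query" and e["cls"] in CLASS_TO_AREA:
            rec["areas"].add(CLASS_TO_AREA[e["cls"]])
        elif e["type"] == "net_connect" and is_external(e["dst_ip"]):
            rec["external"].add(e["dst_ip"])
    return procs


def find_suspects(events, known_agents=frozenset(), min_areas=3):
    """Return sorted PIDs whose behaviour matches inventory-then-single-beacon.

    known_agents: image paths of sanctioned inventory agents (hypothetical
    allow-list). Without it, a legitimate agent reporting to a vendor cloud
    looks exactly like the sample, which is the point the post makes.
    """
    allowed = {k.lower() for k in known_agents}
    hits = []
    for pid, rec in summarize(events).items():
        if rec["image"].lower() in allowed:
            continue
        if len(rec["areas"]) >= min_areas and len(rec["external"]) == 1:
            hits.append(pid)
    return sorted(hits)


def ev(pid, image, **fields):
    return {"pid": pid, "image": image, **fields}


# Constructed sample telemetry (hypothetical paths, PIDs and TEST-NET addresses).
AGENT = r"C:\Program Files\AssetMgmt\agent.exe"          # hypothetical sanctioned agent
UNKNOWN = r"C:\Users\alice\AppData\Local\Temp\upd.exe"    # hypothetical unknown binary
BROWSER = r"C:\Program Files\Browser\browser.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    # Unknown binary enumerating all four inventory areas, then one external peer.
    ev(4101, UNKNOWN, type="wmi_query", cls="Win32_OperatingSystem"),
    ev(4101, UNKNOWN, type="wmi_query", cls="Win32_NetworkAdapterConfiguration"),
    ev(4101, UNKNOWN, type="wmi_query", cls="Win32_LogicalDisk"),
    ev(4101, UNKNOWN, type="wmi_query", cls="Win32_Process"),
    ev(4101, UNKNOWN, type="wmi_query", cls="Win32_Service"),
    ev(4101, UNKNOWN, type="net_connect", dst_ip="203.0.113.45", dst_port=443),
    # Sanctioned asset agent doing the same collection, reporting to a vendor cloud.
    ev(2200, AGENT, type="wmi_query", cls="Win32_ComputerSystem"),
    ev(2200, AGENT, type="wmi_query", cls="Win32_NetworkAdapter"),
    ev(2200, AGENT, type="wmi_query", cls="Win32_PhysicalMemory"),
    ev(2200, AGENT, type="wmi_query", cls="Win32_Service"),
    ev(2200, AGENT, type="net_connect", dst_ip="203.0.113.200", dst_port=443),
    # Browser: several external peers, no inventory enumeration.
    ev(3300, BROWSER, type="net_connect", dst_ip="198.51.100.7", dst_port=443),
    ev(3300, BROWSER, type="net_connect", dst_ip="198.51.100.9", dst_port=443),
    # Script that lists processes only (one area) and talks to one external host.
    ev(5500, PS, type="wmi_query", cls="Win32_Process"),
    ev(5500, PS, type="net_connect", dst_ip="203.0.113.9", dst_port=80),
]

if __name__ == "__main__":
    print("no allow-list:", find_suspects(SAMPLE_EVENTS))
    print("with allow-list:", find_suspects(SAMPLE_EVENTS, known_agents={AGENT}))
```

Run without an allow-list, the heuristic flags both the unknown binary and the sanctioned agent, because their telemetry is the same; only the allow-list (or, in practice, code-signing and path checks on the image) separates them. That is exactly why a sample like this is hard to catch on behaviour alone and why the hunt should start from the unknown-binary side rather than from the collection activity.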

We named the new malware ‘Paipeu,’ the Korean word for ‘Pipes’ (파이프), due to its hardcoded South Korean IP address and its ability to use named pipes, including its enabling of NULL session (Read more...)

This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog