Breach, Content

Stealthy Malware Targets MSPs, “Hides in Plain Sight” from Anti-Virus Security

John Ferrell,
John Ferrell, co-founder, Huntress Labs

Cyber attackers are aiming elaborate malware at managed service providers (MSPs) that deploys multiple, complex cloaking techniques to evade detection, Huntress Labs said in an updated blog post.

MSPs are particularly attractive targets for hackers because they typically maintain relationships with many clients, so one malevolent foray can simultaneously sweep many potential victims. Huntress, which provides managed detection and response (MDR) services through MSPs, first unraveled the malware’s processes in a blog posted last June. The follow-on blog zeros in on how the malware masks its actions.

At first glance, the malware looked like a log for an application to hide its activity, but a closer examination revealed that the file is “associated with a malicious foothold that we discovered,” wrote John Ferrell, Huntress co-founder, in the initial blog post. “The malware authors used several tricks to hide in plain sight, including renaming legitimate files, masquerading as an existing scheduled task, and using a malicious payload stored in a file made to look like an error log.”

A Closer Look

Author: John Hammond, senior cybersecurity researcher, Huntress Labs

The bug, John Hammond, Huntress senior security researcher said in the updated blog, is a “multi-stager, multi-payload” with layers of abstraction about which the security specialist jokingly referred to as “the gift that keeps on giving.” While malware payloads delivered in stages isn’t unusual, the level to which this one goes to avoid detection is unique and clever enough to slide right past a typical, off-the-shelf anti-virus or endpoint protection program, he said.

An initial payload is delivered using legitimate Windows binaries to extract out and execute new PowerShell code that contains another piece of obfuscated and encoded data to retrieve a second payload using Google’s DNS over HTTPS service. “Using DNS over HTTP as means to receive another malware payload is a very clever trick — while DNS filtering might be in place on a secure network, limited and locked down HTTP access to is much less likely,” Hammond wrote. To deliver the final payload, the malware code reaches out to an external server which installs the final command-and-control stub to give the hacker control of the target machine.

“While it is seemingly simple to ‘hide in plain sight’, after peeling off the layers you can uncover just how stealthy and meticulous attackers must be — and ultimately, what tricks and techniques us defenders must know to protect ourselves,” Hammond said.

Huntress Labs: Funding, MSP Partner Focus

Huntress Labs is increasingly well known across the MSSP and MSP partner ecosystems.

Earlier this year, Huntress raised $18 million in Series A funding from ForgePoint Capital​, a powerhouse in the cybersecurity venture capital market. The five-year old, Ellicott City, Maryland-based MDR provider expects to triple its employee roster to 60 people by the end of 2020.

Shortly after the funding, Huntress Labs released an extendible security platform for MSPs and VARs at no additional cost to partners. Each time a new Huntress security service debuts, it becomes available to MSP and VAR dashboards for no additional monthly fee. True believers in the platform include Clear Guidance Partners.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.