Just when you thought cybercriminals couldn't get any worse, a new piece of malware is leveraging the popularity of the newly viral protest slogan "Je suis Charlie", showing that attackers are increasingly able to respond to online trends by writing new malware quickly and causing widespread disruption.
The new malicious software is based on DarkComet RAT code and was first noticed within a day of the recent attacks on the Charlie Hebdo newspaper in Paris, according to security researchers at Blue Coat Systems, Inc. Not only was the malware preying on a hugely popular online trend, but it was able to avoid detection by antivirus scanners, allowing it to spread like wildfire. The virus was able to get past 51 of the 53 security programs testing for new malware, Blue Coat reported.
The malware was originally spread by riding the viral popularity of the slogan on social media sites. On Twitter it used the #JesuisCharlie hashtag, which was posted more than 5 million times. Once launched, the virus shows an image of a newborn baby's hand with a hospital bracelet that says "Je suis Charlie."
"It demonstrates how agile these criminal organizations have become," said Blue Coat chief security strategist Hugh Thompson in an interview with CSO. "They can react very quickly, personalize their attacks very quickly, and distribute them very quickly. It's not the first time we've seen this kind of personalization of an attack. We're seeing an increasing response time, an infrastructure that's been built out pretty robustly over the last few years."
Agile malware causing enterprise disruptions
According to Thompson, the malware is very flexible and capable of changing quickly to avoid detection. The domains and hosts switch frequently, each existing for only 24 hours before disappearing, never to be used again. The cybercriminals behind the attacks have built a very dynamic infrastructure, using multiple layers of distribution and command-and-control infrastructure that is further obscured behind them. The malicious software uses the DarkComet remote access rootkit, giving the attackers remote access to compromised machines.
When a new virus emerges and spreads this quickly, enterprises often find that traditional firewalls and antivirus software are not sufficient to protect their networks in the new threat landscape. To fill the gaps left by other defenses, many organizations are turning to security information and event management (SIEM) services. With a managed SIEM solution, a business receives continuous monitoring of network activity, along with analysis of any suspicious behavior that may indicate a breach. That information is invaluable when building more comprehensive protection policies, leading to a dramatically more reliable security posture.
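The 24-hour domain rotation described above is exactly the kind of pattern continuous log monitoring can surface: a destination that is contacted repeatedly, lives for about a day, and then goes silent forever. The following is an added example written for this article, not code from Blue Coat or the researchers; the proxy-log format and the sample lines are constructed, and the thresholds are assumptions to tune for a real environment.

```python
"""Flag short-lived outbound destinations in proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: "<ISO timestamp> <client> <destination>"
SAMPLE_LOG = """\
2015-01-08T09:00:00 ws-17 cdn.example-update.net
2015-01-08T14:30:00 ws-17 cdn.example-update.net
2015-01-09T08:00:00 ws-17 cdn.example-update.net
2015-01-11T09:00:00 ws-17 cdn.example-update.net
2015-01-08T09:05:00 ws-17 a1b2c3.rotating.example
2015-01-08T12:05:00 ws-17 a1b2c3.rotating.example
2015-01-08T20:05:00 ws-17 a1b2c3.rotating.example
2015-01-08T11:00:00 ws-22 once.example.org
2015-01-09T09:10:00 ws-17 d4e5f6.rotating.example
2015-01-09T13:10:00 ws-17 d4e5f6.rotating.example
2015-01-09T22:10:00 ws-17 d4e5f6.rotating.example
2015-01-11T06:00:00 ws-22 newsite.example.org
2015-01-11T07:00:00 ws-22 newsite.example.org
2015-01-11T08:00:00 ws-22 newsite.example.org
"""

def parse(log_text):
    """Yield (timestamp, client, domain) tuples from the constructed format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, client, domain = line.split()
            yield datetime.fromisoformat(ts), client, domain

def short_lived_domains(log_text, max_life=timedelta(hours=24), min_hits=3):
    """Return domains whose whole observed activity fits inside max_life
    and that have since gone silent for longer than max_life.

    The second condition avoids flagging a domain that is simply new at the
    end of the log window (newsite.example.org) and cannot be judged yet.
    Legitimate infrastructure (cdn.example-update.net) recurs over days.
    """
    first, last, hits = {}, {}, defaultdict(int)
    log_end = None
    for ts, _client, domain in parse(log_text):
        first[domain] = min(first.get(domain, ts), ts)
        last[domain] = max(last.get(domain, ts), ts)
        hits[domain] += 1
        log_end = ts if log_end is None else max(log_end, ts)
    return sorted(
        d for d in hits
        if hits[d] >= min_hits
        and last[d] - first[d] <= max_life   # all activity within one day
        and log_end - last[d] > max_life     # and never seen again since
    )

if __name__ == "__main__":
    print(short_lived_domains(SAMPLE_LOG))
```

In a SIEM this is a scheduled search over outbound proxy or DNS logs; the flagged hosts are then correlated against the client machines that contacted them.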