

A new form of malware targeting universities, government organizations and private companies has been detected in what could potentially be the first major state-sponsored attack of 2018.
Called “Lebal” by security researchers at Comodo Group Inc. in an announcement today, the malware has so far been detected in five universities, 23 private companies and several government organizations. Described as a “sophisticated type of malware,” Lebal uses a complicated chain of methods to bypass technical security controls and deceive users.
The attack vector, described as specifically targeted rather than opportunistic, was not a conventional email attack but one camouflaged behind several layers. The first stage is a phishing email disguised as a message from Federal Express, while the second stage is a malicious link posing as a link to Google Drive.
Once a user clicks the link, the attackers can steal private data from the web browser, including cookies and credentials, and they look for information about e-mail and instant messaging clients. In addition, Lebal pulls credentials from FTP clients such as FileZilla or WinSCP and attempts to locate and access cryptocurrency wallets such as bitcoin or Electrum. “In short,” the security researchers note, “it grabs everything it can extract” from a victim’s machine.
It doesn’t stop there, either. The malware also attempts to turn off operating-system defenses while hiding itself from antimalware tools in various sophisticated ways, both of which make it more dangerous than other forms of malware.
The attack, aimed at 30 mail servers, is said to have come from a single IP address in São Paulo, Brazil, with all 328 phishing emails sent on Jan. 8. That the traffic came from Brazil says nothing about where the attackers are based, however, since it would be extraordinarily easy for them to hijack a machine elsewhere and use it to distribute the malware.
Comodo Threat Research Labs said enterprise users, in particular, should be aware that the attackers are likely to use the malware again and should take all reasonable steps to prevent Lebal from gaining access to their networks.