UPDATED 08:00 EDT / JANUARY 24 2018

INFRA

Researchers warn new Lebal malware is seeking high-profile targets

A new strain of malware targeting universities, government organizations and private companies has been detected in what may be the first major state-sponsored attack of 2018.

Called “Lebal” by security researchers at Comodo Group Inc. in an announcement today, the malware has so far been detected at five universities, 23 private companies and several government organizations. Described as a “sophisticated type of malware,” Lebal uses a layered chain of techniques to bypass technical defenses and deceive users.

The attack vector, described as specifically targeted rather than opportunistic, was not a plain malicious attachment but a lure camouflaged in several layers. The first layer is a phishing email disguised as a message from Federal Express; the second is a malicious link dressed up to look like a link to Google Drive.

Once a user clicks the link and the payload runs, it steals private data from the web browser, including cookies and saved credentials, and looks for information about email and instant messaging clients. In addition, Lebal pulls credentials from FTP clients such as FileZilla and WinSCP and attempts to locate and access cryptocurrency wallets such as Bitcoin Core or Electrum. “In short,” the security researchers note, “it grabs everything it can extract” from a victim’s machine.

It doesn’t stop there, either. The malware also attempts to turn off operating-system defenses while hiding itself from antimalware tools in several ways, both of which make it more dangerous than commodity malware.

The attack, aimed at 30 mail servers, is said to have come from a single IP address in São Paulo, Brazil, with all 328 phishing emails sent on Jan. 8. The Brazilian origin says nothing about where the attackers are based, however, since it is trivial for attackers to compromise a third-party machine and send the phishing emails from it.
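The two observable features of the campaign described above, a Google Drive lookalike link in a FedEx-themed email and a burst of hundreds of messages from one source IP across many mail servers on a single day, can both be checked at the mail gateway. The following script is an added example written for this page, not code from Comodo or from the Lebal campaign. The sample email body and gateway records are constructed, the IP addresses are RFC 5737 documentation addresses rather than the real sender, and the burst thresholds, the set of legitimate Google Drive hosts and the record field names (`date`, `src_ip`, `mail_server`, `subject`) are assumptions for illustration.

```python
"""Gateway-side triage for a FedEx-themed phishing wave with Google Drive lookalike links.

Added example; not Comodo's tooling. All sample data below is constructed.
"""
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Google Drive link actually points at (assumption for the example).
GOOGLE_DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}

# FedEx-themed subject lines, the lure reported for this campaign.
FEDEX_SUBJECT = re.compile(r"\b(fedex|federal express)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def lookalike_links(html_body):
    """Return (visible text, real host) for links whose text claims Google Drive
    but whose href resolves to some other host. An empty list means no lookalike."""
    parser = LinkExtractor()
    parser.feed(html_body)
    hits = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        claims_drive = "drive.google.com" in text.lower() or "google drive" in text.lower()
        if claims_drive and host not in GOOGLE_DRIVE_HOSTS:
            hits.append((text, host))
    return hits


def phishing_bursts(records, min_messages=20, min_servers=3):
    """Group FedEx-themed messages by (day, source IP) and return the sources that
    hit many distinct mail servers with many messages on one day.
    Result: {(date, src_ip): (message_count, sorted list of mail servers)}."""
    per_source = defaultdict(lambda: {"count": 0, "servers": set()})
    for rec in records:
        if not FEDEX_SUBJECT.search(rec["subject"]):
            continue
        key = (rec["date"], rec["src_ip"])
        per_source[key]["count"] += 1
        per_source[key]["servers"].add(rec["mail_server"])
    return {
        key: (v["count"], sorted(v["servers"]))
        for key, v in per_source.items()
        if v["count"] >= min_messages and len(v["servers"]) >= min_servers
    }


# Constructed lure body: the anchor text looks like a Drive URL, the href does not.
SAMPLE_BODY = """<p>Your Federal Express parcel could not be delivered.</p>
<p>Download the shipping label:
<a href="http://203.0.113.7/drive/label.exe">https://drive.google.com/file/d/label</a></p>"""


def build_sample_records():
    """Constructed gateway records mirroring the reported wave: 328 FedEx-themed
    messages from one source on 8 Jan 2018 spread over 30 mail servers, plus noise."""
    recs = []
    for i in range(328):
        recs.append({"date": "2018-01-08", "src_ip": "203.0.113.7",
                     "mail_server": f"mx{i % 30 + 1:02d}.example.edu",
                     "subject": "FedEx: delivery attempt failed"})
    for _ in range(10):  # benign bulk mail from another source, non-FedEx subject
        recs.append({"date": "2018-01-08", "src_ip": "198.51.100.4",
                     "mail_server": "mx01.example.edu", "subject": "Weekly newsletter"})
    recs.append({"date": "2018-01-09", "src_ip": "198.51.100.9",  # lone FedEx mail, below threshold
                 "mail_server": "mx02.example.edu", "subject": "FedEx invoice"})
    return recs


if __name__ == "__main__":
    print("lookalike links:", lookalike_links(SAMPLE_BODY))
    for (day, ip), (count, servers) in phishing_bursts(build_sample_records()).items():
        print(f"{day} {ip}: {count} FedEx-themed messages to {len(servers)} mail servers")
```

The burst key is the sending IP only as a clustering handle for blocking and triage; as the article notes, it says nothing about who is behind the campaign, since the sender is very likely a compromised third-party host.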

Comodo Threat Research Labs said enterprise users in particular should expect the attackers to reuse the malware and should take all reasonable steps to prevent Lebal from gaining a foothold on their networks.

Photo: christiaancolen/Flickr 
