Nyotron Discovers Active Malware Campaign on a Critical Infrastructure Organization in the Middle East

Dubbed Copperfield, Script Based Exploit Uses New Masquerading Techniques to Evade User and Anti-malware Safeguards Santa Clara, CA — December 19, 2017 — Nyotron, a provider of OS-Centric Positive Security based endpoint protection solutions, announced the discovery of a new advanced malware campaign, found in the wild attempting to attack a company’s Middle Eastern critical infrastructure clients. Copperfield malware’s predecessor, known as H-worm by Houdini, was discovered years ago. Copperfield, however, used a crypter-based obfuscation technique to change its structure and hash in order to avoid detection. Hence, the sample was unique and was able to bypass two other leading antivirus products installed in the customer’s environment. Like its predecessor, Copperfield is a Remote Access Trojan (RAT) that leverages Windows Script Host — an automation tool in Windows — to gain full control capabilities, including:
  • Sending information about the machine it is installed on (including antivirus software installed)
  • Updating itself
  • Exfiltrating sensitive data to an external server
  • Arbitrary code execution
  • Downloading and running executables such as keyloggers, additional malware, screen grabbers, etc.
The Copperfield campaign infected organizations through a USB drive. The malware boasts a unique set of masquerading techniques, hiding all original files found on the drive while creating malware-laced LNK files with the same names and even icons as the originals. Upon execution, a user would see nothing out of the ordinary; in one of the discovered cases, the user’s movie started as expected while the malware ran silently in the background. The icon swapping feature of Copperfield has not been previously described or used by other malware variants. Nyotron blocked all damage from the malware after suspicious activity triggered three of the solution’s protection modules:
  • Abnormal Communication
  • Local Data Exfiltration
  • Application Tampering
Copperfield campaign’s Command and Control server IP address points to servers located in Mecca, Saudi Arabia. Other circumstantial evidence and clues left in the malware point to either Iran or Algeria. This is in-line with Nyotron’s security landscape predictions for 2018 — more damaging and bolder attacks coming from tier-2 and tier-3 nation-state actors. These countries are now capable of taking on the critical infrastructure of tier-1 countries such as the United States. Hacking is becoming democratized and, at the same time, no truly innovative security solution has received wide market adoption in the past few years, thus giving sophisticated and well-funded attackers an asymmetric advantage. Full report on the Operation Copperfield is available at https://nyotron.com/copperfield/. About Nyotron Nyotron complements anti-malware solutions by filling in the critical gap in their protection — true zero-day malware prevention — by offering the industry’s first and only OS-Centric Positive Security based endpoint protection. Nyotron’s unique and patented technology provides the final layer of protection against completely new, unknown malware that no other vendor can offer. Currently installed anti-malware products work seamlessly with Nyotron to provide what every organization has always wanted — real-time threat-agnostic protection from any attack without foreknowledge of the attack vector. The company’s headquarters is in Santa Clara, California, and R&D is in Israel. To learn more, visit www.nyotron.com.