LevelBlue Labs has recently observed a malicious campaign abusing legitimate anti-virus products to remain undetected. Upon achieving execution, the threat actor deploys several executables to gain a foothold in the infected system. One of these executables caught our attention because it masquerades as various anti-virus components while in reality providing a proxy service through a Command and Control (C&C) server. The binaries are based on the legitimate anti-virus components but have been modified to include the malicious code. This activity appears to be a continuation of the activity reported by Sophos in late April and marks a new iteration in this threat actor's toolset. In this new iteration of the campaign, we have observed Malwarebytes, BitDefender and APEX products being targeted, among others.
Author: AlienVault
Related Tags:
SbaProxy
T1554
T1090
AlienVault OTX
AlienVault
Associated Indicators:
SHA256:
BAA50DBDB108E1769C5B0BEFF7462EA7DEB8FD37782A49F0911619BC51D42105
1ADE6A15EBCBE8CB9BDA1E232D7E4111B808FD4128E0D5DB15BFAFAFC3EC7B8E
9C1E0C8C5B9B9FE9D0AA533FB7D9D1B57DB98FD70C4F66A26A3ED9E06AC132A7
9DC809B2E5FBF38FA01530609CA7B608E2E61BD713145F84CF22C68809AEC372
7D96EC8B72015515C4E0B5A1AE6C799801CF7B86861ADE0298A372C7CED5FD93
SHA1:
AC47AA570A47E035FC72E15573521F5AD93433FA
42896F8069C341A3E78F940DFCC4EBF4A5884471
MD5:
C73A9395D5ECA18FD86700B086455C59
B6680E15C4F36E7B75FC6676BC911667