A new week, a new malware warning. This time, malware delivered by a malicious ISO file dressed up as a resume.
The team at Unit 42, Palo Alto Networks' threat research group, has found a particularly nasty sample built with Brute Ratel C4 (BRC4), a commercial red-team tool.
The quality of the code and the care taken over delivery are high enough that the researchers believe a state-sponsored actor is behind it.
The sample is delivered as a fake resume packaged as an ISO disc image. Once the image is mounted, it presents what looks like a Word document; opening it quietly launches the malware in the background while the victim waits for a resume to appear.
ISO is not a normal format for a resume, which would usually be a .docx or .pdf, but it has a practical advantage for the attacker: on Windows 8 and later, double-clicking an ISO mounts it as a virtual drive with no extra software, and files inside a freshly mounted image have historically escaped the Mark-of-the-Web checks that a downloaded document would trigger.
Brute Ratel C4 itself is a sophisticated and well-engineered piece of software. It is sold as an adversary simulation tool for red teams and penetration testers, and its developer has said that leading antivirus and EDR products were reverse engineered during development so the tool's implants can avoid detection.
By all accounts it's highly regarded for its capabilities, even if it's now being abused in real intrusions. Unit 42 noted that when this sample first appeared on VirusTotal, no vendor flagged it as malicious, and summed up the problem like this:
“This tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal.”
The threat is a malicious DLL that, once loaded, injects the Brute Ratel implant into the memory of RuntimeBroker.exe, a legitimate Windows process, so the beacon runs under a trusted-looking name. Because the implant is a command-and-control agent that fetches further payloads and commands from its operator, it is difficult to say in advance exactly what it will do on a given victim.
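The delivery chain above (a user mounting an ISO and opening something from it, a DLL loaded from the mounted drive, and a process poking into RuntimeBroker.exe) leaves traces in ordinary endpoint telemetry even when the implant itself is not signatured. The script below is an added example, not code from Unit 42 or from the original article: it scores Sysmon-style events with three behavioural rules. The field names follow Sysmon's schema, but the sample events, paths, file names and the allow-list of processes that may legitimately open RuntimeBroker.exe are all constructed for illustration and should be tuned on your own telemetry.

```python
"""Offline triage of Sysmon-style events for an ISO-delivered, DLL-hosted
implant that injects into RuntimeBroker.exe. Added example; all sample data
below is constructed, not captured from the campaign in the article."""
import re
from typing import Dict, List

# Sysmon event IDs used by the rules.
PROCESS_CREATE, IMAGE_LOAD, CREATE_REMOTE_THREAD, PROCESS_ACCESS = 1, 7, 8, 10

SYSTEM_DRIVE = "C:"
# Assumption: processes that legitimately open handles into RuntimeBroker.exe
# on a normal workstation. Extend for your EDR/AV agents and admin tooling.
BENIGN_ACCESSORS = {"svchost.exe", "csrss.exe", "lsass.exe",
                    "msmpeng.exe", "taskmgr.exe", "wmiprvse.exe"}
INJECTION_TARGET = "runtimebroker.exe"          # the process named in the article
PROCESS_CREATE_THREAD = 0x0002                   # Win32 access-right bits
PROCESS_VM_WRITE = 0x0020


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def off_system_drive(path: str) -> bool:
    """True for paths on any drive letter other than the system drive
    (a mounted ISO gets the next free letter, e.g. E:)."""
    m = re.match(r"^([A-Za-z]):", path)
    return bool(m) and m.group(1).upper() + ":" != SYSTEM_DRIVE


def paths_in(text: str) -> List[str]:
    return re.findall(r'[A-Za-z]:\\[^\s"]+', text)


def triage(event: Dict) -> List[str]:
    """Return the reasons an event looks suspicious; empty list means none."""
    reasons: List[str] = []
    eid = event.get("EventID")
    if eid == PROCESS_CREATE:
        # Rule 1: Explorer launched something that lives on, or points at,
        # a non-system drive (the user double-clicked inside a mounted image).
        if basename(event.get("ParentImage", "")) == "explorer.exe":
            refs = [event.get("Image", "")] + paths_in(event.get("CommandLine", ""))
            if any(off_system_drive(p) for p in refs):
                reasons.append("explorer launched code referencing a non-system drive (mounted ISO?)")
    elif eid == IMAGE_LOAD:
        # Rule 2: an unsigned DLL pulled from the same non-system drive.
        loaded = event.get("ImageLoaded", "")
        if (loaded.lower().endswith(".dll") and off_system_drive(loaded)
                and event.get("Signed", "false").lower() != "true"):
            reasons.append("unsigned DLL loaded from a non-system drive")
    elif eid in (CREATE_REMOTE_THREAD, PROCESS_ACCESS):
        # Rule 3: something outside the allow-list reaching into RuntimeBroker.exe.
        src = basename(event.get("SourceImage", ""))
        if basename(event.get("TargetImage", "")) == INJECTION_TARGET and src not in BENIGN_ACCESSORS:
            if eid == CREATE_REMOTE_THREAD:
                reasons.append(f"remote thread created in {INJECTION_TARGET} by {src}")
            else:
                granted = int(event.get("GrantedAccess", "0x0"), 16)
                if granted & PROCESS_VM_WRITE and granted & PROCESS_CREATE_THREAD:
                    reasons.append(f"{src} opened {INJECTION_TARGET} with write+thread rights")
    return reasons


def triage_log(events: List[Dict]) -> Dict[int, List[str]]:
    """Map event index -> reasons, for every event that trips a rule."""
    hits: Dict[int, List[str]] = {}
    for i, e in enumerate(events):
        r = triage(e)
        if r:
            hits[i] = r
    return hits


# Constructed sample log: a benign launch, then a chain like the one described.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" C:\Users\alice\Downloads\notes.docx'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",           # shortcut on the mounted ISO
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c start E:\updates\Updater.exe"},
    {"EventID": 7, "Image": r"E:\updates\Updater.exe",                # host EXE loads DLL from the ISO
     "ImageLoaded": r"E:\updates\helper.dll", "Signed": "false"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",  # normal owner, allow-listed
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"E:\updates\Updater.exe",           # injector opens the target
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"E:\updates\Updater.exe",            # and starts a thread in it
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe"},
]

if __name__ == "__main__":
    for idx, why in triage_log(SAMPLE_EVENTS).items():
        print(idx, "; ".join(why))
```

None of the three rules depends on a hash or a file name, which is the point against a tool built to beat signatures: the ISO-to-Explorer-to-process hop, the DLL sourced from a mounted drive, and the handle into RuntimeBroker.exe are artefacts of the technique, not of this particular build. Rule 3 in particular needs an allow-list maintained from your own environment, since security agents and some admin tools open processes with broad rights as a matter of course.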
The main concern is the sophistication and style of delivery. Unit 42 said the packaging is consistent with state-sponsored activity, and in particular with past campaigns by APT29, better known as Cozy Bear, the Russian state-sponsored group, although they stopped short of a firm attribution.
Not a lot more is known about the campaign right now, and vendors will presumably update their signatures shortly. Signatures alone won't be enough against a tool built to evade them, though, so the practical checks are behavioural: block or at least flag .iso attachments at the mail gateway, watch for users mounting ISOs from their Downloads folder, and look for processes that open or write into RuntimeBroker.exe when they have no business doing so.