The first article is from Talos, entitled "Malware Meets Sysadmin - Automation Tools Gone Bad". In short, this article talks about a piece of malware floating around that tricks a user into downloading AutoIt and an associated script via a macro in a Word document. AutoIt is a piece of software for Windows that allows the user to write a script that simulates key presses, manipulates processes, and calls Windows API functions, among other things. It has legitimate uses, like automating repetitive sysadmin tasks. However, like lots of other tools, it can be used in ways that are not intended.
First, let's take a moment to talk about how malware is deployed on a computer. Malware is typically deployed in stages.
Stage 1 is initial infection. This is the stage where the malware is first deployed onto the computer, usually via a drive-by download (man-in-the-middle) or phishing. The Stage 1 tool is typically small and might be used to check the environment for anything that the malware author might not want to deal with (like the malware running in a VM, because that might indicate that someone is examining it). In the article above, the Stage 1 tool is the Word document that contained the malware. Stage 1 tools will also survey the machine for vulnerabilities in installed software (usually by checking version numbers). This data is sent back to a server that the malware author controls, and the software for the next stage is selected and downloaded.
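Since the Stage 1 tool in the article is a Word document carrying a macro, one defensive check worth having is a triage script that tells you whether an Office file contains VBA code before anyone opens it. The following is an added example, not code from the Talos article: modern Office files (.docx, .docm, .xlsm, ...) are zip containers, and VBA code lives in a `vbaProject.bin` part, so the check is simply to inspect the zip entry names. The sample documents are constructed in memory; the placeholder `vbaProject.bin` bytes are not a real VBA project, only the entry name matters for this check.

```python
import io
import zipfile
from typing import List

# Zip entry names that carry VBA macro code inside an OOXML container.
MACRO_PART_SUFFIXES = ("vbaProject.bin", "vbaData.xml")
# Extensions that Office uses for macro-free documents.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def ooxml_macro_parts(data: bytes) -> List[str]:
    """Return the zip entry names that carry VBA code, or [] if there are none.

    Raises zipfile.BadZipFile when the data is not a zip container; legacy
    OLE-based .doc files are not covered by this check.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist() if name.endswith(MACRO_PART_SUFFIXES)]


def classify(filename: str, data: bytes) -> str:
    """Triage verdict for a file: 'not-ooxml', 'no-macro', 'macro', or
    'macro (extension mismatch)' when a macro-free extension hides VBA code."""
    try:
        parts = ooxml_macro_parts(data)
    except zipfile.BadZipFile:
        return "not-ooxml"
    if not parts:
        return "no-macro"
    if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
        # A .docx that contains vbaProject.bin was renamed; treat that as its own signal.
        return "macro (extension mismatch)"
    return "macro"


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like container for the demo (stub XML parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes, not a real VBA project.
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("report.docx", build_sample_ooxml(False)),
        ("invoice.docm", build_sample_ooxml(True)),
        ("notes.docx", build_sample_ooxml(True)),
        ("readme.txt", b"plain text, not a zip"),
    ]
    for name, blob in samples:
        print(f"{name}: {classify(name, blob)}")
```

Run it against a quarantine folder by replacing the constructed samples with `open(path, "rb").read()`; a "macro" verdict is a reason to detonate the file in an isolated lab rather than on a user's machine, and an "extension mismatch" verdict is almost never legitimate.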
Stage 2 tools are loaders. Loaders are tools used to prepare the environment for the persistent malware and pave the way for the malware to be installed. Once the Stage 2 tool is downloaded, it will exploit a vulnerability identified before and unpack (or even download) the Stage 3 malware. The stage 2 tool in the example above is AutoIt and the associated script.
Stage 3 is the persistent malware that the malware author communicates with. Using this deployment, a malware author will download files, capture keystrokes, and make your computer a pivot to other computers in your network. The Stage 3 tool in the example above is the RC4-encrypted binary.
So the malware in the example above uses a tool intended to automate system administration tasks for loading malware and surveying the computer. Why would the malware author do this?
Motivations for Re-Purposing Legitimate Software

Using software that appears legitimate gives the malware credibility in the eyes of the user. The crux of phishing attacks is to get the user to click on your malware (or a link to it) without knowing that it is malware. If you downloaded something and it appeared to be digitally signed, you might be more inclined to trust it. It is all about appearances.
Recently, a Reddit user posted that a beta for a game he downloaded from a link on Steam's Greenlight service contained malware. Steam is a digital software distribution service primarily for games. Greenlight is a service that allows Steam users to vote for games they want to see available for sale on the Steam store. It sounds like a great idea in theory, since game developers can see if there is an audience for their game and gamers get to experience new games. I will not get into all of the pros and cons of Greenlight, but there is one aspect that I would like to talk about: the low barrier for entry.
To me, this is an interesting technique to entice users to download malware. The barrier for entry on Greenlight is very low. All you have to do is buy access to publish on the service here for $100. That is it. If you had the intent, you could create a page, put some fake screenshots on it, and host a "beta" version of your game that really contained some sort of malware. This might be slightly harder in other ecosystems, like iTunes, but I still think it is possible. Have you ever installed an app from iTunes or Google Play and paid attention to some of the permissions? For example, there are games on Google Play that want permissions to retrieve running apps, find accounts on the device, and modify contents of USB storage. The things the apps want to do might be innocuous, but without analyzing the software, you have to trust the author.
As awareness of information security becomes more widespread, malware authors will think of progressively sneakier ways to deploy their software. So, how do you know if someone, or the software they offer, is trustworthy? Some people say by using open source software. That can certainly help, but there are pitfalls there too. First, someone (or some group) has to vet the code. Assuming you trust that someone or group, you might think you are in the clear. However, how do you know that the build of the software does not have "additions" that are not present in the code? You would have to build it yourself, which is not a process that everyone is willing to go through. Closed source software is not any better. Take Windows 10 for example. Even if you turn off every setting that sends data back to Microsoft, some of that data still cannot be turned off, as in this screenshot:
At the end of the day, you have to trust someone (such as whoever develops your operating system) unless you want to throw your computer out of the window or use it as a boat anchor. Even then, your data is on someone else's computer, subject to whatever security practices they employ. Therefore, my advice is not to place all of your trust in any one particular piece of software. There is a motto that I have taken to heart, and it applies here: "Trust, but verify." Verifying could mean monitoring network connections or filesystem changes from outside the software (for example, in a lab environment), or listening to people you trust.
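One concrete way to do the "verify" part for filesystem changes is to hash every file under a directory tree before and after running the software in a lab, then diff the two snapshots. The script below is an added example, not code from the post: `snapshot()` records a SHA-256 per file, `diff_snapshots()` reports what was added, removed, or modified, and `demo()` builds a constructed before/after state in a temporary directory so the whole thing runs offline. The file names in the demo are made up for illustration.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def snapshot(root: str) -> Dict[str, str]:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256.

    Only file contents are compared; timestamps, permissions and symlink
    targets are deliberately ignored so the diff reflects real content changes.
    """
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = digest.hexdigest()
    return result


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, modified


def _write(root: str, rel: str, content: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed before/after state standing in for 'run the installer in a lab'."""
    with tempfile.TemporaryDirectory() as root:
        # Baseline: what the install directory looked like before the run.
        _write(root, "bin/app.exe", b"original program bytes")
        _write(root, "config/settings.ini", b"telemetry=off\n")
        _write(root, "docs/readme.txt", b"read me\n")
        before = snapshot(root)

        # Constructed changes: a setting silently flipped, a new autostart
        # script dropped, and a file deleted.
        _write(root, "config/settings.ini", b"telemetry=on\n")
        _write(root, "startup/helper.vbs", b"constructed placeholder\n")
        os.remove(os.path.join(root, "docs", "readme.txt"))
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

In practice you would snapshot the directories that matter on the lab machine (the install target, user profile, and autostart locations), run the software, snapshot again, and read the diff; anything written outside the place the software claims to live is the first thing to look at.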
What are your thoughts? Let me know in the comments below. Thanks for reading!