Hackers are increasingly using advanced obfuscation techniques to hide their malware code from researchers. Recently, an unusual DNS query led to the discovery of a multi-step obfuscated malware.
In a recent incident, attackers were observed using nslookup.exe, a network administration command-line tool used for querying the DNS, in an unusual way that would hide the actual malicious intent.
- In this procedure, the certutil tool was abused to decode files hidden inside a certificate file, which was used by a multi-step obfuscated malware.
- In addition, it used an obfuscated AutoIT script, which is using process hollowing of a spawned nslookup to run the malicious payload.
Use of obfuscation tools in recent incidents
Recently, a stealthy multi-striped backdoor called Kobalos was used to infect HPC networks of high-profile organizations. The backdoor was using a complex obfuscation mechanism to avoid analysis.
- Operators behind Agent Tesla were observed to be tampering with AMSI to lower its defenses. Equipped with base64-encoded obfuscated code, the technique completely removes the endpoint protection at the point of execution of malware.
- Last month, a phishing campaign was discovered that used the Web Open Font Format (WOFF) obfuscation. In this, code is decoded inside a Cascading Style Sheets.
- In the same month, LuckyBoy malvertising campaign was seen targeting mobile and other connected device users. The campaign was using heavy obfuscation and cloaking to prevent detection.
Obfuscation provides an edge to malware authors and makes it harder for researchers to analyze or detect the malicious code. To identify and prevent such threats, experts recommend finding out the root cause of the issue. Especially when any legitimate tools or processes act in any unusual behavior, such incidents should be followed with deeper research to identify any hidden aspects.