A sophisticated new malware campaign has been discovered that targets a wide range of industry sectors and infects systems with remote access Trojans (RATs) and other malware.

The campaign is being used to spread multiple malware variants and gain full access to systems and data. While many organizations have been attacked, the threat actors have been targeting IT service providers, where credential compromises can be leveraged to gain access to their clients’ environments.

The threat actors are able to evade detection by conventional antivirus solutions and operate virtually undetected.

The campaign has been running since at least May 2016 according to a recent alert issued by the National Cybersecurity Communications Integration Center (NCCIC) of the U.S. Department of Homeland Security.

The campaign is still being investigated, but due to the risk of attack, information has now been released to allow organizations to take steps to block the threat and mitigate risk. NCCIC categorizes the threat level as medium.

While threat detection systems are capable of identifying intrusions, this campaign is unlikely to be detected. The threat actors impersonate end users by using stolen credentials. Communications with the C2 infrastructure are encrypted, typically over port 443, and the C2 domains frequently change IP address. Domain names are also chosen to make the traffic appear legitimate, including names that mimic Windows Update sites.
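As an added illustration of the evasion pattern described above (this is example code written for this page, not from the NCCIC alert or this article), the following Python checker reads constructed proxy-log lines and flags TLS connections on port 443 to look-alike "Windows update" hostnames outside an assumed allow-list whose destination IP keeps changing. The hostnames, IP addresses and the allow-list are assumptions.

```python
"""Flag proxy-log entries matching the alert's C2 pattern: port 443 traffic to
look-alike "Windows update" hosts whose resolved IP address keeps changing."""
import re
from collections import defaultdict

# Assumed allow-list of legitimate Microsoft update hosts (example only).
KNOWN_UPDATE_HOSTS = {
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "download.windowsupdate.com",
}
# Hostnames that borrow Windows Update wording (heuristic, assumed pattern).
LOOKALIKE = re.compile(r"(windows|win|ms)[-_.]?(update|patch)", re.IGNORECASE)

# Constructed sample proxy log: "timestamp src_ip dst_host dst_ip dst_port".
# All IPs are from documentation ranges and all suspicious hosts use .test.
SAMPLE_LOG = """\
2017-04-27T10:00:01Z 10.0.0.5 windowsupdate.microsoft.com 192.0.2.1 443
2017-04-27T10:05:12Z 10.0.0.5 windowsupdate-sync.example.test 203.0.113.10 443
2017-04-27T11:05:12Z 10.0.0.5 windowsupdate-sync.example.test 203.0.113.77 443
2017-04-27T12:05:12Z 10.0.0.5 windowsupdate-sync.example.test 198.51.100.9 443
2017-04-27T12:10:00Z 10.0.0.7 intranet.corp.example.test 10.0.0.20 80
"""


def parse_log(text):
    """Split whitespace-delimited log lines into dicts; hostnames lowercased."""
    rows = []
    for line in text.splitlines():
        ts, src, host, dst, port = line.split()
        rows.append({"ts": ts, "src": src, "host": host.lower(),
                     "dst": dst, "port": int(port)})
    return rows


def flag_suspicious(rows, min_distinct_ips=2):
    """Return {host: set_of_ips} for look-alike hosts contacted on port 443
    that are not allow-listed and resolved to >= min_distinct_ips addresses."""
    seen = defaultdict(set)
    for r in rows:
        if r["port"] != 443 or r["host"] in KNOWN_UPDATE_HOSTS:
            continue
        if LOOKALIKE.search(r["host"]):
            seen[r["host"]].add(r["dst"])
    return {h: ips for h, ips in seen.items() if len(ips) >= min_distinct_ips}


if __name__ == "__main__":
    for host, ips in flag_suspicious(parse_log(SAMPLE_LOG)).items():
        print(f"suspicious: {host} -> {sorted(ips)}")
```

In practice the allow-list should come from your own egress policy and the IP-churn threshold from the resolution history of your DNS logs, not from a single day of proxy data.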

Two main malware variants are being used in this campaign – the remote administration Trojan (RAT) REDLEAVES and the PLUGX/SOGU Remote Access Tool. PLUGX malware has been around since 2012, although various modifications have been made to the malware to prevent detection.

PLUGX allows the threat actors to perform a range of malicious activities such as establishing connections, terminating processes, logging off the current user and modifying files. It also gives the threat actors full control of the compromised system and allows the downloading of files. REDLEAVES offers the threat actors a typical range of RAT functions, including system enumeration.

NCCIC has released Indicators of Compromise (IOCs) to allow organizations to conduct scans to determine whether they have been infected, and further information will be published when it becomes available.

While anti-virus solutions should be used, they are unlikely to offer protection against this malware campaign. NCCIC warns organizations that there is no single security solution that can prevent infection, so a multi-layered defense is required. The aim of organizations should be to make it as difficult as possible for the attackers to gain access to their systems, install malware and operate undetected.

NCCIC offers several suggestions to help organizations improve their defenses against attack. Since phishing emails are used to fool end users into revealing their credentials, anti-phishing solutions should be employed to prevent the emails from reaching end users’ inboxes.

Other mitigations are detailed in NCCIC’s recent report, which can be downloaded from US-CERT.