

By Darren Pauli, 10th February 2015 05:56

Received surprise new Redmond licenses? You might be pwned

Sleeping beauty rears ugly head

Black hats are flinging supposedly free licenses at enterprises in a bid to get malware on corporate networks, security bod Martin Nystrom says.

The attackers' malware went to some lengths to evade detection, and used the Tor network to carry stolen data back to its operators.

The Cisco threat defence man said realistic phishing emails, claiming a Microsoft licence had been approved, were personally addressed to some of its customers and carried a link to the site from which the malware would be downloaded.

He said the malware would check for sandboxes, the automated analysis environments researchers commonly use, and put itself to sleep for up to half an hour to avoid detection.

"The email is very similar to the real email Microsoft sends," Nystrom said, adding analysis of the malware required a good measure of skill and resources.

"The malware seemed to know it was being analysed (by Nystrom) and exited after 20 seconds without doing anything.

"[It] sleeps to wait out automatic sandbox analysis before starting to communicate on the internet."

Attackers served a copycat Microsoft Volume Licensing Service Center page hosted on hacked WordPress sites, from which a low-detection variant of the Chanitor malware was quietly downloaded, disguised as a volume licence.
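The check a mail gateway or an analyst would want for the lure described above is simple: a message that presents itself as a Microsoft volume-licensing notice should only link to Microsoft-controlled hosts. The script below is an added example for this article, not tooling from Cisco or the article's author. The sample message and the compromised-looking domain are constructed; the only real domain it trusts is microsoft.com, and the assumption that nothing else is legitimate is a deliberate simplification.

```python
"""
Flag licensing-themed mail whose links do not go to Microsoft.

Added example, not code from the article's author or from Cisco.
The sample message below is constructed; apart from microsoft.com,
every host in it is a placeholder.
"""
import re
from urllib.parse import urlparse

# Assumption for this example: only microsoft.com and its subdomains are
# legitimate targets for a Volume Licensing Service Center link.
TRUSTED_SUFFIXES = ("microsoft.com",)

# Phrases that mark a message as claiming to be a Microsoft licensing notice.
LICENSING_PHRASES = ("volume licensing", "volume license", "licence", "license")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample resembling the lure in the article (not a real email).
SAMPLE_MAIL = """\
From: Microsoft Volume Licensing <vlsc@microsoft.com>
Subject: Your Volume Licensing Service Center approval

Your volume licensing request has been approved. Sign in to the
Volume Licensing Service Center to download your licence:
http://blog.example-compromised-wordpress.net/wp-content/vlsc/
Microsoft Corporation https://www.microsoft.com/licensing
"""


def host_is_trusted(url: str) -> bool:
    """True if the URL's host is microsoft.com or a subdomain of it.

    urlparse().hostname strips userinfo and port, so lookalikes such as
    http://www.microsoft.com@evil.example/ and microsoft.com.evil.example
    both resolve to the attacker's host and are rejected.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def suspicious_links(body: str) -> list:
    """Return links in a licensing-themed message that point off Microsoft.

    A message that never mentions licensing is out of scope and yields [].
    """
    lowered = body.lower()
    if not any(p in lowered for p in LICENSING_PHRASES):
        return []
    return [u for u in URL_RE.findall(body) if not host_is_trusted(u)]


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_MAIL):
        print("suspicious link:", link)
```

The hostname check is suffix-based on purpose: a naive `"microsoft.com" in url` test would wave through both the userinfo trick and the lookalike subdomain that the docstring mentions.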

Once on a victim machine it would check for at least the three most popular sandboxes and use a sleep command to remain dormant for about 30 minutes, longer than many automated analysis runs last.

The fake site dropping malware

It would later alter a file structure in a way that caused some sandbox systems to fail.

Chanitor also probed a series of IP addresses before checking if Tor network connections were possible.
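The three behaviours just described (probe for an analysis environment, sleep past the sandbox's time budget, only then reach for the network and Tor) are visible in a dynamic-analysis API trace even when the sample never detonates. The analyser below is an added example for this article, not Cisco's tooling; the trace format, the sample lines, the artifact names it looks for and the five-minute sleep threshold are all assumptions chosen for illustration, and the sample is constructed rather than captured from Chanitor.

```python
"""
Heuristics over a dynamic-analysis API trace for the sleep-then-connect
evasion pattern described in the article.

Added example; the trace format and sample below are constructed and are
not Cisco's tooling or output. Artifact names checked are illustrative.
"""
import re
from dataclasses import dataclass, field

# Assumed trace format: one call per line, "t=<seconds> api=<name> [k=v ...]".
LINE_RE = re.compile(r"t=(?P<t>[\d.]+)\s+api=(?P<api>\w+)(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample (not a real capture). The 30-minute Sleep followed by
# network activity mirrors the behaviour the article reports.
SAMPLE_TRACE = r"""
t=0.00 api=IsDebuggerPresent
t=0.05 api=GetModuleHandleA name=SbieDll.dll
t=0.06 api=CreateFileA path=\\.\VBoxMiniRdrDN
t=0.10 api=GetTickCount
t=0.20 api=Sleep ms=1800000
t=1800.30 api=GetTickCount
t=1800.40 api=connect host=198.51.100.7 port=80
t=1800.90 api=connect host=127.0.0.1 port=9050
"""

ANALYSIS_CHECK_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}
ARTIFACT_HINTS = ("sbiedll", "vmware", "vbox", "virtualbox", "qemu")
NETWORK_APIS = {"connect", "WSAConnect", "InternetOpenA", "InternetOpenW", "send"}
TOR_SOCKS_PORTS = {"9050", "9150"}  # default Tor SOCKS ports (assumed indicator)


@dataclass
class Verdict:
    artifact_probes: list = field(default_factory=list)
    longest_sleep_s: float = 0.0
    sleep_gates_network: bool = False  # long sleep precedes (or replaces) all network
    tor_port_attempts: int = 0
    suspicious: bool = False


def parse_trace(text: str) -> list:
    """Parse trace lines into (time, api, {arg: value}) tuples."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = dict(KV_RE.findall(m.group("rest")))
        calls.append((float(m.group("t")), m.group("api"), args))
    return calls


def analyse(text: str, sleep_threshold_s: float = 300.0) -> Verdict:
    """Score a trace: environment probes + long sleep before network = suspicious.

    A trace with a long sleep and *no* network at all is also flagged, since
    that is exactly what a sandbox sees when its run times out mid-sleep.
    """
    v = Verdict()
    first_long_sleep_t = None
    first_net_t = None
    for t, api, args in parse_trace(text):
        blob = " ".join(args.values()).lower()
        if api in ANALYSIS_CHECK_APIS or any(h in blob for h in ARTIFACT_HINTS):
            v.artifact_probes.append(api + (" " + blob if blob else ""))
        if api == "Sleep":
            secs = int(args.get("ms", "0")) / 1000.0
            v.longest_sleep_s = max(v.longest_sleep_s, secs)
            if secs >= sleep_threshold_s and first_long_sleep_t is None:
                first_long_sleep_t = t
        if api in NETWORK_APIS:
            if first_net_t is None:
                first_net_t = t
            if args.get("port") in TOR_SOCKS_PORTS:
                v.tor_port_attempts += 1
    v.sleep_gates_network = first_long_sleep_t is not None and (
        first_net_t is None or first_long_sleep_t < first_net_t
    )
    v.suspicious = v.sleep_gates_network and (bool(v.artifact_probes) or v.tor_port_attempts > 0)
    return v


if __name__ == "__main__":
    print(analyse(SAMPLE_TRACE))
```

The practical counter to this pattern is not in the script but in the sandbox: either hook the sleep APIs and skip the wait, or treat a sample that sleeps past the run's budget without doing anything as worth a longer second run rather than a clean verdict.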

Nystrom said the attack was typical of a trend to target corporate staff with smarter phishing emails, and of the continued cat-and-mouse game between white hat probing and black hat evasion. ®
