Malware campaign attempts abuse of defender binaries
We are investigating a ransomware campaign that abuses legitimate Sophos executables and DLLs by modifying their original content, overwriting the entry-point code, and inserting the decrypted payload as a resource – in other words, impersonating legitimate files to attempt to sneak onto systems. A preliminary check indicates that all the affected Sophos files were part of the 2022.4.3 version of our Windows Endpoint product.
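One cheap triage check for the kind of tampering just described is the PE CheckSum: the linker writes it over the finished image, so a copy whose entry-point bytes or resources were patched afterwards carries a stale value unless the attacker also recomputed it. The following is an added example (not code from the Sophos post, and the minimal PE image it builds is constructed for the demo) that recomputes the field with the standard algorithm and reports whether a file is consistent; it treats a zero field as "no signal" because many user-mode binaries never set it.

```python
"""Added example (not from the Sophos post): flag PE files whose stored CheckSum no
longer matches their bytes, a quick triage signal for a binary patched after linking."""
import struct

def _checksum_offset(data: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 + 20 + 64        # PE sig + COFF header + field offset in optional hdr

def pe_checksum(data: bytes) -> int:
    """Recompute CheckSum with the algorithm used by MapFileAndCheckSum / pefile."""
    skip = _checksum_offset(data)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:                  # the field itself is excluded from the sum
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # fold carries back in
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)             # original, unpadded length

def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]

def checksum_status(data: bytes) -> str:
    stored = stored_checksum(data)
    if stored == 0:
        return "unset"                   # common for user-mode binaries: no signal
    return "ok" if stored == pe_checksum(data) else "mismatch"

def build_sample_pe(code: bytes) -> bytes:
    """Constructed minimal PE32+ image (one .text section); only the headers the check needs."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(code), 0x1000, len(code),
                                       0x200, 0, 0, 0, 0, 0x60000020)
    img = bytearray(dos + coff + bytes(opt) + sect)
    img += b"\0" * (0x200 - len(img)) + code                      # raw .text data at 0x200
    struct.pack_into("<I", img, _checksum_offset(img), pe_checksum(bytes(img)))  # linker step
    return bytes(img)

def tamper_entry_point(data: bytes) -> bytes:
    """Model the described tampering: overwrite the first entry-point bytes in place."""
    return data[:0x200] + b"\xCC" * 8 + data[0x208:]

SAMPLE_PE = build_sample_pe(b"\x48\x31\xC0\xC3" + b"\x90" * 12)   # constructed code bytes
```

A mismatch is a reason to pull the file for Authenticode verification and hash comparison against the vendor's release, not proof of tampering on its own.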

To be sure, this kind of malicious behavior is (unfortunately) nothing new for the infosecurity industry – indeed, for any software developer. Over the years we’ve seen other infostealers impersonating installers; we’ve seen grab-bag collections of fake utilities, including off-brand antimalware relabeled as legitimate Sophos protections; we’ve seen criminals attack closed-source and open-source code with equal fervor. Later in this post we’ll discuss precisely what attackers think to gain from this – and how defenders can respond.

In general, it’s just part of the tech territory – in fact, in the course of investigating this campaign, we also found similar abuses of files published by other defenders, including AVG, BitDefender, Emsisoft and Microsoft; use of a possibly compromised (and definitely expired) digital signature from another company; a bogus “installer” claiming to be for software from yet another company; and dozens of malicious downloaders, MSI installers, and other indicators of (attempted) compromise. Our investigation continues and will be reflected in the Indicators of Compromise file on our GitHub; affected vendors will hear from us privately.

The eventual payloads we have seen in our investigation vary – Cobalt Strike, Brute Ratel, Qakbot, Latrodectus, and others. Evidence exists of use by more than one criminal group, but further inquiry into attribution, or into the compromised signature or fake installer mentioned above, is beyond the scope of this post.

That said, it’s always interesting when something like this turns up. In this article we’ll walk through one such discovery and what we found when we dug into it.

Initial discoveries

The event that first drew our attention to…

Source…