Just call it recycled, vintage or gently used malware. What’s old is new again with cybercriminals repurposing used tactics and malware for a fresh campaign. Take Operation Arid Viper, for example.
Proofpoint wrote in a blog post this past week that the group, after some time away, returned with slight tweaks to its malware and techniques. While the group always targeted Middle Eastern organizations, primarily in Israel, its refreshed campaign relies on different social engineering attempts, added encryption for exfiltrated data, and new Command and Control (C&C) servers, as well as new executable names.
While these changes likely took some effort, especially adding encryption, Kevin Epstein, VP of threat operations at Proofpoint, told SCMagazine.com that the attackers still get a “high return on investment.”
“Relative to finding a new zero-day or inventing a new family of malware, this is further proof that attackers are in it for business purposes,” he said.
They don’t need anything especially new: detection signatures written for an earlier campaign often lapse once the group goes quiet, and even a slight tweak to the malware is then enough to slip past defenses and infect a user’s system.
The attackers’ recalibration didn’t even work properly, Epstein noted. Although the group tried to implement strong encryption algorithms, the integration was flawed, leaving the key/IV combinations open to brute-force attack. As a result the exfiltrated data could be recovered, which is what let Proofpoint analyze the revamped campaign.
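The kind of flaw described above, a strong algorithm wrapped around weak key/IV generation, is easy to illustrate. The following is an added example, not Proofpoint’s analysis or Arid Viper’s code: the toy hash-based stream cipher, the `HOST=` record header, the derivation of the key from a 4-digit PIN and of the IV from a small counter, and the sample record are all assumptions made for the demonstration. Because the joint key/IV space is only 160,000 candidates, an analyst holding one ciphertext and a guess at the record header can recover the plaintext in seconds.

```python
import hashlib
import itertools
from typing import Optional, Tuple

# Illustrative stream cipher: keystream block i = SHA-256(key || iv || i).
# A constructed toy for this example, not the cipher the campaign used.
def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))


# The flaw being illustrated (an assumption, not Proofpoint's finding): a
# 32-byte key is derived from a 4-digit PIN and a 16-byte IV from a small
# counter, so the key/IV space is 10000 * 16 = 160,000 candidates.
def derive_key(pin: int) -> bytes:
    return hashlib.sha256(f"{pin:04d}".encode()).digest()


def derive_iv(counter: int) -> bytes:
    return counter.to_bytes(16, "big")


# Assumed record header: each stolen record starts with the victim hostname.
MAGIC = b"HOST="


def encrypt_record(record: bytes, pin: int, counter: int) -> bytes:
    return xor_crypt(record, derive_key(pin), derive_iv(counter))


def brute_force(ciphertext: bytes, iv_range: int = 16) -> Optional[Tuple[int, int, bytes]]:
    """Try every PIN/IV pair; accept the first whose decryption begins with MAGIC.

    Only the first len(MAGIC) bytes are decrypted per candidate (one hash),
    so the search is cheap; the chance of a false match on 5 bytes is 2^-40.
    """
    head = ciphertext[:len(MAGIC)]
    for pin in range(10000):
        key = derive_key(pin)
        for counter in range(iv_range):
            iv = derive_iv(counter)
            if xor_crypt(head, key, iv) == MAGIC:
                return pin, counter, xor_crypt(ciphertext, key, iv)
    return None


# Constructed sample record in the style of the data the article says is stolen.
SAMPLE_RECORD = b"HOST=WS-0042\r\nUSER=jdoe\r\nDIR=C:\\Users\\jdoe\\Documents\r\n"
SAMPLE_CIPHERTEXT = encrypt_record(SAMPLE_RECORD, pin=7312, counter=9)

if __name__ == "__main__":
    result = brute_force(SAMPLE_CIPHERTEXT)
    if result:
        pin, counter, plaintext = result
        print(f"recovered pin={pin:04d} iv_counter={counter}")
        print(plaintext.decode())
```

The keystream construction itself is not the weakness; swapping it for AES-CTR changes nothing. What makes the data recoverable is that the key and IV are derived from inputs with far less entropy than their length suggests, combined with a predictable plaintext prefix that gives the attacker a stop condition. Either fixing the derivation (random 256-bit key, random IV per record) or removing the known prefix would have made this search infeasible.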
Arid Viper steals everything it can, Epstein said, including basic information such as computer names and user credentials, as well as the user’s directory structure. It goes further still, taking a screenshot of the victim’s screen every five minutes. Targets mainly include telecom companies, high-tech groups and business services.
“There’s this persistent stereotype of cybercriminals as a person in a garage, but it’s really a big well-put-together ecosystem,” Epstein said. “It’s more economical to reuse [already created tools], which may well be an explanation for why we’re seeing more resurgent attacks.”
Saying the new Arid Viper campaign is a “classic example” of a resurgent attack, Epstein added it “will not be the last, and they’re not getting any less lethal as they go.”
For this reason, just as attackers re-upped their malware and attacks, network defenders need to constantly reevaluate their systems, too.
“If you’re using legacy systems from three to four years ago you are certainly not prepared for the modern attacks you’re seeing,” Epstein said.