Threat Management, Incident Response, Malware, TDR, Vulnerability Management

New ‘Moker’ malware can alter security measures

Researchers at enSilo have spotted new malware dubbed “Moker” that they said is unique since it bypasses and disables security measures, achieves system privileges, can be controlled without requiring internet connectivity, and takes great measures in order to bypass posthumous research once detected.

EnSilo Senior Security Researcher Yotam Gottesman, in a Wednesday email correspondence with SCMagazine.com, described the malware, which his team spotted in a single customer's network, as an Advanced Persistent Threat (APT) that exhibits Remote Access Trojan (RAT) capabilities.

While Gottesman said the malware is aimed at Windows systems, he explained researchers can't yet tell "who in particular" it targets.

“This case might have been a dedicated attack,” Gottesman said.  “However, we do see that malware authors adopt techniques used by other authors. We won't be surprised if we see future APTs using similar measures that were used by Moker (such as bypassing security mechanisms and dissection techniques),” Gottesman added. 

The researcher wrote Tuesday in his company blog that the malware can take screenshots, record web traffic, alter sensitive system files and monitor key strokes.

The RAT seizes control of a victim's computer by “creating a new user account and opening a remote desktop protocol (RDP) channel to gain remote control of the victim's device,” he wrote.

Moker uses code packing, two-step installation and exploits vulnerabilities.The two-step installation is done to defeat security measures that rely on time-sensitive techniques like sandboxing, according to the blog.

It's unclear at the present how the lone victim became infected with the malware, whether through phishing emails, malicious links, infected thumb drives or other methods. Equally unclear is who created and perpetrated the malware but Gottesman wrote in the blog post that Moker communicated with a server in Montenegro, which, he noted, could have been done to throw off the researchers and law enforcement.

To guard against Moker, which hasn't yet been spotted in VirusTotal, Gottesman recommended that organizations “block in real-time all malicious outbound communications, prevent in real-time the malicious tampering of files, and follow up on actual malicious communicating/tampering attempts in order to perform attack forensics."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.