Managed service providers are being targeted with malware that uses a complex mixture of strategies to go unnoticed, according to Huntress Labs.
The attack is more complex than originally thought, according to a followup report Wednesday on the malware first detailed in June. Huntress Labs initially explained the malware they discovered on two MSPs as using a novel trick to disguise its activity as a log file; the malware also launched native, living-off-the-land tools as renamed processes.
The malware disguises contact with its command infrastructure by routing traffic through Google's DNS over HTTPS service, and disguising other traffic as the email security feature DKIM.
"Google is a site that's not going to be blocked. You just can't turn that off for your workers," said John Hammond, senior security researcher at Huntress Labs.
Managed service providers are a one-stop-shop for various kinds of attacks because they have access to multiple clients. That makes them attractive to anyone from a ransomware vendor who wants to infect multiple victims to an intelligence agency wanting to pilfer data from multiple contractors.
Huntress Labs has seen two instances of the attack, both cosmetically different, and is not prepared to draw broad conclusions about the attacker's intent or if this will be seen again.
But hackers typically do not put this much work into stealth for a mere two attacks said Kyle Hanslovan, co-founder and CEO of Huntress Labs.
"The question is always if the juice is worth the squeeze," he said. "It seems like a disproportionate amount of work to not get more juice."