An unknown threat group is targeting the facilities of numerous bio-manufacturers with a new malware, dubbed Tardigrade, that spreads through compromised networks and exfiltrates data for long periods without being detected.
According to recent reports, the group has been targeting organisations across the healthcare sector since the start of 2020. A member of the biomanufacturing facility that was attacked most recently said that the first sign of the intrusion was an unfamiliar malware infection in which the operators dropped ransom notes but showed little interest in actually collecting a payment.
The initial ransomware infection appears to serve as cover for the real payload: a metamorphic malware that embeds itself in the infected host, extends its foothold over time and ultimately exfiltrates data.
The researcher handling the infection case explained that the developers built Tardigrade from a modified, metamorphic version of the ‘SmokeLoader’ loader.
The malware is delivered via phishing or via USB flash drives that make their way onto the network. It is also unusually agile: it can recompile the loader from memory without leaving a consistent signature behind, which makes it very hard to trace, identify and remove.
The modified SmokeLoader acts as an evasive entry point for the operators, downloading additional payloads, manipulating files and deploying further modules. The stock SmokeLoader depends heavily on instructions from its operators; this version, by contrast, can function without a command-and-control connection. Even if the C2 infrastructure is taken down, the malware continues to move laterally according to its own built-in logic and decision rules.
The attackers' immediate objective appears to be disruption of operations, but Tardigrade is built to remain a persistent problem for a compromised system even after its operators have lost control of it. Researchers advise following standard network segmentation practices and keeping offline backups of the systems that underpin crucial biological infrastructure.
It is also vital to bring in specialists immediately when something unusual happens inside a system, particularly for healthcare institutions, and to run security software with strong behavioural analysis capabilities. Even when the malware changes its signature and its exfiltration patterns, the underlying suspicious behaviour can still be identified, detected and alerted on.
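To make the point about behavioural detection concrete, the following is an added example, not code from the article or from any vendor or ISAC: a hash blocklist and a simple behaviour rule are run over a handful of constructed endpoint events. The hosts, process names, hashes and addresses are all made up for illustration; none of them are real Tardigrade indicators. The behaviour rule flags a process that started from a suspicious origin (removable media or an Office parent), dropped an executable under a user profile, and then opened an outbound connection, regardless of what hash the binary happens to have after recompilation.

```python
"""Behaviour-based detection over constructed endpoint telemetry.

A hash blocklist stops matching as soon as the loader is recompiled; a rule
that keys on what a process does (suspicious origin -> drops an executable
-> reaches out) still fires. Every event, hash and address below is a
constructed sample, not a real indicator of compromise.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    pid: int
    parent_image: str
    image: str
    sha256: str
    action: str   # "process_start", "file_write" or "net_connect"
    target: str   # written path, remote address, or "" for process_start


# Constructed sample telemetry. host-a and host-b run the same behaviour
# chain but the loader hash differs on each (recompiled per host);
# host-c is a benign installer launched from the user's Downloads folder.
EVENTS = [
    Event("host-a", 401, r"C:\Windows\explorer.exe", r"E:\invoice_viewer.exe",
          "sha256-sample-1", "process_start", ""),
    Event("host-a", 401, r"C:\Windows\explorer.exe", r"E:\invoice_viewer.exe",
          "sha256-sample-1", "file_write", r"C:\Users\ana\AppData\Roaming\svc\loader.dll"),
    Event("host-a", 401, r"C:\Windows\explorer.exe", r"E:\invoice_viewer.exe",
          "sha256-sample-1", "net_connect", "203.0.113.7:443"),
    Event("host-b", 777, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Users\bo\AppData\Local\Temp\doc_helper.exe",
          "sha256-sample-2", "process_start", ""),
    Event("host-b", 777, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Users\bo\AppData\Local\Temp\doc_helper.exe",
          "sha256-sample-2", "file_write", r"C:\Users\bo\AppData\Roaming\svc\loader.dll"),
    Event("host-b", 777, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Users\bo\AppData\Local\Temp\doc_helper.exe",
          "sha256-sample-2", "net_connect", "198.51.100.23:443"),
    Event("host-c", 900, r"C:\Windows\explorer.exe", r"C:\Users\cy\Downloads\vendor_setup.exe",
          "sha256-sample-3", "process_start", ""),
    Event("host-c", 900, r"C:\Windows\explorer.exe", r"C:\Users\cy\Downloads\vendor_setup.exe",
          "sha256-sample-3", "file_write", r"C:\Program Files\Vendor\app.exe"),
    Event("host-c", 900, r"C:\Windows\explorer.exe", r"C:\Users\cy\Downloads\vendor_setup.exe",
          "sha256-sample-3", "net_connect", "192.0.2.10:443"),
]

# Only the first captured sample ever made it onto the blocklist (constructed).
KNOWN_BAD_HASHES = {"sha256-sample-1"}

REMOVABLE_DRIVES = {"D:", "E:", "F:"}   # assumption: removable media in this sample
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")


def suspicious_origin(ev: Event) -> bool:
    """Process launched from removable media or spawned by an Office app."""
    return (ev.image[:2].upper() in REMOVABLE_DRIVES
            or ev.parent_image.lower().endswith(OFFICE_PARENTS))


def drops_executable(path: str) -> bool:
    """Executable written under a user profile rather than Program Files."""
    p = path.lower()
    return p.endswith((".exe", ".dll")) and "\\appdata\\" in p


def signature_hits(events):
    """Hash blocklist: catches only samples whose hash was already seen."""
    return sorted({(e.host, e.pid) for e in events
                   if e.action == "process_start" and e.sha256 in KNOWN_BAD_HASHES})


def behaviour_hits(events):
    """Flag a process showing all three behaviours, whatever its hash."""
    state = defaultdict(lambda: {"origin": False, "drop": False, "net": False})
    for e in events:
        s = state[(e.host, e.pid)]
        if e.action == "process_start":
            s["origin"] = suspicious_origin(e)
        elif e.action == "file_write":
            s["drop"] = s["drop"] or drops_executable(e.target)
        elif e.action == "net_connect":
            s["net"] = True
    return sorted(key for key, s in state.items() if all(s.values()))


if __name__ == "__main__":
    print("signature hits:", signature_hits(EVENTS))   # host-a only
    print("behaviour hits:", behaviour_hits(EVENTS))   # host-a and host-b
```

The blocklist catches only host-a, whose hash happened to be captured; the recompiled loader on host-b slips past it. The behaviour rule catches both, and it leaves the benign installer on host-c alone because that process neither came from a suspicious origin nor wrote into a user profile. In a real deployment the three conditions would be tuned and weighted against the environment's own baseline, but the principle is the one the advice above rests on: behaviour is far harder for a metamorphic sample to change than its bytes.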
The identity and location of the threat actors remain unknown, so the origins of the Tardigrade malware are still a mystery.