The actor behind the SolarWinds compromise, Cozy Bear, may be connected to a new campaign that uses a poisoned curriculum vitae as its lure.
Researchers reported that a single malware sample slipped past more than 50 antivirus engines. The fact that none of those products flagged it suggests that state-sponsored actors have found a new way to package their tooling. Note that evading signature-based scanners is not the same as evading behavioural detection once the payload actually runs.
The analysts said the sample was first spotted last May and carried a payload built with a tool dubbed BRC4. BRC4, also known as Brute Ratel, is a commercial command-and-control framework sold for red-team and adversary-simulation work. Its developer also claims to have reverse-engineered antivirus software specifically to make BRC4 hard to detect.
The sample observed by the researchers starts as a file posing as the curriculum vitae (CV) of a man named Roshan Bandara. Rather than a document, however, the supposed CV is delivered as an ISO disk image. If the user opens it, Windows mounts the ISO as a drive letter and shows an Explorer window containing a single visible file, named Roshan-Bandara_CV_Dialog; the other contents of the image are hidden from the default Explorer view.
That file carries a Microsoft Word icon but does not open a CV. When the user double-clicks it, it launches cmd.exe, which in turn starts the OneDrive updater, and it is the updater that ends up loading the BRC4 payload.
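The process chain described above (shortcut on a mounted image, cmd.exe, then the OneDrive updater running from the image instead of its install directory) is something a detection engineer can look for in endpoint telemetry. The following is an added example, not code from the article or from the researchers' report: it runs a simple rule over constructed process-creation records modelled on Sysmon Event ID 1. The field names, the sample paths, the trusted install directories and the drive letter D: are all assumptions made for illustration.

```python
import ntpath
from dataclasses import dataclass

# Directories where the genuine OneDrive updater is normally installed.
# Assumption for this example; tune to your environment.
TRUSTED_ONEDRIVE_DIRS = (
    r"c:\program files\microsoft onedrive",
    r"c:\program files (x86)\microsoft onedrive",
    r"\appdata\local\microsoft\onedrive",
)
TARGET_IMAGE = "onedriveupdater.exe"
LAUNCHER = "cmd.exe"


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields; names are illustrative."""
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS
    return ntpath.basename(path).lower()


def updater_outside_install_dir(ev: ProcEvent) -> bool:
    """True when OneDriveUpdater.exe runs from somewhere other than its
    expected install directories, e.g. the root of a mounted ISO drive."""
    if _basename(ev.image) != TARGET_IMAGE:
        return False
    image_dir = ntpath.dirname(ev.image).lower()
    return not any(trusted in image_dir for trusted in TRUSTED_ONEDRIVE_DIRS)


def find_lure_chain(events):
    """Return (pid, reason) for events matching cmd.exe -> OneDriveUpdater.exe
    where the updater runs from an untrusted location."""
    hits = []
    for ev in events:
        if _basename(ev.parent_image) != LAUNCHER:
            continue
        if updater_outside_install_dir(ev):
            reason = (f"OneDriveUpdater.exe launched by cmd.exe "
                      f"from {ntpath.dirname(ev.image)}")
            hits.append((ev.pid, reason))
    return hits


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    # user opens the shortcut; Explorer spawns cmd.exe
    ProcEvent(4120, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r"cmd.exe /c start D:\OneDriveUpdater.exe"),
    # cmd.exe starts the updater from the mounted image -> should alert
    ProcEvent(4188, r"D:\OneDriveUpdater.exe", r"C:\Windows\System32\cmd.exe",
              r"D:\OneDriveUpdater.exe"),
    # legitimate updater run from its install directory -> benign
    ProcEvent(5010, r"C:\Program Files\Microsoft OneDrive\OneDriveUpdater.exe",
              r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
              r'"C:\Program Files\Microsoft OneDrive\OneDriveUpdater.exe" /update'),
    # unrelated cmd.exe child -> benign
    ProcEvent(5100, r"C:\Windows\System32\ping.exe",
              r"C:\Windows\System32\cmd.exe", "ping 127.0.0.1"),
]

if __name__ == "__main__":
    for pid, reason in find_lure_chain(SAMPLE_EVENTS):
        print(pid, reason)
```

The rule keys on the location of a signed, legitimate binary rather than on the payload itself, which is the point when the payload is built to defeat signature scanning: the updater being executed from a freshly mounted drive letter by cmd.exe is anomalous on its own, whatever it goes on to load.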
Once the payload is running, the operator can carry out any number of malicious actions on the infected machine. The researchers' main concern, however, is not the post-exploitation activity but the technique used to slip past security detections.
Cozy Bear may be behind the evasive sample.
Based on the reports, the Russian state-sponsored group Cozy Bear, the group tied to the SolarWinds compromise, may be involved, because the way this sample is packaged matches lure techniques the group has used in earlier campaigns.
It is also noteworthy that the ISO was built on the same day a new version of BRC4 was released. That timing suggests the state-sponsored actors are watching the commercial red-team tooling market and adopting fresh releases as soon as they appear in order to stay ahead of detection signatures.