Cunning “Tardigrade” malware attacks biological manufacturing facilities

When ransomware appeared at a biological manufacturing facility this spring, the response team had some questions. The attacker left only a half-hearted ransom note, and did not seem particularly interested in actually receiving the payment. Then there was the malware they used: a shockingly complex strain called Tardigrade.

As researchers from the biomedical and network security company BioBright dug further, they discovered that Tardigrade does more than simply lock down the entire facility's computers. The malware can adapt to its environment, hide itself, and even run autonomously when disconnected from its command-and-control server. This is something new.

Today, BioBright and the cybersecurity non-profit Bioeconomy Information Sharing and Analysis Center, or BIO-ISAC, of which BioBright is a member, publicly disclosed their findings about Tardigrade. Although they did not specify who developed the malware, they said that its complexity and other digital forensic clues point to a well-funded and aggressive "advanced persistent threat" group. They added that the malware is "actively spreading" in the biomanufacturing industry.

"It almost certainly started with espionage, but it affects everything: sabotage, sabotage, espionage, all of the above," said Charles Fracchia, CEO of BioBright. "This is by far the most sophisticated malware we have seen in this field. This is very similar to other attacks and activities by nation-state APTs against other industries."

As the world scrambles to develop, produce and distribute cutting-edge vaccines and drugs to counter Covid-19 during the pandemic, the importance of biomanufacturing has been fully demonstrated. Fracchia declined to comment on whether the victims were engaged in Covid-19-related work, but emphasized that their processes play a key role.

Researchers found that Tardigrade has some similarities with the popular malware downloader Smoke Loader. Also known as Dofoil, this tool has been used to distribute malware payloads since at least 2011, and is easily available on criminal forums. In 2018, Microsoft blocked a large-scale cryptocurrency mining campaign that used Smoke Loader, and in July the security company Proofpoint published research on a data theft attack that disguised the downloader as a legitimate privacy tool and tricked victims into installing it. Attackers can use various ready-made plug-ins to adjust the malware's functionality, and it is known for using clever technical tricks to hide itself.

BioBright researchers said that despite the similarities with Smoke Loader, Tardigrade appears to be more advanced and offers more customization options. It also adds trojan functionality, meaning that once installed on a victim's network it searches for stored passwords, deploys a keylogger, starts exfiltrating data, and establishes backdoors that let the attackers choose their own adventure.

BioBright malware analyst Callie Churchwell said: "This malware is designed to build itself in different ways in different environments, so its signature is constantly changing and more difficult to detect. I tested it nearly 100 times, and every time it built itself in a different way and communicated differently. In addition, if it cannot communicate with the command and control server, it has the ability to be more autonomous and self-sufficient, which is completely unexpected."
