The beta started off with a small network of roughly 10-30 devices, and things went smoothly at first. Device population and fingerprinting weren’t an issue, and our parental controls were working as intended. Device permissions were functioning as expected as well.
It didn’t take long for Pangolin to start doing its job. On its first day of beta, Pangolin found a serious security breach.
I’m already paranoid when it comes to my network security, so you can imagine my shock when Pangolin informed me that my work laptop was contacting a CNC server flagged to have been in use by Hidden Cobra, a malicious hacker group from North Korea.
I had to get to the bottom of the situation, so I began some forensic tests to discover the root of the problem. The usual avenues – anti-virus, newly installed files, and new .dll and config files – turned up nothing.
Digging a little deeper, I began to think of what I did in the last few days and proceeded to uninstall all software. I also checked email attachments, and that’s where something peculiar came up.
There was an invoice attached in an email from someone in my contact list, which wasn’t unusual because they normally did this a couple of times a year. When I called them, though, I was surprised to hear that they hadn’t sent anything in quite a significant amount of time. This set off a lot of red flags, so I told them to quickly change their email login credentials and add a 2FA method.
Though the pdf invoice didn’t trigger any alarm bells from Google or Microsoft Defender, I discovered that there was a crypter embedded within the file.
A crypter is similar to a runtime packer (or compression), except it encrypts the executable files. This is something that is usually picked up by Google or Microsoft Defender, but for some reason anti-virus was not able to detect it.
It was an advanced piece of malware. It used common evasion techniques such as sandbox detection, but also hid itself from prying eyes through more creative methods. The malware had code that was reorganized, also called subroutine reordering, making it harder for anti-virus software to detect. It also used code transportation, which re-ordered sequences of the instruction with no visible impact on code behaviour.
The malware was further scrambled and mutated on virtually all levels of its code – with garbage logic that made no sense. As a final touch, the malware even attempts to kill certain instances that anti-virus software relies on in host computers. This was designed to deter future fingerprinting.
Disassembling it further showed that it could possibly be forked into a ransomware type malware as there was leftover code hinting at CPU core counting. At least I would imagine it for ransomware, as it is often the case that ransomware would watch the load on a target CPU in order to pick the low usage times it would then use to encrypt the target files.
Endpoint security shines in situations like this, where malware is so new, or so advanced, that traditional methods of detection simply don’t work. By noticing that there was a strange request being made to a Hidden Cobra delta server somewhere in Russia from within our network, Pangolin helped start the chain of events that led to the malware’s discovery. By blocking the attempted connection, Pangolin allowed us to start investigating without risking any further harm to our network or devices. This investigation allowed us to verify the malware and submit it to VirusTotal.
This particular incident reminded us that even cybersecurity professionals run the risk of being infected by advanced pieces of malware. Even the best of us get ‘pwned’ sometimes, and that’s why a holistic endpoint solution is integral to any network’s security. It also shows us that the internet is a true wild west these days as coding language becomes easier to learn, and obfuscation techniques are openly discussed through channels like reddit and other forums openly.
This beta blog was written by TeamRed Founder, Miko Tan.