Near-undetectable malware linked to Russia's Cozy Bear

Palo Alto Networks' Unit 42 threat intelligence team has claimed that a piece of malware that 56 antivirus products were unable to detect is evidence that state-backed attackers have found new ways to go about their evil business. Unit 42's analysts assert that the malware was spotted in May 2022 and contains a malicious payload …

  1. Pascal Monett Silver badge
    Facepalm

    Cunning ?

    Yeah, like I'm going to just open an ISO file from somebody I don't know.

    I feel that, when users are going to finally grasp the fact that you do not open attachments from people you don't know, all of these "cunning" attacks are going to become a lot more difficult.

    1. Neil Barnes Silver badge

      Re: Cunning ?

      do not open attachments from people you don't know

      And that will happen, um, a day or two after the heat death of the universe...

    2. Eguro
      Paris Hilton

      Re: Cunning ?

      But the email was clearly sent from the CEOs phone!!

    3. johnfbw

      Re: Cunning ?

      CVs are almost exclusively files sent from people you don't know.

      There is basically no alternative because it is private information from non-tech-literate people.

      Web front ends for HR (hideous abominations) usually ask for the file as well.

      1. veti Silver badge

        Re: Cunning ?

        I've never seen an HR portal that offers ".iso" as a valid file format option.

        1. MiguelC Silver badge

          Re: Cunning ?

          Then your average HR bod will click on the ISO file because "the damn portal won't open it".

          1. Jellied Eel Silver badge

            Re: Cunning ?

            Your average HR bod should have a security policy that prevents them from trying to run an ISO. And so should probably 99% of the company outside IT functions that could justify it.

            Sure, not being able to run/install random software you've found on the 'net could be annoying, but it's a lot safer for your employer. I've worked in a few places where I couldn't install apps, but could just ask IT to install things like Wireshark or hex editors for me. Just needed justification, and IT checking licence/security implications.

            1. mistersaxon

              Re: Cunning ?

              The ISO is just a file system and a way to get past the Outlook automatic filter for executable types. I want to know more about this so-called undetectable malware that gets installed by the OneDrive updater? But this all looks like Office allowing executables in a document format (again/still). Add ISO to your blocked file types on mail and move on…

              1. Jellied Eel Silver badge

                Re: Cunning ?

                Yup, it's part of the arms race between IT security and hackers. But the combination of account security profile and filtering should help protect businesses. And the odd curse at MS for steadily removing useful information in its default views. Win11, I'm looking at you.

                Oh for the good ol' days where file names and extensions were simple to see, and not all the infantilised emoticons MS has replaced text with.

                I also wonder if this explains a lot of the spam I've been seeing in YT comments. There's been a lot recently claiming to be job seekers, often for medical tech positions. Those looked like attempts to get gullible people to download a 'CV'. If I can find an example, I'll add a link if any security types want to play with it in their sandboxes.

              2. sniperpaddy

                Re: Cunning ?

                Passworded zips will do the same.

          2. Roland6 Silver badge

            Re: Cunning ?

            Your average user will click on the attachment "Roshan Bandara CV" because the default configuration of the OS is to hide file extensions...

            Although, the extension is only an unreliable indicator to the actual format of the attachment. One would hope both the OS and security scanning software would flag instances where the extension differs from the file type contained in the file header block.
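            Roland6's point above (the extension is only a label; the header is the evidence) as an added example, not code from this thread or from Unit 42: a small Python mail-gateway check that identifies each attachment's container by its magic bytes, including the ISO 9660 `CD001` identifier at offset 0x8001, flags any attachment whose extension disagrees, and looks one level into ZIPs. The sample message, the file names and the blocked-format list are constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Header signatures keyed by format: (offset, magic). ISO 9660 is the odd one out:
# its "CD001" identifier sits in the primary volume descriptor at sector 16
# (offset 0x8000), one byte after the descriptor-type byte.
SIGNATURES = {
    "zip": (0, b"PK\x03\x04"),
    "7z": (0, b"7z\xbc\xaf\x27\x1c"),
    "pe": (0, b"MZ"),
    "pdf": (0, b"%PDF-"),
    "iso": (0x8001, b"CD001"),
}

# Extensions that honestly describe each detected format.
EXPECTED_EXT = {
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "7z": {"7z"},
    "pe": {"exe", "dll", "scr"},
    "pdf": {"pdf"},
    "iso": {"iso", "img"},
}

# Container formats this hypothetical gateway refuses regardless of their label.
BLOCKED_FORMATS = {"iso", "pe"}


def detect_format(data):
    """Identify the container by its header bytes, not by its name."""
    for fmt, (offset, magic) in SIGNATURES.items():
        if data[offset:offset + len(magic)] == magic:
            return fmt
    return None


def classify(filename, data):
    """Return (detected_format, extension_mismatch) for one attachment body."""
    fmt = detect_format(data)
    if fmt is None:
        return None, False
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return fmt, ext not in EXPECTED_EXT[fmt]


def scan_message(raw):
    """Classify every attachment of an RFC 822 message, ZIP members one level deep."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        fmt, mismatch = classify(name, data)
        findings.append((name, fmt, mismatch))
        if fmt == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner_fmt, inner_mismatch = classify(info.filename, zf.read(info))
                    findings.append((f"{name}/{info.filename}", inner_fmt, inner_mismatch))
    return findings


def should_quarantine(findings):
    """Hold the mail if any attachment lies about its type or is a blocked container."""
    return any(mismatch or fmt in BLOCKED_FORMATS for _, fmt, mismatch in findings)


def build_sample_message():
    """Constructed test mail: an honest PDF, an ISO 9660 image labelled .pdf,
    and a ZIP carrying a second copy of that image under its real extension."""
    iso = bytearray(0x8000 + 2048)            # 16 system-area sectors + one descriptor
    iso[0x8000:0x8007] = b"\x01CD001\x01"     # type=1, identifier, version
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("cv.iso", bytes(iso))
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "applicant@example.invalid", "hr@example.invalid", "CV"
    msg.set_content("Please find my CV attached.")
    msg.add_attachment(b"%PDF-1.4\n% constructed stub\n", maintype="application",
                       subtype="pdf", filename="cover-letter.pdf")
    msg.add_attachment(bytes(iso), maintype="application", subtype="octet-stream",
                       filename="Roshan Bandara CV.pdf")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="portfolio.zip")
    return msg.as_bytes()
```

Running `should_quarantine(scan_message(build_sample_message()))` holds the constructed mail twice over: the mislabelled image fails the extension check, and the image inside the ZIP is a blocked container even though it is honestly named.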

          3. Doctor Syntax Silver badge

            Re: Cunning ?

            Your average HR bod is about the same risk to their employer as your average sales and marketing bod.

            "Hacker was a very average minister" - Yes Minister Diaries.

          4. veti Silver badge

            Re: Cunning ?

            No, your average HR bod will never see the file because it won't come through the portal.

      2. This post has been deleted by its author

    4. Phil O'Sophical Silver badge

      Re: Cunning ?

      An OS that allows an ordinary user to mount a disk from which privileged programs can be run, just by clicking on an email, isn't fit for purpose.

      1. Anonymous Coward
        Anonymous Coward

        Re: Cunning ?

        It's not a disk. It's a file. Whether it's called .iso, .zip or .tar, it's just an archive of files whose content can be extracted. The OS just makes it easy. And there's no special privilege attached to the content.

        This appears to mean that antivirus products are less careful about scanning the content of .iso files than .zip files, which sounds rather dumb of them.

        1. Anonymous Coward
          Anonymous Coward

          Not Cunning

          but to be fair, they have found an attack vector that was slipping through the cracks. The steps the tool takes accomplish the same ends as custom code, but don't trigger the same response.

          This is just another variant of the standard tactic and technique of stringing together an attack chain from code, tools, and gadgets that are already on the host machines.

          The real obstacle here is that you have a grey zone where tools like One Drive and Dropbox are used daily for general use, so it gets hard to restrict them w/o over blocking and annoying people. So they set the heuristics loose to avoid complaints and something nasty slipped by initially.

          That said, I really hate the fact that we are on Gmail, and they make it a pain to sideline this stuff. The old on-prem mail server wasn't built by a multi-billion scale team, but has useful features like the ability to sideline and queue suspicious attachments till they were released by one of the mail admins. Because some users will reliably click on ANYTHING. How those features aren't considered part of the minimum viable product I will never know.

          So instead we try to block the user's work machine from running the thing, and they just forward it to someone else to open for them, or open it on their personal device. If you can't trust them not to open it, why are you trusting them to have it at all?

    5. Persona Silver badge

      Re: Cunning ?

      do not open attachments from people you don't know

      This is precisely what the HR department needs to do. Yes, there are ways around it by having CVs posted to a web server; however, at the end of the day someone is still going to need to open and read that attachment. Only then do they "know" who the CV is from.

    6. DS999 Silver badge

      Can Windows mount an ISO?

      Last time I tried to do this (Windows 7?) you needed extra software. If it will work by default then this issue is as much Microsoft's fault as anyone's. The average person has no reason to mount an ISO file, that should be something that is disabled by default, which would completely defuse this attack.

    7. sketharaman

      Re: Cunning ?

      I agree that .ISO is a major tell but (1) File extensions are not displayed in some email clients (2) Some people don't notice file extensions (3) Most importantly, "0-touch" malware is a thing, which does not involve any file or clicking any attachment.

  2. sebacoustic

    Well I for one hope that Roshan Bandara finds a job once his CV was widely distributed

  3. Anonymous Coward
    Anonymous Coward

    “Roshan Bandara” you say

    So this unexpected .exe file from Svetlana Getyagearoff is perfectly OK then?

    1. Anonymous Coward
      Anonymous Coward

      Re: “Roshan Bandara” you say

      Nah, that's dubious, as the last name should be in the correct grammatical genus - should be Getyagearoffa...

      1. Jedit Silver badge
        IT Angle

        Re: “Roshan Bandara” you say

        I thought she was normally called Getya Legova?

  4. Andy The Hat Silver badge

    Come back Windows ...

    The change of Windows direction from application-centric to data-centric was always going to be, was, and still is a pain in the crackers for *basic* security, especially if the user can't even see what's going to happen without further investigation. At least give users the ability to peek under their blindfold ... even if their wrists are still bound, they're being hypnotised by a telepathic rotating-circley thing and Margret on Facebook (nail operative, global pandemic expert and IT security professional) says "click it ... click it ...it'll be ok".

    A simple information/dialog box that says "file xyz.yyy is trying to open in / execute / mount - ok?" would provide a one click buffer - a whole click more but wouldn't it be worth the effort.

    1. veti Silver badge

      Re: Come back Windows ...

      Err... That sounds like the kind of security that has been rightly derided as ineffective before. Any check that amounts to "add a click to the workflow" is not going to make anything better.

      I'm quite baffled by this report. It requires the victim to click on unknown files, not once, but twice. This is the standard for "so clever that only a state actor could come up with it"?

    2. thondwe

      Re: Come back Windows ...

      Just tried to open a couple of ISOs on my Windows 11 machine - all give me a "Security Warning" "Unknown Publisher" dialog (even on a Windows Server ISO) - BUT there is a tick box to "Always Ask" - which clearly can be unticked - maybe a GPO for disabling, but - only requires one Dory in an org to just click through...

    3. naive

      Re: Come back Windows ...

      It is not specifically Windows, it is the one-dimensional security model going back to the founding days of operating systems in the early 60's. A logged-in user has full access to all services and files the OS has on offer based on a privilege model. There are no provisions for sandboxing or controlled access to resources within the privileges the user has on the OS. This worked well on mainframes of old where it was close to impossible to download and deploy new apps. In the internet age this model causes the world enormous headaches in the shape of virus scanners, gigantic databases of good and bad websites and the issues resulting from security breaches.

      In Windows the one-dimensional model bites users hard, since Windows is eager to be easy for the user, happily auto-executing things based on file types or contents. Maybe Intel is to blame a bit as well; easy creation of VMs on Android/ARM phones made online banking apps popular on smart phones. If Intel had done more to support easy VM creation on its x86 things a decade ago, MS could have used the security benefits of this approach.

      The model Android uses holds some potential, there apps get specific rights on objects, combined with sand boxing this limits what apps can leak to bad actors.

      The 60's security model in Linux and Windows will be hard to replace with a multi-layered model, where apps are more isolated from drives and other resources either by sandboxing or messaging techniques instead of direct read/write access to everything once a foothold is gained.

      1. JimmyPage

        Re: Come back Windows ...

        The 60's security model in Linux and Windows

        Firstly, old doesn't mean bad. Just look at Roman trowels to see how good design simply can't be improved.

        Secondly, Linux was built on the Unix security model where everything is a file and has its own security descriptors. Just being at a console ("root" or "admin") doesn't automatically make you an administrator.

        Yes, they have tried to retro-fit this level of security to Windows. But as last year's printer driver snafu showed, it'll never be 100%.

        All of which said, it's entirely possible to build a pwnable Linux box if you wanted to. But it would take more work than you'd think.

        1. Anonymous Coward
          Anonymous Coward

          Screwing up is easier than you think

          Still just takes one mistake. One line of bad code, one line in a config file, one wrong permission bit on one file.

          The rules of the game favor a patient attacker, because defenders have imperfect information, limited time, limited resources, and millions of lines of imperfect code they didn't even write. Then all of the code and configs they did, and whatever blunders they made themselves.

          And there aren't many safety rails there. Unless you set them up yourself, there aren't watchdogs checking for and fixing those configuration and permission errors, or a warning saying do you REALLY, REALLY, REALLY want to run that as root.

          And Windows or Unix, the underlying hardware is riddled with exploitable issues that are even further out of reach, running on a network with all of the same problems. Hence the move to principles of defense in depth, visibility, response and remediation.

  5. Anonymous Coward
    Anonymous Coward

    About The Email Store-And-Forward Process....

    Quote: "...Bandara's CV is offered as an ISO file..."

    ....so.....umpty-ump email servers (many at places like M$, Google, Yahoo....and so on)....all these email servers have passed on an email with an ISO file attached....and none of these technically sophisticated organisations....all of them supposedly taking "security very seriously"......none of these organisations do diddly-squat about this malware ISO file....

    ....instead they proceed to deliver the email and the ISO attachment......and they leave the end user to decide...."Should I click on this?"

    What am I missing here?

    1. Plest Silver badge

      Re: About The Email Store-And-Forward Process....

      The first time a legit file gets blocked the do-gooders all scream "CORPORATE OPPRESSION!!". Next thing MS has to apologise because Betty Smith aged 87 had medical records that didn't get emailed and now she's in a hospital bed.

      For the record, I totally agree with you, but I just know the second any corp does anything the liberal crowd scream "OPPRESSION!", without thinking about time and place for such things.

    2. vincent himpe

      Re: About The Email Store-And-Forward Process....

      email should be text only..

      We need a universal data format that is non-executable. Allow only letters, numbers and punctuation. Subset of ASCII. ASCII is 8 bit; by suppressing more than half of it you cannot emulate opcodes even if you were able to break the system and manage to convert the data to executable.

      The receiving routines would have a bitmask: anything not in the allowable set is simply removed from the input stream before it goes to the applications.

      Then bolt an HTML or XML like structure on top of that to do formatting. Everything in plaintext.

      Executable files can only be transmitted using a dedicated service (similar to an app store) and installed by an installer program.

      Operating system is not able to accept any executable code unless it comes through that channel. That way you can plaster the users screen with as many warnings as needed to get it into their thick heads that they are going to install executable code.

      1. Irony Deficient Silver badge

        email should be text only…

        We need a universal dataformat that is non-executable. Allow only letters, numbers and punctuation. Subset of ASCII. ASCII is 8 bit

        ASCII is seven-bit. Many extensions to ASCII, however, are eight-bit.

        There are many more alphabets (never mind the abjads, abugidas, syllabaries, and logosyllabaries) in the world than could fit in a subset of seven (or even eight) bits. Exhibit A — Unicode is 21-bit, albeit with a few thousand symbols, notational characters, and formatting characters among its 144,697 characters in version 14.

      2. Roland6 Silver badge

        Re: About The Email Store-And-Forward Process....

        >email should be text only..

        I thought that was the purpose of MIME...

      3. veti Silver badge

        Re: About The Email Store-And-Forward Process....

        Right. Now all you need to do is develop dedicated channels with foolproof malware scanning for every type of file that can be transmitted, and make sure they're free and as easy to use as email. (In thinking through the "security" aspect, remember that malware can be buried several layers deep. In this story, for instance, there's an .iso file containing a malware .exe, but there's no reason in principle why it couldn't contain a well-formed .7z file containing another .iso file containing a web server that would deliver the actual payload.)

        When you've done that, get back to us and we'll discuss managing the changeover.

  6. DaemonProcess

    insistently dumb

    Every week I hear of users who _demand_ to open any email and attachment they receive. Regardless of all the security training they get. Then they say it's our fault for allowing malware through. The question is... what legally constitutes enough protection these days - 3 different AV scanners, sandboxes, what else?

    1. Plest Silver badge

      Re: insistently dumb

      Exactly. You can't win. Users or "liberal do-gooders" screaming about not being allowed to have something, even when it's pointed out that security is a valid reason. My shop scans everything, including email wording; if anything suspicious comes up, it gets snagged and you get an email warning you that something nasty or with rude words tried to be delivered; if you still want it then contact helpdesk and they'll discuss it with you. I put my trust in the automated scanners; if they say it's nasty then helpdesk can destroy it with all the other trash at the end of each day.

      1. Anonymous Coward
        Anonymous Coward

        Re: insistently dumb

        Why 'liberal do-gooders' but not 'entitled Karens'? Is it really necessary to politicise everything?

        1. Anonymous Coward
          Anonymous Coward

          Re: insistently dumb

          Liberal dogooders is OK as it mocks the politicians, entitled karens is not as it mocks dumbufcks.

        2. Anonymous Coward
          Anonymous Coward

          Re: insistently dumb

          Hey, welcome to the modern times, where every news site of note or merit has full time trolls spewing political talking points and nonsense in response to every post.

          A little pinch of Huxley with your Orwell.

    2. Doctor Syntax Silver badge

      Re: insistently dumb

      Every week I hear of users who _demand_ to open any email and attachment they receive.

      Sign this:

      "I request permission to open any email attachment I choose. I acknowledge that I have been warned about the risks this brings to the business which pays my salary and confirm that I understand that warning and those risks. If this request is granted, this document becomes my unconditional resignation, effective immediately if an attachment I open causes damage.

      Signed ........................"

  7. Mike 137 Silver badge

    Undetectable?

    " Unusually, Bandara's CV is offered as an ISO file – a disk image file format"

    Yes, sufficiently unusual that anyone paying the slightest attention and knowing what an ISO file is would question its validity for delivery of a CV. However the situation is not helped by the OS allowing an ISO to be launched by just 'clicking' (thanks to thondwe for checking this out). Or of course by the long standing MS policy of hiding file extensions from the user, so most folks aren't even aware what they mean. So you don't have to be dumb, just uninformed and handed a system with all precautions disabled (a.k.a. situation normal).

    1. Roland6 Silver badge

      Re: Undetectable?

      No longer, 26 vendors have now updated their AV product:

      https://www.virustotal.com/gui/file/1fc7b0e1054d54ce8f1de0cc95976081c7a85c7926c03172a3ddaa672690042c

      But whether they now (or previously) routinely detected and scanned .iso's is a different question.

  8. pyhoff@gmail.com

    Iso

    Yeah, 'cause Windows insists on hiding extensions. Why? Probably some exec's decision: "the icon should be enough", he said. Agree with another poster, just put in a pop-up with the actual filename and its extension. Mark of the Web, you say? What if the file is forwarded via internal relay from a doc repo? Guess what, no Mark of the Web; just add the extension by default.

    1. js6898

      Re: Iso

      Anyone know why the decision was made back in the day to hide file extensions? Seems a pretty stupid thing to do.

      1. Irony Deficient Silver badge

        anyone know why the decision was made back in the day to hide file extensions ?

        I think that that was introduced in Windows 95. My guess was that it was done in analogy with the Mac OS desktop, so that people could use a desktop icon to visually identify a file type rather than depending upon a file extension. (A hidden file extension would also permit less horizontal space to be used underneath a desktop icon to display a file name that included a file extension.)

        1. Anonymous Coward
          Anonymous Coward

          Re: anyone know why the decision was made back in the day to hide file extensions ?

          Dumb people trying to make the OS dumber for other dumb people and then failing. Then they used the excuse that it would be too confusing to change it. But they change the UI so much with every release that the same people are totally lost, and occasionally change the default mouse scrolling direction on computers because other people made their tablets scroll the opposite direction.

          Because they are idiots and fools. Amusingly enough, we warned them at the time. But instead we still have a 90's era menu where you can fix the autorun settings one file type at a time, instead of having a choice of setting (or restoring) sane defaults. You still have to go into the file explorer settings and tell it to show extensions, hidden files, etc.

          And if it contains HTML, it will helpfully load it into a browser frame which, on detecting it came from a local file path, may make very, very poor assumptions on the level of access it should have. It may even auto-execute arbitrary JavaScript in that HTML when it loads the image preview, in addition to "preloading" any links to external resources in it.

        2. This post has been deleted by its author

      2. veti Silver badge

        Re: Iso

        Amusingly enough, lots of people back then mocked MS for using the file extension to denote the file type. So I suspect there might have been a slight cringe factor at work, and a desire to justify their previous decisions.

        The irony being that in Windows, the file extension - not its header - really does determine what application gets invoked when you click on the file.

      3. AlbertH

        Re: Iso

        anyone know why the decision was made back in the day to hide file extensions? seems a pretty stupid thing to do.

        Because Bill G insisted that their products were "easy to use", and they (wrongly) believed that the "technical bits" at the end of a filename would scare the technically illiterate numpties that they were hoping would be able to use their simplified "Windoze"

  9. Anonymous Coward
    Anonymous Coward

    Click at your peril

    I've said time and time again that until people who keep clicking on unknown attachments from unknown addresses without any thought are disciplined, then they will not learn and this problem will not go away.

    1. Plest Silver badge

      Re: Click at your peril

      Email arrives and is blocked by automated scanners due to something dodgy...

      User: "I need that email now! Do you know who I am? I'm not some nobody around here, so please release it ASAP or I'll be speaking with your superior!"

      I've actually heard that screamed down the phone to a colleague.

      1. TimMaher Silver badge
        Trollface

        Re: your superior

        To which “senior, not superior” is the correct response.

      2. WolfFan Silver badge

        Re: Click at your peril

        I’ve had that happen, to me and my guys. The request goes to the back of the queue. Interestingly enough, either the user in question never has contacted my ‘superior’ or said superior hasn’t bothered to say anything to me. And, amazingly, the user hasn’t contacted me when it’s one of my guys.

        The policy is clear. Certain file types are not allowed as attachments. Period. End of story. Send it as one of the approved file formats, or send it as a link to a cloudy thing… and there are ways to secure cloudy things, too.

        And if a user figures a way to get past our file type blocks, which has happened, and insists on playing with the file and dumps malware on the system, that’s a termination offense… and that’s happened, too.

        Users around here no longer demand that unauthorized file types be allowed in. Imagine that.

      3. sipke

        Re: Click at your peril

        It sounds like you work at a dysfunctional company. If the self-described VIPs refuse to participate in security, it's probably just a matter of time before a breach... and blame being heaped on IT.

    2. Ilgaz

      Re: Click at your peril

      No matter what you do or teach them, they will do it.

      The idea is securing the workstation. I am shocked that a company the size of SolarWinds, being in that business, didn't set up complex policies. On Windows, you gotta be Administrator to mount ISO files or install such deep-level software.

      Everyone wandering around as Root, sh*t happens.

  10. Persona Silver badge

    CV on ISO file

    I recall someone sending their CV on an ISO. They were applying for a security job. It was probably around 1999. I rejected it and the candidate out of hand without opening the ISO on the grounds that they were being a pain in the arse before I had even read their CV, let alone employed them.

  11. Fading
    Headmaster

    Can we not just get all email scanners....

    To strip the last three characters from all attachments and default Windows to open anything without an extension into a hex editor. Anyone that really needs the attachment will have to download and rename the file appropriately.

    I know this would never fly with users..... :(

    1. Ramis101

      Re: Can we not just get all email scanners....

      Nice idea, but I would go simpler.

      Simply add an extra .xxx extension to it that windows then won't helpfully open for you.

      User can't open file

      User calls support

      support opens attachment & shrieks Ye Gods!

      and the user/pleb/CEO is saved

      1. Anonymous Coward
        Anonymous Coward

        because sometimes it's about the things we add

        not the things we take away...

  12. Anonymous Coward
    Anonymous Coward

    Two problems here, as well.

    One is the users clicking on nasty things.

    However, after that happens, the corporate network should be totally fine thanks to appropriate defences.

    Trust in God, but tie up your camel.

  13. Mr. Skeezix

    What is a CV? I have no idea.

    1. veti Silver badge

      If only there was some way of asking those sorts of general knowledge questions without wasting other real people's time on them...

      1. Roland6 Silver badge

        It never ceases to amaze me how many people are able to locate and navigate websites, such as El Reg Forums; yet seem to have a total inability to use Google et al...

  14. Anonymous Coward
    Anonymous Coward

    Do it by text

    Civil service applications are by text box only. Just copy and paste.

    Only the content matters, not the fancy formatting.


Biting the hand that feeds IT © 1998–2022