SideWinder APT Group: Victims in Pakistan and Turkey Stricken with Multiphase Polymorphic Attack

Government authorities and individuals in Turkey have apparently been targeted by India's well-known SideWinder APT group, which is using polymorphism techniques to bypass standard signature-based antivirus (AV) detection and deliver a next-stage payload.

In a blog post published on May 8, researchers from the BlackBerry Threat Research and Intelligence team described how the attacks use documents tailored to the targets' interests which, when opened, leverage a remote template injection technique to deliver malicious payloads.

The campaign's first phase, identified last November, aimed at targets in Pakistan with a server-side polymorphic attack, while a later phase, discovered earlier this year, used phishing to distribute malicious lure documents to victims.

Notably, rather than relying on malicious macros in the lure documents to deliver malware, which is the common approach when documents are used as lures, the APT exploits CVE-2017-0199 to deliver the payloads.
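A remote template injection lure leaves a static trace in the document package: a relationship part (typically word/_rels/settings.xml.rels) whose attachedTemplate relationship has TargetMode="External" and a URL target. The checker below is an added example, not code from the BlackBerry report or from SideWinder's tooling; it builds a minimal, non-functional .docx in memory (constructed, so it runs offline) and walks every .rels part looking for external attachedTemplate or oleObject relationships. It generalizes slightly beyond the text by also flagging external oleObject links, which is the shape a CVE-2017-0199-style OLE lure takes. The TEST-NET URL and the part layout are assumptions for illustration.

```python
"""Static check for remote-template / external-object relationships in OOXML documents.

Added example, not code from the BlackBerry report or from SideWinder's tooling.
It constructs a minimal (non-functional) .docx in memory so it runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that should normally never point at an external URL in a
# document received by e-mail. attachedTemplate is the remote template injection
# vector; oleObject is the vector used by CVE-2017-0199-style lures.
SUSPICIOUS_TYPES = {"attachedTemplate", "oleObject"}
REMOTE_SCHEMES = re.compile(r"^(https?|ftp|file)://", re.IGNORECASE)


def build_docx(template_target=None):
    """Build a minimal constructed .docx (just enough parts for the checker).

    When template_target is given, a word/_rels/settings.xml.rels part is added
    that declares an external attachedTemplate relationship, which is what a
    remote-template-injection lure looks like on disk.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels",
                   f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
                   f'<Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/>'
                   '</Relationships>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body/></w:document>')
        if template_target is not None:
            z.writestr("word/_rels/settings.xml.rels",
                       f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
                       f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
                       f'Target="{template_target}" TargetMode="External"/>'
                       '</Relationships>')
    return buf.getvalue()


def find_external_relationships(docx_bytes):
    """Return (part, relationship type, target) for every suspicious external link.

    Walks every *.rels part in the package rather than only settings.xml.rels,
    so templates or OLE objects hung off other parts are caught as well.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                if rel_type in SUSPICIOUS_TYPES and external and REMOTE_SCHEMES.match(target):
                    findings.append((name, rel_type, target))
    return findings


def is_suspicious(docx_bytes):
    return bool(find_external_relationships(docx_bytes))


if __name__ == "__main__":
    clean = build_docx()
    lure = build_docx("http://203.0.113.10/template.dotm")  # TEST-NET address, constructed
    print("clean:", find_external_relationships(clean))
    print("lure :", find_external_relationships(lure))
```

Because the check reads the package structure rather than the document text, it is unaffected by how the lure's visible content is tailored to the victim; a mail gateway or sandbox can apply it before the document is ever opened.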

How Polymorphism Deceives Defenders

Attackers have been using server-side polymorphism as a way to evade detection by AV tools. The researchers noted that it achieves this by having the server re-encrypt and re-obfuscate the malicious code for each delivery, so that no two samples look the same and are therefore hard to match with static signatures and difficult to analyze.
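To make the mechanism concrete, the following added example (not SideWinder's real encoding and not from the BlackBerry report) models a delivery server that wraps the same payload in a fresh XOR key and random junk on every request. The wrapper layout, the PM1 magic and the placeholder payload are all invented here; the point is that the per-download file hash changes while the decoded payload does not, so a hash or static signature on the delivered file misses the next sample, whereas a check that strips the per-sample layer first still matches.

```python
"""Model of server-side polymorphism and why per-sample hashes miss it.

Added example, not SideWinder's real encoding and not from the BlackBerry report:
the wrapper format (magic, key, junk, XOR body) is invented here to illustrate
the mechanism described in the text.
"""
import hashlib
import os
import random
import struct

# Constructed stand-in for the stage-2 payload; no real malware involved.
PAYLOAD = b"CONSTRUCTED stage-2 payload placeholder; not real malware"
MAGIC = b"PM1"
KEY_LEN = 16


def keystream(key, n):
    """Deterministic SHA-256 counter stream, so the XOR is reversible from the key."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:n])


def xor(data, key):
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def serve_polymorphic(payload=PAYLOAD):
    """What a polymorphic delivery server does per request: fresh key, fresh junk.

    Layout: MAGIC | key | junk_len (u16 BE) | junk | XOR-encrypted payload.
    Every byte after MAGIC changes between downloads, so the file hash changes
    too, although the decoded payload is identical each time.
    """
    key = os.urandom(KEY_LEN)
    junk = os.urandom(random.randint(8, 64))
    return MAGIC + key + struct.pack(">H", len(junk)) + junk + xor(payload, key)


def unwrap(blob):
    """The analyst-side inverse: recover the constant payload from any sample."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a PM1 blob")
    off = len(MAGIC)
    key = blob[off:off + KEY_LEN]
    off += KEY_LEN
    (junk_len,) = struct.unpack(">H", blob[off:off + 2])
    off += 2 + junk_len
    return xor(blob[off:], key)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hit(blob, blocked_hashes):
    """Signature-style check on the file exactly as delivered."""
    return sha256(blob) in blocked_hashes


def normalized_hit(blob, blocked_payload_hashes):
    """Check after stripping the per-sample layer: hash the decoded payload."""
    try:
        return sha256(unwrap(blob)) in blocked_payload_hashes
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    a, b = serve_polymorphic(), serve_polymorphic()
    print("same on-disk hash?", sha256(a) == sha256(b))
    print("same decoded payload?", unwrap(a) == unwrap(b) == PAYLOAD)
```

Real campaigns obfuscate the decoder as well as the body, so the practical lesson is to key detections on what survives re-encoding (the decoded stage, the network behaviour, the document structure that fetches it) rather than on the hash of any one download.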

“The att

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
