Burned malware returns, according to Cylance: is Hacking Team responsible?


Burning malware is like Hercules fighting the nine-headed Hydra. For every head he cuts off, two more grow back in its place.

That’s the lesson from a new report by Cylance, and one both enterprise network defenders – and the public at large – should pay attention to.

Cyber mercenaries sell malware to oppressive regimes in the Middle East, which then use that malware to attack their own citizens, research from the Citizen Lab suggested earlier this year.

The current regimes in Turkey and Egypt compel local ISPs to run Canadian-made Sandvine/Procera deep packet inspection middle-boxes that inject the malware into unencrypted HTTP downloads of popular software like Avast, VLC Player and WinRAR. Large numbers of users in Egypt, Turkey and Syria (near the border with Turkey) are affected.

For the last six months, Cylance has been studying how the malware, known as Promethium or StrongPity, has changed as a result of the Citizen Lab report.

“Even though the indicators of compromise seem to disappear off your radar screen [it] doesn’t mean they’re gone,” Kevin Livelli, director of threat intelligence at Cylance, tells CSO.

Instead, the malware's authors, widely believed to be a cyber mercenary group, tweak a little code to fly under the radar again and continue selling to oppressive regimes.

Assigning attribution?

Oppressive regimes without the resources to develop their own malware instead turn to the grey market, where any number of cyber mercenary groups provide the software and hardware needed to identify, hack, stalk, harass, disappear, torture and murder dissidents, journalists, political opponents and anyone else the regime of the day doesn’t like.

Explosive reporting from Israel’s Haaretz newspaper exposed the dark underbelly of the cyber mercenary business in that country. Israel is far from the only country that permits cyber mercenaries to operate. Countries like Canada, Germany and Italy tolerate such activity as well.

Cylance declined, as a matter of company policy, to attribute the malware to a particular group of cyber mercenaries, but its report hints that it might be Hacking Team, the Italian cyber mercenary group that was hacked by a vigilante hacker going by the name Phineas Fisher and had 400GB of its source code, internal documents and emails dumped online.

“We have reason to believe [this malware group] bears a strong connection to a company based in Italy, a lead we hope to investigate in the near future,” the Cylance report said.