A recent report by Unit 42 highlights the discovery of several new malware samples with unique characteristics. These samples posed challenges in attribution and function determination. While many threat actors use readily available offensive security tools, researchers are also seeing novel, custom-built malware with new tricks and techniques. The report details three particularly unusual malware examples encountered in the past year.
Rare C++/CLI IIS Backdoor Emerges
Unit 42 revealed a novel passive Internet Information Services (IIS) backdoor written in the rarely used C++/CLI programming language. “This programming language is very rare among malware authors, likely because C++/CLI is poorly documented compared to other languages,” noted Unit 42.
The backdoor operates by registering itself with IIS to monitor HTTP responses. Attackers communicate with the backdoor using encrypted HTTP requests containing specific headers. The malware notably employs AES encryption for command processing and result transmission, leveraging AMSI and ETW patching techniques to evade detection.
Researchers remarked on its complexity, stating, “Even though it has been professionally created, there appear to be weak spots that facilitate detection and analysis,” such as cleartext debug strings and hard-coded credentials. Despite these weaknesses, the malware represents a significant evolution in targeted attack methodologies.
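Because a passive IIS backdoor of this kind has to be registered as an IIS module (native or managed) before it can see requests and responses, one practical defender check is to compare a server's module registrations against a known-good baseline. The script below is an added example and is not code from the Unit 42 report; it assumes the WebAdministration PowerShell module that ships with the IIS role, and the baseline names in it are constructed placeholders you would replace with an export from a clean build.

```powershell
# Added example (not from the Unit 42 report): audit IIS module registrations against a baseline.
# Assumes the WebAdministration module (installed with the IIS role). Run on the IIS host as an admin.
Import-Module WebAdministration

# Constructed baseline placeholders: replace with the module lists exported from a clean, identical build.
$knownNativeModules  = @('UriCacheModule', 'FileCacheModule', 'StaticFileModule', 'DefaultDocumentModule',
                         'AnonymousAuthenticationModule', 'HttpLoggingModule', 'RequestFilteringModule',
                         'ManagedEngineV4.0_32bit', 'ManagedEngineV4.0_64bit')
$knownManagedModules = @('OutputCache', 'Session', 'WindowsAuthentication', 'FormsAuthentication',
                         'DefaultAuthentication', 'RoleManager', 'UrlAuthorization', 'FileAuthorization',
                         'AnonymousIdentification', 'Profile', 'UrlMappingsModule')

function Get-UnexpectedIisModules {
    $findings = @()

    # Native (global) modules: an unknown name, or a DLL living outside %windir%, is the first thing to look at.
    foreach ($m in Get-WebGlobalModule) {
        $unknownName = $knownNativeModules -notcontains $m.Name
        $oddPath     = $m.Image -notmatch '^%windir%\\'
        if ($unknownName -or $oddPath) {
            $findings += [pscustomobject]@{
                Kind = 'Native'; Name = $m.Name; Location = $m.Image; PreCondition = $m.PreCondition
            }
        }
    }

    # Managed modules: registered by .NET type name. A mixed-mode C++/CLI assembly would appear here,
    # so an unrecognised type (or one resolved from an unexpected assembly) deserves a closer look.
    foreach ($m in Get-WebManagedModule) {
        if ($knownManagedModules -notcontains $m.Name) {
            $findings += [pscustomobject]@{
                Kind = 'Managed'; Name = $m.Name; Location = $m.Type; PreCondition = $m.PreCondition
            }
        }
    }
    return $findings
}

# Anything listed here is not proof of compromise, but it is the set of modules to verify by hand
# (file hash, signer, install time) before trusting the server.
Get-UnexpectedIisModules | Format-Table -AutoSize
```

Site-level module registrations in individual web.config files are not covered by the two cmdlets above, so extend the baseline check to those paths on servers that host several applications.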
Dixie-Playing Bootkit Uses Kernel Driver Exploit
Another unusual discovery detailed by Unit 42 is a bootkit designed to install a GRUB 2 bootloader, an unprecedented tactic. Abusing an unsecured kernel driver, this bootkit installs a customized bootloader capable of playing the song “Dixie” through the PC speaker upon system reboot, which suggests a prank or proof-of-concept malware rather than a financially motivated tool.
“To our knowledge, this is the first malware that installs a GRUB 2 bootloader,” the researchers stated. The malware, uploaded from a real victim system in Oxford, Mississippi, employed administrative privileges to gain system persistence, highlighting potential risks associated with privilege escalation and driver security.
ProjectGeass: New Multi-Platform Red Team Framework
Unit 42 also analyzed ProjectGeass, a new red team framework under active development. “ProjectGeass is a post-exploitation framework that appears to have been developed for a professional or commercial purpose,” Unit 42 described. Developed in C++, ProjectGeass supports multiple platforms, including Windows, Android, and Unix/Linux, and utilizes encrypted communication and command execution features typical of advanced red team tools.
Researchers highlighted its extensive capabilities, including keylogging, process management, file system interactions, and command execution, indicating its potential use in complex penetration testing scenarios.
For further details, review the complete findings at Unit 42.