Named Infostealer Paipeu, this new malware targeted a specific Cylance customer, trying to steal all data

May 9, 2017 18:57 GMT

A freshly compiled piece of malicious code has been discovered in the wild, and the security company that found it cannot place it in any known malware family. Cylance has named it Infostealer Paipeu.

Cylance came across the sample after one of its prevention products quarantined a threat in the System32 directory on a customer's endpoint.

"The location of the file, the recent compile date, and the lack of similar files on known malware repositories combined to flag this sample as something we should take a deeper look at," Cylance explained.

The sample performs a direct callback to a Korean IP address. When the researchers pointed the malware at a fake server under their control, they observed an HTTP POST over port 443, the port normally reserved for HTTPS. "The entire HTTP header is hardcoded as a single string and only the POST data changes. After the POST and lacking an interesting response, the malware exits with no notable changes to the OS," Cylance said.
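An added check for the traffic pattern just described; this is example code, not part of Cylance's write-up. A TLS session on port 443 opens with a handshake record (first bytes 0x16 0x03 ...), so a flow to that port whose first client bytes are an HTTP request line is plaintext HTTP on the HTTPS port, and a header that is byte-identical across connections gives a cheap fingerprint. The IPs, path, header fields and POST bodies below are constructed for the example; the real sample's header is not reproduced on the page, and the assumption that the POST travels in the clear (which a hardcoded header string suggests, but the page does not state outright) is mine.

```python
"""Spot plaintext HTTP on TCP/443 and fingerprint repeated hardcoded headers.

Added example, not Cylance's code. All flows below are constructed; the
callback server address is a documentation (TEST-NET) address, not the
Korean IP the write-up mentions.
"""
import hashlib
from collections import Counter

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")


def classify_443_payload(data: bytes) -> str:
    """Classify the first client bytes of a flow: 'tls', 'plaintext-http' or 'unknown'.

    A TLS record starts with content type 0x16 (handshake) and major version 0x03;
    the minor byte is 0x00 (SSL 3.0) through 0x04 (TLS 1.3 ClientHello legacy field).
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def split_http_request(data: bytes):
    """Return (header bytes, body bytes) of a raw HTTP request."""
    head, _sep, body = data.partition(b"\r\n\r\n")
    return head, body


def analyze_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, first_client_bytes).

    Returns one alert dict per plaintext HTTP request seen on port 443, with a
    header fingerprint and how many flows in the batch share that exact header.
    """
    alerts = []
    header_counts = Counter()
    for src, dst, dport, payload in flows:
        if dport != 443 or classify_443_payload(payload) != "plaintext-http":
            continue
        head, body = split_http_request(payload)
        fp = hashlib.sha256(head).hexdigest()[:16]   # identical header -> identical fp
        header_counts[fp] += 1
        request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
        alerts.append({"src": src, "dst": dst, "request": request_line,
                       "header_fp": fp, "body_len": len(body)})
    for alert in alerts:
        alert["header_repeats"] = header_counts[alert["header_fp"]]
    return alerts


# Constructed sample: two beacons with a byte-identical header and different
# bodies, one genuine TLS ClientHello, and ordinary HTTP on port 80.
HARDCODED_HEADER = (b"POST /index.php HTTP/1.1\r\n"
                    b"Host: 203.0.113.10\r\n"
                    b"User-Agent: Mozilla/4.0\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n"
                    b"Content-Length: 64\r\n\r\n")
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, HARDCODED_HEADER + b"host=WS01&lang=0412&free=1024"),
    ("10.0.0.5", "203.0.113.10", 443, HARDCODED_HEADER + b"host=WS01&procs=explorer.exe,svchost.exe"),
    ("10.0.0.5", "198.51.100.7", 443, bytes.fromhex("16030100c5010000c10303")),
    ("10.0.0.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in analyze_flows(SAMPLE_FLOWS):
        print(alert)
```

On real traffic the first client-to-server payload of each flow would come from a pcap or from a sensor's connection log; the point of the fingerprint is that a beacon whose header never changes (note the fixed Content-Length that does not track the body) stands out from browser traffic, where headers vary per request.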

What can it do?

Once deployed, the malware collects and sends back information about the infected computer: the NetBIOS name of the local machine, the language identifier of the system locale, the amount of free disk space, the active processes on a specified terminal server, and the members of a specified local group. It can also add a user account and assign it a password and privilege level.

"One of the more interesting pieces in this sample is the ability to use named pipes and its enabling of NULL session pipes. Use of named pipes for communication is not unheard of in malware; PlugX and Duqu are two famous examples that have both been known to use them. When found, it's typically used for communication between different pieces of malware on a host, or between infected systems inside a LAN. Duqu was able to use it to proxy C2 commands through internet connected hosts to hosts they wouldn't otherwise be able to reach," researchers note.
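Two of the behaviours above, creating a local account with a chosen privilege level and opening named pipes, leave traces in Windows event logs that a defender can correlate. The following is an added example of that correlation, not code from Cylance or from the sample's analysis. It uses the standard Security event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group), the well-known SID of the local Administrators group, and Sysmon event 17 (pipe created). The events, account names, SIDs, process names and the pipe-creator allowlist are all constructed and simplified for the example; real log records carry more fields.

```python
"""Correlate account-creation and named-pipe events for the behaviours above.

Added example, not Cylance's code. Events are constructed and simplified:
field names follow the Windows Security (4720/4732) and Sysmon (EID 17)
schemas, but only the fields the rules need are present.
"""
from datetime import datetime

# Well-known SID of the local BUILTIN\Administrators group.
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"

# Images that legitimately create named pipes on a workstation. Constructed
# allowlist for the example; derive the real one from your own baseline.
KNOWN_PIPE_CREATORS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\spoolsv.exe",
}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_privileged_account_creation(events, window_seconds=600):
    """Flag an account created (4720) and then added to Administrators (4732)
    within window_seconds. Returns a list of alert dicts."""
    created = {}  # new account SID -> (creation time, account name, creator)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created[ev["TargetSid"]] = (ev["time"], ev["TargetUserName"], ev["SubjectUserName"])
        elif ev["id"] == 4732 and ev["TargetSid"] == BUILTIN_ADMINISTRATORS_SID:
            hit = created.get(ev["MemberSid"])  # 4732 names the member by SID
            if hit is not None:
                elapsed = (ev["time"] - hit[0]).total_seconds()
                if 0 <= elapsed <= window_seconds:
                    alerts.append({"rule": "new_local_admin", "account": hit[1],
                                   "created_by": hit[2], "seconds_to_admin": int(elapsed)})
    return alerts


def detect_unusual_pipe_creators(events):
    """Flag Sysmon 'Pipe Created' (EID 17) events from images outside the allowlist."""
    return [{"rule": "unusual_pipe_creator", "image": ev["Image"], "pipe": ev["PipeName"]}
            for ev in events
            if ev["id"] == 17 and ev["Image"].lower() not in KNOWN_PIPE_CREATORS]


def run_detections(events):
    return detect_privileged_account_creation(events) + detect_unusual_pipe_creators(events)


# Constructed sample: an implant in System32 creates a pipe, adds a user and
# makes it an administrator two seconds later; a helpdesk-created account that
# becomes an admin hours afterwards stays below the default window.
SAMPLE_EVENTS = [
    {"id": 17, "time": _t("2017-05-07 09:14:02"), "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\ntsvcs"},
    {"id": 17, "time": _t("2017-05-07 09:14:05"), "Image": r"C:\Windows\System32\netsync32.exe",
     "PipeName": r"\pipe_example"},
    {"id": 4720, "time": _t("2017-05-07 09:14:09"), "SubjectUserName": "SYSTEM",
     "TargetUserName": "support", "TargetSid": "S-1-5-21-1111-2222-3333-1005"},
    {"id": 4732, "time": _t("2017-05-07 09:14:11"), "SubjectUserName": "SYSTEM",
     "MemberSid": "S-1-5-21-1111-2222-3333-1005", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544"},
    {"id": 4720, "time": _t("2017-05-07 10:00:00"), "SubjectUserName": "helpdesk",
     "TargetUserName": "jdoe", "TargetSid": "S-1-5-21-1111-2222-3333-1006"},
    {"id": 4732, "time": _t("2017-05-07 13:30:00"), "SubjectUserName": "helpdesk",
     "MemberSid": "S-1-5-21-1111-2222-3333-1006", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The account rule keys on SIDs rather than names because 4732 records the new member by SID, and the time window is what separates an implant's create-then-elevate burst from routine administration; the pipe rule is only as good as its allowlist, so it is a hunting aid against a known baseline rather than a standalone alert.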

The sample can also dump password hashes: it embeds two pwdump DLLs, one 32-bit and one 64-bit.

The sample was compiled just two days before Cylance found it, which, together with the fact that it cannot be tied to any known malware family, suggests a targeted attack.