Skip to main content

Stealthy malware shows why you shouldn’t open unknown emails

A new kind of malware was recently discovered that managed to slip past 56 separate antivirus products before finally getting caught.

The malware, when executed, can cause some serious damage to your device — and it seems to be so well made that it might be the product of nation-state actors. Opening an email attachment is all it takes to grant it enough entry to wreak havoc.

Hands on a laptop.
EThamPhoto / Getty Images / EThamPhoto / Getty Images

Unit 42, a threat intelligence team from Palo Alto, has just published a report on a piece of malware that managed to avoid detection from a massive 56 antivirus products. According to the team, the way the malware was built, packaged, and deployed is very similar to various techniques used by the APT29 threat group, also known under the names of Iron Ritual and Cozy Bear. This group has been attributed to Russia’s Foreign Intelligence Service (SVR), which indicates that the malware in question could be a nation-state affair.

Recommended Videos

According to Unit 42, the malware was first spotted in May 2022, and it was found hidden within a pretty strange file type — ISO, which is a disk image file used to carry the entire contents of an optical disc. The file comes with a malicious payload that Unit 42 believes was created using a tool called Brute Ratel (BRC4). BRC4 prides itself on being hard to detect, citing the fact that the tool’s authors reverse-engineered antivirus software in order to make the tool even stealthier. Brute Ratel is particularly popular with APT29, adding further weight to the claim that this malware could be linked to the Russia-based Cozy Bear group.

The ISO file pretends to be the curriculum vitae (resume) of someone named Roshan Bandara. Upon arrival in the recipient’s email mailbox, it doesn’t do anything, but when clicked, it mounts as a Windows drive and displays a file called “Roshan-Bandara_CV_Dialog”. At that point, it’s easy to get fooled — the file appears to be a typical Microsoft Word file, but if you click it, it executes cmd.exe and proceeds to install BRC4.

When that’s done, any number of things could happen to your PC — it all depends on the attacker’s intentions.

Unit 42 notes that finding this malware is worrying for a number of reasons. For one, there is a high probability that it is linked to APT29. Aside from the reasons listed above, the ISO file was created on the same day as when a new version of BRC4 was made public. This suggests that state-backed cyber attack actors could be timing their attacks to deploy them at the most opportune times. APT29 has also used malicious ISOs in the past, so everything seems to fall in line.

The near-undetectability is worrying in itself. For malware to be that stealthy takes a lot of work, and it suggests that such attacks could pose a real threat when used by the wrong team of people.

How can you stay safe?

A digital security lock.
zf L / Getty Images

Amidst frequent reports that cyber attacks have been on a massive rise in recent years, one can hope that many users are now more conscious of the dangers of trusting random people and their files all too much. However, sometimes these attacks come from unexpected sources and in various forms. Enormous distributed denial-of-service (DDoS) attacks happen all the time, but these are more of a problem for enterprise users. Sometimes, software that we know and trust can be used as a decoy to fool us into trusting the download. How to stay safe when danger seems to be lurking around every corner?

First of all, it’s important to realize that a lot of these large-scale cyberattacks are made to target organizations — it’s unlikely that individuals would be targetted. However, in this particular case where the malware is hidden within an ISO file that poses as a resume, it could plausibly be opened by people in various HR settings, including those in smaller organizations. Bigger businesses often have more robust IT departments that wouldn’t allow the opening of an unexpected ISO file — but you never know when something might slip through the cracks.

With the above in mind, it’s never a bad idea to follow a very simple rule that many of us still forget at times — never open attachments from unknown recipients. This can be difficult for an HR department that’s actively collecting resumes, but you, as an individual, can implement that rule into your daily life and not miss out on anything. It’s also not a bad idea to pick up one of the best antivirus software options available. However, the greatest security can be gained by simply browsing mindfully and not visiting websites that might not seem too legit as well as being cautious about your emails.

Monica J. White
Monica is a computing writer at Digital Trends, focusing on PC hardware. Since joining the team in 2021, Monica has written…
The FBI broke Apple’s iPhone encryption. Here’s why you shouldn’t panic
iPhone 11 Pro feature image

If you’re worried about your iPhone’s security after the Justice Department announced it had broken into yet another terrorist’s cell phone, don’t panic. The FBI and its hacking prowess probably aren’t any concern of yours, as long as you're not a terrorist.

The Justice Department announced on Monday that it had found a link between the terrorist group Al Qaeda and the man who killed three U.S. sailors in a terrorist attack at a military base in Pensacola, Florida, in December, CNN reported. The bigger deal was that the department was able to make this connection because it broke through the encryption on the shooter’s iPhone after a very public back-and-forth with Apple, wherein the company refused to decrypt the phone.

Read more
Here’s why you shouldn’t charge your MacBook Pro on the left side
Fitbit Versa Lite Review

If you own a MacBook Pro (if you don't, you can always get one with a discount thanks to the Black Friday MacBook deals) and have noticed it gets hot while charging, there could be a simple solution. Only charge it using the ports on the right-hand side of your device.

The issue seems to affect USB-C MacBook Pro models, meaning any high-end Apple laptop from 2016 onward. When charging the laptop using one of the left-hand USB-C ports, the laptop gets unusually hot and the fans start spinning to counteract the increased heat. Given that one of the selling points of Apple laptops is near-silent operation, that is less than ideal.

Read more
Google is shutting down your Chromebook apps, but here’s why you shouldn’t worry
pixelbook go hands on features price photos video release date google hero

The focus of Chromebooks has always been the Chrome web browser. Apps were always an afterthought, and ever since Google introduced the Android Play Store to Chrome OS, users have had three different ways to experience apps on their Chromebooks.

First, there are Chrome Apps, which are specially packaged and run inside the Chrome web browser. These are the ones Google is shutting down, with a final shutdown date set for 2022.

Read more