Twisted ‘Tardigrade’ malware hits bio-manufacturing facilities

When ransomware hit a biomanufacturing facility this spring, something seemed off to the response team. The attackers left nothing but a lukewarm ransom note, and they did not appear particularly interested in actually collecting a payment. Then there was the malware they used: a shockingly complex strain called Tardigrade.

As researchers at the biomedical and cybersecurity firm BioBright dug deeper, they discovered that Tardigrade did more than shut down computers throughout the facility. They found that the malware could adapt to its environment, disguise itself, and even operate independently when disconnected from its command-and-control server. This was something new.

Today, the nonprofit Bioeconomy Information Sharing and Analysis Center, or BIO-ISAC, of which BioBright is a member, is publicly disclosing its findings about Tardigrade. Although the researchers do not attribute the malware to a specific developer, they say its sophistication and other digital forensic evidence point to a well-funded and motivated "advanced persistent threat" group. Moreover, they say the malware is "actively spreading" in the biomanufacturing industry.

“This definitely started with espionage, but it hit everything—disruption, destruction, espionage, all of the above,” says Charles Fracchia, CEO of BioBright. “It is by far the most sophisticated malware we have seen in the field. This is eerily similar to other attacks and campaigns by nation-state APTs targeting other industries.”

As the world scrambles to develop, produce and distribute new vaccines and medicines to combat the COVID-19 pandemic, the importance of biomanufacturing has never been clearer. Fracchia declined to comment on whether the victims' work was related to COVID-19, but emphasized that their operations play a critical role.

The researchers found that Tardigrade bears some resemblance to the popular malware downloader known as Smoke Loader. The tool, also known as Dofoil, has been used to distribute malware payloads since at least 2011 and is readily available on criminal forums. In 2018, Microsoft disrupted a large cryptocurrency-mining campaign that used Smoke Loader, and in July the security company Proofpoint published findings on a data-theft campaign that disguised the downloader as a legitimate privacy tool to trick victims into installing it. Attackers can adapt the malware's functionality with a variety of off-the-shelf plugins, and it is known for using clever technical tricks to disguise itself.

BioBright researchers say that despite its similarities to Smoke Loader, Tardigrade appears to be more advanced and offers an expanded set of customization options. It also adds trojan functionality: once installed on a victim's network, it searches for stored passwords, deploys a keylogger, begins exfiltrating data, and establishes a backdoor that lets the attackers choose their own adventure.

"This malware is designed to build itself differently in different environments, so the signature is constantly changing and difficult to detect," says Callie Churchwell, a malware analyst at BioBright. "I tested it nearly 100 times and each time it built itself differently and communicated differently. Plus, if it wasn't able to connect to the command and control server, it had the potential to be more independent and self-sufficient, which was completely unexpected."
