Evasive New Malware Dodges Detection From Over 50 AV Scanners, Security Report Warns

Security researchers say they've uncovered a sneaky new malware strain that may go undetected by virtually all antivirus scanners on the market. While they have not tested each and every one of them in existence, they did upload the sample to VirusTotal and all 56 AV scanners on the site failed to detect a malicious payload.

This malware's ability to evade detection so expertly, as this strain was specifically designed to do, is precisely what makes it "uniquely dangerous."

"The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market. While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated," researchers at Palo Alto Networks' Unit 42 threat intelligence division stated in a blog post.

According to the malware's description, its developers built the strain after reverse engineering some of the top endpoint detection and response (EDR) and antivirus engines. That's part of the reason why it's so adept at going undetected. It's also part of the reason why Unit 42 researchers believe that this is state-sponsored malware.

The other reason is the distribution path. It spoofs a CV document but is packaged as a self-contained ISO containing a Windows shortcut (LNK), a malicious payload DLL, and a legitimate copy of Microsoft OneDrive Updater. Once a machine is infected, a potential world of hurt awaits—it can download more malware, take screenshots, upload sensitive files to a command and control center, and more.
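The packaging described above gives defenders a simple triage signal: a disk image whose contents put a shortcut, a DLL, and an executable side by side. The following sketch is an added example, not code from Unit 42 or from this article. It inspects only a listing of file names, and the sample listings, the function name, and the lure-word list are constructed assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: words that make a container look like a job-application document.
LURE_WORDS = {"cv", "resume", "curriculum"}

def triage_iso_listing(container_name, members):
    """Return the reasons a disk-image listing matches the delivery pattern
    described above (LNK + DLL + executable in one ISO); [] means no match."""
    container = PureWindowsPath(container_name)
    if container.suffix.lower() != ".iso":
        return []
    # Group file extensions by the directory they live in, because the
    # pattern relies on the shortcut, DLL and executable being co-located.
    exts_by_dir = defaultdict(set)
    for member in members:
        path = PureWindowsPath(member)
        exts_by_dir[str(path.parent).lower()].add(path.suffix.lower())
    reasons = [
        f"shortcut, DLL and executable side by side in '{directory}'"
        for directory, exts in sorted(exts_by_dir.items())
        if {".lnk", ".dll", ".exe"} <= exts
    ]
    if not reasons:
        return []
    # Token match (not substring) so that e.g. "recovery.iso" does not hit "cv".
    tokens = set(re.split(r"[^a-z0-9]+", container.stem.lower()))
    if tokens & LURE_WORDS:
        reasons.append("container is named like a CV/resume document")
    return reasons

# Constructed sample listings (file names are invented for illustration).
SUSPECT = ("Jane_Doe_CV.iso", ["Jane_Doe_CV.lnk", "updater.exe", "helper.dll"])
BENIGN_INSTALLER = ("driver_pack.iso", ["setup.exe", "lib/core.dll", "readme.txt"])
NOT_AN_ISO = ("Jane_Doe_CV.zip", ["Jane_Doe_CV.lnk", "updater.exe", "helper.dll"])

if __name__ == "__main__":
    for name, files in (SUSPECT, BENIGN_INSTALLER, NOT_AN_ISO):
        print(name, "->", triage_iso_listing(name, files) or "no match")
```

A match is a reason to escalate the file for analysis, not a verdict: the check does not open the files or verify signatures.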

"Overall, we believe this research is significant in that it identifies not only a new red team capability that is largely undetectable by most cybersecurity vendors, but more importantly, a capability with a growing user base that we assess is now leveraging nation-state deployment techniques," the researchers added.

This sneaky malware started off as a hobby and has morphed into a full-time development project. The latest version hit the scene in mid-May and costs $2,500 per user. It's expected that the developer(s) will rake in more than $1 million from this strain over the next year.

Fortunately, Unit 42 shared its findings with its fellow Cyber Threat Alliance (CTA) members, so hopefully AV makers will get to work on updating their scanners. At least until the next version. As always, be sure to keep whatever AV software you're using up to date.