Upon closer inspection, the researchers at AT&T Alien Labs identified these binaries as modified versions of the open source Prism backdoor that has been used in multiple campaigns earlier.
“We have conducted further investigation of the samples and discovered that several campaigns using these malicious executables have managed to remain active and under the radar for more than 3.5 years. The oldest samples Alien Labs can attribute to one of the actors date from the 8th of November, 2017,” note the researchers.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
- Check our roundup of the best Linux distros
- Here's our choice of the best malware removal software on the market
- Protect your devices with these best antivirus software
Calling Prism a “simplistic and straightforward” backdoor that’s easy to detect, the researchers note that the fact the modified binaries have managed to evade detection for several years is perhaps a result of the security infrastructure focussing its efforts on bigger campaigns, allowing smaller ones to slip through the gaps.
Under the radar
One of the variants analyzed by the researchers, named WaterDrop, is easily identifiable, but still manages to maintain a near-zero detection score in the VirusTotal database. Moreover, WaterDrop communications with its command and control (C2) server over plain-text HTTP.
Tracking the evolution of the malware, the researchers note that many use the same C2 server. While the earlier variants of the malware don’t implement any of the common mechanisms malware authors use to avoid being flagged, such as obfuscation, and encryption, the newer variants do, along with a few other modifications.
The researchers reason that these backdoors fly under the radar since they are usually used in smaller campaigns.
“Alien Labs expects the adversaries to remain active and conduct operations with this toolset and infrastructure. We will continue to monitor and report any noteworthy findings,” conclude the researchers.
- These are the best endpoint protection tools