Seculert researchers recently came across a malware sample they’re calling “Magic,” which had remained undetected on targeted machines for 11 months.
According to Seculert CTO Aviv Raff, the malware’s name comes from the fact that it communicates with its command and control (C2) server using a custom-made protocol, with “some_magic_code1” required at the beginning of every conversation to verify that the communication is coming from an infected machine.
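As an added illustration (not Seculert's code and not the malware's), the handshake described above gives a defender a simple network indicator: the literal token at the start of a conversation. The script below runs that check over a few constructed flows. It assumes the token appears in the clear as the first bytes an infected host sends, which is what the description implies for this sample; the payload bytes after the token, the addresses, and the function names are all made up for the example.

```python
# Added example: flag conversations whose opening payload starts with the
# "Magic" token reported by Seculert. Not from the original article.
# Assumption: the token is sent in the clear as the first bytes of the
# client's first message in each conversation, as the description implies.

# The token the article reports at the start of every C2 conversation.
MAGIC_TOKEN = b"some_magic_code1"

# Constructed sample traffic as (client, server, payload) tuples. None of
# this is real capture data; the bytes after the token are filler.
#   Flow 1: an infected host opening a conversation with the token.
#   Flow 2: a later message in the same conversation (no token; expected).
#   Flow 3: ordinary HTTP from a clean host.
#   Flow 4: the token appearing mid-payload only. The check below does
#           not treat that as a handshake, since the article says the
#           token is required at the *beginning* of the conversation.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7", b"some_magic_code1\x00\x00\x00\x01"),
    ("10.0.0.5", "203.0.113.7", b"\x00\x00\x00\x02"),
    ("10.0.0.9", "198.51.100.2", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.12", "203.0.113.7", b"hello some_magic_code1"),
]


def conversation_openers(flows):
    """Return the first payload seen for each (client, server) pair.

    Only the opening message of each pair is kept, because the indicator
    is "token at the start of the conversation", not "token anywhere".
    """
    first = {}
    for client, server, payload in flows:
        first.setdefault((client, server), payload)
    return first


def find_magic_conversations(flows, token=MAGIC_TOKEN):
    """Return a sorted list of (client, server) pairs whose opening
    payload begins with the token (exact, case-sensitive byte match)."""
    hits = []
    for (client, server), payload in conversation_openers(flows).items():
        if payload.startswith(token):
            hits.append((client, server))
    return sorted(hits)


if __name__ == "__main__":
    for client, server in find_magic_conversations(SAMPLE_FLOWS):
        print(f"possible Magic C2 handshake: {client} -> {server}")
```

The same anchored match is what an IDS signature would express (a `content` match pinned to the start of the payload) and, because the token is a fixed plaintext string, it is also the kind of indicator an attacker can change trivially in a later build. Treat a hit as a reason to pull the host for analysis, and treat the absence of hits as saying nothing about variants that encode or encrypt the handshake.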
In one example, Raff writes, “[the] C2 server responds with a command to add a new backdoor user — Username: WINDOWS, Password: MyPass1234 — which enables the attacker to remotely access the infected machine or network.”
Raff says the threat is still under development, with several clear indications of functionality that isn’t yet in use. “For instance, in case the attacker would like to open a browser on the victim’s machine, the malware will pop up on the RDP session for the attacker a box with the message: ‘TODO:Start browser,’” he writes.
The malware’s ultimate objective isn’t clear. It’s capable of setting up a backdoor, stealing information, injecting HTML into the browser, and downloading and executing additional malicious files — which means, Raff says, that “this might be only the first phase of a much broader attack.”