Malware 'meal kits' give attackers the ingredients to bypass detection

A new report from HP Wolf Security reveals that cybercriminal marketplaces are offering low-level attackers the tools needed to bypass detection and infect users in the form of so-called 'meal kits'.

These are pre-packaged malware kits which give low-level attackers all the ingredients to evade detection tools, making it easier for them to breach organizations and steal sensitive data.

Alex Holland, senior malware analyst in the HP Wolf Security threat research team, says, "Threat actors today can easily purchase pre-packaged, user-friendly malware 'meal kits' that infect systems with a single click. Instead of creating their own tools, low-level cybercriminals can access kits that use living-off-the-land tactics. These stealthy in-memory attacks are often harder to detect due to security tool exclusions for admin use, like automation."

Attack techniques include fake shipping documents concealing Vjw0rm JavaScript malware. This obfuscated code allows the malware to slip past email defenses and reach endpoints. The analyzed attack delivered Houdini, a 10-year-old VBScript RAT.

Researchers have also uncovered a 'Jekyll and Hyde' attack. This is a Parallax RAT campaign that launches two threads when a user opens a malicious scanned invoice designed to trick users. The 'Jekyll' thread opens a decoy invoice copied from a legitimate online template, reducing suspicion, while the 'Hyde' thread runs the malware in the background.

Interestingly, attackers are also targeting would-be cybercriminals by hosting fake malware building kits on code-sharing platforms like GitHub. These malicious code repositories trick wannabe threat actors into infecting their own machines. One popular malware kit, XWorm, is advertised on underground markets for as much as $500 USD, driving resource-strapped cybercriminals to buy fake cracked versions.

Among other findings, archives remain the most popular malware delivery type for the sixth quarter running, used in 36 percent of cases analyzed by HP. Also, despite being disabled by default, macro-enabled Excel add-in threats (.xlam) rose to the seventh most popular file extension abused by attackers in Q3, up from 46th place in Q2. Q3 also saw malware campaigns abusing PowerPoint add-ins.

"While the tools for crafting stealthy attacks are readily available, threat actors still rely on the user clicking," adds Holland. "To neutralize the risk of pre-packaged malware kits, businesses should isolate high-risk activities, like opening email attachments, link clicks, and downloads. This significantly minimizes the potential for a breach by reducing the attack surface."

The full report is available from the HP site.

Image credit: alphaspirit/depositphotos.com

© 1998-2024 BetaNews, Inc. All Rights Reserved.