An airgapped machine is a computer that is so heavily secured that it has no physical or digital connections to any networks. They’re usually also heavily physically secured in datacenters and server rooms with carefully monitored physical access. To put new data into an airgapped machine, typically a cybercriminal would have to physically breach the facility that it’s in and use some sort of external or removable media for their attack, such as an optical disc, a USB drive, or an external hard disk. Using airgapped machines is really inconvenient, so computers are usually only airgapped if they handle very, very sensitive data. That makes them especially attractive targets for attackers. If an airgapped machine were a purse, it would be a Hermès white Himalaya crocodile diamond Birkin bag whereas a typical client machine would be one of my beloved Tokidoki bags. (I much prefer my Tokidoki bags, by the way.)
Palo Alto Networks Unit 42 discovered signs of a new attack against airgapped machines. Tick is a cyberespionage group that has targeted entities in South Korea and Japan. There’s a Korean defense contractor which makes USB drives according to very niche IT Security Certification Center guidelines for Korean public sector and private sector enterprise clientele. Unit 42 discovered that at least one of the USB drives has very carefully crafted malware on it. But Unit 42 researchers haven’t physically possessed any of the compromised USB drives. It should be difficult for an external party to get malware on one of those devices in the first place. Unit 42 calls the malware SymonLoader, and it exclusively exploits Windows XP and Windows Server 2003 vulnerabilities.
So Tick has been trying to attack airgapped machines with versions of Windows which haven’t been supported for a long time. Do a lot of these airgapped machines run legacy operating systems? It’s highly probable that Tick carefully fingerprinted their targets before they started developing SymonLoader.
Here’s the attack scenario that Unit 42 hypothesizes. Tick somehow acquired and compromised some of these heavily secured USB drives. They put their SymonLoader malware on them whenever they can acquire access to them. Once a compromised drive is mounted into a targeted airgapped Windows XP or Windows Server 2003 machine, SymonLoader exploits vulnerabilities which only pertain to those operating systems. While SymonLoader is in memory, if more heavily secured USB drives are detected as mounted to the file system, it’ll try to load the unknown malicious file using APIs designed for file system access. It’s the cycle of very specifically designed malware for very specific targets! It’s custom tailored haute couture Windows malware! It’s too exclusive for little people like me! (I use currently supported Linux Mint anyway.) Because Unit 42 doesn’t have any of the compromised drives in their possession, they can only speculate how the drives have been infected and how they’re delivered to their targets.
Tick has been known to turn legitimate applications into Trojans. Here’s what Unit 42 wrote about HomamDownloader last summer:
“HomamDownloader is a small downloader program with minimal interesting characteristics from a technical point of view. HomamDownloader was discovered to be delivered by Tick via a spearphishing email. The adversary crafted credible email and attachment after understanding the targets and their behavior…
In addition to the social engineering email technique, the attacker also employs a trick to the attachment. The actor embedded malicious code to a resource section of the legitimate SFX file created by a file encryption tool, and modified the entry point of the program for jumping to the malicious code soon after the SFX program starts. The malicious code drops HomamDownloader, then jumps back to the regular flow in the CODE section, which in turn asks the user the password and decrypts the file. Therefore, once a user executes the attachment and sees the password dialog on SFX, the downloader dropped by the malicious code starts working even if the user chooses the Cancel on the password window.”
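The Trojanizing trick in the quote leaves a static trace: the PE entry point lands in the resource section instead of the code section. The check below is an added example for defenders, not code from Unit 42 or the original post; the section-name list and the constructed header-only sample are assumptions.

```python
import struct

# Assumption: section names that normally hold data, not the first instruction.
NON_CODE_NAMES = {".rsrc", ".reloc", ".rdata", ".data", ".idata"}

def entry_point_section(pe: bytes):
    """Return the name of the section containing AddressOfEntryPoint, or None."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24                    # optional header follows the 20-byte COFF header
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)
    table = opt + opt_size                 # section table follows the optional header
    for i in range(n_sections):
        off = table + 40 * i               # each section header is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", pe, off + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return name
    return None

def is_suspicious(pe: bytes) -> bool:
    """Flag an entry point outside every section or inside a data-style section."""
    name = entry_point_section(pe)
    return name is None or name.lower() in NON_CODE_NAMES

def make_sample(entry_rva: int) -> bytes:
    """Constructed header-only PE32 image: CODE at RVA 0x1000, .rsrc at RVA 0x3000."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    def section(name: bytes, vaddr: int, size: int) -> bytes:
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, vaddr, size, 0) + bytes(16)
    return (dos + b"PE\0\0" + coff + opt
            + section(b"CODE", 0x1000, 0x2000) + section(b".rsrc", 0x3000, 0x1000))

if __name__ == "__main__":
    for rva in (0x1500, 0x3200):
        sample = make_sample(rva)
        print(hex(rva), entry_point_section(sample), is_suspicious(sample))
```

Packers also move the entry point out of the first code section, so treat a hit as a triage signal for installers and self-extracting archives rather than a verdict.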
Now it’s time to return to SymonLoader. Once a USB drive with SymonLoader is mounted into one of Tick’s targets, it tries to have the user execute it by using a Trojanized version of some sort of software that the user would want to install in their environment. Once executed, SymonLoader looks for other secured USB drives if and when they’re mounted into the file system.
SymonLoader extracts a hidden executable file from a special secured USB drive and then executes it. Unit 42 researchers haven’t had a copy of the file to examine for themselves. But they’re pretty confident that Tick is behind this attack because they’ve found shellcode which resembles shellcode the group has previously been known to use.
SymonLoader checks the machine for its version of Windows and if it’s newer than Windows Server 2003 or Windows XP, then it stops trying to do anything else. Windows Vista is its kryptonite, I guess. If the machine’s OS is Windows XP or Windows Server 2003, then a hidden window is created which continuously checks for mounted drives as they become part of the file system. SymonLoader uses the SCSI INQUIRY command to verify whether any of the newly mounted drives is the specific secured device model it’s looking for. If the parameters match, SymonLoader then extracts an unknown file from the USB drive.
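Defenders can read the same SCSI INQUIRY identity fields to inventory which removable drive models get mounted on legacy airgapped hosts. The parser below is an added example, not code from Unit 42 or the original post; the allow-list entry, the sample vendor and product strings, and the classification labels are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class InquiryIdentity:
    device_type: int   # byte 0, bits 4-0 (0x00 = direct-access block device)
    removable: bool    # byte 1, bit 7 (RMB)
    vendor: str        # bytes 8-15, space padded ASCII
    product: str       # bytes 16-31, space padded ASCII
    revision: str      # bytes 32-35, space padded ASCII

def parse_inquiry(data: bytes) -> InquiryIdentity:
    """Decode the fixed 36-byte header of standard INQUIRY data."""
    if len(data) < 36:
        raise ValueError("standard INQUIRY data is at least 36 bytes")
    def text(field: bytes) -> str:
        return field.decode("ascii", errors="replace").strip(" \x00")
    return InquiryIdentity(data[0] & 0x1F, bool(data[1] & 0x80),
                           text(data[8:16]), text(data[16:32]), text(data[32:36]))

# Hypothetical allow-list of (vendor, product) pairs approved for this enclave.
APPROVED_MODELS = {("EXAMPLE", "SecureDrive X1")}

def classify(data: bytes) -> str:
    """Map one INQUIRY response to a removable-media policy decision."""
    try:
        ident = parse_inquiry(data)
    except ValueError:
        return "reject: malformed INQUIRY data"
    if not ident.removable:
        return "ignore: fixed disk"
    if (ident.vendor, ident.product) in APPROVED_MODELS:
        return "approved model: log mount and scan before use"
    return "alert: unapproved removable model"

def make_inquiry(vendor: str, product: str, revision: str, removable: bool = True) -> bytes:
    """Constructed sample response; not captured from a real device."""
    header = bytes([0x00, 0x80 if removable else 0x00, 0x06, 0x02, 31, 0, 0, 0])
    return (header + vendor.ljust(8).encode("ascii")
            + product.ljust(16).encode("ascii") + revision.ljust(4).encode("ascii"))

if __name__ == "__main__":
    print(classify(make_inquiry("EXAMPLE", "SecureDrive X1", "1.00")))
    print(classify(make_inquiry("GENERIC", "Flash Disk", "8.07")))
```

INQUIRY strings are reported by the device itself, so this supports inventory and alerting but does not authenticate a drive.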
Not a lot else is known about how SymonLoader behaves or why, but Unit 42 wrote this:
“While we do not have a copy of the file hidden on the secure USB, we have more than enough information to determine it is more than likely malicious. Weaponizing a secure USB drive is an uncommon technique and likely done in an effort to compromise airgapped systems, which are systems that do not connect to the public internet. Some industries or organizations are known for introducing air gapping for security reasons. In addition, outdated version operating systems are often used in those environments because of no easy-update solutions without internet connectivity. When users are not able to connect to external servers, they tend to rely on physical storage devices, particularly USB drives, for data exchange. The SymonLoader and secure USB drive discussed in this blog may fit for this circumstance.”
That’s some MacGyver-level malware development and distribution. It would be fascinating and illuminating to know who Tick’s specific targets are, because it’s clear that they really, really want something from them.
Tags: malware,Symonloader Malware