February 8, 2019

Trojan Targeting Only Italian Machines Contains Cheeky Mario Image

“Sometimes huge clues like this are put into samples on purpose.”

By CBR Staff Writer

Security researchers at virtualization-based security enterprise Bromium have encountered a cheeky Super Mario reference within a malware attack targeting Italian systems.

Bromium engineer Matthew Rowen was investigating a piece of malware hidden inside an Excel spreadsheet. He discovered that the malware was coded to execute only if it was on a machine based in Italy.

Once an unsuspecting user opens the Excel sheet, they are greeted by a common warning such as ‘It’s not possible to view the preview online. To view the content, you need to click on “enable edit”’. Once they press “enable content”, the Trojan malware launches a cmd.exe and PowerShell operation.
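
One way to detect the launch chain described above (Excel starting cmd.exe, which in turn starts PowerShell), as an added example that is not from the article or from Bromium. The event field names (`pid`, `ppid`, `image`) and the sample events are constructed assumptions, loosely modelled on process-creation telemetry.

```python
# Added example: flag PowerShell whose process ancestry leads back to Excel.
# Field names (pid, ppid, image) are assumed; the sample events are constructed.

OFFICE = {"excel.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed sample process-creation events.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def basename(image):
    """Lower-cased file name of a Windows path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid, max_depth=16):
    """Return image names from pid up to the oldest known parent."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)  # stops a loop if PID reuse makes the parent links circular
        event = by_pid[pid]
        chain.append(basename(event["image"]))
        pid = event["ppid"]
    return chain


def find_office_spawned_powershell(events):
    """Return (pid, chain) for each PowerShell process descended from Excel."""
    by_pid = {e["pid"]: e for e in events}  # simplification: last event per PID wins
    alerts = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        chain = ancestry(e["pid"], by_pid)
        # chain[0] is the shell itself; look for Excel among its ancestors,
        # so an intermediate cmd.exe does not hide the relationship.
        if any(name in OFFICE for name in chain[1:]):
            alerts.append((e["pid"], " <- ".join(chain)))
    return alerts


if __name__ == "__main__":
    for pid, chain in find_office_spawned_powershell(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {chain}")
```

PowerShell started directly from explorer.exe (pid 500 in the sample) is not flagged; only the instance whose ancestry passes through Excel is.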

Mario Image Contained within the Malware.

The malware downloads an image of Super Mario to your device, within which is hidden a PowerShell attack containing the GandCrab Trojan. GandCrab, first discovered in January of 2018, encrypts users’ files with a unique key and then tries to extort a ransom in cryptocurrency.

Matthew Rowen, Member of Technical Staff, Engineering at Bromium, wrote in a security blog: “Steganographic techniques such as using the low-bits from pixel values are clearly not new, but it’s rare that we see this kind of thing in malspam; even at Bromium, where we normally see slightly more advanced malware that evaded the rest of the endpoint security stack. It’s also pretty hard to defend against this kind of traffic at the firewall.”

The Unavoidable Blue PowerShell Attack

Fileless malware attacks often use default Windows tools to carry out malicious actions or move laterally across a network to other machines. The most common Windows tools used in these types of attacks are PowerShell and WMI, which are installed on nearly every Windows machine. PowerShell is a scripting language that, when used by threat actors, can give them unrestricted access to Windows APIs and the system’s inner core.

Fred O’Connor, a researcher at endpoint security company Cybereason, commented in a blog: “PowerShell’s ability to run remotely through WinRM makes it an even more appealing tool. This feature enables attackers to get through Windows Firewall, run PowerShell scripts remotely or simply drop into an interactive PowerShell session, providing complete admin control over an endpoint.” He also notes that if WinRM is not on, it can be turned on remotely through WMI using a single line of code.


Hackers and coders who are part of the cyber black market have a vested interest in integrating some form of signature within their work. Just as in any market, if something becomes a runaway hit, they can claim ownership and then elicit more money for use of their products.

Matthew Rowen commented on his find: “Malware authors actually spend quite a lot of effort on marketing, including often mentioning specific researchers by name within samples. It’s not clear whether or not this sample was actually trying to encourage me to investigate or not, but sometimes huge clues like this are put into samples on purpose.”
