Stealthy ‘Tardigrade’ Malware Hits Biomanufacturing Facilities

When ransomware hit a biomanufacturing facility this spring, something about the attack seemed off. The attackers left only a half-hearted ransom note and appeared uninterested in actually collecting a payment. Then there was the malware they used: a surprisingly sophisticated strain called Tardigrade.

As researchers at the biomedical and cybersecurity firm BioBright dug in, they found that Tardigrade did more than lock down computers across the facility. The malware could adapt to its environment, conceal itself, and keep operating on its own if cut off from its command-and-control server. That was something new.

Now the cybersecurity nonprofit Bioeconomy Information Sharing and Analysis Center, or BIO-ISAC, of which BioBright is a member, has publicly disclosed its findings about Tardigrade. The group has not attributed the malware to a specific developer, but it says the code’s sophistication and other digital forensic clues point to a well-funded and motivated “advanced persistent threat” group. The malware, it adds, is “actively spreading” across the biomanufacturing industry.

“It almost certainly started with espionage, but it hit everything — disruption, destruction, espionage, all of it,” said Charles Fracchia, CEO of BioBright. “It’s the most sophisticated malware we’ve seen in this space. It’s remarkably similar to other APT attacks and campaigns in the country targeting other industries.”

As the world races to develop, manufacture, and distribute new vaccines and drugs against the Covid-19 pandemic, the importance of biomanufacturing is on full display. Fracchia declined to say whether the victims were working on Covid-19-related products, but stressed that their processes play an important role.

The researchers found that Tardigrade resembles a popular malware downloader known as Smoke Loader. Also known as Dofoil, the tool has been used to distribute malware payloads since at least 2011 and is readily available on criminal forums. In 2018, Microsoft disrupted a large cryptocurrency-mining campaign that used Smoke Loader, and in July the security company Proofpoint published findings on a data-theft attack in which the downloader was disguised as a legitimate privacy tool to trick victims into installing it. Attackers can customize the malware’s functionality with a variety of ready-made plug-ins, and it is known for clever technical tricks to hide itself.

BioBright’s researchers say that despite the similarities to Smoke Loader, Tardigrade appears more advanced and offers a wider range of customization options. It also adds trojan functionality, meaning that once it lands on a victim’s network it hunts for stored passwords, deploys a keylogger, starts exfiltrating data, and establishes a backdoor that lets the attackers choose their own adventure.

“This malware is designed to make itself different in different environments, so the signature is constantly changing and harder to find,” said Callie Churchwell, a malware analyst at BioBright. “I’ve tried it almost 100 times, and each time it builds itself in a different way and communicates differently. In addition, if it can’t communicate with the command-and-control server, it has the ability to be more autonomous and self-sufficient, which was unexpected.”
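The detection consequence of what Churchwell describes is that per-sample indicators stop working: if every build has a different hash and size, a blocklist of file hashes only ever catches the one copy you already have. The following is an added, constructed illustration written for this article; it is not Tardigrade's code, BioBright's analysis tooling, or any real sample. It models a payload whose malicious logic never changes but which re-encodes itself under a fresh key with random padding on every build, then compares a hash-based indicator against a rule keyed to what the sample does after it unpacks. The payload string, the layout, the `emulate` stand-in for a sandbox, and the behaviour rule are all assumptions made for the example.

```python
"""Toy model: why file-hash indicators fail against self-rebuilding malware
while a behaviour-keyed rule still fires. Constructed example, not real malware."""
import hashlib
import os

# Constructed stand-in for the logic that stays identical across builds
# (the article describes credential theft, keylogging, exfiltration, a backdoor).
PAYLOAD = b"steal_stored_passwords;start_keylogger;exfiltrate;open_backdoor"


def build_variant(seed=None):
    """Produce one 'build' of the sample.

    The payload is XOR-encoded under a fresh 16-byte key and prefixed with a
    random-length junk preamble, so size and hash differ on every build even
    though the decoded behaviour is unchanged. Layout (assumed for this toy):
    1-byte junk length | junk | 16-byte key | encoded payload
    """
    key = seed if seed is not None else os.urandom(16)
    assert len(key) == 16, "toy format uses a 16-byte key"
    junk = os.urandom(key[0] % 64)
    encoded = bytes(b ^ key[i % len(key)] for i, b in enumerate(PAYLOAD))
    return bytes([len(junk)]) + junk + key + encoded


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def hash_ioc_matches(blob, known_hashes):
    """Signature-style check: is this exact file already on the blocklist?"""
    return sha256_hex(blob) in known_hashes


def emulate(blob):
    """Stand-in for sandboxing/emulation: let the sample undo its own encoding
    so we can see what it actually does, regardless of how it was packed."""
    n = blob[0]
    key = blob[1 + n:1 + n + 16]
    encoded = blob[1 + n + 16:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(encoded))


# Behaviour rule (assumed): the sample is flagged if it performs all four actions.
BEHAVIOUR_RULE = {b"steal_stored_passwords", b"start_keylogger",
                  b"exfiltrate", b"open_backdoor"}


def behaviour_matches(blob):
    """Behaviour-keyed check: match on observed actions, not on bytes on disk."""
    actions = set(emulate(blob).split(b";"))
    return BEHAVIOUR_RULE <= actions


def compare_detections(n_builds=100):
    """Blocklist the first build, then test fresh builds against both checks.

    Returns counts of hash hits, behaviour hits, and distinct hashes seen."""
    first = build_variant()
    known = {sha256_hex(first)}
    hash_hits = behaviour_hits = 0
    hashes = set()
    for _ in range(n_builds):
        v = build_variant()
        hashes.add(sha256_hex(v))
        hash_hits += int(hash_ioc_matches(v, known))
        behaviour_hits += int(behaviour_matches(v))
    return {"hash_hits": hash_hits,
            "behaviour_hits": behaviour_hits,
            "distinct_hashes": len(hashes)}


if __name__ == "__main__":
    r = compare_detections()
    print("hash IOC hits:     ", r["hash_hits"])        # 0: every build is new bytes
    print("behaviour hits:    ", r["behaviour_hits"])   # 100: the logic never changed
    print("distinct hashes:   ", r["distinct_hashes"])  # 100
```

The point is not that XOR packing is hard to defeat; it is that the invariant worth writing a rule against is the behaviour (or the decoded payload) rather than the on-disk bytes, which is the same reasoning behind behavioural and sandbox-based detection for real polymorphic loaders.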
