A new strain of malware has been discovered which targets Windows, Linux and macOS.
The researchers who discovered it report that it masquerades as a system update.
First discovered in December 2021, it appears to have been active since the second half of 2021, based on domain registrations and VirusTotal submissions.
The initial stages of the malware grant an operator backdoor access to a network.
It was seen checking in with the command-and-control (C&C) servers for instructions, but no further stages of interaction were observed during this time, so its full capabilities are not known.
The malware uses common persistence techniques which can be easily detected.
On Windows machines, it uses a registry key to execute a binary at startup:
Name: igfxCUIService
Type: REG_SZ
Data: "C:\ProgramData\SystemData\igfxCUIService.exe"
On Linux devices, the malware creates a cron job to run on a schedule.
On macOS it creates a LaunchAgent under the path /Library/LaunchAgents/com.apple.update.plist.
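As an added example (not code from the report or its authors), the following Python triage script checks already-collected host artifacts against the three persistence locations described above. The registry entry and LaunchAgent path come from the report; the ProgramData and cron heuristics, the trusted-directory list and the sample artifacts are constructed assumptions.

```python
import shlex

# Exact artifacts quoted in the report.
KNOWN_RUN_ENTRY = ("igfxCUIService", r"C:\ProgramData\SystemData\igfxCUIService.exe")
KNOWN_LAUNCH_AGENT = "/Library/LaunchAgents/com.apple.update.plist"
# Assumed heuristic (not from the report): cron programs normally live under these prefixes.
TRUSTED_CRON_DIRS = ("/usr/", "/bin/", "/sbin/", "/etc/", "/opt/")

def check_run_entries(entries):
    # entries: {Run value name: REG_SZ data}; exact match is 'high', any ProgramData autostart 'review'.
    findings = []
    for name, data in entries.items():
        path = data.strip('"')
        if (name, path) == KNOWN_RUN_ENTRY:
            findings.append(("high", "registry", f"{name} -> {path}"))
        elif path.lower().startswith("c:\\programdata\\"):
            findings.append(("review", "registry", f"{name} -> {path}"))
    return findings

def check_launch_agents(paths):
    # Apple's own agents ship under /System/Library, so a com.apple.* plist here is out of place.
    findings = []
    for p in paths:
        if p == KNOWN_LAUNCH_AGENT:
            findings.append(("high", "launchagent", p))
        elif p.startswith("/Library/LaunchAgents/com.apple."):
            findings.append(("review", "launchagent", p))
    return findings

def check_crontab(lines):
    # The report gives no cron specifics: flag jobs whose program is outside the trusted prefixes.
    findings = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # '@reboot cmd' has one schedule field; 'm h dom mon dow cmd' has five.
        cmd = fields[1:] if fields[0].startswith("@") else fields[5:]
        if cmd and not shlex.split(" ".join(cmd))[0].startswith(TRUSTED_CRON_DIRS):
            findings.append(("review", "cron", line))
    return findings

# Constructed sample artifacts, not data from a real host.
SAMPLE_RUN = {"ExampleTool": r"C:\Program Files\ExampleTool\tool.exe",
              "igfxCUIService": r'"C:\ProgramData\SystemData\igfxCUIService.exe"'}
SAMPLE_AGENTS = ["/Library/LaunchAgents/com.apple.update.plist",
                 "/Library/LaunchAgents/com.example.helper.plist"]
SAMPLE_CRON = ["# m h dom mon dow command", "0 3 * * * /usr/bin/certbot renew",
               "@reboot /home/user/.cache/updater --quiet"]
```

Feed each checker the corresponding artifacts exported from a host (Run-key values, the LaunchAgents listing, crontab output) and review anything it returns.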
Based on victimology, the researchers assess that these are targeted attacks.
It’s rare for new strains of malware to be found in the wild, in particular for Linux.
The fact that this was written from scratch for each of the three most common operating systems suggests a well-resourced threat actor.
It is more usual for crime groups to use off-the-shelf commodity malware.