
Sophisticated ‘Tardigrade’ malware attacks biomanufacturing facilities


When ransomware hit a biomanufacturing facility this spring, something about the incident seemed off to the response team. The attackers left only a half-hearted ransom note and did not appear particularly interested in actually collecting a payment. Then there was the malware they used: an unusually complex strain now called Tardigrade.

When researchers at the cybersecurity and biomedical company BioBright dug deeper, they found that Tardigrade did more than simply lock down computers across the facility. The malware could adapt to its environment, conceal itself, and even keep operating on its own when cut off from its command-and-control server. That combination was something new in this sector.

Today the nonprofit Bioeconomy Information Sharing and Analysis Center, or BIO-ISAC, of which BioBright is a member, is publicly disclosing its findings about Tardigrade. The researchers did not attribute the malware to a specific developer, but they say its sophistication and other digital forensic clues point to an “advanced persistent threat group” that is well funded and motivated. They add that the malware is “actively spreading” in the biomanufacturing industry.

“This almost certainly started with espionage, but it affected everything — disruption, destruction, espionage, all of the above,” said Charles Fracchia, CEO of BioBright. “It is by far the most sophisticated malware we have seen in this space. This is eerily similar to other attacks and campaigns by national APTs targeting other industries.”

As the world scrambles to develop, manufacture, and distribute advanced vaccines and drugs to fight the Covid-19 pandemic, the importance of biomanufacturing has been on full display. Fracchia declined to say whether the victims were involved in Covid-19-related work, but stressed that their processes play an important role.

The researchers found that Tardigrade shares some similarities with a popular malware downloader known as Smoke Loader. Also known as Dofoil, this tool has been used to distribute malware since at least 2011 and is sold on criminal forums. In 2018, Microsoft blocked a major cryptomining campaign that used Smoke Loader, and in July the security company Proofpoint published findings about a data-theft campaign that disguised the downloader as a legitimate security tool to trick victims into installing it. Attackers can tweak the malware’s functionality with a variety of ready-made plug-ins, and it is known for using clever engineering tricks to conceal itself.

BioBright researchers say that despite its similarities to Smoke Loader, Tardigrade appears to be more advanced and offers a far wider range of customization options. It also adds trojan functionality: once installed on a victim’s network, it can search for stored passwords, deploy a keylogger, begin exfiltrating data, and set up a backdoor for the attackers to return through. In effect, the attackers get to choose their own adventure.

“This malware is designed to build itself differently in different environments, so the signature is constantly changing and it’s harder to detect,” said Callie Churchwell, an independent software analyst who collaborated with BioBright on the Tardigrade investigation. “I tested it almost 100 times and every time it built itself in a different way and communicated differently. Additionally, if it’s not able to communicate with the command and control server, it has the capability to be more autonomous and self-sufficient, which was completely unexpected.”
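The point Churchwell describes, that a loader which rebuilds itself on every run defeats hash-based signatures, is easier to see with a toy model. The following is an added example, not code from the article, from BioBright, or from the malware itself: a constructed "builder" that emits the same functional core (a fixed set of Win32 API names, which are assumptions chosen for illustration) wrapped in randomised junk and ordering. Every build has a different SHA-256, so a hash blocklist never fires twice, while a capability rule that looks for the set of APIs present, regardless of order or padding, matches every variant.

```python
import hashlib
import random
import re
from typing import Dict, Set

# Assumed capability set for the toy loader. These names are illustrative
# and are not claimed to be what Tardigrade actually imports.
CORE_APIS = [
    "CreateRemoteThread",
    "WriteProcessMemory",
    "RegSetValueExW",
    "InternetOpenUrlW",
]

# Regex for printable ASCII identifiers of six or more characters. Junk bytes
# below are kept >= 0x80 so they can never be mistaken for such a string.
_IDENT = re.compile(rb"[A-Za-z][A-Za-z0-9]{5,}")


def build_variant(seed: int) -> bytes:
    """Constructed stand-in for a self-rebuilding loader.

    Same functional core every time, but the API names are reordered and
    separated by random amounts of non-ASCII junk, so the bytes differ per build.
    """
    rng = random.Random(seed)
    apis = CORE_APIS[:]
    rng.shuffle(apis)
    parts = [bytes(rng.randrange(0x80, 0x100) for _ in range(rng.randint(64, 256)))]
    for name in apis:
        parts.append(bytes(rng.randrange(0x80, 0x100) for _ in range(rng.randint(0, 32))))
        parts.append(name.encode("ascii") + b"\x00")
    return b"".join(parts)


def sha256_hex(blob: bytes) -> str:
    """What a hash blocklist keys on: changes with every build."""
    return hashlib.sha256(blob).hexdigest()


def extract_api_names(blob: bytes) -> Set[str]:
    """Pull identifier-like ASCII strings out of a blob (a crude 'strings')."""
    return {m.decode("ascii") for m in _IDENT.findall(blob)}


def capability_fingerprint(blob: bytes) -> str:
    """Hash of the sorted capability set: stable across padding and ordering."""
    names = ",".join(sorted(extract_api_names(blob)))
    return hashlib.sha256(names.encode("ascii")).hexdigest()


def capability_rule_matches(blob: bytes, required=frozenset(CORE_APIS)) -> bool:
    """YARA-style rule: fire when all required capabilities are present."""
    return required <= extract_api_names(blob)


def compare_variants(count: int) -> Dict[str, int]:
    """Build `count` variants and count what each detection approach sees."""
    variants = [build_variant(seed) for seed in range(count)]
    return {
        "variants": count,
        "distinct_hashes": len({sha256_hex(v) for v in variants}),
        "distinct_fingerprints": len({capability_fingerprint(v) for v in variants}),
        "rule_hits": sum(capability_rule_matches(v) for v in variants),
    }


if __name__ == "__main__":
    # Roughly mirrors "tested it almost 100 times": 100 builds, 100 hashes,
    # one capability fingerprint, 100 rule hits.
    print(compare_variants(100))
```

The takeaway for defenders is the one BioBright's analysts imply: when a sample rebuilds itself per host, indicators of compromise based on file hashes are stale on arrival, and detection has to key on what the code does (imports, behaviour on the host, network patterns) rather than on what its bytes happen to be.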
