The malware was discovered by cybersecurity researchers from Unit 42, the threat intelligence team at Palo Alto Networks. The team first spotted the strain in May, when it discovered that it was built using the Brute Ratel (BRC4) tool.
BRC4’s developers claim to have even reverse-engineered popular antivirus products, to make sure their tool avoids detection.
The quality of the design and the speed at which it was distributed between the victims’ endpoints has convinced the researchers that a state-sponsored actor is behind the campaign.
While the tool itself is dangerous, the researchers were more interested in its distribution path, which indicates a state-sponsored actor is in play.
The malware is being distributed in the form of a fake CV document. The CV is an ISO file that, once mounted onto a virtual drive, displays something resembling a Microsoft Word document.
While the researchers still can’t pinpoint exactly who the threat actor behind BRC4 is, they suspect Russian-based APT29 (AKA Cozy Bear), which has used weaponized ISOs in the past.
Another hint suggesting that a state-sponsored actor is in play is the speed at which BRC4 was leveraged. The ISO was created the same day the latest version of BRC4 was published.
“The analysis of the two samples described in this blog, as well as the advanced tradecraft used to package these payloads, make it clear that malicious cyber actors have begun to adopt this capability,” Unit 42 wrote in a blog post.
“We believe it is imperative that all security vendors create protections to detect BRC4 and that all organizations take proactive measures to defend against this tool.”