Those of you who run anti-malware software probably put a lot of thought into which app you installed. Unfortunately, the creator of a new malware strain put even more thought into rendering it moot.
Palo Alto Networks refers to this advanced new malware as T9000. They’re convinced its primary function is to gather intelligence. Not only is the initial drop folder it creates named “intel,” once T9000 has dug its claws into a system it begins harvesting data and taking screenshots of specific apps. It even records audio from Skype as WAV files.
T9000 is fairly specific about what it goes after. Palo Alto say that its primary targets are Microsoft Office files — Word documents, Excel spreadsheets, and Powerpoint presentations. It doesn’t look for them just anywhere, either. T9000 watches for removable drives to be plugged in and then goes to work.
Malware can only carry out its intended mission if it can weasel its way onto a system, though. Today’s security software can make that very difficult, thanks to its own advanced functionality. T9000, however, has been built specifically to avoid detection.
It does that by installing only the most essential components first. Their job: to scour a system’s registry and figure out what anti-malware software is installed on it. Once T9000 knows who’s in charge of security, it knows how to proceed. Additional modules are downloaded and soon its full capabilities have been unlocked — all without tipping off the good guys. Palo Alto says that T9000 can outwit at least two dozen popular apps.
In their report, Palo Alto also mentions that T9000 has its roots in a Trojan that surface back in 2013. A second evolution was discovered in 2014 by researchers at Fire Eye.
So, how do you protect yourself from malware that can sneak past your computer’s defenses? Stay away from things you can’t fully trust. That includes random USB drives, downloads from dodgy-looking websites, and perhaps most importantly attachments to emails. Previous variants infected victims via a phishing campaign.