Over the past couple of weeks two major security concerns have come to light that affect Microsoft’s flagship instant messaging platform, Skype. The question is, are businesses at risk and what can be done about it?
The first of these is the T9000 Trojan, which is actually the latest variant of an older malware kit first discovered in 2013. T5000, as it was called back then, was targeting human rights activists, government workers and employees of the automotive industry across APAC.
However, its younger brother, T9000, comes equipped with a brand new backdoor exploit module that allows attackers to not only exfiltrate a range of file types (as it was originally designed to do), but also hijack Skype and capture encrypted data, streaming video and take screenshots.
T9000 is believed to be the product of an advanced persistent threat (APT) group, given its highly sophisticated encoding and detection evasion capabilities.
It can detect and evade at least 24 of the most well-known and widely relied-upon anti-malware products from vendors such as Sophos, BitDefender, Trend Micro, McAfee Intel and Kaspersky.
The current distribution of T9000 infections seems to be confined to the US for now, however, security researchers at Palo Alto Networks say “the malware’s functionality indicates that the tool is intended for use against a broad range of users”, so it’s only a matter of time before we see it popping up all over the world.
Infections result from users falling prey to a highly-targeted spear phishing campaign, enticing them to open email attachments containing infected rich text formatted (RTF) documents.
Once executed, the malware goes to work, auditing the infected machine and reporting its findings back to the command and control server. The bot-master then selects the additional exploit modules that should be deployed to the endpoint, in some cases resulting in the installation of this new Skype backdoor.
The second, not quite so complex yet just as risky, Skype issue comes from a malware campaign.
There has been a marked rise in global malvertising recently related to the targeting of non-browser-based applications, such as Skype. We’ve seen Skype users being redirected to the Angler exploit kit, which subsequently goes on to install the TeslaCrypt ransomware.
The good news for anyone managing an enterprise network is that you are more than likely protected if you’ve been keeping your Windows systems patched.
This means the T9000 infection can’t get started, so the Skype backdoor will never get installed.
In terms of malvertising and ransomware attacks, the best approach is a blended approach incorporating people, process and technology.
Firstly, keep your systems patched and fully up-to-date with security fixes, as the majority of operating system and vendor supported application issues are patched fairly rapidly.
It’s best practice (and in this case it really is) to run an up-to-date anti-malware product that incorporates the latest technology for scanning and filtering web content for malicious software. Also, make sure it’s in a serviceable paid-up contract so you don’t stop getting malware signatures and not realise you are suddenly unprotected.
Finally, consider user awareness. The security team should be publishing advice about these risks to the wider business.
Remember, this won’t just help users defend against this issue, it will help them up their game and keep their home networks protected: with the age of mobile working and boundary-less computing, your users’ home networks are as much a threat to the corporate network as your gateway once was.