An advanced persistent threat (APT) group has attacked two separate vaccine manufacturers this year using shape-shifting malware that at first looks like a ransomware infection but turns out to be far more sophisticated, researchers have found.
Dubbed Tardigrade by the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC), the attacks used malware that can adapt to its environment, conceal itself, and even operate autonomously when cut off from its command-and-control (C2) server, according to a recent advisory released by BIO-ISAC.
The first attack was detected at a “large biomanufacturing facility” in April, with investigators identifying a malware loader “that demonstrated a high degree of autonomy as well as metamorphic capabilities,” according to the advisory. In October 2021, the malware was detected at a second facility as well.
For now, “biomanufacturing sites and their partners are encouraged to assume that they are targets and take necessary steps to review their cybersecurity and response postures,” the center warned.
Indeed, there have already been a number of attacks on COVID-19 vaccine efforts since the pandemic began, and they are likely to continue, security researchers warned.
In October 2020, Dr. Reddy’s, the contractor for Russia’s “Sputnik V” COVID-19 vaccine and a major generics producer, had to close plants and isolate its data centers after a cyberattack. Two months later, in December, threat actors broke into a European Medicines Agency (EMA) server and accessed documentation about the Pfizer/BioNTech vaccine candidate.
According to BioBright, a biomedical and cybersecurity firm and BIO-ISAC member, researchers determined that the malware used in the Tardigrade attacks is a variant of the SmokeLoader family with metamorphic capabilities. SmokeLoader is a generic backdoor with capabilities that vary depending on which modules are included.
The variant seems particularly clever in that it can change its properties depending on its environment, investigators observed. While previous SmokeLoader versions researchers have seen were externally directed by C2 infrastructure, the variant used in the Tardigrade attacks “is far more autonomous” and can direct its own lateral movement, according to BIO-ISAC.
The malware also can immediately escalate its privileges to the highest level by using a client-impersonation technique, according to the advisory.
Researchers also observed the SmokeLoader variant sending encrypted traffic to a C2 IP address during the attacks, which they said suggests data exfiltration.
Some security researchers questioned BIO-ISAC’s report and its technical details. Specifically, they doubted BioBright researchers’ identification of an intserrs644.dll file submitted to VirusTotal as the new Tardigrade malware/SmokeLoader variant. They told BleepingComputer that the DLL file was instead a Cobalt Strike beacon with no relation to SmokeLoader.
On Monday, BioBright CEO Charles Fracchia told Threatpost that the assertions are incorrect: “We now have second- and third-party confirmation that we are correct,” he said in an interview, explaining that the disagreement over the malware’s identification boils down to the disparate confidence levels of automatic tools. “I’m a little surprised that people would rush to the conclusion [that the malware is Cobalt Strike] with a 50 percent confidence level [from VirusTotal, et al.].”
(As of Monday, BioBright was still coordinating disclosure of the cyber incident response teams that confirmed its findings but said that one is a “well-known cyber incident response team.”)
BioBright’s “in-depth testing” has demonstrated that the malware isn’t Cobalt Strike, he said. “This is no run-of-the-mill ransomware. It’s a more sophisticated version that may have arisen from SmokeLoader [we assess with] maybe a 65 percent confidence level.”
Somebody loved this malware, Fracchia said: They “spent a lot of time, money and effort to make this sophisticated” code, he suggested, pointing to the metamorphic quality as the “really scary bit.”
The difference between metamorphic and polymorphic is in the compiled artifact, he explained. Most anti-virus works off signatures to identify malware such as Cobalt Strike. To evade that identification, malware engineers do one of two things: They either use polymorphism, which scrambles the code package with encryption in a semi-random way, using a different key each time so that the package looks different and evades signature-based anti-virus detection; or they use the very different technique of metamorphism, in which the malware changes its own constituent parts and recompiles itself.
“That’s much more bleeding edge,” he said. “That’s from the top shelf of tools.”
BioBright researchers are still trying to unravel how it does that, Fracchia said, but it’s clear that Tardigrade has some very advanced morphic behavior. “We caught a very advanced tool, so – ya,” he said.
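To make the polymorphic/metamorphic distinction concrete, here is an added illustration written for this edit; it is not code from BioBright, from the Tardigrade sample or from any SmokeLoader variant. It uses a constructed toy instruction set, a constructed decryptor stub marker, a constructed "payload" program and a plain byte-pattern scan standing in for a signature-based anti-virus engine. It shows why a fresh encryption key defeats a signature on the body while leaving a constant decryptor stub to match on (and an unpacked body that matches again), whereas a metamorphic rewrite that changes the instructions themselves leaves no fixed bytes to sign at all while preserving behaviour.

```python
import random

# Toy two-byte instruction set (opcode, operand) operating on one accumulator.
# Constructed for this illustration; it is not real machine code.
OP_LOAD, OP_ADD, OP_SUB, OP_INC, OP_XORSELF, OP_NOP, OP_HALT = range(7)


def assemble(program):
    """Turn a list of (opcode, operand) tuples into the byte form a scanner sees."""
    return b"".join(bytes((op, operand & 0xFF)) for op, operand in program)


def disassemble(blob):
    return [(blob[i], blob[i + 1]) for i in range(0, len(blob) - 1, 2)]


def run(blob):
    """Execute the toy program; the returned accumulator is its 'behaviour'."""
    acc = 0
    for op, operand in disassemble(blob):
        if op == OP_LOAD:
            acc = operand
        elif op == OP_ADD:
            acc = (acc + operand) & 0xFF
        elif op == OP_SUB:
            acc = (acc - operand) & 0xFF
        elif op == OP_INC:
            acc = (acc + 1) & 0xFF
        elif op == OP_XORSELF:
            acc = 0  # acc ^= acc
        elif op == OP_HALT:
            break
    return acc


# Constructed sample payload: LOAD 0; ADD 0x20; INC; ADD 7; HALT  ->  acc = 0x28
PAYLOAD = assemble([(OP_LOAD, 0), (OP_ADD, 0x20), (OP_INC, 0), (OP_ADD, 7), (OP_HALT, 0)])
# The signature an analyst would cut from the original: the bytes of "ADD 0x20; INC; ADD 7".
SIGNATURE = PAYLOAD[2:8]


def signature_match(blob, signature):
    """A fixed byte-pattern scan, the classic signature-based anti-virus check."""
    return signature in blob


# Polymorphism: XOR the body with a fresh key and prepend a constant decryptor stub.
STUB = b"\xde\xc0\xde\xd0"  # constructed marker standing in for a real decryption routine


def poly_pack(payload, key):
    if not 1 <= key <= 0xFF:
        raise ValueError("key 0 would leave the body in the clear")
    return STUB + bytes([key]) + bytes(b ^ key for b in payload)


def poly_unpack(blob):
    if not blob.startswith(STUB):
        raise ValueError("not a packed sample")
    key = blob[len(STUB)]
    return bytes(b ^ key for b in blob[len(STUB) + 1:])


# Metamorphism: rewrite the instructions themselves with behaviour-preserving rules,
# so every generation is a different program with no constant bytes to sign.
def meta_rewrite(blob, rng):
    out = []
    for op, operand in disassemble(blob):
        if op == OP_LOAD and operand == 0:
            out.append((OP_XORSELF, 0))                  # LOAD 0 -> acc ^= acc
        elif op == OP_INC:
            out.append((OP_ADD, 1))                      # INC    -> ADD 1
        elif op == OP_ADD and operand > 1:
            split = rng.randint(1, operand - 1)          # ADD k  -> ADD a; ADD k-a
            out += [(OP_ADD, split), (OP_ADD, operand - split)]
        else:
            out.append((op, operand))
        if op != OP_HALT and rng.random() < 0.5:         # junk that cancels out
            k = rng.randint(1, 0xFF)
            out += [(OP_ADD, k), (OP_SUB, k)]
    return assemble(out)


def demo(seed=1):
    """Report what a body signature and a stub signature still catch for each sample."""
    rng = random.Random(seed)
    packed_a, packed_b = poly_pack(PAYLOAD, 0x5A), poly_pack(PAYLOAD, 0xC3)
    variant = meta_rewrite(PAYLOAD, rng)
    return {
        "plain_detected": signature_match(PAYLOAD, SIGNATURE),
        "poly_variants_differ": packed_a != packed_b,
        "poly_body_detected": signature_match(packed_a, SIGNATURE),
        "poly_stub_detected": all(signature_match(p, STUB) for p in (packed_a, packed_b)),
        "poly_unpacked_detected": signature_match(poly_unpack(packed_a), SIGNATURE),
        "meta_bytes_differ": variant != PAYLOAD,
        "meta_body_detected": signature_match(variant, SIGNATURE),
        "meta_stub_present": signature_match(variant, STUB),
        "meta_same_behaviour": run(variant) == run(PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value}")
```

The polymorphic sample fails the body signature but is still caught two ways: the decryptor stub is identical in every copy, and unpacking (what an anti-virus emulator does) restores the original bytes. The metamorphic variant has neither a constant stub nor a constant body, so a scanner is left with behaviour (here, what `run` computes) as the only stable property; that is why a classification that rests on a single automated byte-level verdict, such as the VirusTotal score discussed above, is fragile for this class of sample.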
The attacks are a warning to vaccine manufacturers that threat actors are increasingly focused on crippling critical business sectors, a category biomanufacturing has firmly joined during the COVID-19 pandemic, security professionals said.
The race to develop and certify vaccines has overshadowed the danger of cyberattacks on the facilities involved, but it is imperative that they not let their guard down, observed Saryu Nayyar, CEO of security firm Gurucul.
“The loss of vaccine manufacturing capability could be considered a weapon, hurting our ability to combat COVID-19,” she said in an e-mail to Threatpost. “These manufacturers have to be able to detect malware such as Tardigrade and remediate before it does significant harm.”
Though there is no direct evidence that the Tardigrade attacks specifically targeted the vaccine effort, their complexity and sophistication show that hyper-vigilance against any type of attack is needed in the sector, noted another security professional.
“The real point is all of our resources are being scanned for vulnerabilities and malware is attempting to be inserted wherever an opening presents itself to the attackers,” said Garret Grajek, CEO of security firm YouAttest.
Additional reporting by Lisa Vaas.