LabRat Malware Could Evade Detection


A recently uncovered malware strain, known as LabRat, is raising concern in the cybersecurity community because of its unusual ability to evade conventional security tooling. Sysdig, a security vendor, reported that its Threat Research Team (TRT) came across LabRat, which goes to great lengths to operate undetected. According to Sysdig, LabRat's tactics demonstrate a higher level of sophistication than many other attacks observed by the TRT.

Unlike some attackers who don't prioritize stealth, LabRat's creators have meticulously crafted their operation to minimize the chances of detection. This added effort has made it challenging for defenders to identify and respond to the threat effectively.

LabRat is primarily involved in cryptojacking and proxyjacking campaigns. In cryptojacking, it covertly uses the victim's computer to mine cryptocurrency for the attacker, while in proxyjacking, the victim's machine is enrolled in a peer-to-peer bandwidth-sharing network, benefiting the attacker. The attack vector for LabRat involves exploiting a known vulnerability in GitLab servers (CVE-2021-2205), allowing the attacker to achieve remote code execution and deploy the payload onto the vulnerable system.

What sets LabRat apart is the degree of obfuscation applied to its code. Additionally, the use of the TryCloudFlare service to route traffic further obscures the attackers' presence on infected systems. Sysdig's director of threat research, Michael Clark, noted that LabRat's heavy encryption and anti-reverse engineering techniques made it undetectable by VirusTotal (VT), which is quite unusual.

LabRat Malware Defense

The LabRat group appears to be highly motivated to protect their code from analysis by white hat researchers, as evidenced by their extensive obfuscation efforts. Their primary goal is to maintain access to compromised systems for as long as possible to profit from proxyjacking and cryptomining. Time is of the essence, especially in proxyjacking, where the effectiveness of a non-attributable network depends on the number of nodes. If the network becomes too small, it can be blocked and rendered useless.

Sysdig's recommendation is that early detection is administrators' best defense against such attacks. Up-to-date, capable monitoring tools can identify an attack in its early stages, before it takes root and deploys its counter-defense tooling. In a landscape where attackers are becoming increasingly sophisticated, early detection remains a critical component of effective cybersecurity.
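As an added example (not from the article or from Sysdig's report) of the kind of early-detection check this recommendation implies: the scan below flags DNS queries for trycloudflare.com names, the traffic-routing channel the article attributes to LabRat, in a constructed resolver log whose line format is an assumption. Matching is anchored to the domain suffix so lookalike names that merely embed the string are not flagged.

```python
import re
from typing import Dict, List, Optional

# Constructed sample resolver log (not taken from the article or Sysdig's report).
# Assumed line format: "<timestamp> <client_ip> <query_name> <record_type>".
SAMPLE_DNS_LOG = """\
2023-08-20T10:01:02Z 10.0.5.12 gitlab.internal.example. A
2023-08-20T10:01:09Z 10.0.5.12 quiet-update-check.trycloudflare.com. A
2023-08-20T10:02:15Z 10.0.7.3 www.cloudflare.com. A
2023-08-20T10:03:44Z 10.0.5.12 TRYCLOUDFLARE.COM A
2023-08-20T10:04:01Z 10.0.9.9 trycloudflare.com.lookalike.test. A
2023-08-20T10:04:05Z 10.0.9.9 nottrycloudflare.com. A
malformed line with no fields
"""

# Anchored suffix match: "trycloudflare.com" must end the name, either as the whole name
# or preceded by a dot, so lookalikes that only embed the string do not match.
TUNNEL_SUFFIX_RE = re.compile(r"(?:^|\.)trycloudflare\.com$", re.IGNORECASE)


def parse_dns_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, rtype = parts
    # Resolver logs often print fully qualified names with a trailing dot; normalise it away.
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "rtype": rtype}


def find_tunnel_queries(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed record whose query name is trycloudflare.com or a subdomain of it."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_dns_line(line)
        if rec and TUNNEL_SUFFIX_RE.search(rec["qname"]):
            hits.append(rec)
    return hits


def clients_by_hit_count(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate hits per client so the host to triage first is obvious."""
    counts: Dict[str, int] = {}
    for rec in hits:
        counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_tunnel_queries(SAMPLE_DNS_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['client']} queried {rec['qname']}")
    print(clients_by_hit_count(hits))
```

A single hit on a server that should never open an outbound tunnel is worth triage on its own; the per-client count only orders the queue.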

August 22, 2023