Gruppo TIM

Tardigrade, the shape-shifting virus

An advanced persistent threat (APT) group attacked two different vaccine manufacturers this year, using shape-shifting malware that initially appears to be a ransomware attack but later turns out to be much more sophisticated.

The shape-shifting virus

Cybersecurity analysts sound the alarm: this malware is adaptable and resistant, and in its original form it had also been identified in Italy.

The software reportedly also has the functionality of a Trojan: once installed on a computer network, it searches for stored passwords, deploys a keylogger to record typed passwords, initiates data exfiltration, and establishes a backdoor that lets attackers re-enter affected systems over and over again.

Tardigrade

Dubbed Tardigrade by the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC), the attacks involved malware that could adapt to its environment, hide, and even operate autonomously when cut off from its command and control (C2) server.

The first attack was detected in a large bioproduction facility in April 2021, with investigators identifying a malware loader “that has demonstrated a high degree of autonomy and metamorphic capabilities”, according to the BIO-ISAC notice. In October 2021, the malware was also detected in a second facility.


The behavior of the malware

The researchers determined that the malware used in the Tardigrade attacks is a variant of the SmokeLoader family with metamorphic capabilities. SmokeLoader is a generic backdoor with capabilities that vary depending on which modules are included.

The variant seems particularly intelligent as it can change its properties depending on the environment, the investigators noted. While previous versions of SmokeLoader that the researchers saw were directed from the outside by the C2 infrastructure, the variant used in Tardigrade attacks is more autonomous and can direct its own lateral movement.


Is it new malware or is it Cobalt Strike?

Some security researchers have questioned the BIO-ISAC report and its technical details. In particular, they doubted the BioBright researchers’ identification of an intserrs644.dll file submitted to VirusTotal as the new Tardigrade/SmokeLoader malware variant. Instead, it has been claimed that the DLL file is a Cobalt Strike beacon and has no relation to SmokeLoader.

BioBright’s extensive testing proved the malware is not Cobalt Strike, said BioBright CEO Charles Fracchia, who claims Tardigrade is not common ransomware but a more sophisticated version, probably derived from SmokeLoader.

The difference between metamorphic and polymorphic is in the compiled artifact, he explained. Most antivirus products work with signatures to identify malware like Cobalt Strike.

To circumvent such identification, malware engineers do one of two things: either they use polymorphism, encrypting the code package semi-randomly with different keys so that the package looks different each time and avoids antivirus detection; or they use metamorphism, in which the malware changes its constituent parts and recompiles itself.

BioBright researchers are still trying to unravel how this can all be done in practical terms, Fracchia said, but it’s clear that Tardigrade has very advanced morphic behavior.
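
To make the polymorphism half of that distinction concrete from the detection side, here is an added example (not code from BIO-ISAC, BioBright or the original article). It uses a constructed, harmless byte string and XOR as a stand-in for the encryption layer; `xor_encode`, `static_scan` and `unpacked_scan` are hypothetical names, and handing the key to the scanner stands in for the sample decoding itself at run time.

```python
import hashlib
from itertools import cycle

# Constructed, harmless stand-in for a payload; not taken from any real sample.
PAYLOAD = b"BENIGN-DEMO-PAYLOAD:" + bytes(range(32))
MARKER = b"BENIGN-DEMO-PAYLOAD"                       # byte-pattern signature
KNOWN_HASHES = {hashlib.sha256(PAYLOAD).hexdigest()}  # hash signature


def xor_encode(data, key):
    """Stand-in for the per-copy encryption layer (XOR is its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def static_scan(blob):
    """Signature check on the artifact as stored: exact hash or byte pattern."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_HASHES or MARKER in blob


def unpacked_scan(blob, key):
    """Same signatures applied after the encoding layer has been removed.

    Assumption: the key is handed in here to model what a sandbox or memory
    scanner sees once the sample has decoded itself.
    """
    return static_scan(xor_encode(blob, key))


def run_demo():
    """Encode one payload under three keys and compare both scan points."""
    keys = [b"\x11", b"\x5a\xc3", b"k3y!"]  # constructed keys
    variants = [xor_encode(PAYLOAD, k) for k in keys]
    return {
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "static_hits": sum(static_scan(v) for v in variants),
        "unpacked_hits": sum(unpacked_scan(v, k) for v, k in zip(variants, keys)),
    }


if __name__ == "__main__":
    print(run_demo())
```

Every encoded copy has a different hash and no copy contains the byte pattern, so the stored-file scan misses all three, while the same signatures match every copy once the layer is removed. Metamorphic code, which rewrites its own constituent parts, leaves no constant decoded form for that second scan to match.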