Saturday, December 17, 2016

Attacker TTP: AntiFooling

On 10 December 2016, a Wapack Labs analyst reported on a malware tool, AntiFooling V1.0.0, shared on a Spanish-language hacker forum. To defeat analysis, some advanced malware checks whether it is running inside a virtual machine rather than on a real computer and changes its behavior when it believes it is being analyzed. AntiFooling exploits this by making a real computer look like a virtual machine: it simulates the processes and artifacts an analysis VM would expose, so malware installed on that computer is tricked into treating the host as a sandbox. This is a concern for cyber research efforts. On 12 December 2016, a Wapack Labs analyst discovered a script, Anti-AntiFooling, being passed around on the same forum. Anti-AntiFooling v0.1 compares MD5 hash values to detect the use of AntiFooling.
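The two checks described above, as an added illustration that is not code from the Wapack Labs report, from AntiFooling, or from Anti-AntiFooling: a naive anti-VM check that only looks at process names (the kind of check a decoy process defeats), and a hash-comparison pass that recognizes known decoy images by their MD5 and so tells a genuine VM from a real host running a spoofing tool. The process names, the "image" bytes and the resulting hash set are constructed for the demo; the report does not list which artifacts AntiFooling simulates or which hashes Anti-AntiFooling carries.

```python
"""Name-based VM detection versus hash-based decoy detection (illustrative).

Added example. Process names, image contents and hashes below are
constructed stand-ins, not artifacts taken from AntiFooling or
Anti-AntiFooling.
"""
import hashlib

# Process names commonly associated with VM guest tooling. Assumption: a
# generic indicator list; any name-only check like this is fooled by a
# decoy process that merely carries the same name.
VM_PROCESS_INDICATORS = {
    "vmtoolsd.exe",
    "vboxservice.exe",
    "vboxtray.exe",
    "vmwaretray.exe",
}

# Constructed contents of decoy binaries (stand-ins for what a spoofing
# tool might drop). A hash-comparison detector carries the MD5 of each
# known decoy build and flags any running image whose MD5 matches.
DECOY_IMAGES = {
    "vmtoolsd.exe": b"decoy stub: pretends to be VMware Tools\n",
    "vboxservice.exe": b"decoy stub: pretends to be VirtualBox Guest Additions\n",
}
KNOWN_DECOY_MD5 = {hashlib.md5(img).hexdigest() for img in DECOY_IMAGES.values()}


def md5_hex(data: bytes) -> str:
    """MD5 of an image's bytes, hex encoded, as a hash-list detector would compute it."""
    return hashlib.md5(data).hexdigest()


def naive_vm_check(processes):
    """Malware-style check: which running process names look like VM tooling?

    processes: list of (name, image_bytes) tuples standing in for a process
    table. Returns the matching names, sorted. Decoys pass this check.
    """
    return sorted(name for name, _ in processes if name.lower() in VM_PROCESS_INDICATORS)


def decoy_processes(processes, known_md5=KNOWN_DECOY_MD5):
    """Anti-decoy check: which processes run an image whose MD5 is a known decoy?"""
    return sorted(name for name, image in processes if md5_hex(image) in known_md5)


def assess(processes, known_md5=KNOWN_DECOY_MD5):
    """Combine both checks into a verdict on the host.

    Returns one of:
      "no-vm-artifacts"        - nothing VM-like is running
      "vm-artifacts-genuine"   - VM-like processes whose images are not known decoys
      "vm-artifacts-are-decoys" - every VM-like process is a known decoy image
    """
    hits = naive_vm_check(processes)
    if not hits:
        return "no-vm-artifacts"
    decoys = set(decoy_processes(processes, known_md5))
    genuine = [name for name in hits if name not in decoys]
    return "vm-artifacts-genuine" if genuine else "vm-artifacts-are-decoys"


# Constructed process tables for three hosts.
REAL_VM = [
    ("explorer.exe", b"stand-in explorer image\n"),
    ("vmtoolsd.exe", b"stand-in for a genuine VMware Tools image\n"),
]
SPOOFED_HOST = [
    ("explorer.exe", b"stand-in explorer image\n"),
    ("vmtoolsd.exe", DECOY_IMAGES["vmtoolsd.exe"]),
    ("vboxservice.exe", DECOY_IMAGES["vboxservice.exe"]),
]
BARE_HOST = [
    ("explorer.exe", b"stand-in explorer image\n"),
]

if __name__ == "__main__":
    for label, table in (("real VM", REAL_VM), ("spoofed host", SPOOFED_HOST), ("bare host", BARE_HOST)):
        print(f"{label:13s} name-check={naive_vm_check(table)} decoys={decoy_processes(table)} -> {assess(table)}")
```

The name-only check reports both the real VM and the spoofed host as virtual machines; only the hash comparison separates them. The caveat a practitioner would want: a hash list catches exactly the decoy builds it knows about, so recompiling, padding or otherwise altering the decoy image changes its MD5 and slips past this check, which is why a v0.1 hash-matching script should be read as a first, brittle response rather than a robust detector.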

This report provides technical analysis, details on an additional tool, and attribution. Our PIR is being provided for your situational awareness and as an update to previous reporting.

Publication Date: 14 December 2016
Handling Requirements: Traffic light protocol (TLP) AMBER
Attribution/Threat Actors: Malware Tool Author
Actor Type: Adversary capabilities have been assessed as Tier II
Potential Targets: N/A
Past Reporting: DOC-4526