Malicious developers have changed tactics to deceive the security engineers and victims by modifying the flags of the dangerous payloads.
False Flags Are the Newest Tactic Developed by Hackers
False Flags are the newest malicious tactics that has been identified by security experts. This deception techniques modifies the flags of the timestamps, malware, language strings and other important meta data and elements of the payloads.
Experts from Kaspersky Labs identified the false flags that have been used by various malware variants:
The malware samples carry a timestamp that shows the time and date of compilation. If enough samples of the same type are collected, the security experts can determine the working hours. This analysis is used to estimate the time-zone of the malicious operators.
- Language Flags
All malware include strings and debug paths which give information about the developer of the program. The most obvious clue is the language of choice. The debug paths can also reveal the user name of the hacker, the internal naming conventions for the project or the attack campaign. Also phishing documents can include meta data that saves state information that points to the developer’s actual computer. The hackers can manipulate the language markers to confuse security research.
- Backend and Infrastrucutre Connections
The Command and Control (C&C) remote malicious servers can be used to locate the country of origin of the attackers. False flags can be used to create intentional connectivity failure to fool the security analysis of various malware.
- Toolkit Contents – Code, Malware, Passwords and Exploits
The use of certain exploit toolkits can be used to identify the strategies and intentions of the malicious operators. The detection of a certain malware threat can help the security reseachers to reveal information about the location or the identity of the hackers.
Hackers can use long victim lists to deceive the actual targets in a large-scale attack.