Fidelis Threat Advisory #1011
“New CDTO: A Sneakernet Trojan Solution”
The General Dynamics Fidelis Cybersecurity forensics team analyzed several related malware samples that together provide a sophisticated mechanism to gather data from individual computer systems. The malware appears to be part of a system that may be optimized for use by an insider agent and/or for collecting data from disparate networks or air-gapped systems. The malware includes features to clean up after itself by deleting key indicators that it was present.
The malware system apparently includes additional components that have not been identified. These components would potentially perform additional command and control functions and potentially exfiltration from the central host. The sophistication of the malware and the effort involved in its development would indicate that it was developed for a high value target. However, the specific targeting of this malware is not clear at this time. We are concerned that while the malware system was probably developed for a specific target or family of targets, it could be employed with little adaptation against virtually any target.
This threat advisory describes the functionality of the three malware files to include command inputs and the resulting behavior of the malware.
The Fidelis XPS™ advanced threat defense system has been updated with rules to detect various components of this malware system. However, the fact that there are still unanswered questions about the components of the malware system and its intended targeting emphasizes the importance of employing best practices such as denying use of removable media on sensitive systems and disabling autorun! This is particularly true for systems that are not protected by Fidelis XPS.
Additional reverse engineering and analysis is ongoing at this time.
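The two host-level mitigations the advisory recommends, denying removable media on sensitive systems and disabling autorun, can be audited and enforced on a Windows host with a short script. The following is an added example written for this page, not code from the Fidelis advisory; it assumes a Windows system with the standard Explorer policy key and USBSTOR service, the function names are hypothetical, and it must run from an elevated prompt.

```powershell
# Added example (not part of the Fidelis advisory): audit and enforce two of the
# mitigations it recommends on a Windows host. NoDriveTypeAutoRun = 0xFF turns
# AutoRun off for every drive type; USBSTOR Start = 4 disables the USB
# mass-storage driver so removable drives cannot mount.

$autorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableMediaPosture {
    # Hypothetical helper name: read the two registry values and report whether
    # each mitigation is in place.
    $autorun  = (Get-ItemProperty -Path $autorunKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $usbStart = (Get-ItemProperty -Path $usbstorKey -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        AutoRunDisabled   = ($autorun -eq 0xFF)
        UsbStorageBlocked = ($usbStart -eq 4)
    }
}

function Set-RemovableMediaHardening {
    # Hypothetical helper name: create the policy key if absent, then set both values.
    if (-not (Test-Path $autorunKey)) { New-Item -Path $autorunKey -Force | Out-Null }
    Set-ItemProperty -Path $autorunKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord
}

$before = Get-RemovableMediaPosture
if (-not ($before.AutoRunDisabled -and $before.UsbStorageBlocked)) {
    Set-RemovableMediaHardening
}
# Re-read the values so the final state comes from the registry, not from our intent.
Get-RemovableMediaPosture | Format-List
```

In a managed environment the same two settings are better delivered through Group Policy so that they survive local tampering; the script is useful for a one-off audit or for air-gapped hosts that receive no policy. Note that disabling USBSTOR only blocks mass-storage devices, so keyboards, network adapters and other USB device classes still enumerate.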