A New Breed of Malware Hides in Plain Sight

A new category of malware, labelled 'web app engaged' (WAE) malware, hides its activity inside popular web applications such as Dropbox and Discord, and its prevalence has reportedly increased by 226% since 2020. The threat was characterised by Georgia Tech's Cyber Forensics Innovation (CyFI) Lab, whose researchers also built a tool that helped incident responders remove nearly 80% of the WAE malware content they discovered.

Mingxuan Yao, a Georgia Tech Ph.D. student, explains that web applications are now an integral part of our online lives, providing services such as data storage, social networking and content delivery, but that this same usefulness has made them an attractive resource for malware authors.

According to Techxplore, WAE malware operates deceptively and in an unexpected way: rather than compromising the security of the web applications themselves, it abuses their legitimate functionality so that its malicious traffic blends in with ordinary user traffic to a trusted service. The malware therefore hides in plain sight and carries out its activities without being detected.

Addressing these threats requires incident responders and web app providers to coordinate their efforts, a collaboration that has so far been lacking.

The latest CyFI Lab research aims to enable such cooperation and to provide insight into the prevalence and characteristics of WAE malware. Yao and his co-authors created "Marsea", an automated malware analysis pipeline that studies WAE malware and enables rapid remediation: it examines samples automatically and comprehensively, identifying the abuse and attributing it to the identity and assets of the specific web app involved.

When tested on 10,000 malware samples, Marsea found nearly a thousand instances of WAE malware spanning 29 different web applications, and revealed that attackers were moving their command-and-control infrastructure onto these web apps in order to evade detection.
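The two points above, that the malicious traffic goes to a trusted service and that attackers are hosting command-and-control on it, are what make WAE malware hard to catch with domain reputation alone. The following is an added example, not code from the CyFI Lab paper or the Marsea pipeline, of the kind of behavioural check an incident responder can run over proxy logs instead: it ignores the reputation of the destination and looks at who is talking to the web app and how regularly. The log lines, host names, user-agent allowlist and thresholds are all constructed for the illustration.

```python
"""
Added example (not from the CyFI Lab paper or the Marsea tool): a heuristic
detector for malware that abuses legitimate web apps as C2.  Because the
destination domains are reputable, a blocklist never fires; instead we look
at how the traffic is made.  All log lines, hosts, user agents and
thresholds below are constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log: '<ISO timestamp> <src host> "<user agent>" <method> <URL>'
SAMPLE_LOG = """\
2024-05-01T10:00:00 ws-17 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0" GET https://discord.com/channels/@me
2024-05-01T10:00:05 ws-17 "python-requests/2.31" POST https://discord.com/api/v10/channels/1234/messages
2024-05-01T10:01:05 ws-17 "python-requests/2.31" POST https://discord.com/api/v10/channels/1234/messages
2024-05-01T10:02:06 ws-17 "python-requests/2.31" POST https://discord.com/api/v10/channels/1234/messages
2024-05-01T10:03:05 ws-17 "python-requests/2.31" POST https://discord.com/api/v10/channels/1234/messages
2024-05-01T10:04:05 ws-17 "python-requests/2.31" POST https://discord.com/api/v10/channels/1234/messages
2024-05-01T10:00:30 ws-22 "Dropbox-Desktop-Client/190.4" POST https://api.dropboxapi.com/2/files/list_folder
2024-05-01T10:07:10 ws-22 "Dropbox-Desktop-Client/190.4" POST https://api.dropboxapi.com/2/files/upload
2024-05-01T10:21:44 ws-22 "Dropbox-Desktop-Client/190.4" POST https://api.dropboxapi.com/2/files/list_folder
2024-05-01T10:45:02 ws-22 "Dropbox-Desktop-Client/190.4" GET https://content.dropboxapi.com/2/files/download
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')

# Web apps the article names as abused.  Benign users hit these too, so the
# domain by itself carries no signal.
WEB_APP_DOMAINS = {"discord.com", "discordapp.com",
                   "api.dropboxapi.com", "content.dropboxapi.com"}

# Clients we expect to talk to these services (assumed allowlist, not exhaustive).
EXPECTED_CLIENT_RE = re.compile(r"^(Mozilla/|Discord|Dropbox-Desktop-Client)")


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format
        ts, host, ua, method, url = m.groups()
        parsed = urlparse(url)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "ua": ua,
                       "method": method, "domain": parsed.hostname, "path": parsed.path})
    return events


def is_beaconing(timestamps, min_requests=4, max_cv=0.2):
    """True when request gaps are regular enough to look like a scheduled
    check-in rather than a human clicking around.  CV = stdev / mean."""
    if len(timestamps) < min_requests:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean <= max_cv


def find_suspected_wae(events):
    """Group traffic per (host, web app, client) and flag groups that show an
    unexpected client AND beacon-like timing.  Both signals are required so a
    one-off admin script does not fire."""
    by_key = defaultdict(list)
    for e in events:
        if e["domain"] in WEB_APP_DOMAINS:
            by_key[(e["host"], e["domain"], e["ua"])].append(e)
    findings = []
    for (host, domain, ua), evs in by_key.items():
        reasons = []
        if not EXPECTED_CLIENT_RE.match(ua):
            reasons.append(f"unexpected client '{ua}'")
        if is_beaconing([e["ts"] for e in evs]):
            reasons.append(f"regular beaconing over {len(evs)} requests")
        if len(reasons) == 2:
            findings.append({"host": host, "domain": domain, "ua": ua, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspected_wae(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} -> {f['domain']}: " + "; ".join(f["reasons"]))
```

In the constructed data only ws-17 is flagged: its Chrome session to discord.com is a single request from an expected client, while the python-requests traffic from the same host posts to the Discord API once a minute with almost no jitter. The Dropbox desktop client on ws-22 is an expected client with irregular timing, so it passes. The thresholds are starting points, not tuned values; in a real deployment the allowlist should come from the organisation's own baseline of which processes legitimately use each service.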

Using Marsea, the team collaborated with the web app providers and took down 79.8% of the malicious web app content it had identified.