
Notepad++ infrastructure hijacked by Chinese APT in sophisticated supply chain attack

Why detection proved difficult

The sophisticated malware evaded detection for months largely because a compromised tool blends into normal developer behavior, making it hard to identify. “Most EDR programs are blind by design to ‘expected’ developer behavior,” the Forrester analysts wrote. “A compromised tool doesn’t need exploits, LOLBins, or unique malware. It just has to look boring—like something a dev would do.”

Ho noted that his incident response team was unable to extract concrete indicators of compromise despite analyzing roughly 400 GB of server logs. In an edit posted Sunday, Ho acknowledged Rapid7’s more detailed findings. “Last night I received an email from Ivan Feigl (Rapid7) sharing their excellent investigation story—it appears to be the same story, and clearly they have more tangible information (including IoCs) than I do,” he wrote.

Rapid7 identified network infrastructure, including IP addresses in Malaysia and China, along with command-and-control URLs, including api.skycloudcenter.com and api.wiresguard.com.
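The two points above (an updater that "looks boring" slips past EDR, and Rapid7's named C2 hosts) suggest a simple retrospective check a defender can run over proxy or DNS logs. The script below is an added example, not code from the article or from Notepad++; the log layout, the `updates.vendor.example` baseline host and the timestamps are constructed placeholders, while the two C2 domains are the ones named in the article.

```python
import re

# Command-and-control hosts named in the article (Rapid7 findings).
C2_DOMAINS = {"api.skycloudcenter.com", "api.wiresguard.com"}

# Assumed baseline of hosts an update component is expected to contact.
# Placeholder value: a defender fills this from their own known-good baseline.
UPDATER_BASELINE = {"updates.vendor.example"}

# Constructed proxy-log lines in a simple key=value layout (not real telemetry).
SAMPLE_LOG = """\
ts=2026-02-01T09:12:03Z host=dev-07 proc=updater.exe dst=updates.vendor.example status=200
ts=2026-02-01T09:12:09Z host=dev-07 proc=updater.exe dst=api.skycloudcenter.com status=200
ts=2026-02-01T09:40:44Z host=dev-12 proc=chrome.exe dst=example.org status=200
ts=2026-02-01T10:02:17Z host=dev-12 proc=updater.exe dst=cdn.unknown-host.example status=200
ts=2026-02-01T10:05:00Z host=dev-03 proc=svchost.exe dst=api.wiresguard.com status=403
"""

LINE_RE = re.compile(r"host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)")


def parse_line(line):
    """Return (host, proc, dst), or None for lines that do not match the layout."""
    m = LINE_RE.search(line)
    return (m["host"], m["proc"], m["dst"]) if m else None


def classify(proc, dst):
    """Label one connection: known C2, updater off its baseline, or benign."""
    if dst.lower() in C2_DOMAINS:
        return "known_c2"
    # The article's point: a trojanised updater only needs to look routine,
    # so any update-style process reaching a non-baselined host is worth a look.
    if re.search(r"updat", proc, re.IGNORECASE) and dst.lower() not in UPDATER_BASELINE:
        return "updater_off_baseline"
    return "benign"


def scan(log_text):
    """Return (host, proc, dst, label) for every non-benign log line."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not fit the expected layout
        host, proc, dst = parsed
        label = classify(proc, dst)
        if label != "benign":
            findings.append((host, proc, dst, label))
    return findings
```

Running `scan(SAMPLE_LOG)` flags the two C2 contacts and the updater's one off-baseline destination; the baseline check is the part that matters after the IoCs rotate.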
