Skip to main content
Cybersecurity

How a recent malware campaign highlights a tricky evasion technique

Abusing trusted infrastructure to deliver a malicious payload is at the heart of VEIL#DROP.

4 min read

TOPICS: Cybersecurity / Threat Detection & Intelligence / Malware

While some cyberattackers are relying on AI and cutting-edge tools to get through organizations’ increasingly powerful defenses, others are launching stealthy attacks that leverage trust in existing platforms—and they’re succeeding, at least against companies without much budget for cyber defense.

One such attack, known as VEIL#DROP, is a multi-stage malware campaign where attackers steal credentials, passwords, crypto wallet information, and more.

According to Aaron Beardslee, manager of security research at Securonix, whose team uncovered the threat, VEIL#DROP exploits Google’s Blogger and Blogspot, which are used by independent creators and small businesses for low-lift publishing. It starts off with the attacker socially engineering a victim into opening a fake PDF document that actually contains a malicious JavaScript file.

When clicked, that file “executes through Windows Script Host and launches PowerShell with execution policy bypasses enabled,” Beardslee and his co-authors wrote in a report breaking down the exploit. PowerShell then retrieves payloads hosted on “attacker-controlled Blogspot pages, abusing Google’s trusted infrastructure to blend malicious traffic with legitimate web activity and evade reputation-based security controls.” Those payloads then infiltrate and steal the victim’s information.

Beardslee said that typically his team sees these kinds of “defense evasion” techniques built for smaller targets like individuals, who often have a minimalist cybersecurity posture compared to a big company: “If I was building malware to target you, I only have to deal with so much in the way of defenses.”

VEIL#DROP also leaves signs of its presence, Beardslee added. “This particular campaign, it drops files onto the system, although a lot of the execution does happen in memory, there are still some parts of it that do get created,” he said. “Though this is more of a post-mortem investigation where you’re trying to figure out root cause, you would look and see what files were created and this was executed—and then PowerShell started doing weird things, connecting to the internet and then this new process started up and then files started getting deleted.”

Piercing the veil. Securonix’s report suggested that companies with advanced memory and endpoint monitoring, in addition to other sophisticated cybersecurity tools, have a better chance of detecting malicious activity like VEIL#DROP before it can deeply penetrate a system. However, not all companies can spend lots of resources on layered cybersecurity defenses.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

By subscribing, you accept our Terms & Privacy Policy.

Matthew Warner, the CEO and co-founder of security organization Blumira, told IT Brew that heavily defended cybersecurity shops are defined by the amount of time and research that professionals can spend studying the cybersecurity environment.

“It’s a richness of time and money versus lack of richness in putting in the time into learning about that environment,” Warner said. “There’s a lot of change happening, and that change management is just inherently hard if you don’t have the resource.”

Warner also suggested that AI is helping attack groups automate their workflows, at least to a point. “They can use AI to make it a little more refined,” he said. “In the grand scheme of it all, we really haven’t seen a significant change with AI other than the quality parts improving, especially on the automation part.”

In an interview with IT Brew, Beardslee said there’s a larger conversation to be had about the “cat and mouse game” between cyberattackers and defenders. Even as cybersecurity pros design protections against emerging threats like VEIL#DROP, bad actors are also improving their techniques.

Building defenses. Warner stressed that enterprises without the funding to layer defenses against external threats should at least consider how their employees use their machines; for example, many may not need the ability to execute certain types of files, which would reduce the effectiveness of particular attacks. Keeping abreast of zero days and other cybersecurity threats is also key.

“A lot of it really becomes having the time to be curious, which is hard,” Warner said. “Doing that and having the time to do it is its own resource, not necessarily monetary, but still aresource, the time to put in to do that.”

About the author

Caroline Nihill

Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

By subscribing, you accept our Terms & Privacy Policy.