Not a New Technique in Operation Shaheen Attack

The advanced attack targeting Pakistan described by Cylance mentions an evasion technique that incapacitates the security solutions provided by 8 vendors. Bitdefender products have been successfully blocking this threat since 2016. We conducted our own analysis of this malware and we have new findings to share.

1. The evasion technique described by Cylance in the paper is not a mechanism to bypass the 8 security solutions, but a shutdown mechanism that renders the malware inactive. Once the malware identifies the presence of Bitdefender security solution, it shuts down.

2. As long as the malware stays inactive, it cannot perform any malicious operations on the machine or on the network.

3. As soon as the malware activates and is executed, it is immediately picked up by Bitdefender.

4. The choice of rendering the malware inactive on systems where Bitdefender solutions are present is most likely related to the fact that Bitdefender was successfully detecting the RTF exploit. Both our internal testing and the VirusTotal sample submission show that the our solutions were able to pick the malware up.

5. This technique of shutting down the malware in the presence of a security solution is nothing new or unusual. Several other malware families have code that stops the malware from executing further in specific circumstances for fear of sounding alarms.

Here at Bitdefender we take security extremely seriously. Our internal analysis shows that most of the samples mentioned by Cylance in the report were detected by all Bitdefender security solutions since 2016 both via signatures and behavioral technologies.

Customers  running the Bitdefender Elite HD product were also covered by detection via machine learning technologies (Gen:Illusion.ML.Skyline.B  and Gen:Illusion.ML.Miura.C) as well as via neural network technologies (Gen:NN.ZemsilN.22810, Gen:NN.ZelphiN.22810.KGW) .

For the past 8 years, Bitdefender's detection technologies have received numerous accolades from independent testing organizations such as AV-Test and AV-Comparatives. Our detection technologies are being licensed by almost 40% of competing antimalware vendors, which once again outlines the effectiveness of our capability to detect emerging malware and targeted attacks.