A cyber-espionage group believed to be operating out of China has, over the past two years, been deploying malware that disguises itself as Control Panel item (CPL) files.

The malware's name is Reaver, named so by Palo Alto Networks, the cyber-security company who found it.

Experts say the malware has been used by a cyber-espionage unit that's been around since 2010 and has been tracked under codenames such as DynCalc, Numbered Panda, or APT12.

In previous attacks, this group has deployed other malware families, such as the SunOrcal backdoor, the Surtr RAT, and the EvilGrab infostealer.

New Reaver malware uses CPL files to infect users

The new Reaver malware Palo Alto discovered is a backdoor trojan and helps the cyber-espionage unit gather information from infected hosts and execute malicious commands.

"The new family appears to have been in the wild since late 2016, and to date we have only identified 10 unique samples, indicating it may be sparingly used," researchers said. "Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file. To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare."

As for this latest campaign, Palo Alto has no information on who the group targeted with the Reaver malware, but a technical analysis of the infection chain and malware's source code reveals some pretty advanced features:

Can read local files
Can write new files on disk
Can move files on disk
Can delete desired files
Can spawn and terminate processes
Can create and modify directories
Can modify registry keys
Can modify services
Can collect the following data from victims:
    CPU speed
    Computer name
    IP Address
    Microsoft Windows version
    Physical and virtual memory information
    OEM code page identifier for the operating system
    ANSI code page
Can upload the aforementioned data to a remote server
Can be controlled by a remote C&C server
Can kill itself

CPL files used for malware campaigns in the past

This is not the first time CPL files have been weaponized in malware campaigns. Brazilian cyber-criminals used CPL files to infect victims with banking trojans and infostealers way back in 2013.

The technique of using CPL files to hide malware was also adopted by the Carbanak group during their attacks on financial institutions in 2014-2015, during which they stole around $1 billion.

Earlier this year, a security researcher used rogue CPL files to bypass Windows AppLocker protection.
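Because a CPL payload is a DLL that Windows hands to control.exe (or to rundll32.exe via shell32.dll,Control_RunDLL), the launch leaves a distinctive process-creation trail. The following added example, not code from the article or from Palo Alto Networks, scans constructed Sysmon-style process-creation lines and flags any CPL loaded from outside the Windows system directories; the field layout, the two loader patterns it matches and the trusted-directory list are assumptions.

```python
"""Flag Control Panel item (.cpl) launches from user-writable paths.

Added example for this article, not the article's or Palo Alto's own code.
Input lines are constructed, Sysmon-style process-creation records; the field
names and the trusted-directory list are assumptions, not facts from the page.
"""
import re
from typing import Dict, List

# The two Windows loaders assumed here to cover CPL execution:
#   control.exe <file.cpl>
#   rundll32.exe shell32.dll,Control_RunDLL <file.cpl>
CPL_LOADERS = re.compile(
    r'(?:\bcontrol\.exe"?\s+|\brundll32\.exe"?\s+shell32\.dll,Control_RunDLL\s+)'
    r'"?(?P<cpl>[^"\s]+?\.cpl)"?',
    re.IGNORECASE,
)

# Directories where legitimate CPL applets normally live (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def suspicious_cpl_launches(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per line that loads a .cpl from outside TRUSTED_DIRS.

    Lines that are not CPL launches, or that load a CPL from a trusted
    directory, are ignored. Caveat: only the two loader forms above are
    matched, so a renamed loader or an unusual quoting style would be missed.
    """
    hits = []
    for line in lines:
        m = CPL_LOADERS.search(line)
        if not m:
            continue
        cpl = m.group("cpl")
        if cpl.lower().startswith(TRUSTED_DIRS):
            continue
        hits.append({"cpl": cpl, "line": line.strip()})
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r'Image: C:\Windows\System32\control.exe CommandLine: "C:\Windows\System32\control.exe" C:\Windows\System32\timedate.cpl',
    r'Image: C:\Windows\System32\control.exe CommandLine: "C:\Windows\System32\control.exe" "C:\Users\alice\AppData\Roaming\update.cpl"',
    r'Image: C:\Windows\System32\rundll32.exe CommandLine: rundll32.exe shell32.dll,Control_RunDLL C:\Users\Public\report.cpl',
    r'Image: C:\Windows\System32\notepad.exe CommandLine: notepad.exe C:\Users\alice\notes.txt',
]

if __name__ == "__main__":
    for hit in suspicious_cpl_launches(SAMPLE_LOG):
        print("suspicious CPL launch:", hit["cpl"])
```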
