A cyber-espionage group believed to operate out of China has spent the past two years deploying malware that poses as Control Panel item (CPL) files.
Palo Alto Networks, the security company that discovered the malware, named it Reaver.
Researchers say the malware has been used by a cyber-espionage unit that has been active since 2010 and is tracked under names such as DynCalc, Numbered Panda, and APT12.
In previous attacks, the group has deployed other malware families, including the SunOrcal backdoor, the Surtr RAT, and the EvilGrab infostealer.
The Reaver malware Palo Alto discovered is a backdoor trojan that lets the group collect information from infected hosts and run commands on them.
"The new family appears to have been in the wild since late 2016, and to date we have only identified 10 unique samples, indicating it may be sparingly used," researchers said. "Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file. To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare."
Palo Alto has not identified whom the group targeted in this latest campaign, but its technical analysis of the infection chain and the malware's code reveals some fairly advanced features:
The technique of hiding malware in CPL files was also used by the Carbanak group in its 2014-2015 attacks on financial institutions, which netted an estimated $1 billion.
Earlier this year, a security researcher used rogue CPL files to bypass Windows AppLocker protection.