Multi-Phase Cyber Attacks

A lot of people think that a cyber attack is immediately launched when you click on a link, or a hacker exploits a zero day vulnerability. This is not always the case and recent evidence shows that hackers are hiding in plain sight and waiting to launch their ultimate attack.

Malware can infiltrate your systems in many ways. For example:

Once malware invades your system it might start with a basic user with little system level access (how most users in a corporate network should be configured). However, there are several vulnerabilities that when exploited allow the malware to gain system level access that allows then to activate their malware payload with administration rights (Privilege Escalation Vulnerabilities). Once this is achieved the malware has a lot higher level of access to the host machine, and maybe other systems on the network that require some form of administration rights to access – for example a web server or secured file store. While the malware is exploiting these vulnerabilities they are benign, normally not causing any damage and you may not even know you had been attacked.

Once the malware has got a higher level of access it may then hunt through the network for other servers that give it access to highly confidential information or access accounts to cause real damage.

What are the objectives

Malware these days has several objectives once it has got somewhere with the right level of access. For example:

  • Install a crypto-currency miner
  • Extract highly confidential information (data breach attack)
  • Perform surveillance for specific events (Spyware attack) or install keyloggers to capture username and passwords
  • Attacks with Ransomware or Wiperware
  • Gain access to other sites/clients (Supply Line Attack)
  • Infect system libraries (DLL Hijacking attack) so that system programs are co-opted into performing malicious acts
  • Install Banking Tojans and other malware capabilities
  • Install a back-door to enable high privilege access on demand remotely.

It may also stay quiet until a specific date or signal is sent to it from its command and control service before it launches its attack. It may also stay quiet until the machine is in a low activity period (e.g. outside of work hours or when the screen saver activates) before it starts up its activities. As a result, unless you have active monitoring of the machine in place you probably won’t know it is there especially if it has got as far as a local server.

Finding out if you have been infected Case Study

A Windows 10 laptop that came to my attention recently was running at near 100% CPU usage when the screensaver was activated. This was evident since the CPU fan was running at a high speed since the CPU has increased in temperature.

Once I touched the keyboard the activity subsided, which made it very hard to detect what was going on. Running deep virus scans didn’t detect anything – and I used more than one virus scanner. Checking the system logs didn’t show up anything. Looking for any unrecognised software also didn’t surface anything through the Programmes and Features utility as well as inspection of the various Programme Files directories. Looking at the Task manager didn’t show anything because whatever was causing this high CPU usage had stopped running

After a lot of effort, I managed to see in Task manager a process that briefly showed itself and then disappeared – luckily I was ready to screenshot the PC so I caught the name of the file and then did a search for it. This was some form of disk optimisation utility that appeared to come from Intel. Once I disabled it (by renaming it), the activity subsided. Clearly this was part of the issue.

A few weeks passed and I noticed that this same laptop was showing high CPU usage again. While I didn’t delete the original file, I thought it might have been re-activated, but it had been deleted – highly suspicious. However, in this case the root cause of the increased activity was the Windows disk Indexer service was running amuck. In this case a complete re-indexing of the internal hard drive solved the problem and has not so far re-surfaced.

In this case I don’t think the laptop was infected with malware, but possibly a misconfigured index on the hard drive was causing the issue.

However, this case study does show one method to notice when you might have been infected with a crypto-miner since this is a CPU intensive task.

Other Symptoms of Infection from Hidden Malware

The following is a list of other symptoms that you might see:

  • High CPU usage, evident when the CPU fan is running when the machine is idle
  • The Machine becomes slow to perform normal tasks (e.g. accessing a local file, accessing a website)
  • System errors, for example file corruption errors, blue screen’s
  • Higher than normal network activity in the vicinity of the machine.

In all cases the malware is trying to find things on your machine, or trying to reach out and infect other machines, and this causes the symptoms above.

The machine may be slow for a perfectly normal reason, e.g. performing security updates which can normally be observed if you know where to look.

Cyber Criminals are Getting More Sophisticated

The Attack sequence in a Multi-Phase Attack is typically:

  • Infiltrate vulnerable systems
  • Explore the network discovering what data can be exfiltrated as well as determining the nature of the next phase
  • Exfiltration of data
  • A Visible Ransomware attack, infrastructure attack or similar
  • Disclosure of the stolen data if a ransom is not paid
  • Hiding after the initial attack to continue surveillance or re-launch its attack at a later date.

These days malware can hide in plain sight by infecting system libraries and evading Anti-Virus scans. They also employ encryption so that Anti Virus solutions cannot inspect the contents. They also use steganography to hide malicious software in images and video files.

One way to inspect malware and reverse engineer it is to install it into a virtual machine (a hosted environment that runs on top of Windows/Linux/etc.). Because these virtual machines do not have active access to the underlying hardware (only through software), the malware can detect this and then not run.

Some malware will also attack specific kinds of target. In March 2020 a ransomware was discovered called Ekans. While it had al the usual capabilities, it sought out Industrial Control Systems (ICS). Before starting file-encryption, the ransomware kills specific processes that disables the control systems and thereby ceasing operations. This is particularly dangerous if a Hospital was attacked in this way causing vital life saving equipment to stop working (e.g. oxygen distribution, ventilators). Factories can also be shutdown causing serious damage. A Venezuelan steel works was attacked in this way and because they were processing molten materials, the steel cooled and jammed up all the machinery, which then required to be replaced. Several similar attacks have taken place in the past year with varying degrees of impact.

Ransom Ware Evolves

Malware these days are very sophisticated software systems that can adapt to the target and deliver multiple malware payloads to the infected system.

We are also seeing a lot of Ransomware infecting target machines, extracting vast amounts of confidential information and then initiating the ransomware attack and encrypting everything it has already taken. The data extraction phase can last for days, weeks or even months with very little evidence as to what it is doing. Once the ransomware attacks then you know you have been attacked. However, the initial incident where the malware got foothold could be months in the past and forgotten about.

The ransom note displayed will inform you that you have so many days to pay the ransom to obtain the decryptor so that you can get your data back. However, to give you an incentive to pay they may also inform you that if you don’t pay the ransom they will start to sell your data on the dark net.

I initially heard of this form of attack when the BitPyLock ransomware was discovered in January 2020. In February 2020 I noticed a report on the DoppelPaymer Ransomware performing similar activity. Since then I am seeing reports almost every week of ransomware exhibiting similar capabilities.

One of the more high profile attacks I came across recently was when US based law firm Grubman Shire Meiselas & Sacks (GSMLaw) was attacked in May 2020. This law firm represents a lot of high profile celebrities and other high profile clients. Because the law firm refused to pay the ransom, the attackers started to leak some information to the dark web as a demonstration. They have since leaked and sold highly confidential files for several celebrities on the dark web with the intention of acquiring the same value as the ransom from the sales.

Some of these ransomware strains will also hang around after the system has been restored, or may take up home in an unaffected part of the network. In June 2020 the Maze Ransomware was observed to be still stealing documents even after the Ransomware attack was evident.

Another twist to this kind of attack is when the attackers will wipe all encrypted systems securely if the ransom is not paid, rendering everything lost unless you have secured backups. If the malware is still hanging around, this could be initiated even if you have recovered your files from backup or found a decrypter, for example from the ‘No More Ransom Project‘.

Once you have been attacked, the multi-phase nature of these attacks means that you may never be rid of the malware since it may be hiding in plain sight on every server and PC in your organisation. The only way to be totally rid of it would be to switch everything off and replace every piece of hardware and software. For any organisation (even consumers) that will represent an extremely high cost, probably taking the company to bankruptcy.

Being attacked by malware is devastating. Having confidential information leaked to other cyber criminals will almost destroy your business due to the reputational damage that causes.


Cyber criminals are getting a lot more sophisticated and malware is becoming highly configurable systems that can adapt to specific targets. Cyber attacks are also becoming big business with massive financial rewards for the perpetrators. Malware on Demand is also a big business where ransomware operators will orchestrate specific attacks for paying clients or provide a distribution of their malware.

Malware can also lurk in the shadows until the time is right to strike with the visible part of the attack. We have also seen ransomware evolve where cyber criminals not just hold your systems to ransom by encrypting them, but also your confidential data through threats of disclosure. And once malware gets in, it can hide and continue its attack even after the visible part of the attack has been seen and resolved.

Large companies are seeing attacks on their public facing systems every day as well as phishing attacks on individuals in the organisation. You can’t stop this from happening. However you can do a lot to reduce the impact. For example:

  • Educate your staff, friends and family about Social Engineering – a lot of cyber attacks occur due to a simple phishing email (see our guidance on the Human Firewall)
  • Monitor your systems – this could involve advanced monitoring systems for large corporate networks, or just noticing things are not right in a small office or home environment
  • Correctly configure your network hardware (see also Securing your Internet Router – A Pocket Guide)
  • Adding appropriate Internet Security solutions to your network to detect malware both at the entry to the network and on all client machines and severs (there are also cloud based solutions to deflect DDOS attacks)
  • Make sure all your hardware is fully supported and any software is fully patched (this goes right down to the BIOS/firmware on each computer on your network to the OS and applications)
  • Be aware of what your mobile device is doing, especially when connected to the corporate network and ban certain applications from company devices (Amazon has recently banned TikTok from company devices)
  • Backup all your files and keep a copy in an offsite location so that you can restore them in both an emergency or in case of a cyber attack
  • Limit who has access to administrator accounts and do not share accounts/passwords
  • Do not login to PC’s with a default account or without entering a user name and password
  • Secure user access to servers with username and passwords, especially on shared drives.

The above is probably a minimal list and we are always publishing new guidance on this topic.

Multi-Phase cyber attacks are becoming the norm. Since a lot of the new malwares can evade anti-virus solutions, this means they can often hide in plain sight. This effects consumers as well as businesses (large and small).

Headline image provided by Gwendal Cottin on Unsplash.

Comments are closed.

Create a website or blog at

Up ↑

%d bloggers like this: