A New Constantly Mutating Polymorphic Malware Tardigrade


The cyber security threats keep coming, and it seems as though they are only picking up speed. Recently, constantly mutating malware has been found targeting the biotech industry. The malware has been named Tardigrade due to its ability to mutate and adapt, allowing it to persist in different conditions.

Tardigrade is a new strain of Windows malware that constantly mutates to hide from detection. Tardigrade was first discovered in spring due to a ransomware attack on an unnamed biomanufacturing facility. It was also detected in another biomanufacturing facility last month.

“This thing is still evolving; it’s still in motion. We’re still learning more about this as time goes on, but because it was clear that spread was still active, this is an active threat, and a significant threat, we wanted to accelerate disclosure,” said Ed Chung, chief medical officer at biomedical company BioBright.

Tardigrade is a next-level polymorphic malware. Polymorphic malware rewrites part of its code, changing its identifiable features to help it evade detection. Tardigrade goes further: during each infection, when it first connects to the internet, it recompiles its entire code. Because no two infections leave a consistent signature, antivirus programs that rely on signature matching have a much harder time detecting it.

In case you are unaware, the tardigrade in nature can survive in extreme conditions, even the vacuum of space. This is the logic behind the malware’s nickname. The Tardigrade malware has been infecting devices through phishing emails and USB drives. How the USB drives got onto the premises is still unclear.

Tardigrade has some striking similarities to malware that has been around since 2011 known as “Smoke Loader.” Smoke Loader is primarily used as a back door, making it easier for other, more destructive malware to infect devices and networks. While Tardigrade has yet to be attributed to a country of origin, it should be noted that Smoke Loader has only been sold to Russian-speaking hackers since 2014.

Since the start of the pandemic, the world has seen an increase in cyber-attacks. There has been a spike in attacks across all industries. The increase is especially noticeable in health care facilities and medical research organizations. Over the pandemic, the European Medicines Agency (EMA), the World Health Organization (WHO), and the U.S. Department of Health and Human Services have all fallen victim to cyber-attacks. Many hospital systems and medical research facilities have also fallen victim to cyber-attacks throughout the pandemic. There is evidence of an increase in cyber-attacks against groups fighting the pandemic, including those developing and distributing vaccines.

While Tardigrade is typically deployed to steal data, many of the attacks also involved a ransomware family: “DoppelPaymer” was used in the attack on Düsseldorf University Hospital, “Conti” was used in the attack on Ireland’s HSE, and “Mount Locker” was used in the attack on Miltenyi Biotec. What remains unknown is whether the ransomware was used to further monetize an already compromised network or to cover up the attackers’ earlier malicious activity.

We all need to remain vigilant and aware during these times to help defend against attacks.
