DeepLoad, a new type of malware, is going after businesses. From a single user action it gives attackers persistent, credential-stealing access that survives reboots and routine cleanup efforts.
DeepLoad hides at every level, which makes it hard to find with regular security tools. The malware also placed more than 40 hidden installer files on USB drives that were connected to infected hosts, including fake shortcuts for Chrome, Firefox, and AnyDesk; each one could start a full infection on any computer it touched. A hidden WMI event subscription, planted during the initial compromise, sits outside normal remediation workflows, so the host can reinfect itself without any user action.
In one confirmed case, the subscription fired three days after the host looked clean and quietly put filemanager.exe back in the user's Downloads folder. Security teams should turn on PowerShell Script Block Logging, because it captures the decoded commands at runtime and cuts through obfuscation. All credentials reachable from a confirmed infected host, such as saved passwords, session tokens, and active accounts, must be changed right away.
Any USB drives that were connected to affected endpoints should be checked before they are used again. Browser extensions that did not arrive through an approved IT deployment path must be removed from affected systems. Endpoint monitoring should move from file scanning to behavioral and runtime detection using EDR telemetry and memory scanning. ZeroOwl's full blog post on the new security breach has further details.
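The WMI persistence and logging recommendations above can be checked directly on a host. The following script is an added example, not code from the article or from ZeroOwl: it enumerates permanent WMI event subscriptions (filter, consumer and binding) and reports whether Script Block Logging is enabled via the policy registry key. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the article): list permanent WMI event subscriptions
# and check the Script Block Logging policy on the host under investigation.

function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Reference properties resolve to CimInstances; join them on the Name key.
        $f = $filters   | Where-Object Name -eq $b.Filter.Name
        $c = $consumers | Where-Object Name -eq $b.Consumer.Name

        # The command the consumer runs lives in a class-specific property.
        $payload = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '<no command payload>' }
        }

        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query          # WQL trigger, e.g. a timer or process-start event
            Consumer     = $c.Name
            ConsumerType = $c.CimClass.CimClassName
            Payload      = $payload
        }
    }
}

function Test-ScriptBlockLogging {
    # Policy location used by Group Policy for "Turn on PowerShell Script Block Logging".
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableScriptBlockLogging -eq 1)
}

Get-WmiPersistence | Format-List

if (-not (Test-ScriptBlockLogging)) {
    Write-Warning 'Script Block Logging is off; event 4104 will not record decoded script blocks.'
}
```

A binding named "SCM Event Log Consumer" with the "SCM Event Log Filter" is part of a stock Windows install; anything else, especially a CommandLineEventConsumer whose payload drops a file into a user profile, warrants investigation.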