    Archive for May 24th, 2012

    Do standard security solutions work against advanced persistent threats (APTs)? Are APTs crafted to extract specific files from an organization? Are data breaches caused by APTs? IT groups today face the challenge of protecting their networks against APTs—computer intrusions by threat actors that aggressively pursue and compromise targets. To help organizations formulate strategies against APTs, TrendLabs prepared an infographic that illustrates the different stages of an intrusion.

    By analyzing each stage of an attack, IT groups can gain insight into the tactics and operations of an active attack against their networks. This analysis helps build local threat intelligence—internal threat profiles developed through intimate knowledge and observation of attacks against a specific network. That intelligence is key to mitigating future attacks by the same threat actors. The stages our researchers have identified are intelligence gathering, point of entry, command-and-control (C&C) communication, lateral movement, asset/data discovery, and data exfiltration.

    Certain realities make dealing with each stage of an APT attack more difficult than dealing with ordinary cybercrimes. For instance, in the asset discovery stage where the attacker is already inside the network enumerating which assets are valuable enough to extract, a data loss prevention (DLP) strategy can prevent access to confidential information. However, according to a survey, while company secrets comprise two-thirds of a company’s information portfolio, only half of security budgets are allocated to protecting these.

    More of these realities are highlighted in the infographic, “Connecting the APT Dots.”

    Posted in Exploits, Targeted Attacks, Vulnerabilities | [INFOGRAPHIC] APT Myths and Challenges

    A few weeks ago, we were alerted by our colleagues in Korea to a specially crafted Hangul Word Processor document (.hwp) that exploits an application vulnerability in the Hancom Office word processing software. .HWP is a popular Korean word processor file format, which makes it just the right format for targeting prospective Korean victims, as appears to be the case here.

    Detected as TROJ_MDROP.ZD, this specially crafted document arrived as an email attachment; the email used a recent murder case in Korea as a social engineering ploy. It was sent to numerous employees of a prominent Korean company.

    Upon opening the malicious attachment, TROJ_MDROP.ZD exploits a still unidentified vulnerability in order to drop and execute the backdoor BKDR_VISEL.FO in the background. This backdoor gives remote access to a potential attacker, who may perform malicious routines on the infected machine. Based on our analysis, BKDR_VISEL.FO also terminates processes related to specific antivirus programs, making its detection and removal difficult. The backdoor also downloads and executes other malicious files, leaving the compromised system susceptible to further infection and data theft.

    After execution, TROJ_MDROP.ZD replaces itself with a non-malicious .HWP document in order to prevent the user from suspecting any malicious activity. This decoy document contains the following Korean text:

    A Recon for Future Attacks

    Judging from the profile of the target company, a successful infection may lead to mass pilfering of its customers' personal data. Add the fact that .HWP is the Korean government’s de facto standard word processor format, and what we may be seeing now is the reconnaissance phase of a future, larger, regional attack.

    With this incident, we may be seeing attackers gradually taking advantage of vulnerabilities in regionally used applications. Hancom Office is also not the first of its kind to be exploited by attackers. We previously reported a case wherein malicious users abused vulnerabilities found in the Japanese-language word processor Ichitaro. Successfully exploiting these leads to the installation of a backdoor. Both incidents prove that using regional software does not guarantee the absence of malware attacks. In this case the word processor vendor, which adopted a specific third-party module that may have contained the vulnerability, needs to pay attention to the industry’s CVE information too and be ready to update.

    This highlights the importance of security, especially for organizations whose services include storing customer information. A successful compromise of an organization not only puts its customers at risk, but also easily tarnishes its reputation. Fortunately, in this case proper mitigation steps were executed immediately. However, we must stay vigilant, as this is not the last time we’ll be seeing threats of this kind.

    Trend Micro protects users from this threat via the Trend Micro™ Smart Protection Network™, which detects and deletes the related malware. It also blocks the related message and prevents it from even reaching users’ inboxes.

    We will update this blog entry once we get more details about the said vulnerability.

    With additional insights from Thomas Park

    Update as of May 25, 2012 3:23 AM PST

    Based on our analysis, TROJ_MDROP.ZD triggers a buffer overflow that stems from the plug-in file HNCTextArt.hplg, which HWP.EXE uses to process .HWP files. HNCTextArt.hplg contains code that copies a wide character string, including the null terminator, from the source to the destination. The copy relies on the source string containing a null terminator. In the case of this malicious .HWP file, the wide character string being copied does not contain that null terminator, resulting in an unbounded copy loop.

    Because of this, HNCTextArt.hplg copies data repeatedly until an exception occurs. This triggers the malicious shellcode inside the malicious .HWP file. The said code decrypts, drops, and executes the PE file and the non-malicious HWP file, which serves as the decoy.
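    The copy pattern described above, as an added illustration that is not Hancom's code: a plug-in copies a UTF-16-style wide string out of an untrusted file record into a fixed buffer. The unbounded loop trusts the file to supply a terminator; the bounded form limits the copy to the units actually present in the record and to the destination capacity, and rejects records without a terminator instead of running on. The buffer size, function names and sample records are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not Hancom's code: a plug-in copies a UTF-16-style wide
 * string out of an untrusted file record into a fixed buffer. Units are 16-bit. */
#define DST_CAP 16

/* The pattern described in the analysis: copy until a null terminator appears,
 * trusting the file to supply one. With no terminator in src, reads and writes
 * run past both buffers (undefined behaviour). Shown for contrast only. */
void copy_wstr_unbounded(uint16_t *dst, const uint16_t *src) {
    while ((*dst++ = *src++) != 0) { }
}

/* Hardened form: bounded by the units actually present in the record and by
 * the destination capacity, and it fails closed when the terminator is missing
 * or would not fit. Returns the character count copied (excluding the
 * terminator) or -1 for a malformed record. */
int copy_wstr_bounded(uint16_t *dst, size_t dst_cap,
                      const uint16_t *src, size_t src_units) {
    size_t limit = src_units < dst_cap ? src_units : dst_cap;
    for (size_t i = 0; i < limit; i++) {
        dst[i] = src[i];
        if (src[i] == 0) return (int)i;  /* terminator found inside both bounds */
    }
    if (dst_cap) dst[0] = 0;              /* reject rather than truncate silently */
    return -1;
}

/* Constructed records standing in for the text-art string inside an .HWP file. */
static const uint16_t good_record[] = { 'H','W','P',' ','o','k', 0 };
static const uint16_t bad_record[]  = { 'A','A','A','A','A','A','A','A' }; /* no 0 */
static const uint16_t long_record[] = { 'X','X','X','X','X','X','X','X','X',
                                        'X','X','X','X','X','X','X','X', 0 }; /* 17 + 0 */

/* Helpers that run the bounded copy on each constructed record. */
int check_good_record(void) { uint16_t o[DST_CAP]; return copy_wstr_bounded(o, DST_CAP, good_record, 7); }
int check_bad_record(void)  { uint16_t o[DST_CAP]; return copy_wstr_bounded(o, DST_CAP, bad_record, 8); }
int check_long_record(void) { uint16_t o[DST_CAP]; return copy_wstr_bounded(o, DST_CAP, long_record, 18); }

int main(void) {
    /* prints: good=6 bad=-1 long=-1 */
    printf("good=%d bad=%d long=%d\n", check_good_record(), check_bad_record(), check_long_record());
    return 0;
}
```

    The long record shows the second failure mode the bounded version also covers: a terminator that exists but lies beyond the destination capacity is rejected rather than written past the buffer.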

    With additional analysis from Jason Pantig

    Posted in Exploits, Malware, Targeted Attacks, Vulnerabilities | Specially Crafted .HWP File Used for Korean Targeted Campaign
