Throughout 2012, we investigated a variety of targeted attacks including several APT campaigns such as LuckyCat and Ixeshe, as well as updates on some long running campaigns such as Lurid/Enfal and Taidoor. There was a lot of great research within the community related to targeted attacks published this year, and I’ve clustered the research I found to be the most interesting into six themes that I think also encapsulate the trends in targeted attacks of 2012:

• Targets and Tools – While targeted attacks were largely equated with APT during 2011, 2012 saw the emergence of a variety of attacks especially those in the Middle East including Shamoon in Saudi Arabia, the Mahdi Campaign, GAUSS and Wiper/Flame which were all well documented by Kaspersky. There were other attacks related to the conflict in the Middle East most notably Syria and Israel and Palestine (also see Norman’s analysis here). APT activity remained a significant concern in 2012, and Dell SecureWorks published a paper on clustering various APT campaigns as well as papers on Mirage and SinDigoo that illustrated the scope of the problem. Bloomberg published a series of articles about the “Comment Crew” that detailed the breadth and impact of an APT campaign.There was also considerable activity targeting Russia, Taiwan, South Korea, Vietnam, India and Japan. In addition to expanded geographic targets, we also saw the expansion of the technologies that were targeted, including Android mobile devices and the Mac platform. Seth Hardy from the Citizen Lab gave a great presentation at SecTor that provides an overview of the various Mac related RATs (SabPub, MacControl, IMULER/Revir and Dokster) that emerged this year. And although we have seen smartcard related attacks in the past, thanks to some great analysis of Sykipot from AlienVault we saw technical details around smartcards that were deliberately targeted.

Read the rest of this entry »

Malware like BKDR_JAVAWAR.JG prove that web servers are viable targets by cybercriminals, as they store crucial data and can be used to infect other systems once unwitting users visit affected websites.

We recently spotted a Java Server page that performs backdoor routines and gains control over vulnerable server. Trend Micro detects this as BKDR_JAVAWAR.JG. This malware may arrive as either a file downloaded from certain malicious sites or as a file dropped by other malware.

For this attack to be successful, the targeted system must be a Java Servlet container (such as Apache Tomcat) or a Java-based HTTP server. Another possible attack scenario is when an attacker checks for websites powered by Apache Tomcat then attempts to access the Tomcat Web Application Manager.

Using a password cracking tool, cybercriminals can access and gain manager/administrative rights allowing the deployment of Web application archive (WAR) files packaged with the backdoor to the server. The backdoor will be automatically added in the accessible Java Server pages. To execute its routine, the attacker can access the Java Server page using the following:

Error! Hyperlink reference not valid. sub-directory inside Tomcat webapps folder}/{malware name}

Read the rest of this entry »