Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    June 2014
    S M T W T F S
    « May   Jul »
    1234567
    891011121314
    15161718192021
    22232425262728
    2930  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Archive for June 4th, 2014




    Targeted attacks are difficult to detect and mitigate by nature. We recently uncovered a targeted attack campaign we dubbed as “ANTIFULAI” that targets both government agencies and private industries in Japan. In our 2H 2013 Targeted Attack Trends report, we found that 80% of the analyzed cases of targeted attacks hit government institutions.

    Like many targeted attacks, ANTIFULAI uses several emails as entry vectors to get the attention of its would-be targets. In this particular case, the detected email posed as a job application inquiry with which a JTD file (Ichitaro RTF format) is attached. However, this file exploits an Ichitaro vulnerability (CVE-2013-5990) detected as TROJ_TARODROP.FU.

    When exploited, this vulnerability allows arbitrary code to run on the infected system that is used to drop malicious files. The final payload is a backdoor detected as BKDR_ FULAIRO.SM. Once run, this backdoor gathers the list of running processes, steals information, and downloads and executes files. The presence of the following files indicates the presence of this malware:

    • %Startup%\AntiVir_Update.URL
    • %Temp%\~Proc75c.DAT

    Unusually, this malware “hides” its targets in the URL it uses to contact its command-and-control (C&C) servers. Threat actors can easily see if the targeted organization has been breached by checking the said URL. Examples of the URL format we’ve seen include:

    • [C&C server domain]/[acronym of the target company]/(info|index).php?secue=(false|[proxy name])&pro=[list of running processes]
    • [C&C server domain]/[acronym of the target company]/(info|index).php?fileindex=[A-Z]
    • [C&C server domain]/[acronym of the target company]/(info|index).php?filen=noexist
    • [C&C server domain]/[acronym of the target company]/(info|index).php?filewh=false
    • [C&C server domain]/[acronym of the target company]/(info|index).php?Re=[output result of shell command]
    • [C&C server domain]/[acronym of the target company]/(info|index).php?verify=[filename]
    • [C&C server domain]/[acronym of the target company]/(com.php|update.html)

    The Importance of Threat Intelligence

    Network traffic is one of the ways IT administrators can check if their network has been hit by targeted attacks. This is why it is crucial for enterprises and large organizations to build threat intelligence capabilities. With these tools available to them, IT administrators can break a targeted attack cycle before it reaches the data exfiltration stage.

    In addition, enterprises are advised to regularly update their systems and applications as a security step in mitigating targeted attacks because old vulnerabilities are typically used in order to infiltrate a network.

    Trend Micro protects enterprises from targeted attacks via its Trend Micro™ Deep Discovery, an advanced security platform that identifies malware, C&C communications, and attacker activities signaling an attempted attack.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice