TrendLabs Malware Blog - Trend Micro
As we reported recently, we have spotted yet another targeted attack campaign that uses Pro-Tibetan sentiments as a social engineering ploy to infiltrate target systems. And yes, this one again targets both Windows and Mac systems.

It starts with the email below:

Users who click the link in the email are led to a site hosting a script that determines whether the visitor is running Windows or a Mac.

The site is currently not resolving, but we managed to retrieve the code from Google’s cache:

The script then loads a Java applet exploiting CVE-2011-3544, which is described as an unspecified vulnerability in the Java Runtime Environment component. The applet is detected as JAVA_RHINO.AE. If exploitation succeeds, either a SASFIS backdoor (BKDR_SASFIS.EVL) on Windows or an OLYX backdoor (OSX_OLYX.EVL) on Mac OS X is installed on the system.
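As an added example (not code from the post or from Trend Micro), the Python heuristic below scans a saved landing page for the two traits described above, client-side OS detection combined with the loading of a Java applet, and flags the page only when both occur together; the sample pages and regular expressions are constructed for illustration.

```python
import re

# Constructed sample resembling the OS-branching landing page described in the post
# (placeholder file names, no exploit content).
SAMPLE_PAGE = """<html><body>
<script>
if (navigator.platform.indexOf("Mac") != -1) { var jar = "mac_app.jar"; }
else if (navigator.platform.indexOf("Win") != -1) { var jar = "win_app.jar"; }
document.write('<applet code="Loader.class" archive="' + jar + '"></applet>');
</script>
</body></html>"""

# Constructed benign page: OS detection alone, as many download pages use it.
BENIGN_PAGE = """<html><body><p>Welcome to our newsletter.</p>
<script>if (navigator.userAgent.indexOf("Mac") != -1) showMacDownloadLink();</script>
</body></html>"""

# Script inspects navigator.* and compares against an OS name within the same statement.
OS_FINGERPRINT = re.compile(
    r"navigator\.(?:platform|userAgent|appVersion)[^;\n]{0,80}?\b(?:Mac|Win)", re.I)
# Page embeds or launches a Java applet (tag, Java object/embed, deployJava, or a .jar).
APPLET_LOAD = re.compile(
    r"<applet\b|<object\b[^>]*java|<embed\b[^>]*java|deployJava\.|\w+\.jar\b", re.I)


def assess_landing_page(html):
    """Return the evidence found and whether the campaign pattern is present."""
    fingerprints = [m.group(0) for m in OS_FINGERPRINT.finditer(html)]
    applets = [m.group(0) for m in APPLET_LOAD.finditer(html)]
    # Either indicator alone is common on legitimate sites; the combination
    # (pick the OS, then hand the visitor a Java applet) is what deserves a closer look.
    return {
        "os_fingerprint": fingerprints,
        "applet_load": applets,
        "suspicious": bool(fingerprints) and bool(applets),
    }


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, assess_landing_page(page))
```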

Both backdoors report to the same C&C server. Both also include functionality to upload and download files and to navigate the files and directories of the affected system, giving the attackers further means for lateral movement and data exfiltration.

This reminds us of the earlier blog post from our friends at Microsoft about OLYX, which notes that the backdoor's code is similar to that of Gh0st RAT. Gh0st RAT is one of the favorite backdoor payloads in advanced persistent campaigns, including those targeting NGOs such as Pro-Tibetan organizations.

It is also worth noting that we saw the same command-and-control server in both a recent Gh0st RAT attack and the targeted attack against Mac OS X users we recently blogged about.

Trend Micro products detect and remove JAVA_RHINO.AE, so users are protected from this malware. In addition, Trend Micro Deep Security users should apply Rule 1004867 (Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability) to protect their networks from this attack.

We are continuing to monitor developments in this case and will post more information accordingly. Stay tuned.
© Copyright 2013 Trend Micro Inc. All rights reserved.