Targeted attacks are difficult to detect and mitigate by nature. We recently uncovered a targeted attack campaign we dubbed “ANTIFULAI” that targets both government agencies and private industries in Japan. In our 2H 2013 Targeted Attack Trends report, we found that 80% of the analyzed cases of targeted attacks hit government institutions.

Like many targeted attacks, ANTIFULAI uses several emails as entry vectors to get the attention of its would-be targets. In this particular case, the detected email posed as a job application inquiry to which a JTD file (Ichitaro RTF format) was attached. This file exploits an Ichitaro vulnerability (CVE-2013-5990) and is detected as TROJ_TARODROP.FU.

When exploited, this vulnerability allows arbitrary code to run on the infected system, which is then used to drop malicious files. The final payload is a backdoor detected as BKDR_FULAIRO.SM. Once run, this backdoor gathers the list of running processes, steals information, and downloads and executes files. The following files indicate the presence of this malware:

• %Startup%\AntiVir_Update.URL
• %Temp%\~Proc75c.DAT

Unusually, this malware “hides” the identity of its targets in the URL it uses to contact its command-and-control (C&C) servers: the path contains an acronym of the targeted organization, so the threat actors can tell at a glance which targets have been breached simply by inspecting the requested URL. Examples of the URL format we’ve seen include:

• [C&C server domain]/[acronym of the target company]/(info|index).php?secue=(false|[proxy name])&pro=[list of running processes]
• [C&C server domain]/[acronym of the target company]/(info|index).php?fileindex=[A-Z]
• [C&C server domain]/[acronym of the target company]/(info|index).php?filen=noexist
• [C&C server domain]/[acronym of the target company]/(info|index).php?filewh=false
• [C&C server domain]/[acronym of the target company]/(info|index).php?Re=[output result of shell command]
• [C&C server domain]/[acronym of the target company]/(info|index).php?verify=[filename]
• [C&C server domain]/[acronym of the target company]/(com.php|update.html)
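Because the C&C URL shape above is so regular, it can be turned into a proxy-log check. The following is an added example (not Trend Micro code); the log line layout `timestamp client_ip url`, the host `cnc.example.invalid` and the acronym `ACME` are constructed for the demonstration.

```python
from urllib.parse import urlsplit, parse_qs

# Query keys and leaf names taken from the ANTIFULAI URL formats listed above.
CNC_QUERY_KEYS = {"secue", "pro", "fileindex", "filen", "filewh", "Re", "verify"}
CNC_SCRIPTS = {"info.php", "index.php"}
CNC_FILES = {"com.php", "update.html"}


def match_antifulai_url(url):
    """Return match details (host, target acronym, leaf, query keys) or None."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # Expected shape: /<acronym>/<leaf>[?key=value...]; anything else is ignored.
    if len(segments) != 2:
        return None
    acronym, leaf = segments
    query = parse_qs(parts.query, keep_blank_values=True)
    if leaf in CNC_FILES and not query:
        return {"host": parts.hostname, "target": acronym, "leaf": leaf, "keys": []}
    if leaf in CNC_SCRIPTS:
        # Only the campaign-specific parameter names count; a generic
        # "index.php?page=2" on a legitimate site must not trigger.
        keys = sorted(k for k in query if k in CNC_QUERY_KEYS)
        if keys:
            return {"host": parts.hostname, "target": acronym, "leaf": leaf, "keys": keys}
    return None


def scan_proxy_log(lines):
    """Scan lines of the form '<timestamp> <client_ip> <url>' (constructed format)."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue
        timestamp, client, url = fields
        match = match_antifulai_url(url)
        if match:
            hits.append({"time": timestamp, "client": client, **match})
    return hits


# Constructed sample log: three beaconing requests from 10.0.0.21 and two benign requests.
SAMPLE_LOG = [
    "2014-10-02T09:15:01Z 10.0.0.21 http://cnc.example.invalid/ACME/info.php?secue=false&pro=explorer.exe,svchost.exe",
    "2014-10-02T09:15:05Z 10.0.0.21 http://cnc.example.invalid/ACME/index.php?fileindex=A",
    "2014-10-02T09:16:00Z 10.0.0.22 http://www.example.com/ACME/index.php?page=2",
    "2014-10-02T09:17:00Z 10.0.0.21 http://cnc.example.invalid/ACME/update.html",
    "2014-10-02T09:18:00Z 10.0.0.23 http://www.example.com/news/index.php",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Each hit carries the target acronym from the path, so a match also tells the responder which organization the actors believe they have compromised.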

The Importance of Threat Intelligence

Network traffic is one of the ways IT administrators can check whether their network has been hit by a targeted attack. This is why it is crucial for enterprises and large organizations to build threat intelligence capabilities. With these tools available to them, IT administrators can break the targeted attack cycle before it reaches the data exfiltration stage.

In addition, enterprises are advised to regularly update their systems and applications as a mitigating step against targeted attacks, because old vulnerabilities are typically what attackers use to infiltrate a network.

Trend Micro protects enterprises from targeted attacks via its Trend Micro™ Deep Discovery, an advanced security platform that identifies malware, C&C communications, and attacker activities signaling an attempted attack.

For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

    • Anonymous

      Hash or it didn’t happen
    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice