Noted for its stealth routine, PlugX and its developers now appear to be using several legitimate applications, in particular those used by Microsoft, Lenovo, and McAfee, in an effort to remain under the radar.
PlugX variants are known for their use of legitimate applications to load their malicious .DLL components. This .DLL hijacking technique is not new; it was first discussed by Mandiant in July 2010 here. PlugX is able to use any executable and has started to use known ...
Last week, we posted some detailed information about the actions that the March 20, 2013 MBR wiper attacks took against systems in South Korea.
Today, I’d like to take that and some additional information that has come out about the incident and draw some conclusions about what lessons this attack teaches us.
When we look at the South Korean attacks three specific lessons come out of what we’ve seen:
Post-PC attacks aren't just about devices
Auto-updating infrastructure is a viable target
Security and infrastructure products ...
Certain German websites were defaced by a group of hackers on April Fools' Day. However, this act was no ordinary prank.
The hackers left messages on the defaced German websites in Arabic, and the message is quite clear:
Figure 1. Screenshot of defaced German website
Translated, the text reads as:
Algeria to the core #
With Palestine unjust or wronged
They also posted the same news on their Facebook page.
Unfortunately, this is not the first time that this group of hackers called "Algeria to the core" ...
Our investigation and analysis of last week's MBR wiper attacks in South Korea is still ongoing. This post summarizes our results and available protection.
The MBR wiper arrives as a dropper file (detected as TROJ_KILLMBR.SM), which drops four files onto the system:
Agentbase.exe – the actual MBR wiper, also detected as TROJ_KILLMBR.SM
~pr1.tmp – a UNIX executable, detected as UNIX_KILLMBR.A
Alg.exe – non-malicious file, related to PuTTY client
Conime.exe – non-malicious, related to PuTTY client
However, before it wipes the MBR, it performs two additional routines: firstly, it ...
We have continued to look into the MBR-wiping attacks that hit Korea earlier. By examining two different infection scenarios, we believe we now have a good picture of how the attack was conducted, why it caused so much damage, and how we were able to protect users using Trend Micro Deep Discovery and other solutions.
Spoofed Bank Notification Leads to Downloader
On March 19, we saw the first indications of this attack, where South Korean organizations received a spam message that ...