A major attack has hit Japanese users, affecting more than 100 corporate clients. These users visited compromised sites that were used to serve malware via malicious Java files.
As of this writing, we are still looking into this attack although we are releasing information about it in order to warn users of the potential threat.
Here is how this attack progresses:
- Users view the legitimate site, which has been compromised by the addition of malicious scripting code.
- This malicious scripting code redirects users to certain malicious sites.
- These malicious sites host JAVA_AGENT.P and JAVA_AGENT.O, which use Java vulnerabilities to download and run files.
- TROJ_DLOAD.SMAB is downloaded, which drops TROJ_DLOAD.SMAD, which in turn downloads TROJ_DROPPER.OMJ.
- TROJ_DROPPER.OMJ drops TROJ_EXEDOT.SMA.
- TROJ_EXEDOT.SMA checks and reports to certain URLs if certain processes are running on the system. It also attempts to download and execute more malicious files (the sites it attempts to download files from are now offline).
The dropped file, detected as TROJ_DLOAD.SMAD, is named mstmp, as can be seen below.
TROJ_EXEDOT.SMA meanwhile uses lib.dll as file name. Both the mstmp and lib.dll keywords rose in search rankings, which indicates that users were possibly looking for more information on what they are supposed to be. Based on infection reports from Japan, this may be a targeted attack aimed at Japanese users.
In this attack, various Java exploits were used. In addition, we found that in some cases, the malware payload that is placed on users’ systems depend on what Java vulnerability was used. In at least some cases, the ultimate payload was the fake antivirus Security Tool This particular fake antivirus was also seen in recent Gumblar attacks. (Gumblar attacks have been seen in Japan since 2009 and continue to target Japanese users to this day.)
The detection name TROJ_DLOAD.SMAD includes many different files with different hashes, making detection more difficult. The binaries also used anti-debugging techniques to make analysis more complicated.
The inserted scripts also used obfuscation techniques to disguise their routines, as shown below.
Because we have not yet found the final payload, we cannot yet tell what the actual intent of this attack is. However, we can say that Web threats are becoming more sophisticated, increasing the threat to users.
To protect themselves, users should keep their applications and security software updated at all times, both to ensure that exposure to vulnerabilities are minimized and that the latest protection is always available.
We will provide more information on this attack as it becomes available.
This post has been adapted from a post written in Japanese from Trend Micro Security Blog.