We were recently made aware of attacks leveraging the recent data breach that involved Epsilon.
According to reports, the attack involves a Web page that looks very similar to the press release issued by Epsilon concerning the breach. The page also instructs the recipients to click a link at the bottom of the post in order to download and run a tool that will supposedly help them determine if their personal information was among those disclosed during the attack.
We were able to analyze the details of the attack and found that the link downloads an .EXE file now detected as TROJ_MSPOSER.ASM. Running TROJ_MSPOSER.ASM displays the following GUI, which seems to suggest that the system is being checked.
Of course, the graphic is really just there in an attempt to convince the victims that what they downloaded was really a tool that will help them determine if their information is still secure. In the background, however, another malicious file is being installed into the system.
The malicious file installed is a backdoor program now detected as BKDR_MSPOSER.KAX. This file executes a rather long list of commands, which are mostly related to gathering information about the victims. The commands executed include:
- Log keystrokes
- Send email messages
- Capture screenshots
- Capture Web camera
- Record sounds using microphone
- Manipulate system’s sound volume
- Open Web pages
- Manipulate files
- Download/Upload files
- Create/Remove directories
- Enumerate network adapters
- Execute DOS command
- Execute arbitrary commands
- Get access control list information
- Get IP configuration settings
- Get system information (computer name, manufacturer, model, OS, system type, memory)
- Get user name and password
- List/Start/Kill processes
- Start/Stop services
- List drives
- List SQL servers
- Execute netstat
- Execute WMI commands
- Read/Write/Delete registry values
- Update itself
- Remove itself
- Get certificates
Simply by looking at the list, it appears that the cybercriminals behind this attack aim to gather a great deal of information from their victims—probably even more than what was taken by those who breached Epsilon’s email system.
As of this writing, Epsilon has not released any kind of tool that does what the malware in this attack claims to do, and it is unlikely to release one. Users who were affected by the breach have already been informed of the incident via email.
We advise users who receive information about the existence of such a tool—regardless of the medium—to ignore it. Trend Micro product users are already protected: the related IP addresses are blocked and the malicious files are detected.