TrendLabs Malware Blog - Trend Micro
    We recently came across some malware of the SOGOMOT and MIRYAGO families that update themselves in an unusual way: they download JPEG files that contain encrypted configuration files/binaries. Not only that, we believe that this activity has been ongoing since at least the middle of 2010. A notable detail of the malware we came across is that these malware hide their configuration files. These JPEGs are located on sites hosted in the Asia-Pacific region, and we believe that these malware families are used in targeted attacks in the region as well.

    Analysis of the JPEG updates

    While the contents of the JPEG file are encrypted, we were able to decrypt and analyze the contents of these files. We can divide these into three groups:

    • configuration file (Type A)
    • configuration file (Type B)
    • binary content (either DLL or EXE files)

    The first kind of configuration file (Type A) is similar to what we’ve seen with other malware. It contains information that allows the malware to process commands from an attacker, change settings/modules, and update itself. Among these settings are URLs where other malicious JPEG files are hosted. In addition, these files indicate that the attacker may have already compromised the targeted organization(s), as some of the information pertains to specific machines or individuals within.

    The second kind of configuration (Type B) file appears to be related to antivirus software. It contains the process names of multiple AV products from various vendors, as well as information about hostnames within the target network. Here is a portion of a Type B file, after decoding:

    Virus=*avp.exe*,*kavmm.exe*,*klserver.exe*|Kaspersky|*nod32kui*,*ekrn.exe*|ESET|*frameworkService*,
    *mcshield*|McAfee|*smc.exe*,*rtvscan.exe*|Symantec|*kwatch.exe*,*kxeserv.exe*,*kxescore.exe*|Kingsoft|
    *ravtask.exe*,*ravmond.exe*|Rising|*avguard*,*sched.exe*|Avira|*kvsrvxp*|jiangming|*avgrsx.exe*,
    *avgwdsvc.exe*|AVG|*tmlisten*,*ntrtscan.exe*,*tmntsrv*|Trend Micro|*360sd.exe*|360sd|
    *zhudongfangyu.exe*|360safe|*qqpcrtp.exe*,*qqpctray.exe*|QQPCMGR|

    This configuration is much shorter than the Type A configuration. It also contains values indicating that the infection is already in stage 2 of the attack.
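    The Type B excerpt above is a flat, delimited format: after `Virus=`, comma-separated wildcard patterns alternate with vendor names, each vendor terminated by `|`. The parser below is an added example (not Trend Micro's code) that turns such a line into vendor/pattern pairs and then runs the patterns over a constructed process list, which lets a defender see which of their own security products a configuration like this enumerates. The excerpt string, the `SAMPLE_PROCESSES` list and the function names are assumptions made for the example.

```python
import fnmatch

# Constructed from the Type B excerpt shown above, joined into one logical
# line (the page wraps it across several lines).
TYPE_B_EXCERPT = (
    "Virus=*avp.exe*,*kavmm.exe*,*klserver.exe*|Kaspersky|*nod32kui*,*ekrn.exe*|ESET|"
    "*frameworkService*,*mcshield*|McAfee|*smc.exe*,*rtvscan.exe*|Symantec|"
    "*kwatch.exe*,*kxeserv.exe*,*kxescore.exe*|Kingsoft|*ravtask.exe*,*ravmond.exe*|Rising|"
    "*avguard*,*sched.exe*|Avira|*kvsrvxp*|jiangming|*avgrsx.exe*,*avgwdsvc.exe*|AVG|"
    "*tmlisten*,*ntrtscan.exe*,*tmntsrv*|Trend Micro|*360sd.exe*|360sd|"
    "*zhudongfangyu.exe*|360safe|*qqpcrtp.exe*,*qqpctray.exe*|QQPCMGR|"
)

# Constructed process inventory standing in for a host's running processes.
SAMPLE_PROCESSES = ["explorer.exe", "ekrn.exe", "svchost.exe", "ntrtscan.exe"]


def parse_virus_line(line):
    """Parse a 'Virus=' line into an ordered list of (vendor, [patterns]).

    The value alternates pattern groups and vendor names separated by '|',
    with a trailing '|' after the last vendor.
    """
    key, sep, value = line.strip().partition("=")
    if key.strip() != "Virus" or not sep:
        raise ValueError("not a Virus= line")
    fields = value.split("|")
    if fields and fields[-1] == "":        # drop the empty field after the final '|'
        fields.pop()
    if len(fields) % 2 != 0:
        raise ValueError("unbalanced pattern/vendor fields")
    entries = []
    for i in range(0, len(fields), 2):
        patterns = [p for p in fields[i].split(",") if p]
        entries.append((fields[i + 1], patterns))
    return entries


def vendors(entries):
    """Vendor names in the order the configuration lists them."""
    return [vendor for vendor, _ in entries]


def match_processes(entries, running):
    """Return {vendor: [matching process names]} for a list of process names.

    Patterns use shell-style wildcards ('*avp.exe*'), so fnmatch is a direct
    fit; matching is done case-insensitively.
    """
    hits = {}
    for vendor, patterns in entries:
        for proc in running:
            if any(fnmatch.fnmatchcase(proc.lower(), pat.lower()) for pat in patterns):
                hits.setdefault(vendor, []).append(proc)
    return hits


if __name__ == "__main__":
    parsed = parse_virus_line(TYPE_B_EXCERPT)
    print("vendors enumerated:", ", ".join(vendors(parsed)))
    print("would be detected on sample host:", match_processes(parsed, SAMPLE_PROCESSES))
```

    Running the block prints the thirteen vendors named in the excerpt and, for the constructed host, the ESET and Trend Micro processes the configuration would flag. The same two functions can be pointed at a real process listing to check which tools on a host a recovered configuration already accounts for.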

    In addition to configuration files, the JPEG files can also contain executable files, which can be either updates for the malware itself or new malware to be installed on affected systems.

    JPEG File Hosting and Appearance

    These JPEG files are hosted on various websites mostly located in the Asia-Pacific region. At least some of these sites appear to have legitimate content, meaning they were compromised to host these files.

    Here are some screenshots of the JPEG files we’ve seen:

    We have obtained multiple samples of these JPEG files, and based on these, we believe that this method of updates was first used in June 2010, and is still in use today. The frequency of updates varies wildly: at times there were periods with near-daily updates, and at other times months went by between updates.
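    The post does not say how the encrypted payload is carried inside the JPEG, so the added example below (not Trend Micro's code) applies the two generic checks an analyst would run first on an image pulled from a compromised site: data appended after the End-Of-Image marker, and metadata segments (APPn/COM) far larger than a normal image needs. The `build_sample_jpeg` helper, the 4 KB segment threshold and the appended byte strings are constructed for the example; the sample bytes are JPEG-shaped but not a decodable picture.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
SOS = 0xDA                      # Start Of Scan: entropy-coded data follows it


def jpeg_header_segments(data):
    """Walk the marker segments that precede the first SOS.

    Yields (marker_byte, offset, segment_length). Walking stops at SOS,
    because the scan data after it has no length field.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        if data[pos + 1] == 0xFF:   # 0xFF fill bytes before a marker are legal
            pos += 1
            continue
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, length
        if marker == SOS:
            return
        pos += 2 + length
    raise ValueError("ran out of data before SOS")


def analyze_jpeg(data, max_segment=4096):
    """Report oversized header segments and any bytes appended after EOI.

    Assumption: a baseline JPEG, where the first FF D9 after SOS is the real
    End-Of-Image (0xFF inside scan data is always stuffed as FF 00).
    """
    segments = list(jpeg_header_segments(data))
    sos_off = segments[-1][1]
    eoi = data.find(EOI, sos_off)
    trailing = 0 if eoi < 0 else len(data) - (eoi + 2)
    oversized = [(hex(m), off, ln) for m, off, ln in segments
                 if m != SOS and ln > max_segment]
    return {"segments": len(segments), "oversized": oversized,
            "eoi_found": eoi >= 0, "trailing_bytes": trailing}


def build_sample_jpeg(comment=b"", appended=b""):
    """Constructed, minimal JPEG-shaped bytes for testing (not a real image)."""
    app0 = (b"\xff\xe0" + struct.pack(">H", 16)
            + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    com = (b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment) if comment else b""
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"          # includes a stuffed FF 00 pair
    return SOI + app0 + com + sos + scan + EOI + appended


if __name__ == "__main__":
    print("clean:   ", analyze_jpeg(build_sample_jpeg()))
    print("appended:", analyze_jpeg(build_sample_jpeg(appended=b"\x00" * 300)))
    print("big COM: ", analyze_jpeg(build_sample_jpeg(comment=b"A" * 5000)))
```

    A non-zero `trailing_bytes` count or an oversized COM/APPn segment is not proof of anything on its own (some cameras and editors append data too), but on an image fetched by a process that has no business downloading pictures it is the first thing worth carving out and looking at for high-entropy content.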

    Data Exfiltration

    Using the information from the decrypted configuration files, we were able to retrieve emails sent by this malware. These contain an encrypted attachment named tplink2.bin. This file includes the following information:

    • Hostnames and IP addresses on the infected machine’s network
    • List of JPEG files already accessed by the malware
    • Detailed OS version information, including security updates installed

    With additional analysis from Adam Sun

    • Hellgramite

      This is a great article. Thanks for the information.
    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice