Attackers used news of the Middle East Respiratory Syndrome (MERS) outbreak as hook in a spear-phishing email sent to an employee of a popular Japanese mass media company. Using a free account from Yahoo! Mail to easily pass through anti-spam filters, the attackers copied publicly available information from the Internet to lure the recipient to open the message. The email header, written in Japanese, translates as “Fw: Prevention of the Middle East Respiratory Syndrome (MERS) while the attachment file reads, “Prevention of the Middle East Respiratory Syndrome (MERS).7z.”
Figure 1. MERS-themed phishing email sent to a Japanese media company employee
The email contains a zipped .CHM file (CHM_ZXSHELL.B) or Windows help file that displays a MERS-related webpage from a popular Japanese information site. The .CHM file is coded to drop the backdoor file ZXShell, which is commonly used in targeted attacks, in the background.
Figure 2. BKDR_ZXSHELL.B infection chain
This particular attack shares various similarities to attacks perpetrated by the Winnti group, hackers with a longtime reputation of attacking targets in the online video game industry directly related to the Winnti malware family.
Our engineers are digging into further evidences that shed more light on this specific attack.
From what we have observed, the wealth of sensitive information that can possibly be found in their media and entertainment companies’ networks motivates attackers to target them. During the hack of Sony Pictures, attackers not only got personal information of Sony employees, they also stole copies of unreleased movies and released the salaries of Sony Picture executives. Further, media and entertainment companies may be targeted to be used as mouthpieces for propaganda, as in the recent cyber attack that caused the hacked social media accounts of French TV Station TV5Monde to become a medium for Islamic State (ISIS) messages.
CHM Help File Leads to ZXShell
The attached 7-Zip file contains a .CHM (compiled HTML) and displays what appear to be safe contents that look just like a page in the Japanese information site that explains MERS, as shown below:
Figure 3. CHM file displays content to look like the MERS page of a popular Japanese information site
In this particular incident, the .CHM file drops the backdoor ZXShell (BKDR_ZXSHELL.B), which then sits inside the affected computer and waits to run commands sent by the attackers. This backdoor may be used to find sensitive data inside the affected networks.
The use of CHM files is steadily becoming a favored tool when it comes to spreading cybercrime-related threats or performing targeted attacks. It can easily bypass Windows security measures given that it’s a legitimate file up to the point it runs and performs malicious codes embedded in it.
Although the use of .CHM file for malicious purposes is not new and has recently been used to infect computers with CryptoWall ransomware, it has rarely been used so far for targeted attacks. The backdoor ZXShell, on the other hand, is usually dropped using exploits in the Microsoft Office or Ichitaro software. By using .CHM files in this incident, attackers presented yet another way to infect targets with ZXShell without the need for exploits. Users may be cautious when it comes to visiting malicious sites where most exploits propagate, but may not watch out for help files sent over email.
Trend Micro now detects all pertinent files related to this threat. Further, Custom Defense™ solutions can effectively block these types of attacks by identifying suspicious behavior such as .CHM help files being used to run malicious code. .
Products using the ATSE (Advanced Threats Scan Engine), such as Deep Discovery (DD), also have heuristic rules in place to detect malicious .CHM attachments. Should attackers try to obfuscate the file to avoid detection, DD is also equipped with a smart sandbox that filters script, shell-code, and payload behavior to protect against unknown threats.
Below are the SHA1 hashes related to this threat:
Update as of July 05, 2015, 08:05 P.M. PDT (UTC-7):
We detect the malicious VBS file as VBS_ZXSHELL.B.