Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
    Using encrypted communication such as Secure Sockets Layer (SSL), combined with the clever use of a recent news item as a social engineering lure, is a potent combination for penetrating and persisting in a targeted entity's infrastructure.

    It didn't take long for targeted attacks to use last week's Boston Marathon bombing as bait to trick specific, pre-selected users into opening malicious attachments. We found an email with a malicious attachment named The Prayer.DOC, urging recipients to pray for the victims of the tragic event.

    [Figure 1. Sample email leveraging the Boston Marathon incident]

    The attachment (MD5: 5863fb691dd5b3002c040fc7c535800f, detected as TROJ_MDROP.ATP) exploits CVE-2012-0158 (the MSCOMCTL.OCX ActiveX control vulnerability patched in MS12-027) to drop the malicious executable "iExplorer.exe" (MD5: 74a8269dd80d41f7c81e0323719c883c) onto the target's computer.

    This malware, detected as TROJ_NAIKON.A, connects over SSL (TCP port 443) to the domain name gnorthpoint.eicp.net, which previously resolved to 220.165.218.39 but at the time of writing resolves to 50.117.115.89.

    The certificate is filled with spoofed information including the identity “donc” and the organization “abc”.

    [Figure 2. Screenshot of the certificate with spoofed subject information]

    Although the malware connects over SSL, which encrypts the traffic on the wire, the HTTP request carried inside the tunnel (visible in plain text once decrypted) contains an easy-to-spot User-Agent:

    GET /config/login_verify2?&.src=ym HTTP/1.1
    User-Agent: NOKIAN95/WEB

    The command-and-control (C&C) server in this case, gnorthpoint.eicp.net, previously shared an IP address, 112.112.38.143, with the C&C server kullywolf.gicp.net, which was noted in a ShadowServer report. In that incident, the malicious document had a Vietnamese file name, CV gui bao cao LD.doc, and exploited CVE-2010-3333 (the RTF stack buffer overflow in Microsoft Office patched in MS10-087), but dropped the same family of malware.

    [Figure: Maltego graph of the related C&C infrastructure]

    At one time, the C&C server gnorthpoint.eicp.net also shared an IP address, 220.165.217.98, with the domain myyuming55.3322.org, which was used as a C&C server for a different malware family that was active in 2011. However, given the gap in time, the exact relationship between the two remains unclear.

    In my paper Detecting APT Activity with Network Traffic Analysis, I discussed how the use of SSL encryption for C&C communication has its merits for the attacker, particularly in evading detection based on patterns in URL parameters and HTTP headers. However, certain proactive steps can be taken, including looking for default, random or empty values in SSL certificate fields and restricting detection to certificates served from external networks (so that the organization's own self-signed appliance and intranet certificates do not flood the alert queue). Tools like Trend Micro Deep Discovery can certainly help users detect dubious network traffic. It has also been effective in preventing zero-day malware and damaging attacks such as the South Korea MBR-Wiper incident.

    Trend Micro detects the related malware and protects users from the vulnerability cited in this blog post via Trend Micro Deep Security. Users are also advised to keep their systems updated with the latest security patches and to be wary of opening or downloading attachments from email messages.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice