TrendLabs Malware Blog - Trend Micro
    Previously, we discussed the “Here You Have” mail attack and the associated malware, WORM_MEYLME.B. Today, let’s look into the backdoor payload, BKDR_BIFROSE.SMU.

    The “Here You Have” Payload: A Powerful Backdoor

    Not all backdoor applications are created equal. As such, it can be said that the cybercriminals behind WORM_MEYLME.B deliberately opted to use a BIFROSE backdoor program for several reasons. In our simulated environment, we saw that an attacker can use a BIFROSE variant to transfer files to and from an infected system, delete files, terminate processes, and steal sensitive information off an infected system such as the computer’s name; lists of active users, processes, and windows; and serial keys, among others. It can also access and modify registry information, log and retrieve keystrokes, create a remote shell, issue any command that the infected user’s shell can offer, and routinely capture and retrieve images of an affected user’s screen.

    BIFROSE commands

    The WORM_MEYLME authors used the downloaded backdoor to do most of the dirty work. Upon execution, the backdoor connects to its command-and-control (C&C) server at {BLOCKED}. Once this connection succeeds, the attackers can retrieve the passwords they stole earlier. That’s only for starters, however. By making full use of the features offered by the BIFROSE backdoor, an attacker can cause serious damage.

    BIFROSE commands

    A Cybercriminal’s Threat: “I Could Smash All Those Infected”

    Not long after the spam outbreak ensued, someone claiming to be responsible for the “Here you have” campaign posted a video on YouTube. In this video, the author claimed that he could have placed a more destructive payload but instead decided to use a stealthier technique with a backdoor application. The author also stated that he could have “smashed all those infected (systems).” The capabilities that BIFROSE exhibits lend credibility to that statement, so users are advised to keep their antivirus software up to date to help mitigate similar threats.


    The Big Picture

    In hindsight, the primary intent of the cybercriminals behind the “Here you have” spam campaign was not to create another botnet or an army of zombie computers. Instead, the incident was a good example of a typical hacking attack. It shows that with simple social engineering tactics, cybercriminals can easily compromise users’ systems in targeted organizations.

    Once a system has been affected by MEYLME, various malicious routines are performed—antivirus services are disabled, more components are downloaded, passwords and other sensitive information are stolen, the worm propagates either within or beyond the organization, the BIFROSE backdoor is installed, and even more sensitive information is stolen.


    One more thing should be noted as well. BIFROSE has screen capture capabilities, which means that organizations with dedicated or proprietary systems or software that encrypt files or keystrokes are still not safe. The attacker may as well be shoulder surfing and watching the user’s every move.

    Simply put, WORM_MEYLME.B was a key player in a noteworthy attack that utilized an effective social engineering technique. Once a targeted organization’s human resource management (HRM) systems are compromised or, worse, if the majority of the users across its network fall into the same trap, there is no telling how much information can fall into the hands of cybercriminals.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice