TrendLabs Malware Blog - Trend Micro
In our previous blog, we focused on the emergence of hybridized malware, in which malware arrives already infected by a file infector. In effect, two different malware families run on the infected system. In this scenario, attackers maximize system compromise by deploying two different payloads in one execution, leaving a user's machine open to a slew of infections.

This tactic recently resurfaced during our monitoring of Tibetan-leveraging malware campaigns. It came in the form of BKDR_RILER.SVR, a backdoor that arrives infected by PE_SALITY.AC.

On a Windows system, the infection starts with a spam mail that offers a Tibetan Input Method for Apple iOS 4.2:

The email lured recipients into opening two attachments:

1. an RTF file with the file name "Tibetan Input Method for Apple iOS 4.2 devices (iPhone, iPad, iPod touch).doc" and
2. an archive containing a file named "Tibetan Input Method for Apple iOS 4.2 devices (iPhone, iPad, iPod touch).exe".

These attachments are actually identical RTF files (detected as TROJ_ARTIEF.EDX) that exploit CVE-2010-3333 to drop the PE_SALITY.AC-infected backdoor BKDR_RILER.SVR into the user's temporary folder. The malicious RTF also drops and opens a decoy DOC file, document.doc, to hide its malicious activity from the user. This DOC file contains the following:
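The lure relies on two things a mail gateway can check without executing anything: both attachments are RTF regardless of the .doc/.exe names, and CVE-2010-3333 is triggered through the RTF pFragments shape property (the "Word RTF File Parsing Stack Buffer Overflow" covered by the Deep Security rule above). The following triage script is an added example, not Trend Micro's code; the attachment names and RTF bytes are constructed stand-ins, not the real samples.

```python
import re

RTF_MAGIC = b"{\\rtf"
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container
# The pFragments shape property is the RTF construct CVE-2010-3333 abuses.
PFRAGMENTS = re.compile(rb"\\sn\s*pFragments", re.IGNORECASE)
EXT_TO_FORMAT = {"exe": "pe", "scr": "pe", "doc": "ole", "rtf": "rtf"}


def real_format(data: bytes) -> str:
    """Identify the container by magic bytes, ignoring the file name."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def triage(name: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means nothing odd."""
    findings = []
    ext = name.lower().rsplit(".", 1)[-1]
    claimed = EXT_TO_FORMAT.get(ext, "unknown")
    actual = real_format(data)
    if claimed != "unknown" and claimed != actual:
        findings.append(f"name claims .{ext} ({claimed}) but content is {actual}")
    if actual == "rtf" and PFRAGMENTS.search(data):
        findings.append("rtf declares a pFragments shape property (CVE-2010-3333 vector)")
    return findings


# Constructed stand-ins for the two lure attachments (hypothetical bytes).
LURE_RTF = b"{\\rtf1\\ansi{\\shp{\\sp{\\sn pFragments}{\\sv 1;4;ABCD}}}}"
SAMPLES = {
    "Tibetan Input Method for Apple iOS 4.2 devices.doc": LURE_RTF,
    "Tibetan Input Method for Apple iOS 4.2 devices.exe": LURE_RTF,
    "quarterly_report.doc": OLE_MAGIC + b"\x00" * 16,  # benign binary .doc
    "memo.rtf": b"{\\rtf1\\ansi Hello}",  # benign RTF, no shape properties
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", triage(name, blob) or "clean")
```

Both lure names produce two findings (format mismatch plus pFragments), while the benign .doc and .rtf produce none; the check is a triage heuristic, not a replacement for the full AV detection named in the post.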

The ultimate payload of both BKDR_RILER.SVR and PE_SALITY.AC is to open a backdoor on the affected system. This leaves the compromised machine remotely controlled by the attackers behind RILER and SALITY.

New Campaign, Old Tricks

RILER and SALITY are definitely not new on the malware scene. However, seeing them arrive as one hybridized executable in a themed campaign highlights how diverse malware attacks have become. Typically, this spam-plus-document-exploit tandem drops one malware payload at a time. In this campaign, the attackers are maximizing that vector by using the earlier malware hybridization trick to drop multiple payloads at once. Beyond the benefits of hybridization itself, this also helps them sidestep the obstacles to installing additional malware afterwards (blocked malware download sites, AV detections, etc.).

While there is a cat-and-mouse chase between malware and AV technology, attacks like this remind us that monitoring attack trends, old tricks as well as new ones, is an important factor in mitigating attacks. By understanding how attacks evolve on the front end as well as laterally, security organizations are better positioned to protect their customers.

Trend Micro users are protected from this threat by the Trend Micro™ Smart Protection Network™, which detects and deletes all the related malware. Trend Micro Deep Security also protects users from the vulnerability used in this threat via rule 1004498 – Word RTF File Parsing Stack Buffer Overflow Vulnerability.

Credits to Threat Research Manager Ivan Macalintal for bringing this threat to our attention.
© Copyright 2013 Trend Micro Inc. All rights reserved.