TrendLabs Security Intelligence Blog

    Archive for April 25th, 2013

Encrypted communication such as Secure Sockets Layer (SSL), combined with the clever use of a recent news item as a social engineering lure, is an effective combination for penetrating a targeted entity's infrastructure and remaining inside it: the lure gets the attachment opened, and the encryption keeps the resulting command-and-control traffic from being inspected.

It did not take long for targeted attacks to use last week's Boston Marathon bombing as bait to trick pre-selected users into opening malicious attachments. We found an email with a malicious attachment named The Prayer.DOC, which urges recipients to pray for the victims of the tragic event.


    Figure 1. Sample email leveraging Boston Marathon incident

The attachment (MD5: 5863fb691dd5b3002c040fc7c535800f, detected as TROJ_MDROP.ATP) exploits CVE-2012-0158, the vulnerability in the MSCOMCTL.OCX ActiveX control (Windows Common Controls) patched in MS12-027, to drop the malicious executable iExplorer.exe (MD5: 74a8269dd80d41f7c81e0323719c883c) onto the target's computer.

The dropped file, detected as TROJ_NAIKON.A, connects over SSL on TCP port 443 to the domain gnorthpoint.eicp.net, which previously resolved to 220.165.218.39 and at the time of writing resolves to 50.117.115.89. Because the traffic is encrypted and uses the standard HTTPS port, it blends in with ordinary web browsing, and the changing resolution means that blocking a single IP address is not enough; the domain and the certificate are the more durable indicators.

The certificate presented by the C2 server is filled with spoofed information, including the identity "donc" and the organization "abc". Subject fields like these, which name no real site or company, are worth alerting on even when the traffic itself cannot be decrypted.


    Figure 2. Screenshot of certificate with spoofed info
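The following is an added example, not code from the Trend Micro post: a small detection routine that scores an outbound TLS session against the indicators above (the C2 domain and both IP addresses) and against the kind of throwaway certificate the C2 server presented. The session records are constructed for the example; the `peer_cert` value is in the shape that Python's `ssl.SSLSocket.getpeercert()` returns (subject and issuer as tuples of RDN tuples). The generic heuristics (self-signed, placeholder names, missing subjectAltName) are assumptions of mine, not something the post states about this sample, and the constructed C2 certificate being self-signed is likewise an assumption; the post only shows its subject fields.

```python
"""Flag TLS sessions that match the NAIKON indicators or present a C2-style
certificate. Added example; not the post's or Trend Micro's own code."""
import re

# Indicators quoted in the post.
C2_DOMAINS = {"gnorthpoint.eicp.net"}
C2_IPS = {"220.165.218.39", "50.117.115.89"}
# Subject values shown in the spoofed certificate (Figure 2).
KNOWN_SPOOFED_VALUES = {"donc", "abc"}

# Values that look like someone typed the minimum openssl asked for (assumed heuristic).
PLACEHOLDER = re.compile(r"^(?:[a-z]{1,4}|test|none|n/?a|default|localhost)$", re.I)


def flatten_name(name):
    """Turn getpeercert()'s ((('commonName', 'x'),), ...) into {'commonName': 'x'}."""
    fields = {}
    for rdn in name:
        for key, value in rdn:
            fields[key] = value
    return fields


def certificate_findings(cert):
    """Reasons a server certificate looks like C2 plumbing rather than a real site."""
    subject = flatten_name(cert.get("subject", ()))
    issuer = flatten_name(cert.get("issuer", ()))
    findings = []
    if subject and subject == issuer:
        findings.append("self-signed (subject equals issuer)")
    for key in ("commonName", "organizationName"):
        value = subject.get(key)
        if value is None:
            findings.append(f"subject has no {key}")
        elif value.lower() in KNOWN_SPOOFED_VALUES:
            findings.append(f"{key}={value!r} matches the spoofed certificate")
        elif PLACEHOLDER.match(value):
            findings.append(f"{key}={value!r} is a placeholder value")
    # Certificates for real web sites carry subjectAltName; hand-rolled C2 certs often do not.
    if not cert.get("subjectAltName"):
        findings.append("no subjectAltName")
    return findings


def session_findings(session):
    """Score one outbound TLS session; an empty list means nothing matched."""
    findings = []
    host = session.get("host", "").lower().rstrip(".")
    if host in C2_DOMAINS:
        findings.append(f"host {host} is a known C2 domain")
    if session.get("dst_ip") in C2_IPS:
        findings.append(f"destination {session['dst_ip']} is a known C2 address")
    # Port 443 is exactly where this traffic hides, so the certificate is
    # inspected on every TLS session, not only on unusual ports.
    findings.extend(certificate_findings(session.get("peer_cert", {})))
    return findings


# Constructed sample sessions (not captured traffic).
C2_SESSION = {
    "host": "gnorthpoint.eicp.net",
    "dst_ip": "50.117.115.89",
    "dst_port": 443,
    "peer_cert": {
        # Subject values from Figure 2; the issuer being identical is an assumption.
        "subject": ((("organizationName", "abc"),), (("commonName", "donc"),)),
        "issuer": ((("organizationName", "abc"),), (("commonName", "donc"),)),
        "notBefore": "Apr  1 00:00:00 2013 GMT",
        "notAfter": "Apr  1 00:00:00 2014 GMT",
    },
}
BENIGN_SESSION = {
    "host": "www.example.com",
    "dst_ip": "203.0.113.10",  # RFC 5737 documentation address
    "dst_port": 443,
    "peer_cert": {
        "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                    (("commonName", "www.example.com"),)),
        "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
                   (("commonName", "Example CA Root"),)),
        "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    },
}

if __name__ == "__main__":
    for label, session in (("C2", C2_SESSION), ("benign", BENIGN_SESSION)):
        print(label, session_findings(session) or "clean")
```

In practice the session records would come from a TLS-aware sensor (proxy logs, Zeek `ssl`/`x509` records, or a `getpeercert()` call made from an allow-listed egress point); the certificate heuristics are deliberately noisy on their own and are meant to be combined with the hard indicators, not used as a standalone block rule.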


Posted in Targeted Attacks


     

© Copyright 2013 Trend Micro Inc. All rights reserved.