
File Infector EXPIRO Hits US, Steals FTP Credentials

  • Posted on:July 15, 2013 at 12:25 am
  • Posted in:Exploits, Malware
  • Author:
    Rhena Inocencio (Threat Response Engineer)

An unusual attack has been spotted in the wild, using an unexpected combination of threats. This attack used exploit kits (in particular Java and PDF exploits) to deliver file infectors onto vulnerable systems. These malware are part of the PE_EXPIRO family, file infectors first spotted in 2010. In addition to standard file infection routines, the variants seen in this attack also have information theft routines, a behavior not usually found among file infectors. The infection chain goes something like this:

  • The user is lured to a malicious site which contains an exploit kit. Several exploits are used; one of these is a Java exploit (detected as JAVA_EXPLOIT.ZC) which uses CVE-2012-1723. Another Java vulnerability (CVE-2013-1493) is also being used. A PDF exploit is also being used, with the malicious PDF file detected as TROJ_PIDIEF.JXM.
  • Whatever exploit is used, the end result is the same: the mother file infector (either PE_EXPIRO.JX-O, PE_EXPIRO.QW-O, or PE64-EXPIRO-O for 64-bit systems) is dropped onto the affected system.
  • Once on the affected system, it seeks out .EXE files to infect. All folders on all available drives (removable, shared, networked) are subjected to this search. The infected files are detected as PE_EXPIRO.JX.
  • It steals system and user information, such as the Windows product ID, drive volume serial number, Windows version and user login credentials. It also steals stored FTP credentials from the FileZilla FTP client.
  • The stolen information is then saved in a .DLL file and uploaded to various command-and-control (C&C) servers.
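
As an added example (not code from the Trend Micro post or from the malware itself), the following Python script parses the server lists FileZilla 3 keeps on disk, sitemanager.xml and recentservers.xml, which are the files a stealer with the credential-theft routine described above would read. It shows how little work recovering those credentials takes (an entry is plain text or base64 unless a master password is in use) and doubles as a check a defender can run on their own hosts to see what an infection would have exposed. The XML below is constructed for the example; the handling of the Pass element's encoding attribute (plain when absent, "base64" decoded, anything else such as "crypt" treated as not recoverable from the file alone) reflects the FileZilla 3 file format as the editor understands it and is not something the post describes.

```python
"""Audit what FileZilla 3 stores on disk: the credentials an info-stealing
file infector would harvest from sitemanager.xml / recentservers.xml.
Constructed sample data; no network access.
"""
import base64
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Constructed sample in the FileZilla 3 sitemanager.xml layout: a base64
# entry, a plain-text entry as written by older versions, and an entry in
# the "crypt" form used when a master password is set (assumed layout).
SAMPLE_SITEMANAGER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.39.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host><Port>21</Port><Protocol>0</Protocol>
      <User>webmaster</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>Company website</Name>
    </Server>
    <Server>
      <Host>10.0.0.5</Host><Port>21</Port><Protocol>0</Protocol>
      <User>backup</User>
      <Pass>legacy-plaintext</Pass>
      <Name>Old backup box</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host><Port>22</Port><Protocol>1</Protocol>
      <User>deploy</User>
      <Pass encoding="crypt">c29tZXRoaW5n</Pass>
      <Name>Protected by master password</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


@dataclass
class StoredCredential:
    host: str
    port: int
    user: str
    password: Optional[str]  # None when the file alone does not yield it
    encoding: str            # "plain", "base64", or whatever FileZilla wrote


def _text(node: ET.Element, tag: str, default: str = "") -> str:
    child = node.find(tag)
    return child.text if child is not None and child.text is not None else default


def parse_filezilla_servers(xml_text: str) -> List[StoredCredential]:
    """Extract every <Server> entry from sitemanager.xml or recentservers.xml.

    Passwords come back exactly as a stealer would obtain them: plain text
    when <Pass> has no encoding attribute, decoded when base64, and None for
    any other encoding (master-password entries cannot be read from the file).
    """
    root = ET.fromstring(xml_text)
    creds: List[StoredCredential] = []
    for server in root.iter("Server"):
        pass_node = server.find("Pass")
        encoding, password = "plain", None
        if pass_node is not None:
            encoding = pass_node.get("encoding", "plain")
            raw = pass_node.text or ""
            if encoding == "plain":
                password = raw
            elif encoding == "base64":
                password = base64.b64decode(raw).decode("utf-8", "replace")
        creds.append(StoredCredential(
            host=_text(server, "Host"),
            port=int(_text(server, "Port", "0") or 0),
            user=_text(server, "User"),
            password=password,
            encoding=encoding,
        ))
    return creds


def exposed(creds: List[StoredCredential]) -> List[StoredCredential]:
    """Entries whose password is recoverable straight from the file."""
    return [c for c in creds if c.password is not None]


def candidate_store_paths() -> List[Path]:
    """Where FileZilla 3 keeps its server lists on Windows and on Linux."""
    bases = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        bases.append(Path(appdata) / "FileZilla")
    bases.append(Path.home() / ".config" / "filezilla")
    return [b / n for b in bases for n in ("sitemanager.xml", "recentservers.xml")]


def audit_host() -> List[StoredCredential]:
    """Parse whichever store files exist on this machine (empty list if none)."""
    found: List[StoredCredential] = []
    for path in candidate_store_paths():
        if path.is_file():
            found.extend(parse_filezilla_servers(path.read_text(encoding="utf-8")))
    return found


if __name__ == "__main__":
    for c in parse_filezilla_servers(SAMPLE_SITEMANAGER_XML):
        state = "EXPOSED" if c.password is not None else "protected"
        print(f"{state:9} {c.user}@{c.host}:{c.port} ({c.encoding})")
    print(f"{len(exposed(audit_host()))} recoverable entries on this host")
```

Run it as-is to see the three constructed entries classified; on a real workstation the last line reports how many stored FTP logins an infection would have handed over. Any entry that comes back as EXPOSED should be rotated if the host was compromised, and enabling FileZilla's master password (or not saving passwords at all) is what moves entries into the "protected" class.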

Here is a diagram of the above chain, using the Java exploit as an example:

About 70% of total infections are within the United States. It is possible that this attack was intended to steal information from organizations or to compromise websites; the specific targeting of FTP credentials is consistent with either goal. The combination of threats used is highly unusual and suggests that this was not an off-the-shelf attack assembled from readily available cybercrime tools.

Since this particular attack used exploits targeting known vulnerabilities, we recommend that users update their systems with the latest security patches immediately. Trend Micro blocks the websites associated with this attack and detects the malware cited in this blog entry.

Additional Analysis by Dexter To, Kai Yu, and Jethro Bacani

Tags: exploit kit, file infector, United States
