
Japan, US Defense Industries Among Targeted Entities in Latest Attack

  • Posted on:September 19, 2011 at 2:24 pm
  • Posted in:Exploits, Malware, Targeted Attacks
  • Author:
    Nart Villeneuve (Senior Threat Researcher)

Trend Micro has uncovered a campaign of targeted attacks that has successfully compromised defense industry companies in Japan, Israel, India, and the United States. We have been able to identify eight victims of this attack and are in the process of notifying them. In total, the attackers compromised 32 computers, as there were multiple compromises in several locations. This network has been active since July 2011 and continues to send out malicious documents in an attempt to compromise additional targets.

We have analyzed a sample that connects to the same command-and-control (C&C) server in this targeted attack. We also analyzed the second-stage malware the attackers used that was specifically built for one of the targeted companies as well as a remote access Trojan (RAT).

Attack Vector

The attackers sent out email with a malicious .PDF attachment, detected by Trend Micro as TROJ_PIDIEF.EED, which exploits a vulnerability in specific versions of Adobe Flash Player and Adobe Reader (CVE-2011-0611) to drop malicious files onto the target’s computer. This malicious payload, detected by Trend Micro as BKDR_ZAPCHAST.QZ, contacts a C&C server, reports some information about itself, and awaits further commands.

The second stage of the attacks involves two components. The attackers issue commands that instruct the compromised computer to report networking information and file names within specified directories back to the server. Certain targets are instructed to download custom DLLs, detected by Trend Micro as BKDR_HUPIG.B, that contain specific functionality related to the compromised entity.

Once inside the network, the attackers issue commands that cause the compromised computer to download tools that allow them to move laterally through the network, including some that enable “pass-the-hash” techniques. They then issue additional commands that cause the compromised computer to download a RAT that allows them to take real-time control of the compromised system. Trend Micro detects this RAT as BKDR_HUPIGON.ZXS and BKDR_HUPIGON.ZUY.

Remote Access Trojan

The RAT is called MFC Hunter and has three components:

  • Server: Installed on the victim’s machine; connects out to the “hub”
  • Hub: Installed on an intermediary machine; serves as a proxy connection between the victim and the attackers
  • MFC: The RAT client that the attackers use to control a victim’s compromised computer

By staging the attacks this way, the attackers maintain two separate methods of control. The first allows them to schedule commands that will run on the compromised computer when it connects to the C&C server. The second allows attackers to take real-time control of the compromised computer using the RAT.

While this slew of attacks has managed to compromise a relatively small number of victims, there is a high concentration of defense industry companies among those affected. Moreover, the fact that specific malware components were created for specific victims indicates a level of intentionality with regard to the attacks.

Trend Micro is continuously monitoring this threat and will post updates on this blog for any noteworthy development.
