• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Targeted Attacks   »   Pawn Storm C&C Redirects to Trend Micro IP Address

Pawn Storm C&C Redirects to Trend Micro IP Address

  • Posted on:July 15, 2015 at 6:12 am
  • Posted in:Targeted Attacks
  • Author:
    Trend Micro
0

Our monitoring of Operation Pawn Storm has led us to an interesting finding: the domain we previously reported hosting the Java 0-day used in the latest Pawn Storm campaign was modified to now lead to a Trend Micro IP address. Our investigations have shown that our systems have not been attacked or compromised. The attackers have simply redirected a DNS record to point to a Trend Micro IP address, likely in retaliation to our disclosure and the subsequent patching of the Orace Java zero-day vulnerability they were exploiting.

PawnStorm

Figure 1. Changes in the Pawn Storm infection chain

The DNS A record of the domain ausameetings[.]com now points to 216.104.20.189, an IP address of Trend Micro. While it was serving the zero-day exploit, the IP address of ausameetings[.]com was 95[.]215[.]45[.]189.

ausameetings_com_DNS_A

Figure 2. DNS A record of ausameetings[.]com

We are not sure when the domain was pointed to Trend Micro, but based from DNS record naming convention, it is most likely modified to point to Trend Micro yesterday, July 14.

We do not have clear evidence that point to the cause behind these developments, but we see the following possible motives:

  • To serve as a form of retaliation by the Pawn Storm operators against Trend Micro for disclosing details about their most recent campaign
  • To mislead network administrators into associating our IP address to the attack, possibly causing admins to mistakenly block it
  • To deceive security researchers into thinking that the Trend Micro IP address is compromised or being misused by Operation Pawn Storm

It bears stressing that we found no traces of compromise or misuse. We will continue to monitor this and update this post as soon as there are relevant developments.

Operation Pawn Storm is a campaign known to specifically target government organizations. One of its most recent campaigns targeted NATO members as well as the White House.

We first discovered the Java 0-day being used in Operation Pawn Storm late last week. Oracle released a security update to address the vulnerability yesterday, July 14.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: Pawn Stormtrend micro

Featured Stories

  • systemd Vulnerability Leads to Denial of Service on Linux
  • qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
  • Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
  • A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

Security Predictions for 2019

  • Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape. We have categorized them according to the main areas that are likely to be affected, given the sprawling nature of the technological and sociopolitical changes under consideration.
    Read our security predictions for 2019.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites
  • When PSD2 Opens More Doors: The Risks of Open Banking
  • Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload
  • Hacking LED Wristbands: A ‘Lightning’ Recap of RF Security Basics
  • From BinDiff to Zero-Day: A Proof of Concept Exploiting CVE-2019-1208 in Internet Explorer

Popular Posts

  • TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
  • BlackSquid Slithers Into Servers and Drives With 8 Notorious Exploits to Drop XMRig Miner
  • Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions
  • Adware Posing as 85 Photography and Gaming Apps on Google Play Installed Over 8 Million Times
  • Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.