    The upcoming G20 Summit in St. Petersburg, Russia may already have spawned several spam messages aimed at both ordinary users and specific groups. A recent email we saw is only the latest of these threats.

    The said message is purportedly from the event’s planning team and refers to a “pre-summit meeting”:

    Figure 1. Spammed message

    The email arrives with a RAR attachment containing three files: one LNK file and two other binary files. Based on our analysis, the two binary files are actually a single file that was split in two. On their own, these fragments may appear harmless, since neither is recognized as a valid file.

    The LNK file is not a simple shortcut file; it contains custom commands that reconstruct the two separated binary files into one file and execute it (detected as BKDR_SISPROC.A). As a backdoor, BKDR_SISPROC.A communicates with its remote servers to execute malicious commands on the infected system.
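The delivery pattern above (an archive holding a shortcut plus fragments that are not valid files on their own) lends itself to a simple triage heuristic at the mail gateway or in a sandbox. The following Python is an added example for illustration, not TrendLabs' own code or tooling: it classifies each archive member by its leading bytes, recognizes a Windows shell link by the header defined in MS-SHLLINK, and flags an archive when a LNK member names two or more members that have no recognizable file type. The member names, fragment contents and the fake LNK body are all constructed sample data; the assumption that a reconstructing shortcut must reference its parts by name in its stored strings is ours, not something the post states.

```python
"""Added example (not TrendLabs' code): heuristic triage of an email
attachment archive for the "LNK plus split binary" delivery pattern.
All archive members below are constructed sample data."""

# (magic prefix, label) pairs for file types we treat as "valid files".
KNOWN_MAGIC = [
    (b"MZ", "pe"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole"),
    (b"\x7fELF", "elf"),
]

# Windows shell link (.lnk) files start with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_HEADER = (b"\x4c\x00\x00\x00"
              b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")


def classify(data: bytes) -> str:
    """Label a member by its leading bytes; 'unknown' means no known header."""
    if data.startswith(LNK_HEADER):
        return "lnk"
    for magic, label in KNOWN_MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def lnk_references(lnk: bytes, names) -> list:
    """Return the member names that occur inside the LNK bytes, either as
    ASCII or as UTF-16LE (the encoding of a link's string data).
    Assumption (ours): a shortcut that reassembles parts must name them."""
    hits = []
    for n in names:
        if n.encode("ascii") in lnk or n.encode("utf-16-le") in lnk:
            hits.append(n)
    return hits


def triage_archive(members: dict) -> dict:
    """members maps member name -> raw bytes. Returns a finding dict whose
    'suspicious' key is True when a LNK member references at least two
    members that are not recognizable files."""
    kinds = {name: classify(data) for name, data in members.items()}
    lnks = [n for n, k in kinds.items() if k == "lnk"]
    unknown = [n for n, k in kinds.items() if k == "unknown"]
    referenced = set()
    for name in lnks:
        referenced.update(lnk_references(members[name], unknown))
    suspicious = bool(lnks) and len(unknown) >= 2 and len(referenced) >= 2
    return {
        "kinds": kinds,
        "lnk_files": lnks,
        "unrecognised": unknown,
        "referenced_by_lnk": sorted(referenced),
        "suspicious": suspicious,
    }


def sample_malicious_archive() -> dict:
    """Constructed stand-in for the three-file attachment described above."""
    parts = ["part1.dat", "part2.dat"]
    # 76-byte header (20 header bytes + 56 zero bytes of padding) followed by
    # the part names as UTF-16LE, standing in for the link's string data.
    lnk = LNK_HEADER + b"\x00" * 56 + b"".join(p.encode("utf-16-le") for p in parts)
    return {
        "meeting.lnk": lnk,
        "part1.dat": b"\x9a\x11\xfe\x33" + b"\x00" * 20,  # no recognizable header
        "part2.dat": b"\x7c\xaa\x05\xd2" + b"\x00" * 20,  # no recognizable header
    }


def sample_benign_archive() -> dict:
    """Constructed archive of ordinary documents, for comparison."""
    return {
        "agenda.pdf": b"%PDF-1.4 ...",
        "notes.docx": b"PK\x03\x04" + b"\x00" * 8,
    }


if __name__ == "__main__":
    for label, archive in (("malicious", sample_malicious_archive()),
                           ("benign", sample_benign_archive())):
        print(label, triage_archive(archive))
```

The heuristic deliberately does not try to parse the LNK's command line; it only asks whether a shortcut in the archive names the members that look like fragments, which is enough to route the attachment to deeper analysis rather than deliver it.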

    More importantly, this backdoor also downloads plugins, which then carry out various data-stealing behaviors such as screen capture and keylogging. Using plugins instead of standalone files has certain advantages for evading detection. Plugins need not be complete, valid files in order to work (similar to BKDR_PLUGX); they are loaded into the malware’s own memory space, so no new process is spawned; and they are generally smaller than whole files.

    Overall, the techniques exhibited by this attack do not constitute a new threat. However, as we predicted and have confirmed this year, malicious actors are focused on refining how they distribute threats and evade detection. Splitting a binary into two files is a clear sign of the ongoing effort to keep attacks under the radar.

    Because the email piggybacks on a timely and relevant social engineering lure, it is particularly valuable for organizations to educate their users on how to spot such a fraud from the get-go. Trend Micro blocks the related email, URL, and malware.

    With analysis from Eruel Ramos and Merianne Polintan.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice