It seems that cyber criminals are hoping to take advantage of the Chinese New Year.
A few hours ago, Trend Micro researchers were alerted to malicious URLs that were supposedly exploiting a certain Chinese gaming application. Research Project Manager Ivan Macalintal was later on able to confirm that these URLs indeed carried lines of code attempting to exploit popular Chinese gaming platform Lianzong.
Thankfully, Trend Micro Web Threat Protection proactively detects this as EXPL_EXECOD.A, and so Trend Micro users have, in fact, already been protected against this threat at the onset.
This exploit resides in a line of code which references an exploitable DLL file. This code downloads a Trojan downloader (TROJ_DLOADER.DUY) from a certain URL, which in turn downloads a configuration file from another URL. The said URL contains links to several malicious executables hosted in other domains known to house malware. Said executables are mostly MMORPG password stealers such as the following:
- TSPY_ONLINEG.LPE
- TSPY_ONLINEG.MGU
- TSPY_ONLINEG.OCN
- TSPY_ONLINEG.OMQ
- TSPY_ONLINEG.OMR
- TSPY_ONLINEG.OMS
- TSPY_ONLINEG.OMT
- TSPY_ONLINEG.OMU
- TSPY_ONLINEG.OMV
- TSPY_ONLINEG.OMW
- TSPY_ONLINEG.OMX
- TSPY_ONLINEG.OMY
- TSPY_ONLINEG.ONB
- TSPY_ONLINEG.ONC
- TSPY_ONLINEG.OND
- TSPY_ONLINEG.ONE
- TSPY_ONLINEG.ONF
- TSPY_ONLINEG.ONG
- TSPY_ONLINEG.WN
This attack is evidence of the increasing interest by cyber criminals to home in on certain user groups by taking advantage of the vulnerabilities of local but widely used applications.
As of this writing, no patch has been given by the vendor yet. Meanwhile, users, especially those in China, should practice safe browsing. Users should also install patches once they are made available; these should be found at the vendor’s Web site here.
More information about this attack here.