In our previous blog, we focused on the emergence of hybridized malware, in which malware arrives already infected by a file infector. In effect, there are two different malware families that will run on the infected system. In this scenario, attackers are able to maximize system compromise by deploying two different payloads in one execution, leaving a user’s machine open to a slew of infection.
In a Windows system, the infection starts through a spam mail that offers Tibetan Input Method for Apple iOS 4.2.:
The email lured recipients to open two attachments:
- an RTF file with the file name “Tibetan Input Method for Apple iOS 4.2 devices (iPhone, iPad, iPod touch).doc” and
- an archive containing a file named “Tibetan Input Method for Apple iOS 4.2 devices (iPhone, iPad, iPod touch).exe.”
These attachments are actually identical RTF files (detected as TROJ_ARTIEF.EDX) that exploits CVE-2010-3333 to drop the PE_SALITY.AC-infected backdoor BKDR_RILER.SV into the user’s temporary folder. The malicious RTF also drops and opens a decoy DOC file, document.doc, to cover its malicious activity from the user. This DOC file contains the following:
Both BKDR_RILER.SVR and PE_SALITY.AC’s ultimate payload is to open a backdoor on the affected system. This leaves a compromised machine remotely controlled by the attackers behind RILER and SALITY.
New Campaign, Old Tricks
RILER and SALITY are definitely not new in the malware scene. However, seeing them arrive as one, hybridized executable and employing a themed campaign highlights how diverse malware attacks are these days. Typically, we see these spam-document exploit tandem drop one malware payload at a time. In this campaign, we can see that the attackers are starting to maximize the said vector by utilizing the previous malware hybridization trick to drop multiple malware payloads. Not only that this gives them the benefits of hybridization, it also helps them circumvent the challenges of further installing other malware (blocked malware download sites, AV detections, etc.).
While there is a cat-and-mouse chase between malware and AV technology, attacks like this reminds us that monitoring attack trends, which includes new and old tricks, is an important factor in mitigating attacks. By understanding how attacks evolves on the front end as well as laterally, security organizations are better positioned in protecting their customers.
Trend Micro users are protected from this threat via the Trend Micro™ Smart Protection Network™ detects and deletes all the related malware. Trend Micro Deep security also protects users from the vulnerability used in this threat via rule 1004498 – Word RTF File Parsing Stack Buffer Overflow Vulnerability.
Credits to Threat Research Manager Ivan Macalintal for bringing this threat to our attention.