
Kjw0rm VBS Malware Tied To Attacks on French TV Station TV5Monde

  • Posted on: April 11, 2015 at 5:31 am
  • Posted in: Targeted Attacks
  • Author: Trend Micro

A malware that is being tied to the recent cyber attack in France is detected by Trend Micro as a variant of the NJWORM/Kjw0rm remote access Trojan (RAT). This malware (with the MD5 hash of 2962c44ce678d6ca1246f5ead67d115a), which we detect as VBS_KJWORM.SMA, is a backdoor that may have been around since 2014.

Ties to previous targeted attacks

Our initial analysis showed that VBS_KJWORM.SMA was created by a hacking tool named Sec-wOrm 1.2 Fixed vBS Controller. This is a RAT generator that we detect as HKTL_KJWORM.

It should be noted that the Kjw0rm family is already known to us; in January we had written about this family when it emerged from the NJWORM source code leak. Kjw0rm was found in the Arabic-language section of dev-point.com.

Figure 1. Sample screenshot of the RAT generator "Sec-wOrm 1.2 Fixed vBS Controller" (SECWORM). Hat tip goes out to the Dev4dz forum.

Using data from the Trend Micro™ Smart Protection Network, we found that VBS_KJWORM.SMA was observed in at least 12 countries in the past week, including South Africa and India. This is not surprising, since this malware is available in underground forums and can be used by anyone.

This particular malware can be used as a backdoor into the infected system. In addition, the C&C server reportedly used in the attack has been tied to another backdoor, BKDR_BLADABINDI.C. Our investigation leads us to believe the actors behind Kjw0rm and BLADABINDI are the same.

Further information from the Smart Protection Network suggests that other VBS malware variants are currently circulating in the wild. Four separate C&C servers (distinct from those used by NJWORM) were also found. These different samples, in turn, are connected to previous NJRAT/JENXCUS attacks. NJRAT has been tied to DUNIHI attacks in the Latin American region.

Note: The SECWORM malware is a RAT derived from Kjw0rm with some modifications and improvements.

Understanding the impact of a cyber attack: the TV5Monde outage

The massive cyber attack that hit the French TV5Monde television network this past April 9, according to reports, began at approximately 10:00 P.M. local time (4:00 P.M. Eastern time), when 11 of their channels went off the air.

In addition to this, TV5Monde's website, company email, as well as their social media outlets came under attack. The network's Facebook page was used to post propaganda messages allegedly from the Islamic State (ISIS). One of the network's Twitter accounts was also accessed and posted messages against the United States and France, as well as issued threats to families of French soldiers. Copies of French soldiers' IDs and passports were also published.

It should be noted that the technical background of this attack is not yet clear. However, the RAT generator is currently available in several hacker forums and can be used by any threat actor; one does not need a lot of technical skill to use it.

Trend Micro solutions

Trend Micro detects all related malware at the endpoint level. In addition, Trend Micro products block connections to the C&C servers for these malware.

At the network level, Trend Micro is able to proactively detect these threats. Trend Micro Deep Discovery is able to detect VBS-based malware, providing additional protection to organizations facing these kinds of attacks today.

Tags: media, VBS
