Malware being tied to the recent cyber attack in France is detected by Trend Micro as a variant of the NJWORM/Kjw0rm remote access Trojan (RAT). This malware (with the MD5 hash 2962c44ce678d6ca1246f5ead67d115a), which we detect as VBS_KJWORM.SMA, is a backdoor that may have been around since 2014.
Ties to previous targeted attacks
Our initial analysis showed that VBS_KJWORM.SMA was created by a hacking tool named Sec-wOrm 1.2 Fixed vBS Controller. This is a RAT generator that we detect as HKTL_KJWORM.
It should be noted that the Kjw0rm family is already known to us; in January we wrote about this family when it emerged from the NJWORM source code leak. Kjw0rm was found in the Arabic-language section of dev-point.com.
Figure 1. Sample screenshot of the RAT generator “Sec-wOrm 1.2 Fixed vBS Controller”.
Hat tip goes out to the Dev4dz forum
Using data from the Trend Micro™ Smart Protection Network, we found that VBS_KJWORM.SMA was observed in at least 12 countries in the past week, including South Africa and India. This is not surprising, since this malware is available in underground forums and can be used by anyone.
This particular malware can be used as a backdoor into the infected system. In addition, the C&C server reportedly used in the attack has been tied to another backdoor, BKDR_BLADABINDI.C. Our investigation leads us to believe the actors behind Kjw0rm and BLADABINDI are the same.
Further information from the Smart Protection Network suggests that other VBS malware variants are currently circulating in the wild. Four separate C&C servers (distinct from those used by NJWORM) were also found. These different samples, in turn, are connected to previous NJRAT/JENXCUS attacks. NJRAT has been tied to DUNIHI attacks in the Latin American region.
Note: The SECWORM malware is a RAT derived from KJw0rm with some modifications and improvements.
Understanding the impact of a cyber attack on a company outage
The massive cyber attack that hit the French TV5Monde television network this past April 9, according to reports, began at approximately 10:00 P.M. local time (4:00 P.M. Eastern time), when 11 of their channels went off the air.
In addition to this, TV5Monde’s website, company email, as well as their social media outlets came under attack. The network’s Facebook page was used to post propaganda messages allegedly from the Islamic State (ISIS). One of the network’s Twitter accounts was also accessed and posted messages against the United States and France, as well as issued threats to families of French soldiers. Copies of French soldiers’ IDs and passports were also published.
It should be noted that the technical background of this attack is not yet clear. However, the RAT generator is currently available in several hacker forums and can be used by any threat actor. Therefore, one does not need a lot of technical skill to use it.
Trend Micro solutions
Trend Micro detects all related malware at the endpoint level. In addition, Trend Micro products block connections to the C&C servers used by this malware.
At the network level, Trend Micro is able to proactively detect these threats. Trend Micro Deep Discovery is able to detect VBS-based malware, providing additional protection to organizations facing these kinds of attacks today.