Attackers successfully send out emails with PDF attachments to defence companies.
Cybercriminals have successfully compromised defence industry companies in India, the USA, Japan and Israel, according to a new alert from security vendor Trend Micro. The report identifies eight victim organisations. Trend Micro analysed a sample that connects to the same Command-and-Control (C&C) server used in this targeted attack, as well as the second-stage malware and a Remote Access Trojan (RAT) that the attackers used to go after one of the targeted companies specifically.
The attackers' general modus operandi has been to send out emails with a malicious PDF attachment, now detected by Trend Micro as TROJ_PIDIEF.EED, which exploits a vulnerability in certain versions of Adobe Flash Player and Adobe Reader (CVE-2011-0611) to drop malicious files on the target's computer. The dropped payload, now detected as BKDR_ZAPCHAST.QZ, connects to a C&C server, reports some information about itself, and then waits for further commands.
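The first stage above is a PDF that carries a Flash exploit, so the practical defender's check is to triage inbound PDFs for active content before they reach a reader. The following scanner is an added example written for this page, not code from Trend Micro or from the report; the indicator list, the scoring rule and the two sample documents are constructed for illustration (the "SWF" in the suspicious sample is a bare Flash header, not a real movie). It normalises hex-escaped name tokens such as /Java#53cript, inflates FlateDecode streams so a compressed Flash object is not missed, and raises its verdict when a Flash object is wired to an auto-action, JavaScript or RichMedia annotation.

```python
import re
import zlib

# Object-level indicators worth flagging in an inbound PDF (heuristic, not a signature list).
NAME_INDICATORS = {
    "javascript":    rb"/JavaScript|/JS(?![A-Za-z])",
    "auto_action":   rb"/OpenAction|/AA(?![A-Za-z])",
    "launch_action": rb"/Launch(?![A-Za-z])",
    "richmedia":     rb"/RichMedia",
    "embedded_file": rb"/EmbeddedFile",
}
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")          # plain, zlib- and LZMA-compressed Flash headers
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def unescape_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF name tokens (/Rich#4Dedia -> /RichMedia)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def iter_streams(data: bytes):
    """Yield the body of every stream, inflated when its own dictionary declares /FlateDecode.
    Only the text since the previous stream is inspected, so one object's filter is
    not attributed to the next."""
    last_end = 0
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        if b"/FlateDecode" in unescape_names(data[last_end:m.start()]):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass                      # damaged stream: fall back to the raw bytes
        last_end = m.end()
        yield body


def scan_pdf(data: bytes) -> dict:
    """Heuristic triage: return a verdict plus the sorted list of indicators found."""
    names = unescape_names(data)          # name scan runs on the un-escaped text ...
    hits = {name for name, pat in NAME_INDICATORS.items() if re.search(pat, names)}
    if any(body[:3] in SWF_MAGIC for body in iter_streams(data)):   # ... stream scan on raw bytes
        hits.add("embedded_swf")
    if "embedded_swf" in hits and hits & {"richmedia", "auto_action", "javascript"}:
        verdict = "likely_exploit"        # Flash payload wired to fire when the file opens
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": sorted(hits)}


# Constructed sample documents (not real files or malware) so the scanner runs offline.
BENIGN_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n",
    b"4 0 obj << /Length 47 >> stream\nBT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET\nendstream endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

_SWF_STUB = b"CWS\x0a" + b"\x00" * 12          # Flash header only, not a real movie
_COMPRESSED_SWF = zlib.compress(_SWF_STUB)
SUSPICIOUS_PDF = b"".join([
    b"%PDF-1.6\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [6 0 R] >> endobj\n",
    b"5 0 obj << /S /Java#53cript /JS (app.alert(1);) >> endobj\n",      # hex-escaped /JavaScript
    b"6 0 obj << /Type /Annot /Subtype /RichMedia /RichMediaContent "
    b"<< /Assets << /Names [(m.swf) 7 0 R] >> >> >> endobj\n",
    b"7 0 obj << /Type /Filespec /F (m.swf) /EF << /F 8 0 R >> >> endobj\n",
    b"8 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length %d >> stream\n" % len(_COMPRESSED_SWF),
    _COMPRESSED_SWF, b"\nendstream endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, scan_pdf(doc))
```

A "review" verdict (an embedded file or JavaScript on its own) is common in legitimate documents; the point of the combined rule is that a Flash object plus something that triggers it on open is the shape of the attachment described here and deserves sandbox detonation rather than delivery.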
The second stage of the attack has two components. First, the attacker issues commands instructing the compromised computer to report back networking information and the file names within specified directories. Certain targets are also instructed to download custom DLLs, detected as BKDR_HUPIG.B, that contain functionality specific to the compromised organisation. Once inside the network, the attackers instruct compromised computers to download tools that let them move laterally through the network, including tools that enable "pass-the-hash" techniques, in which stolen password hashes are used to authenticate to other hosts without ever recovering the cleartext passwords. Further commands make the compromised computer download the RAT, which gives the attacker real-time control of the system. The RAT has been identified as BKDR_HUPIGON.ZXS and BKDR_HUPIGON.ZUY; the BKDR prefix in Trend Micro's naming indicates a backdoor.
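The backdoor in this chain reports in to its C&C server and picks up queued commands, which on the wire looks like a host connecting to the same external address at regular intervals with small, similar-sized requests. The detector below is an added example, not code from the report or from Trend Micro, run over a constructed proxy log in which host ws-17 checks in roughly every ten minutes and ws-23 browses normally; the thresholds (at least four connections, coefficient of variation of the gaps at most 0.2) are assumed starting points that a team would tune against its own traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (timestamp, client, destination host, request bytes). Not real traffic:
# 203.0.113.10 is a documentation address and the example.* names are reserved examples.
PROXY_LOG = """\
2011-09-12T09:00:04 ws-17 203.0.113.10 412
2011-09-12T09:10:01 ws-17 203.0.113.10 408
2011-09-12T09:19:58 ws-17 203.0.113.10 415
2011-09-12T09:30:05 ws-17 203.0.113.10 410
2011-09-12T09:40:02 ws-17 203.0.113.10 411
2011-09-12T09:49:59 ws-17 203.0.113.10 409
2011-09-12T09:01:12 ws-23 www.example.com 18231
2011-09-12T09:01:19 ws-23 www.example.com 9120
2011-09-12T09:27:45 ws-23 news.example.org 44120
2011-09-12T09:28:02 ws-23 news.example.org 3011
2011-09-12T09:52:33 ws-23 www.example.com 2200
2011-09-12T10:14:09 ws-23 mail.example.net 7030
"""


def parse_log(text: str):
    """Turn the space-separated log into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_connections=4, max_cv=0.2):
    """Flag (src, dst) pairs whose connection gaps are regular enough to look like
    a scheduled check-in. Regularity is measured as pstdev(gaps) / mean(gaps); a
    browsing user produces gaps that vary by far more than the allowed 20%."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))

    beacons = []
    for (src, dst), entries in by_pair.items():
        if len(entries) < min_connections:
            continue                                   # too few samples to judge periodicity
        times = sorted(t for t, _ in entries)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue                                   # duplicate timestamps, nothing to measure
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons.append({
                "src": src, "dst": dst, "count": len(entries),
                "period_s": round(period), "cv": round(cv, 3),
                "avg_bytes": round(mean(n for _, n in entries)),
            })
    return beacons


if __name__ == "__main__":
    for hit in find_beacons(parse_log(PROXY_LOG)):
        print(hit)
```

Beacons that add random jitter or sleep for hours between check-ins will push the coefficient of variation up or starve the sample count, so this catches the simple case only; it is a cheap first pass that turns "connects to a C&C server and awaits commands" into something a proxy log can answer.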
Amit Nath, Country Manager, India and SAARC, Trend Micro, said: "In total, the attackers compromised 32 computers; however, there were multiple compromises at several locations. This network has been active since July 2011 and is continuing to send out malicious documents in an attempt to compromise additional targets. While this network has managed to compromise a relatively small number of victims, there is a high concentration of defence industry companies among the victims. Moreover, the fact that specific malware components are created for specific victims indicates a level of intentionality among the attackers."
The RAT is called MFC Hunter and has three components: the Server, which is installed on the victim's computer and connects out to the hub; the Hub, which is installed on an intermediary computer and acts as a proxy between victim and attacker; and MFC, the RAT client the attacker uses to take remote control of the compromised computer.
In summary, the attackers control compromised computers in two ways. The first lets them queue commands that a compromised computer runs the next time it connects to the C&C server; the second lets them take real-time control of the computer through the RAT. As with other types of crime, this is a game of cops and robbers in which, unfortunately, the robbers are usually one step ahead.