RAT Hits Asia

Tuesday, June 18, 2013 @ 09:06 AM gHale


A campaign called Naikon targets communications, oil, government, media and other types of organizations from Asia.

The cybercriminals rely on the RARSTONE Remote Access Tool (RAT), which is similar to PlugX, to take complete control of their targets’ computers, said researchers at Trend Micro.


Attackers send out spear-phishing emails that claim to contain documents related to diplomatic discussions in the Asia-Pacific region, Trend Micro researchers said.

When a user opens the document attached to the email, a vulnerability in the Windows common controls is exploited and RARSTONE is pushed onto the victim’s computer. Meanwhile, a decoy document is displayed to avoid raising suspicion.

Once on a device, it downloads a backdoor component from a command and control (C&C) server directly into memory, which lets the threat evade classic file-based scanning technologies.

Unlike other RATs, RARSTONE reads the Uninstall registry key to learn which applications are installed on the computer, and removes any programs that would interfere with its operation.

In addition, command and control communications occur via SSL to protect the connection and to make sure malicious traffic blends in with legitimate traffic.

The individuals behind the Naikon campaign, named so because of the “NOKIAN95/WEB” user agent string identified in the attacks, want to ensure their infrastructure is difficult to analyze. They use dynamic DNS domains or registrars that have privacy protections.
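As an added example, not code from the article or from Trend Micro, the following Python pass runs over constructed proxy log lines and flags requests that carry the “NOKIAN95/WEB” User-Agent the article names, tallying hits per source host so responders know which machines to look at first. It assumes the proxy records the User-Agent for these connections (for example on the CONNECT request or through TLS inspection), since the article notes the C&C traffic itself runs over SSL; hostnames and addresses in the sample are placeholders.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (Common Log Format plus referer and User-Agent).
# Hosts and IPs are placeholders, not indicators from the article.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jun/2013:08:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/21.0"
10.0.0.9 - - [17/Jun/2013:08:13:44 +0000] "CONNECT update.example-dyndns.invalid:443 HTTP/1.1" 200 0 "-" "NOKIAN95/WEB"
10.0.0.5 - - [17/Jun/2013:08:15:10 +0000] "GET /news HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/27.0"
10.0.0.9 - - [17/Jun/2013:09:01:02 +0000] "CONNECT update.example-dyndns.invalid:443 HTTP/1.1" 200 0 "-" "NOKIAN95/WEB"
"""

# User-Agent string the article names as the Naikon campaign marker.
NAIKON_UA = "NOKIAN95/WEB"

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_naikon_hits(log_text, ua_marker=NAIKON_UA):
    """Return (src_ip, timestamp, request) for each line whose User-Agent equals the marker.

    The comparison is exact on the whole field, so a legitimate browser UA that
    merely mentions a Nokia handset is not reported.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ua"] == ua_marker:
            hits.append((rec["src"], rec["ts"], rec["req"]))
    return hits


def hosts_by_hit_count(hits):
    """Count hits per source host to prioritise which machines to triage first."""
    return Counter(src for src, _, _ in hits)


if __name__ == "__main__":
    hits = find_naikon_hits(SAMPLE_LOG)
    for src, ts, req in hits:
        print(f"{ts} {src} {req}")
    print(hosts_by_hit_count(hits))
```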

“Targeted attacks like this are typically part of broader campaigns meant to stay under the radar and steal information from target entities,” said Maharlito Aquino, Trend Micro Threats analyst.

“Traditional technologies like blacklisting and perimeter controls are not enough to detect or block the components of these campaigns. Instead, enterprises need to increase their visibility and control over their networks in order to identify dubious network traffic.”
