Trojan Targets Contractors

Monday, February 6, 2012 @ 09:02 AM gHale

There has been an ongoing series of attacks against government contractors since at least early 2009, a new report said.

Attackers are sending firms phishing emails with fake invitations to conferences, often in the form of PDF files that exploit flaws in Adobe Reader, according to the report from Seculert and Zscaler.

The file installs what the vendors call an “MSUpdater” Trojan that poses as a legitimate Windows Update process. In reality, the Trojan is a remote access tool that can steal information from a company’s network for as long as the breach remains undiscovered.

“Foreign and domestic (United States) companies with intellectual property dealing in aero/geospace and defense seem to be some of the recent industries targeted in these attacks,” the report states, without identifying specific attack targets.

The vendors believe the attacks are either state-sponsored or perpetrated by a high-profile group of attackers, but haven’t yet been able to determine their identities, said Seculert CTO Aviv Raff.

One spear-phishing attack using this method was launched against a U.S.-based defense technology company in September 2010, with an email containing a PDF invitation to the International Conference Series on Intelligent Sensors, Sensor Networks, and Information Processing.

“Clearly, it is a highly targeted attack on that global defense technology company,” Seculert and Zscaler wrote in the report. “The attachment allegedly exploited Adobe Reader vulnerabilities and dropped a few executable files, among which is ‘msupdater.exe’.”

A zero-day vulnerability in Adobe Reader at that time allowed the attack, and Adobe patched it in October 2010. But the MSUpdater attackers simply latch on to new zero-day vulnerabilities as they occur and exploit them until they are closed and newer ones come along, Raff said. Some cases have involved Microsoft Excel files, but Raff said the attacks mainly use PDFs and exploit Adobe vulnerabilities.

Seculert and Zscaler said they have observed these attacks targeting their own customers. Zscaler wrote in its own analysis that the attacks are sophisticated and can go undetected for long periods of time. Once an attacker installs the Trojan, the target machine begins communicating with the attackers’ command and control server. Despite the presence of a centralized command and control server, creating a botnet does not appear to be the attackers’ goal. Instead, they are stealing information and controlling specific targets.

“The malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox,” Zscaler wrote. “The Trojan functionality is decrypted at run-time, and includes expected functionality, such as downloading, uploading, and executing files driven by commands from the C&C. Communication with the C&C is over HTTP but is encoded to evade detection.”
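The report describes a Trojan that hides behind a Windows Update-style name. The following hunting check is an added example, not code from Seculert or Zscaler: it runs over a constructed set of process-creation records and flags the filename named in the report as well as any "Microsoft Update" lookalike running outside the Windows system directories or without a Microsoft signature. The record layout, the trusted directories and the lookalike pattern are assumptions chosen for illustration.

```python
import re

# Constructed sample process-creation records (not taken from the report):
# image path and whether the binary carries a valid Microsoft Authenticode
# signature, as a host agent might report them.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wuauclt.exe", "signed_by_microsoft": True},
    {"image": r"C:\Users\alice\AppData\Local\Temp\msupdater.exe", "signed_by_microsoft": False},
    {"image": r"C:\Windows\System32\svchost.exe", "signed_by_microsoft": True},
    {"image": r"C:\ProgramData\Updates\MSUpdater.exe", "signed_by_microsoft": False},
    {"image": r"C:\Program Files\Vendor\updater.exe", "signed_by_microsoft": False},
]

# Directories where genuine Windows Update components live (assumption:
# a default installation; adjust for your environment).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Filename the report associates with the Trojan, plus an assumed broader
# pattern for anything imitating "Microsoft Update" naming.
KNOWN_NAME = "msupdater.exe"
LOOKALIKE = re.compile(r"^ms.*upd", re.IGNORECASE)


def classify(event):
    """Return the reasons an event is suspicious (empty list if none)."""
    image = event["image"]
    name = image.rsplit("\\", 1)[-1].lower()
    directory = image[: len(image) - len(name)].lower()
    reasons = []
    if name == KNOWN_NAME:
        reasons.append("known MSUpdater Trojan filename")
    if LOOKALIKE.match(name) and not directory.startswith(TRUSTED_DIRS):
        reasons.append("Windows Update lookalike outside system directory")
    if LOOKALIKE.match(name) and not event["signed_by_microsoft"]:
        reasons.append("Windows Update lookalike not signed by Microsoft")
    return reasons


def hunt(events):
    """Map each suspicious image path to the reasons it was flagged."""
    return {e["image"]: r for e in events if (r := classify(e))}


if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

A process named like a legitimate updater but launched from a user profile or ProgramData directory is the signal worth escalating; a signed binary under System32 with the same name pattern is left alone.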
