Malware Backdoor in Targeted Attacks

Monday, May 13, 2013 @ 03:05 PM gHale

There is a new backdoor from the Winnti family malware that possibly focuses on targeted attacks.

The threat, called “Bkdr_Tengo.A,” passes itself off as a legitimate system DLL file called winmm.dll, said researchers from Trend Micro.


This is not uncommon for Winnti malware. However, the backdoor is interesting because it was built with Aheadlib, which makes it end up looking like a legitimate system library, the researchers said.

Aheadlib is a legitimate analysis tool that can construct C code from DLL files. The tool is capable of hooking all the functions provided by the initial library.

While Aheadlib is a great utility for malware analysis, cybercriminals can also put it to more devious purposes.
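A proxy DLL built this way only works if it is loaded in place of the real library, so a defender's check is to look for copies of a watched system DLL such as winmm.dll sitting outside the Windows system directory. The script below is an added example, not code from the article or from Trend Micro; it runs over a constructed file inventory and assumes the collector already recorded a hash and a signature-verification flag for each file.

```python
"""Flag copies of system DLLs (e.g. winmm.dll) found outside the Windows
system directory, a sign of a planted proxy DLL. The inventory below is
constructed for illustration; the hashes are placeholders, not real digests."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class FileRecord:
    path: str
    sha256: str   # hex digest recorded by the inventory tool (assumed field)
    signed: bool  # Authenticode signature verified by the collector (assumed field)


SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def baseline_hashes(inventory):
    """Map lowercase DLL name -> hash of the copy living in a system directory."""
    baseline = {}
    for rec in inventory:
        p = PureWindowsPath(rec.path)
        if str(p.parent).lower() in SYSTEM_DIRS:
            baseline[p.name.lower()] = rec.sha256
    return baseline


def find_suspect_dlls(inventory, watched=("winmm.dll",)):
    """Return (path, reason) for watched DLLs outside the system directory
    that are unsigned or whose hash differs from the system copy."""
    baseline = baseline_hashes(inventory)
    findings = []
    for rec in inventory:
        p = PureWindowsPath(rec.path)
        name = p.name.lower()
        if name not in watched or str(p.parent).lower() in SYSTEM_DIRS:
            continue
        if not rec.signed:
            findings.append((rec.path, "unsigned copy of %s outside system dir" % name))
        elif baseline.get(name) != rec.sha256:
            findings.append((rec.path, "hash differs from system copy of %s" % name))
    return findings


# Constructed sample inventory (not real data): one genuine system copy,
# one unsigned look-alike in an application folder, one benign duplicate.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Windows\System32\winmm.dll", "aaaa" * 16, True),
    FileRecord(r"C:\Program Files\SomeApp\winmm.dll", "bbbb" * 16, False),
    FileRecord(r"C:\Program Files\OtherApp\winmm.dll", "aaaa" * 16, True),
    FileRecord(r"C:\Program Files\OtherApp\app.exe", "cccc" * 16, True),
]

if __name__ == "__main__":
    for path, reason in find_suspect_dlls(SAMPLE_INVENTORY):
        print(path, "->", reason)
```

Only the unsigned copy in SomeApp is reported; the signed duplicate whose hash matches the System32 copy is treated as benign.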

In this case, the malicious file does not end up encrypted, so Trend Micro researchers have been able to easily analyze it.

They report the goal of the program is to steal Microsoft Office, TIFF and PDF files from USB drives attached to an infected system. It also allows cybercriminals to take control of an infected device.

Click here for more analysis on the threat.
