Trend Micro Research reveals Indian defense companies are the current target of cybercriminals
Trend Micro researchers were alerted to the discovery of a campaign of targeted attacks that has successfully compromised defense industry companies in India, the USA, Japan and Israel. We have been able to identify eight victims of this attack and are in the process of notifying them. We have analyzed a sample that connects to the same command-and-control (C&C) server used in this targeted attack. We also analyzed the second-stage malware used by the attackers, which was built specifically for one of the targeted companies, as well as a remote access Trojan (RAT) used by the attackers.
The attackers sent out emails with a malicious PDF attachment, detected by Trend Micro as TROJ_PIDIEF.EED, which exploits a vulnerability in specific versions of Adobe Flash and Reader (CVE-2011-0611) to drop malicious files on the target's computer. This malicious payload, detected by Trend Micro as BKDR_ZAPCHAST.QZ, connects to a C&C server, reports some pieces of information about itself and awaits further commands.
The second stage of the attacks involves two components. The attackers issue commands that instruct the compromised computer to report back networking information and the file names within specified directories. Certain targets are then instructed to download custom DLLs, detected by Trend Micro as BKDR_HUPIG.B, that contain specific functionality related to the compromised entity.
Amit Nath, Country Manager India and SAARC, Trend Micro, said, "In total, the attackers compromised 32 computers; however, there were multiple compromises at several locations. This network has been active since July 2011 and is continuing to send out malicious documents in an attempt to compromise additional targets." He further added, "While this network has managed to compromise a relatively small number of victims, there is a high concentration of defense industry companies among the victims. Moreover, the fact that specific malware components are created for specific victims indicates a level of intentionality among the attackers. Trend Micro is continuously monitoring this ongoing threat and will post updates on this blog for any noteworthy developments."