The Mutter Backdoor: Operation Beebus with New Targets

FireEye Labs has observed a series of related attacks against a dozen organizations in the aerospace, defense, and telecommunications industries, as well as government agencies, located in the United States and India. The attacks date back at least to December 2011. In at least one case, a decoy document included in the attack contained content focused on Pakistani military advancements in unmanned vehicle, or “drone”, technology.

Technically, these attacks exploited previously discovered vulnerabilities via document files delivered by email in order to plant a previously unknown backdoor on victim systems. The malware used in these attacks employs a number of interesting techniques to “hide in plain sight” and to evade dynamic malware analysis systems. Similar to, though not based on, the attacks we saw in South Korea, the malware tries to stay inactive as long as possible to evade dynamic analysis detection methods.

Trojan.APT.BaneChant: In-Memory Trojan That Observes for Multiple Mouse Clicks

Summary

Last December, our senior malware researcher (Mr. Abhishek Singh) posted an article about a Trojan that could detect mouse clicks to evade sandbox analysis. Interestingly, we have found another spear phishing document that downloads malware incorporating an improved mouse click detection anti-sandboxing capability. It also leverages multiple advanced evasion techniques to achieve stealth and persistent infection. The name of the malicious document translates to “Islamic Jihad.doc”. Hence, we suspect that this weaponized document was used to target the governments of the Middle East and Central Asia.

Sanny CnC Backend Disabled

We recently encountered in the wild another sample related to the Sanny APT. Readers who are not familiar with the Sanny APT should refer to our previous blog post for the background. The sample used the same lure text and the same CVE-2012-0158 vulnerability. However, this time it used a different board named “ecowas_1” as compared to the “kbaksan_1” employed previously. The following are the CnC URLs, extracted from the samples, that list stolen data entries:

New -> hxxp://board.nboard.net/list.php?db=ecowas_1&p=1

Previous -> hxxp://board.nboard.net/list.php?db=kbaksan_1&p=1

An Encounter with Trojan Nap

[Update: February 14, 2013] We recently encountered a stealthy malware sample that employs extended sleep calls to evade automated analysis systems that capture its behavior. It further makes use of the fast flux technique in order to hide the identity of the attacker controlling it. We call it Trojan Nap. The purpose of this blog post is to share the technical details of Nap’s execution steps.

Hackers Targeting Taiwanese Technology Firm

In the past, hackers have attempted to compromise targeted organizations by sending phishing emails directly to their users. However, there seems to have been a shift away from this trend in recent years. Hackers have been observed taking multi-pronged approaches, targeting both the organization of interest and its affiliated companies. For example, in July 2011, ESTsoft’s ALZip update server was compromised in an attack on CyWorld and Nate users.1

In one of our investigations, a malicious email was found targeting a Taiwanese technology company that deals heavily with the financial services industry (FSI) and the government in Taiwan (see Figure 1 below). To trick the user into opening the malicious document, the attacker made use of an announcement by the Taiwanese Ministry of Finance (see Figure 2).

Happy New Year from New Java Zero-Day

We observed that a Java security bypass zero-day vulnerability (CVE-2013-0422) has been actively exploited in the wild since Jan. 2. We have been able to reproduce the attack in-house with the latest Java 7 update (Java 7 Update 10) on Windows.

We initially wanted to hold off on posting this blog entry until we received confirmation from Oracle; however, since other researchers are starting to blog on this issue, we have decided to release our summary. We will continue our research and continue to share more information.