Security experts at TrendMicro uncovered an unusual espionage campaign that hit United States users, based on a file infector with information-stealing capabilities. The attackers acted with the specific intent of stealing information from organizations or compromising websites by targeting FTP credentials. The researchers estimated that nearly 70% of total infections hit United States users, a circumstance that led them to believe the attack was intended to steal information from US organizations.
Unfortunately, it is not surprising that a security firm has uncovered a targeted attack: in recent weeks TrendMicro had already alerted the security community to an ongoing targeted attack against Asian and European government agencies, and last month the same firm revealed another cyber espionage campaign, dubbed Naikon, that used the RARSTONE malware in its spear-phishing attacks.
The Naikon campaign hit companies across Asia (e.g. India, Malaysia, Singapore, and Vietnam) belonging to different sectors such as telecommunications, energy, governments, media, and others.
The anomaly lies in the file infector, which is equipped with a routine designed to steal data from victims' systems. The researchers at TrendMicro revealed that the threat was spotted using an unexpected combination of exploit kits, mainly Java and PDF exploits, to deliver the file infectors.
The malicious code belongs to the PE_EXPIRO family of file infectors, which has been spreading in the wild since 2010, but the new variant also includes an information-theft module.
The blog post describes the infection chain as composed of the following steps:
As usual, the best way to protect systems is to deploy proper defense mechanisms and keep the entire architecture updated.
Pierluigi Paganini
(Security Affairs – Malware, file infector, cyberespionage)