
Unusual attack uncovered based on an anomalous file infector

Security experts uncovered an unusual cyber espionage campaign based on a file infector belonging to the PE_EXPIRO family that includes an information theft module

Security experts at TrendMicro uncovered an unusual espionage campaign that hit United States users with malware built around a file infector with information-stealing capabilities. The attackers acted with the specific intent of stealing information from organizations, or of compromising websites by targeting FTP credentials. The researchers estimated that nearly 70% of total infections hit United States users, which led them to believe that the attack was intended to steal information from US organizations.

Unfortunately it is no longer surprising that a security firm uncovers a targeted attack: in recent weeks TrendMicro had already alerted the security community to an ongoing targeted attack against Asian and European government agencies, and last month the same firm revealed another cyber espionage campaign, dubbed Naikon, that used the RARSTONE malware in its spear-phishing attacks.

The Naikon campaign hit companies across Asia (e.g. India, Malaysia, Singapore, and Vietnam) in different sectors such as telecommunications, energy, government, media, and others.

The anomaly lies in the file infector, which is equipped with a routine designed to steal data from victims' systems. The researchers at TrendMicro revealed that the threat was spotted using an unexpected combination of exploit kits, mainly Java and PDF exploits, to deliver file infectors.

The malicious code of the file infector belongs to the PE_EXPIRO family, which has been in the wild since 2010, but the new variant also includes an information theft module.

The blog post describes the infection chain as composed of the following steps:

  • The user is lured to a malicious site which contains an exploit kit. Several exploits are used; one of these is a Java exploit (detected as JAVA_EXPLOIT.ZC) which uses CVE-2012-1723. Another Java vulnerability (CVE-2013-1493) is also being used. A PDF exploit is also being used, with the malicious PDF file detected as TROJ_PIDIEF.JXM.
  • Whatever exploit is used, the end result is the same: the mother file infector (either PE_EXPIRO.JX-O, PE_EXPIRO.QW-O, or PE64-EXPIRO-O for 64-bit systems) is dropped onto the affected system.
  • Once on the affected system, it seeks out .EXE files in the system to infect. All folders in all available drives (removable, shared, networked) are subjected to this search. The infected files are detected as PE_EXPIRO.JX.
  • It steals system and user information, such as the Windows product ID, drive volume serial number, Windows version and user login credentials. It also steals stored FTP credentials from the Filezilla FTP client.
  • The stolen information is then saved in a .DLL file and uploaded to various command-and-control (C&C) servers.
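The infection step above is what makes a file infector visible to a defender: it rewrites existing .EXE files in place, across every reachable drive, so a hash baseline of executables taken before and after will show the infected files as "modified" rather than as new, unknown binaries. The following script is an added example of that check, written for this article; it is not TrendMicro's tooling and it does not detect PE_EXPIRO specifically. It walks a directory tree, records a SHA-256 digest for every .EXE, and diffs two scans. The file tree and the "infection" in `demo()` are constructed for illustration (the real infector modifies the PE structure rather than merely appending bytes; either way the digest changes).

```python
import hashlib
import json
import os
from pathlib import Path

# The post names only .EXE as the infector's target, so that is all we baseline.
TARGET_SUFFIXES = {".exe"}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries never need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every .EXE under root (all subfolders) to its SHA-256 digest.

    Keys are POSIX-style paths relative to root so a baseline taken on one
    mount point can be compared with a later scan of the same tree.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_SUFFIXES and p.is_file():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_baseline(before: dict, after: dict) -> dict:
    """Return executables that changed, appeared or vanished between two scans.

    A file infector rewrites existing executables, so 'modified' is the set to
    triage first; 'added' catches dropped payloads, 'removed' catches deletions.
    """
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
    }


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist a scan as JSON so it can be compared against a later one."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: a tree of fake .EXE files, one of which gets 'infected'."""
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "bin" / "helper.exe").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "notes.txt").write_bytes(b"not a PE file, ignored by the scan")
        before = build_baseline(root)

        # Simulated in-place infection of an existing executable (constructed:
        # the real infector alters the PE layout, but any change alters the digest).
        with (root / "bin" / "app.exe").open("ab") as fh:
            fh.write(b"INFECTED")
        # Simulated newly dropped executable.
        (root / "dropped.exe").write_bytes(b"MZ" + b"\x02" * 64)

        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    # Real use: save_baseline(build_baseline(Path("C:/")), Path("baseline.json"))
    # on a known-clean host, then diff_baseline(load_baseline(...), build_baseline(...)).
    print(demo())
```

Run the baseline from known-clean media against a mounted, offline disk where possible; a scan executed on a live infected host can itself trigger the infector on any executable it touches, and the infector also walks removable and network shares, so those need to be included in the scan root or baselined separately.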


As usual, the best way to protect systems is to deploy proper defense mechanisms and keep the entire architecture updated, starting with the Java runtime and PDF reader that the exploit kit abuses for delivery. Given the credential-theft step, any FTP credentials stored on an infected host should be treated as compromised and rotated.
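The FTP-credential step works because the FileZilla client keeps Site Manager entries on disk in a readable XML file (sitemanager.xml), with the password either in clear text in older versions or, in newer versions, merely base64-encoded and tagged with `encoding="base64"`; neither form protects the value from anything that can read the file. The audit below is an added example written for this article, not TrendMicro's code: it parses such a file and lists every entry that carries a recoverable stored password, which is exactly what a stealer on the host obtains. The sample XML is constructed; the default file locations in `default_sitemanager_path()` are the ones this author is aware of and should be verified against the installed client version.

```python
import base64
import os
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the sitemanager.xml layout: one base64-encoded password
# (newer FileZilla), one clear-text password (older FileZilla), one entry with
# no stored password (e.g. key-based SFTP or prompt-on-connect).
SAMPLE_SITEMANAGER_XML = """<FileZilla3 version="3.26.1" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webmaster</User>
      <Pass encoding="base64">Y29ycmVjdGhvcnNl</Pass>
      <Name>Company website</Name>
    </Server>
    <Server>
      <Host>ftp.legacy.example.net</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass>hunter2</Pass>
      <Name>Legacy host</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>ops</User>
      <Name>Key-based SFTP, nothing stored</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def default_sitemanager_path() -> Path:
    """Assumed default location of sitemanager.xml for the current platform."""
    if os.name == "nt":
        return Path(os.environ.get("APPDATA", "")) / "FileZilla" / "sitemanager.xml"
    return Path.home() / ".config" / "filezilla" / "sitemanager.xml"


def stored_credentials(xml_text: str) -> list:
    """Return one record per Site Manager entry that has a stored password.

    Each record says how the password was stored ('plaintext' or 'base64') and
    recovers its value, which is all a credential stealer reading the file needs.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            continue  # no stored secret for this entry
        raw = pass_el.text.strip()
        if pass_el.get("encoding") == "base64":
            storage = "base64"
            password = base64.b64decode(raw).decode("utf-8", "replace")
        else:
            storage = "plaintext"
            password = raw
        findings.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": (server.findtext("Host") or "").strip(),
            "user": (server.findtext("User") or "").strip(),
            "storage": storage,
            "password": password,
        })
    return findings


def report(findings: list) -> list:
    """Human-readable lines without the secret itself, safe to paste in a ticket."""
    return [
        f"{f['host']} user={f['user']} stored_as={f['storage']} ({f['name']})"
        for f in findings
    ]


def audit_local() -> list:
    """Audit the real client config if present; empty list if the file is absent."""
    path = default_sitemanager_path()
    if not path.is_file():
        return []
    return stored_credentials(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    for line in report(stored_credentials(SAMPLE_SITEMANAGER_XML)):
        print(line)
```

Every line the report prints is a credential that must be rotated after a compromise of the host, and the practical fix is to stop storing FTP passwords in the client (or to move those hosts to key-based SFTP, as in the third sample entry) rather than to rely on the encoding.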

Pierluigi Paganini

(Security Affairs – Malware, file infector, cyberespionage)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
