Trend Micro researchers were alerted to a campaign of targeted attacks that successfully compromised defense industry companies in India, the USA, Japan and Israel. Eight victims of this attack have been identified.
The attackers sent out emails with a malicious .PDF attachment, detected by Trend Micro as TROJ_PIDIEF.EED, which exploits a vulnerability in specific versions of Adobe Flash and Reader (CVE-2011-0611) to drop malicious files on the target’s computer. This malicious payload, detected by Trend Micro as BKDR_ZAPCHAST.QZ, connects to a C&C server, reports some information about itself and awaits further commands.
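A defender triaging attachments like the one described above usually starts with a structural look at the PDF rather than a full parse: weaponised PDFs tend to carry a small set of telltale name tokens (/JavaScript, /OpenAction, /RichMedia, /EmbeddedFile) and, for Flash-based exploits of this kind, an embedded SWF stream whose body starts with the "FWS", "CWS" or "ZWS" magic. The script below is an added example written for this article, not Trend Micro's tooling; the PDF it scans is a constructed, inert byte string that only contains the structural markers, and the scoring thresholds are illustrative assumptions.

```python
import re
import zlib

# Constructed sample: a minimal PDF-like byte string carrying a /RichMedia annotation,
# an /OpenAction JavaScript entry and an embedded Flash file (the "CWS" magic marks a
# compressed SWF). It holds no exploit, only the markers a triage script keys on.
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /RichMedia /RichMediaContent 6 0 R >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
    b"6 0 obj << /Type /EmbeddedFile /Subtype /application#2Fx-shockwave-flash /Length 16 >>\n"
    b"stream\nCWS\x0a\x10\x00\x00\x00xxxxxxxx\nendstream\nendobj\n"
    b"%%EOF\n"
)

# Name tokens that are rare in ordinary documents but common in weaponised ones.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                    b"/RichMedia", b"/EmbeddedFile", b"/ObjStm"]


def _normalise_names(data):
    # PDF names may disguise characters as #xx hex escapes (e.g. /J#61vaScript); undo that
    # so a keyword count cannot be dodged by trivial obfuscation.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_suspicious_names(data):
    """Return {name: occurrences} for each token in SUSPICIOUS_NAMES."""
    norm = _normalise_names(data)
    # The lookahead stops /JS matching inside /JSomething and /RichMedia inside /RichMediaContent.
    return {name.decode(): len(re.findall(re.escape(name) + rb"(?![A-Za-z])", norm))
            for name in SUSPICIOUS_NAMES}


def find_embedded_swf(data):
    """Return (offset, magic) for every stream whose body begins with an SWF signature."""
    hits = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.DOTALL):
        body = m.group(1)
        # If the owning object dictionary declares /FlateDecode, the body is zlib-compressed.
        if b"/FlateDecode" in data[max(0, m.start() - 300):m.start()]:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # truncated or corrupt stream: fall through and test the raw bytes
        if body[:3] in (b"FWS", b"CWS", b"ZWS"):
            hits.append((m.start(), body[:3].decode()))
    return hits


def triage(data):
    """Combine the indicators into a simple score; thresholds are assumptions for illustration."""
    names = count_suspicious_names(data)
    swf = find_embedded_swf(data)
    score = sum(1 for v in names.values() if v) + 3 * len(swf)
    return {"names": names, "embedded_swf": swf, "score": score,
            "verdict": "suspicious" if score >= 3 else "likely benign"}


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

A hit on this kind of check is a reason to detonate the file in a sandbox or hand it to a real PDF parser, not a verdict on its own; ordinary documents with forms or multimedia will score above zero, and a real sample may spread the markers across object streams that first have to be unpacked.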
The second stage of the attacks involves two components. The attackers issue commands that instruct the compromised computer to report back networking information and the file names within specified directories. Certain targets are then instructed to download custom DLLs, detected by Trend Micro as BKDR_HUPIG.B, that contain functionality specific to the compromised entity.
Once inside the network, the attackers issue commands that cause the compromised computer to download tools that allow them to move laterally throughout the network, including tools that enable “pass-the-hash” techniques. They then issue additional commands that cause the compromised computer to download a remote access Trojan (RAT) that allows them to take real-time control of the compromised system. Trend Micro detects this RAT as BKDR_HUPIGON.ZXS and BKDR_HUPIGON.ZUY.
Remote Access Trojan
The RAT is called “MFC Hunter” and has three components:
Server – installed on the victim’s machine and connects to the “hub”
Hub – installed on an intermediary machine and serves as a proxy connection between victim and attacker
MFC – the RAT client that the attackers use to control the victim’s compromised computer
By staging the attacks this way, the attackers maintain two separate methods of control. The first allows them to schedule commands to be run by the compromised computer when it connects to the command and control server. The second allows attackers to take real-time control of the compromised computer using the RAT.
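The first of those two control methods leaves a characteristic footprint for defenders: a host that waits for scheduled commands has to check in with its command and control server, and automated check-ins tend to recur at a fixed interval, unlike a person browsing. The script below is an added example for this article, not code from Trend Micro or from the campaign; it runs a simple inter-arrival-time test over constructed proxy log lines (timestamp, client IP, destination host), and the assumption that the check-in period is regular is the example's own, not something the article states.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt: 10.0.0.5 reaches the same external host roughly every
# 300 s, the way a scheduled check-in would; 10.0.0.7 is a user browsing irregularly.
# Hostnames are placeholders, not real indicators.
SAMPLE_LOG = """\
2011-08-01T09:00:00 10.0.0.5 update.cnc-placeholder.test
2011-08-01T09:00:12 10.0.0.7 www.news-placeholder.test
2011-08-01T09:01:45 10.0.0.7 www.news-placeholder.test
2011-08-01T09:05:01 10.0.0.5 update.cnc-placeholder.test
2011-08-01T09:07:03 10.0.0.7 www.news-placeholder.test
2011-08-01T09:07:09 10.0.0.7 www.news-placeholder.test
2011-08-01T09:10:00 10.0.0.5 update.cnc-placeholder.test
2011-08-01T09:14:59 10.0.0.5 update.cnc-placeholder.test
2011-08-01T09:20:00 10.0.0.5 update.cnc-placeholder.test
2011-08-01T09:25:00 10.0.0.5 update.cnc-placeholder.test
2011-08-01T09:31:50 10.0.0.7 www.news-placeholder.test
"""


def parse_log(log_text):
    """Group connection timestamps by (client, destination) pair."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_candidates(log_text, min_connections=4, max_cv=0.1):
    """Flag pairs whose gaps between connections are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is close to 0 for a timer-driven
    check-in and large for human activity. min_connections and max_cv are tuning assumptions.
    """
    flagged = []
    for (src, dst), times in parse_log(log_text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged.append({"src": src, "dst": dst, "connections": len(times),
                            "period_s": round(mean), "cv": round(cv, 3)})
    return flagged


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_LOG):
        print(hit)
```

On real traffic this needs a longer window and an allow-list, since software updaters, mail clients and monitoring agents also poll on timers; the value of the test is to shortlist pairs for an analyst, who then checks whether the destination is a known service and whether the host has also pulled down unexpected executables or DLLs, as the article describes for this campaign.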