ANTIFULAI Targeted Attack Exploits Ichitaro Vulnerability

Targeted attacks are difficult to detect and mitigate by nature. We recently uncovered a targeted attack campaign we dubbed as “ANTIFULAI” that targets both government agencies and private industries in Japan. In our 2H 2013 Targeted Attack Trends report, we found that 80% of the analyzed cases of targeted attacks hit government institutions.

Like many targeted attacks, ANTIFULAI uses several emails as entry vectors to get the attention of its would-be targets. In this particular case, the detected email posed as a job application inquiry with which a JTD file (Ichitaro RTF format) is attached. However, this file exploits an Ichitaro vulnerability (CVE-2013-5990) detected as TROJ_TARODROP.FU.

When exploited, this vulnerability allows arbitrary code to run on the infected system that is used to drop malicious files. The final payload is a backdoor detected as BKDR_ FULAIRO.SM. Once run, this backdoor gathers the list of running processes, steals information, and downloads and executes files. The presence of the following files indicates the presence of this malware:

%Startup%\AntiVir_Update.URL
%Temp%\~Proc75c.DAT

Unusually, this malware “hides” its targets in the URL it uses to contact its command-and-control (C&C) servers. Threat actors can easily see if the targeted organization has been breached by checking the said URL. Examples of the URL format we’ve seen include:

[C&C server domain]/[acronym of the target company]/(info|index).php?secue=(false|[proxy name])&pro=[list of running processes]
[C&C server domain]/[acronym of the target company]/(info|index).php?fileindex=[A-Z]
[C&C server domain]/[acronym of the target company]/(info|index).php?filen=noexist
[C&C server domain]/[acronym of the target company]/(info|index).php?filewh=false
[C&C server domain]/[acronym of the target company]/(info|index).php?Re=[output result of shell command]
[C&C server domain]/[acronym of the target company]/(info|index).php?verify=[filename]
[C&C server domain]/[acronym of the target company]/(com.php|update.html)

The Importance of Threat Intelligence

Network traffic is one of the ways IT administrators can check if their network has been hit by targeted attacks. This is why it is crucial for enterprises and large organizations to build threat intelligence capabilities. With these tools available to them, IT administrators can break a targeted attack cycle before it reaches the data exfiltration stage.

In addition, enterprises are advised to regularly update their systems and applications as a security step in mitigating targeted attacks because old vulnerabilities are typically used in order to infiltrate a network.

Trend Micro protects enterprises from targeted attacks via its Trend Micro™ Deep Discovery, an advanced security platform that identifies malware, C&C communications, and attacker activities signaling an attempted attack.

For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

ANTIFULAI Targeted Attack Exploits Ichitaro Vulnerability