IXESHE Malware Avoids Easy Detection to Remain a Persistent Threat

Trend Micro today issued a report on an advanced persistent threat that uses stealthy data-stealing malware called IXESHE (“i-sushi”) to infect machines. So far it’s hit East Asian governments, Taiwanese electronics manufacturers and German telecommunications firms operating across Asia.  

Though the report is new, the attacks are not. According to Trend Micro researchers, IXESHE developers have been launching highly targeted attacks since at least July 2009. In each instance, victims opened a malicious file, primarily a PDF, attached to an email coming from a compromised or spoofed account. Once opened, the PDF displays either a blank page or a dummy page.

Often the attackers took advantage of unpatched or zero-day exploits in Adobe Acrobat, Reader and Flash; in a few cases, the attack vector was Microsoft Excel.

Once it infects a targeted system, the malware drops an executable file, set to the “hidden” attribute, into one of the following folders:

  • %APPDATA%\Locations
  • %APPDATA%\Adobe
  • %TEMP%

Some of the file names the attackers have used include:

  • winhlps.exe
  • acrotry.exe
  • AcroRd32.exe
  • Updater.exe

In order for the malware to survive rebooting, it normally creates an entry under the following registry run key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
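The folder names, file names and run key above are the kind of host artifacts an incident responder would sweep for. The script below is an added example, not code from Trend Micro or from the report: it takes a host inventory (file paths with their hidden attribute, plus the value names and commands under the Run key) and flags anything matching the indicators the article lists. The inventory, the user profile paths and the Run-key values are constructed for the example; on a real host they would come from a directory listing with attributes and an export of the Run key.

```python
"""Triage check for the IXESHE persistence indicators named in the article.

Added example, not code from Trend Micro or the article. Runs offline on a
constructed inventory; the environment values and file records below are
made up for illustration.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators as listed in the article.
DROP_DIRS = [r"%APPDATA%\Locations", r"%APPDATA%\Adobe", r"%TEMP%"]
FILE_NAMES = {"winhlps.exe", "acrotry.exe", "acrord32.exe", "updater.exe"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed environment for a hypothetical user "alice"; real hosts differ.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}


@dataclass
class FileRecord:
    path: str     # full path as reported by a directory listing
    hidden: bool  # whether FILE_ATTRIBUTE_HIDDEN is set


def expand(template: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references using the supplied environment (names are case-insensitive)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), template)


def in_drop_dir(path: str, env: Dict[str, str]) -> bool:
    """True when the file's parent directory is one of the drop folders from the article."""
    parent = ntpath.dirname(path).lower()
    return any(parent == expand(d, env).lower() for d in DROP_DIRS)


def command_executable(command: str) -> str:
    """Pull the executable path out of a Run-key command (quoted or bare, arguments ignored)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def triage(files: List[FileRecord], run_values: Dict[str, str], env: Dict[str, str] = ENV) -> List[str]:
    """Return one finding per file or Run-key value that matches the article's indicators."""
    findings: List[str] = []
    for f in files:
        name = ntpath.basename(f.path).lower()
        location = in_drop_dir(f.path, env)
        # A hidden executable in a drop folder matches the dropper behaviour regardless of name;
        # a known name is only flagged in a drop folder because AcroRd32.exe is also a legitimate
        # Adobe binary name when it lives in Program Files.
        if location and f.hidden and name.endswith(".exe"):
            findings.append(f"hidden executable in drop folder: {f.path}")
        elif location and name in FILE_NAMES:
            findings.append(f"known IXESHE file name in drop folder: {f.path}")
    for value_name, command in run_values.items():
        exe = command_executable(command)
        if in_drop_dir(exe, env) or ntpath.basename(exe).lower() in FILE_NAMES:
            findings.append(f"{RUN_KEY}\\{value_name} starts {exe}")
    return findings


def sample_findings() -> List[str]:
    """Run the triage over a constructed inventory (sample data, not from a real host)."""
    files = [
        FileRecord(r"C:\Users\alice\AppData\Roaming\Locations\winhlps.exe", hidden=True),
        FileRecord(r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe", hidden=False),
        FileRecord(r"C:\Users\alice\AppData\Local\Temp\report.pdf", hidden=False),
        FileRecord(r"C:\Users\alice\AppData\Roaming\Adobe\AcroRd32.exe", hidden=False),
    ]
    run_values = {
        "Updater": r'"C:\Users\alice\AppData\Roaming\Adobe\AcroRd32.exe"',
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    }
    return triage(files, run_values)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

The checks are deliberately narrow: a file is flagged only when its location matches, so the legitimate AcroRd32.exe under Program Files is left alone, while the same name under %APPDATA%\Adobe, or any hidden executable in one of the three folders, is reported along with the Run-key value that launches it.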

Once installed, IXESHE starts communicating with compromised machines hosted on previously infiltrated networks. Almost half of all these command-and-control servers worldwide are located in Taiwan and the United States.

“Overall, this strategy was part of the attackers’ modus operandi,” according to the report. “By choosing compromised machines to act as C&C servers, fewer clues were left for investigators to follow in an attempt to find out who is behind the attacks compared with those using bulletproof hosting services and registered domain names.”

However, one sample sent back an error message that hinted at a C&C server’s actual location, which turned out to be Guangdong, China.

“Previous research on the IXESHE campaign indicated several connections to groups possibly from China,” the report said. “. . . Upon further investigation of the ‘manufact’ campaign, however, it appears that the gang behind it may be English speakers. The name of the campaign, for one, is most likely a shortened form of ‘manufacturing.’ The OS the C&C server uses is also an English install of Microsoft XP. It is also likely, of course, that the C&C server is a compromised machine so it does not use the attackers’ first language.”

An error message also indicated the use of HTran, a tool to disguise the true source or destination of Internet traffic during hacking activity.

Trend Micro researchers said the attackers embed “campaign tags” listing months and days of an attack launch to track their work. To date 40 such tags have been found.

Though the attack software is sophisticated, the social engineering is not. Employees should always be alert to phony e-mails appearing to come from trusted sources, especially if they contain attachments or embedded links.

“The IXESHE attackers are notable for their use of compromised machines within a target’s internal network as C&C servers. This helped disguise their activities,” they said. “In addition, the attackers’ use of the proxy tool, HTran, also helped mask their true location. While their identities remain unknown, the attackers behind the IXESHE campaign demonstrated that they were both determined and capable. While the malware used in the attacks was not very complicated by nature, it proved very effective. This campaign remains an active threat.”