Researchers have identified a strain of malware that’s being used in a string of targeted attacks against defense contractors, government agencies and other organizations by leveraging exploits against zero-day vulnerabilities. The attacks may have been going on since 2009 in some form, and the emails containing the malicious attachments are specifically targeted at executives and officials in various industries using fake conference invitations.
The attack campaign, as many do, appears to be changing frequently, as the attackers use different binaries and change up their patterns for connecting to remote command-and-control servers. The research, done by Seculert and Zscaler, shows that the attackers are patient, taking the time to dig up some information about their potential targets, and are carefully choosing organizations that have high-value intellectual property and assets.
The malware used in these attacks has been dubbed MSUpdater Trojan, as it attempts to conceal its presence on the machine by disguising its outbound communications as Windows Update requests. The researchers first saw the infection on Dec. 25, 2011, and then, working backward from the malware’s infection routine, connection pattern and other characteristics, were able to find much older incidents that seem to have been the work of the same attackers.
“It is likely that the Christmas day infection resulted from a targeted phishing email as related attacks in this report identify this as the attack vector. No suspicious web transactions were observed from the infected host prior to the C&C beaconing,” the Seculert-Zscaler report says.
The phishing emails that are the carrier for this threat include a PDF attachment that appears to be an invitation to some conference that is likely relevant to the target. Once the victim opens the PDF, the exploit code targets a vulnerability in Adobe Reader that was first publicized by researchers at Contagio in September as part of an ongoing phishing campaign, and later was patched by Adobe. Many of these attacks occurred before the Reader flaw was known publicly.
“It appears that the usage of emails with conference invitations that contain malicious attachments (mostly PDF files) is growing, as we identified several spear-phishing attacks that started using this method.
Attackers are trying to lure employees of specific organizations with “invitations” to relevant industry conferences. In addition to ISSNIP, we have seen malicious invitations to an IEEE Aerospace Conference, an Iraq Peace Conference and more. The targeted attacks identified by Seculert and Zscaler, which share a few similar technical parameters (thus, regarded as created by the same group of attackers) arrive in emails with a malicious PDF attachment, mostly related to a conference in the targeted industry. The PDF exploits, at that time, 0-day vulnerabilities within Adobe Reader and executes a series of malicious files in a sophisticated manner,” Seculert wrote in an analysis of the attacks.
Once the malware is resident on an infected machine, it will reach out to a remote C&C server and deliver some information about the machine that it’s on, including the OS level and some custom identifiers that serve as the authentication method for the new client to the server. The malware then can download new files from the server, upload files to it and execute commands issued by the C&C machine. Like some other threats that have cropped up in recent years, the malware used in this campaign has the ability to detect whether it’s being dropped into a virtual machine environment. If it detects a VM, the malware won’t install the actual Trojan component and will simply exit.
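Detection logic for the masquerade described above (beacons dressed up as Windows Update traffic), as an added example and not code from the Seculert/Zscaler research: it scans constructed proxy-log lines for requests that claim to be Windows Update traffic (a "Windows-Update-Agent" User-Agent or a "windowsupdate" path) but go to a host outside an assumed allowlist of Microsoft update domains, and counts them per source and destination. The log format, the allowlist and the sample lines are assumptions made for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Domains that legitimately serve Windows Update. Assumption: an illustrative
# allowlist, not the vendor's full list; a production rule would use that.
LEGIT_UPDATE_SUFFIXES = (".windowsupdate.com", ".update.microsoft.com")

# Proxy log line format assumed here (constructed for this example):
#   <timestamp> <src_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

def host_of(url: str) -> str:
    m = re.match(r"^https?://([^/:?]+)", url)
    return m.group(1).lower() if m else ""

def claims_windows_update(ua: str, url: str) -> bool:
    # Genuine WUA clients send a "Windows-Update-Agent/..." User-Agent; a
    # "windowsupdate" path segment is treated as a second lookalike signal.
    return ua.startswith("Windows-Update-Agent") or "windowsupdate" in url.lower()

def is_legit_update_host(host: str) -> bool:
    return any(host == s[1:] or host.endswith(s) for s in LEGIT_UPDATE_SUFFIXES)

def detect_fake_update_beacons(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count Windows-Update-lookalike requests per (source, destination host)
    that go anywhere other than a legitimate update host."""
    hits: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; real code would log it
        host = host_of(m["url"])
        if claims_windows_update(m["ua"], m["url"]) and not is_legit_update_host(host):
            hits[(m["src"], host)] += 1
    return dict(hits)

# Constructed sample: two genuine update checks, three beacons to a lookalike
# host, one ordinary browsing request. None of these values come from the report.
SAMPLE_LOG = [
    '2011-12-25T10:00:01Z 10.1.2.3 GET http://download.windowsupdate.com/v9/x.cab "Windows-Update-Agent/7.6"',
    '2011-12-25T10:00:05Z 10.1.2.3 GET http://198.51.100.7/windowsupdate/check.asp?id=ab12 "Windows-Update-Agent/7.6"',
    '2011-12-25T10:05:05Z 10.1.2.3 GET http://198.51.100.7/windowsupdate/check.asp?id=ab12 "Windows-Update-Agent/7.6"',
    '2011-12-25T10:10:05Z 10.1.2.3 POST http://198.51.100.7/windowsupdate/up.asp "Windows-Update-Agent/7.6"',
    '2011-12-25T10:11:00Z 10.1.2.3 GET http://www.example.com/index.html "Mozilla/5.0"',
    '2011-12-25T10:12:00Z 10.1.2.4 GET https://fe2.update.microsoft.com/v6/ClientWebService "Windows-Update-Agent/7.6"',
]

if __name__ == "__main__":
    for (src, host), n in detect_fake_update_beacons(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {host}: {n} Windows Update lookalike request(s)")
```

The per-pair count is what makes the rule useful: a single odd request is noise, but the same host polled on a schedule by a client claiming to be the update agent is the beaconing pattern the report describes.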
The research by Seculert and Zscaler shows that the attacks are targeting companies and organizations in the defense industry as well as the aerospace sector. The first attacks likely occurred as far back as early 2009, they said, and while some of the binaries used in the incidents are detected by security software under various names, they haven’t been correlated as part of one ongoing campaign before.
Defense contractors have been frequent targets of various attack crews for a long time now, and some of the more recent high profile attacks have been against these companies. Researchers have connected the attack against RSA last year to subsequent intrusions at defense contractors that were users of the company’s SecurID tokens.