
Backdoor Delivered to Japanese Media Company in MERS-Themed Spear Phishing


Karamjit


Attack may be part of a cyber-espionage campaign

Cybercriminals are quick to exploit important news, and reports on the Middle East Respiratory Syndrome (MERS) outbreak in Korea are no exception, although in a recent attack the lure does not seem to have a financial motivation behind it, and the attack appears to be targeted.

MERS continues to be a concern, with the World Health Organization confirming as of June 29 a total of 182 cases, all but one in the Republic of Korea. The number of deaths has increased to 32.

Such figures attract the attention of media organizations in the region, which is probably the main reason the attacker decided to use MERS as the theme for the spear-phishing email.

Malware hidden in Windows help file

Researchers at Trend Micro found that one mass media company in Japan received a message with an attachment claiming to provide prevention methods for MERS, which delivers a backdoor program.

The malware is included in a CHM file, a format typically used for delivering software documentation on Windows. This container includes HTML pages organized in an easy-to-navigate manner.

It can also be used to download resources from online resources, and in this case there are instructions to add ZXShell, a backdoor that provides an attacker the possibility to run commands on the infected system.

Attackers may be from the Winnti group

Benson Sy, threat analyst at Trend Micro, alleges that the purpose behind the operation is to find sensitive information on the victim’s computer network.

“The use of CHM files is steadily becoming a favored tool when it comes to spreading cybercrime-related threats or performing targeted attacks. It can easily bypass Windows security measures given that it’s a legitimate file up to the point it runs and performs malicious codes embedded in it,” he says in a blog post on Monday.

Most of the time, Sy says, ZXShell is served by exploiting vulnerabilities in components of the Microsoft Office suite, or in Ichitaro software, a word processor popular in Japan.

The researcher notes that this attack resembles the activity of the Winnti group, an elusive threat actor initially interested in targets in the online gaming business, which moved on to attacking companies in other industries, such as the pharmaceutical vertical.

Source
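The post describes the CHM container as a bundle of HTML pages that can also pull in outside resources. A mail gateway or triage analyst can enumerate what a CHM actually carries without running it, because the directory listing (ITSF header, ITSP directory header, PMGL chunks) is stored uncompressed. The following is an added example, not code from the article or from Trend Micro; the suspect-extension list and the `build_sample_chm` helper that constructs a minimal test file are assumptions for illustration.

```python
import struct

# Extensions that have no business inside help documentation (hypothetical triage list).
SUSPECT_EXT = (".exe", ".dll", ".scr", ".vbs", ".bat", ".cmd", ".ps1", ".hta")

def encint(n):
    """Encode a CHM ENCINT: big-endian 7-bit groups, high bit set on every byte but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))

def read_encint(buf, pos):
    """Decode an ENCINT at buf[pos]; returns (value, position after it)."""
    value = 0
    while True:
        b = buf[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos

def list_chm_entries(data):
    """Walk ITSF -> ITSP -> PMGL chunks; return (name, section, offset, length) per stored file."""
    if data[:4] != b"ITSF":
        raise ValueError("not an ITSF (CHM) container")
    dir_off, dir_len = struct.unpack_from("<QQ", data, 0x48)  # header section 1 = directory
    if data[dir_off:dir_off + 4] != b"ITSP":
        raise ValueError("missing ITSP directory header")
    hdr_len, chunk_size, n_chunks = (struct.unpack_from("<I", data, dir_off + o)[0] for o in (8, 0x10, 0x2C))
    entries = []
    for i in range(n_chunks):
        chunk = data[dir_off + hdr_len + i * chunk_size:][:chunk_size]
        if chunk[:4] != b"PMGL":      # PMGI index chunks carry no file entries
            continue
        free = struct.unpack_from("<I", chunk, 4)[0]   # free space + quickref area at chunk end
        pos, end = 0x14, chunk_size - free
        while pos < end:
            nlen, pos = read_encint(chunk, pos)
            name = chunk[pos:pos + nlen].decode("utf-8")
            pos += nlen
            section, pos = read_encint(chunk, pos)
            offset, pos = read_encint(chunk, pos)
            length, pos = read_encint(chunk, pos)
            entries.append((name, section, offset, length))
    return entries

def suspicious_entries(entries):
    """Names of stored files whose extension is not expected in help content."""
    return [e[0] for e in entries if e[0].lower().endswith(SUSPECT_EXT)]

def build_sample_chm(names, chunk_size=0x1000):
    """Construct a minimal CHM (one PMGL chunk) as test input; constructed data, not a real sample."""
    body = b"".join(encint(len(n.encode())) + n.encode() + encint(0) + encint(i * 0x100) + encint(0x80)
                    for i, n in enumerate(names))
    free = chunk_size - 0x14 - len(body)
    chunk = b"PMGL" + struct.pack("<IIii", free, 0, -1, -1) + body + b"\0" * free
    itsp = (b"ITSP" + struct.pack("<IIIIIIiiiiII", 1, 0x54, 0x0A, chunk_size, 2, 1, -1, 0, 0, -1, 1, 0x409)
            + b"\0" * 16 + struct.pack("<Iiii", 0x54, -1, -1, -1))
    blob = itsp + chunk
    itsf = (b"ITSF" + struct.pack("<IIIII", 3, 0x60, 1, 0, 0x409) + b"\0" * 32
            + struct.pack("<QQQQQ", 0x60, 0, 0x60, len(blob), 0x60 + len(blob)))
    return itsf + blob
```

On a real attachment, `list_chm_entries(open(path, "rb").read())` shows every stored object; a non-HTML payload in the listing is a reason to quarantine before any user opens the file.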
