Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/17/2013
07:06 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Pakistan Hit By Targeted Attack Out Of India

Information-stealing malware campaign spreads via phishing email attachments posing as Indian military secrets

Another reminder that cyberespionage isn't all about China targeting the U.S.: Researchers have discovered a family of information-stealing malware targeting Pakistan that appears to originate out of India.

Unlike other known cyberespionage campaigns, this one appears oddly rudimentary in that it uses publicly available tools and basic obfuscation methods, and doesn't encrypt its command-and-control communications, according to researchers at Eset, which posted its analysis of the malware and attack late yesterday.

"String obfuscation using simple rotation (a shift cipher), no cryptography used in network communication, persistence achieved through the startup menu and use of existing, publicly-available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks. On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work," wrote Jean-Ian Boutin, a malware researcher with Eset.

The malware campaign is at least two years old and is spread via phishing emails with rigged Word and PDF files, according to Eset. It steals sensitive information via keyloggers, screenshots, and uploading stolen documents, unencrypted. "The decision not to use encryption is puzzling considering that adding basic encryption would be easy and provide additional stealth to the operation," Boutin says.

The attack uses a code-signing certificate issued in 2011 to a New Delhi, India-based Technical and Commercial Consulting Pvt. Ltd., and is designed to ensure the malware binaries could spread within the victim organization. The certificate had been revoked in late March 2012, but was still in use. Eset contacted VeriSign, which revoked the cert. Eset found more than 70 binary files signed with the malicious certificate.

Among the attachments was one that appears to be about Indian military secrets. "We do not have precise information as to which individuals or organizations were really specifically targeted by these files, but based on our investigations, it is our assumption that people and institutions in Pakistan were targeted," Boutin says.

Nearly 80 percent of the infections are in Pakistan, according to Eset. One version of the attack exploits a known and patched Microsoft Office flaw, CVE-2012-0158. The malware executes once the victim opens a malicious Word attachment; the other method used in the attack uses PE files that appear to be Word or PDF attachments.

The attackers used NirSoft's WebPassView and Mail PassView tools for recovering passwords in email clients and browser stores; the tools were signed by the malicious cert.

Eset's full analysis of the targeted attack campaign is in a blog post here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15150
PUBLISHED: 2019-08-19
In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function.
CVE-2017-18550
PUBLISHED: 2019-08-19
An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure.
CVE-2017-18551
PUBLISHED: 2019-08-19
An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.
CVE-2017-18552
PUBLISHED: 2019-08-19
An issue was discovered in net/rds/af_rds.c in the Linux kernel before 4.11. There is an out of bounds write and read in the function rds_recv_track_latency.
CVE-2018-20976
PUBLISHED: 2019-08-19
An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.