Malware makes use of targeted email with malicious attachments

Dark Reading Staff, Dark Reading

May 31, 2012

2 Min Read

A new advanced persistent threat is on the prowl, targeting enterprises with malicious email attachments, researchers say.

According to a new report from Trend Micro, a group of attackers referred to as "IXESHE" (pronounced "i-sushi") has already leveled its attack on East Asian governments, electronics manufacturers, and a German telecommunications company.

"The IXESHE campaign makes use of targeted emails with malicious attachments to compromise victims’ systems," Trend Micro states. "The emails are often tailored for specific victims and contain malicious attachments that are almost always "weaponized" .PDF files with known exploits that drop malware executables onto targeted systems. In addition, the IXESHE attackers conducted two specific attacks that leveraged zero-day exploits—one in 2009 and another in 2011.

"The IXESHE attackers almost always make use of compromised servers as command-and-control [C&C] servers," Trend Micro continues. In some cases, the compromised servers are hosted on target organizations’ networks after successful infiltration so the attackers can increase their control of the victims’ infrastructure. Using this approach, the attackers amassed at least 60 C&C servers over time.

"This technique also allows the attackers to cover their tracks, as having the C&C server in the victims’ corporate networks means very little C&C traffic leaves them," the Trend Micro researchers report. "The attackers’ deliberate use of compromised machines and dynamic Domain Name System (DNS) services allows them to hide traces of their presence by confusing their activities with data belonging to legitimate individuals.

"The malware samples used in this campaign were not very complicated by nature, but do give the attackers almost complete control over their targets’ compromised systems," Trend Micro warns. Enterprises that find themselves infected with the APT should attempt to determine the attack vector and cut off communications with the C&C server, the researchers advise.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights