A new campaign by a family of information-stealing malware, which appears to originate out ofIndia, has been hittingPakistanhard over the last few months, according to American researchers.
Citing researchers at Eset, Dark Reading, a comprehensive news and information portal that focuses on IT security, said unlike other known cyber-espionage campaigns, this one appears oddly rudimentary in that it uses publicly available tools and basic obfuscation methods, and doesn’t encrypt its command-and-control communications.
“String obfuscation using simple rotation (a shift cipher), no cryptography used in network communication, persistence achieved through the startup menu and use of existing, publicly-available tools to gather information on infected systems shows that the attackers did not go to great lengths to cover their tracks, wrote Jean-Ian Boutin, a malware researcher with Eset.
“On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work.”
The malware campaign is at least two years old and is spread via phishing emails with rigged Word and PDF files, according to Eset. It steals sensitive information via keyloggers, screenshots, and uploading stolen documents, unencrypted.
“The decision not to use encryption is puzzling considering that adding basic encryption would be easy and provide additional stealth to the operation,” Boutin says.
The attack uses a code-signing certificate issued in 2011 to aNew Delhi, India-based Technical and Commercial Consulting Pvt. Ltd., and is designed to ensure the malware binaries could spread within the victim organisation.
The certificate had been revoked in late March 2012, but was still in use, Dark Reading said. Eset contacted VeriSign, which revoked the cert. Eset found more than 70 binary files signed with the malicious certificate.
Among the attachments was one that appears to be about Indian military secrets, according to Dark Reading. “We do not have precise information as to which individuals or organizations were really specifically targeted by these files, but based on our investigations, it is our assumption that people and institutions in Pakistan were targeted,” Boutin says.
Nearly 80 per cent of the infections are in Pakistan, according to Eset. One version of the attack exploits a known and patched Microsoft Office flaw, CVE-2012-0158. The malware executes once the victim opens a malicious Word attachment; the other method used in the attack uses PE files that appear to be Word or PDF attachments.
The attackers used NirSoft’s WebPassView and Mail PassView tools for recovering passwords in email clients and browser stores; the tools were signed by the malicious cert.
Published in The Nation newspaper on 18-May-2013