Researchers Discover New Malware Used by Chinese Cybercriminals

May 10, 2013

Trend Micro experts have identified a new piece of backdoor malware from the Winnti family, primarily utilized by a Chinese cybercriminal group targeting Southeast Asian organizations in the gaming sector. This Winnti malware enables hackers to take control of users’ systems via a backdoor hidden within the legitimate Aheadlib analysis tool. Named “Bkdr_Tengo.A,” it masquerades as a genuine system DLL file known as winmm.dll. “We believe this was executed using the legitimate Aheadlib analysis tool,” stated Eduardo Altares from Trend Micro. “The file is not encrypted and is relatively straightforward to analyze. Its primary function involves stealing Microsoft Office, .PDF, and .TIFF files from USB drives connected to the system. These extracted files are stored in the $NtUninstallKB080515$ folder within Windows, alongside a log file named Usblog_DXM.log that tracks the activity.”

New Malware Uncovered Linked to Chinese Cybercriminals Targeting Southeast Asian Gaming Sector

May 10, 2013

Recent findings by researchers at Trend Micro reveal a sophisticated form of malware associated with the Winnti group, a well-known Chinese cybercriminal organization. This backdoor malware primarily targets organizations within the Southeast Asian video gaming industry, utilizing tactics designed to exploit vulnerabilities in legitimate software.

The malware, identified as “Bkdr_Tengo.A,” masquerades as the system DLL file “winmm.dll.” According to Trend Micro’s Eduardo Altares, the malware is embedded within a legitimate tool known as Aheadlib, which is commonly used for system analysis. This clever disguise allows the attackers to infiltrate user systems more easily, maintaining a guise of legitimacy.

Notably, the backdoor is unencrypted and its analysis reveals a concerning functionality: it is designed to steal sensitive files, specifically those associated with Microsoft Office, as well as .PDF and .TIFF formats. These stolen files are surreptitiously stored in a folder called $NtUninstallKB080515$ within the Windows directory. Additionally, a log file named Usblog_DXM.log is created, which likely tracks the stolen data or the infection process.

This breach has raised alarms regarding the tactics employed by the Winnti group. The attack likely involved several phases, as described in the MITRE ATT&CK framework, particularly in relation to initial access and persistence. The use of a legitimate analysis tool for infiltration points to a strategic method of exploiting existing trust in software, showcasing the attackers’ sophisticated approach to gaining control over user systems.

Business owners, particularly in the technology and gaming sectors, should exercise heightened vigilance in their cybersecurity measures. The ability of attackers to camouflage malware within trusted applications underscores the necessity for robust security protocols and regular system audits. As this situation continues to unfold, it is imperative for organizations to remain informed and proactive in addressing potential vulnerabilities that could leave them exposed to similar attacks.

The emergence of this new malware variant illustrates the ongoing and evolving threat landscape in cybersecurity, with state-sponsored actors employing advanced techniques to achieve their objectives. As such, an enhanced understanding of these tactics and preemptive action against possible exploits are crucial for safeguarding sensitive information and maintaining operational integrity.

Source link

Related Posts

LulzSec Hackers Facing Sentencing for Cyber Attacks on CIA and Pentagon

Four individuals linked to the hacking group LulzSec appeared in a London court for sentencing on Wednesday. Ryan Ackroyd, Jake Davis, Mustafa al-Bassam, and Ryan Cleary have all pleaded guilty to various hacking offenses. The name LulzSec combines “lulz,” meaning to laugh out loud, and “security,” signaling a mockery of online security measures. Emerging from their bedrooms in 2011, they orchestrated attacks that inflicted millions of pounds in damages on entities like the NHS, CIA, and U.S. military websites, resulting in the theft of sensitive data, including emails, passwords, and credit card details of hundreds of thousands of individuals. Southwark Crown Court heard that they also executed distributed denial of service (DDoS) attacks that crashed numerous websites. Ackroyd, 26, from Mexborough, South Yorkshire, admitted to stealing data from Sony.

U.S. Defense Officials at Risk of Cyber Espionage Through Social Media Platforms

May 16, 2013

Recently, I undertook a fascinating study on the role of social media in the military sector. The widespread adoption of these platforms makes them extremely appealing to governments and intelligence agencies. Social media has significant potential for exploitation in critical areas, including military and defense.

Modern social networks are extensively utilized by various governments, with the U.S., China, and Russia leading the way. Additionally, emerging cyber powers like Iran and North Korea are increasingly interested in utilizing these platforms.

Governments primarily use social media for purposes such as Psychological Operations (PsyOps), Open Source Intelligence (OSINT), cyber espionage, and offensive strategies.

On May 10th, the Illinois Air National Guard’s 183rd Fighter Wing issued a notice in their monthly Falcon View newsletter, highlighting the risks associated with social networking sites.