E-mail Supposedly Inviting to Conference, Serves Trojan
Security companies Zscaler and Seculert independently detected attacks that recently used the "MSUpdater Trojan", a malicious program with RAT (Remote Access Tool) functionality, delivered through fake e-mails that appeared to invite recipients to attend a conference; the messages targeted government-associated organizations.
Specifically, the phishing e-mails carrying the Trojan contained a single PDF attachment that supposedly announced an invitation to a conference likely to be of interest to the recipient.
By exploiting zero-day flaws in Adobe Reader, the PDF attachment dropped the MSUpdater Trojan, which, disguised as a 'Microsoft Windows Update', stayed hidden from security software.
The campaign changed frequently, as the attackers used different binaries and varied the way the malware connected to its remotely operated C&C servers. The attacks were designed for industrial espionage and chiefly aimed at stealing intellectual property. One particularly important function of MSUpdater is to collect specific files and upload them to a remote command-and-control (C&C) server.
Among the other information the Trojan uploads are the operating system status and a few custom identifiers that identify any new client announcing itself to the C&C server. MSUpdater can then download new content from that server, send further data back to it, and execute the commands the command-and-control server issues.
The e-mail-borne attacks may have been ongoing in one form or another since 2009, with the e-mails carrying the malicious PDF attachments aimed in particular at senior officials and executives across various industries.
Aviv Raff, CTO of Seculert, stated that the security companies were certain sophisticated attackers had carried out the attacks, but that they could not yet identify the culprits, as Arstechnica.com reported on February 1, 2012.
Back in October 2010, Adobe patched the zero-day flaw in its Reader application that had been facilitating the MSUpdater attack. But the Trojan's operators simply move to fresh zero-day flaws as they emerge, until patches for those are available, after which they move on to still newer ones, Raff states.
SPAMfighter News - 08-02-2012