Trend Micro Discovers HeartBeat APT Targeting Attack vis-à-vis SK Government

In its recently-published white paper, Trend Micro outlines a currently spreading APT (advanced persistent threat) known as HeartBeat that in one malicious campaign tries to harm South Korea's government as well as a few associated organizations over the Internet starting 2009 if not earlier..

Specifically, the HeartBeat outbreak aims at political parties in South Korea, its government's branches, its armed forces' military wing, media agencies, one SME, as well as a research institute for SK's national policies.

The malware campaign reportedly, uses a RAT (remote administration tool), which became apparent during June 2012 within certain Korean newspaper's networks. With extensive investigations, it was learnt that this RAT's foremost variant surfaced in November 2009 and then it had been utilized during 2011 too.

Online crooks who're disseminating the mentioned RAT give it an appearance of one innocuous document. If run, an authentic file gets opened that disperses any possible doubt, while behind the scene malevolent activities of the malware operate.

And though right now, the document's manner of distribution isn't definitely known, security researchers think spear-phishing e-mails are possibly the channel.

Intriguingly, a form of installer, the said RAT installs one Direct Link Library (.DLL) file, which's subsequently inserted into the svchost.exe a genuine process. Thereafter, the inserted element communicates with the C&C server of the malicious software for confirming contamination as also for receiving remote commands.

The commands issued (to the RAT) include naming the ongoing processes along with each one's process ID; taking down as also running files; uninstalling or updating the malware; starting else destabilizing a process; naming the existing fixed/detachable drives; naming the originally present files along with the date/time they were created; deleting or uploading files; facilitating access from the remote using command shells; and restarting the computer device.

When these commands are executed, the attackers gain entire hold of the victims' PCs.

Notably, the attackers, by utilizing hijacked hosts to serve like command-and-control proxy servers, limit the tracing down chances of probable e-threats. Further, the campaign codes utilized are varied containing Chinese phrases -minzhu, xuehui and guohui- however, utilization of English language seems more comfortable, Trend Micro concludes.

Related article: Trend Micro Warns of Flaw in its Anti-Virus

» SPAMfighter News - 1/9/2013