Pakistanis are Targeted by New India-based Malware Campaign, says ESET
A new malware operation has been targeting Pakistan for the past few months and, after some electronic sleuthing, appears to originate from neighbouring India, security vendor ESET warns. The campaign abuses a code-signing certificate to sign the binaries it executes.
Jean-Ian Boutin, a malware researcher at ESET, explains that the campaign relies on a misused code-signing certificate issued to the Indian company 'Technical and Commercial Consulting Pvt. Ltd.'. The certificate was issued in 2011 and revoked in March 2012, yet it was still used to sign more than 70 different malicious binaries intermittently between March 2012 and September 2012. Revocation only helps users whose systems actually consult revocation status when validating a signature; a revoked certificate otherwise still looks like a valid signer.
The malware uses two infection vectors. The first relies on CVE-2012-0158, a widely exploited vulnerability that can be triggered by specially crafted Microsoft Office documents and allows arbitrary code execution. The documents were distributed by email, and the malicious code ran as soon as the document was opened, without the targeted user noticing anything.
The second uses PE (Portable Executable) files disguised as Microsoft Word or PDF documents, again mostly distributed by email. When the user runs the file, the malicious program downloads and executes additional malicious binaries. To avoid arousing the victim's suspicion, a decoy Word document is displayed.
Among the disguised files observed by ESET were "pakistandefencetoindiantopmiltrysecreat.exe" and "pakterrisiomforindian.exe".
The malware exfiltrated sensitive data from infected PCs to the attackers' servers, using several data-stealing techniques, including capturing screenshots and uploading documents. Notably, the stolen data was sent to the attacker's server without any encryption.
The decision not to use encryption is puzzling, given that adding even basic encryption would have been simple and would have given the campaign extra stealth. For defenders it is also an opportunity: screenshots and documents uploaded in the clear can be recognised on the wire by their file headers.
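As an added example written for this page (not ESET's tooling or code from the original report), the following Python script shows two defender checks suggested by the two vectors described above: a mail-gateway triage that catches PE files wearing document names (the "briefing.doc.exe" trick, and a real executable behind a .pdf extension), and a scan of captured HTTP POST bodies for screenshots or documents leaving the network in the clear. All sample attachments, POST bodies and destination addresses are constructed for the example; the PE headers are minimal stand-ins rather than real binaries, and the Authenticode check only reports whether a signature blob is present, since judging whether the signing certificate was revoked requires the issuing CA's revocation data.

```python
import struct
from typing import List, Optional, Tuple

# Leading bytes of the file types the checks below care about.
MAGIC = {
    b"MZ": "pe",
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "ole",  # legacy .doc/.xls/.ppt container
    b"PK\x03\x04": "zip",                        # .docx and other OOXML files
    b"%PDF": "pdf",
    b"{\\rtf": "rtf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xFF\xD8\xFF": "jpeg",
    b"BM": "bmp",
}
DOC_EXTS = {".doc", ".docx", ".xls", ".ppt", ".pdf", ".rtf"}
DOC_KINDS = {"ole", "zip", "pdf", "rtf"}
LEAK_KINDS = DOC_KINDS | {"png", "jpeg", "bmp"}   # screenshots and documents


def sniff(data: bytes) -> Optional[str]:
    """Identify a blob by its leading bytes; None if it matches nothing."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def pe_has_authenticode(data: bytes) -> bool:
    """True if the PE's security data directory (index 4) points at a signature
    blob. Presence is not trust: the signing certificate may be revoked, as in
    the campaign above, so chain and revocation checks are still required."""
    if data[:2] != b"MZ":
        return False
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        opt = e_lfanew + 24                        # past "PE\0\0" and the COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+ data-directory offset
        if dirs is None:
            return False
        sec_off, sec_size = struct.unpack_from("<II", data, opt + dirs + 4 * 8)
    except struct.error:
        return False
    return sec_off != 0 and sec_size != 0


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Findings for an emailed attachment: name tricks and content mismatches."""
    findings = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if any("." + p in DOC_EXTS for p in parts[1:-1]):   # "briefing.doc.exe"
        findings.append("double extension")
    kind = sniff(data)
    if kind == "pe":
        findings.append("executable")
        if ext in DOC_EXTS:
            findings.append("PE disguised as document")
        findings.append("authenticode present" if pe_has_authenticode(data) else "unsigned")
    elif ext in DOC_EXTS and kind not in DOC_KINDS:
        findings.append("content does not match extension")
    return findings


def find_plaintext_exfil(posts: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Given (destination, body) pairs from captured HTTP POSTs, return those whose
    body carries a recognisable screenshot or document, i.e. data leaving the
    network in the clear. Handles raw bodies and multipart/form-data, where the
    file bytes follow the blank line that ends a part's headers."""
    hits = []
    for host, body in posts:
        for chunk in [body] + body.split(b"\r\n\r\n")[1:]:
            kind = sniff(chunk)
            if kind in LEAK_KINDS:
                hits.append((host, kind))
                break
    return hits


def fake_pe32(signed: bool) -> bytes:
    """Minimal PE32 header, a constructed stand-in for the example (not a real binary)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + b"\0" * 20
    opt = bytearray(96 + 16 * 8)                                  # fields + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x200, 0x800)   # security dir: offset, size
    return dos + coff + bytes(opt)


# Constructed sample data (attachment names, bodies, and POSTs to a documentation
# range address); none of it comes from the ESET report.
OLE_HEADER = bytes.fromhex("D0CF11E0A1B11AE1")
SAMPLE_ATTACHMENTS = {
    "briefing.doc.exe": fake_pe32(signed=True),
    "briefing.pdf": fake_pe32(signed=False),
    "memo.doc": OLE_HEADER + b"\0" * 32,
}
SAMPLE_POSTS = [
    ("203.0.113.10", b'--b\r\nContent-Disposition: form-data; name="f"; filename="shot.png"'
                     b'\r\n\r\n\x89PNG\r\n\x1a\n\0\0\0\rIHDR'),
    ("203.0.113.10", b"\x1f\x8b\x08\x00\x00\x00\x00\x00"),   # compressed or encrypted: unrecognised
    ("203.0.113.10", OLE_HEADER + b"\0" * 8),
]

if __name__ == "__main__":
    for name, blob in SAMPLE_ATTACHMENTS.items():
        print(name, triage_attachment(name, blob))
    print(find_plaintext_exfil(SAMPLE_POSTS))
```

On the constructed samples, "briefing.doc.exe" is reported as a signed executable with a double extension, "briefing.pdf" as an unsigned PE disguised as a document, and "memo.doc" (a genuine OLE container) passes clean; the POST scan flags the multipart PNG upload and the raw OLE body and ignores the compressed blob, which is exactly the difference encryption would have made for the attackers.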
A similar piece of malware, Redpill, was found compromising users' computers in India in April 2013. That operation also stole screenshots, together with bank account and email details. It was the malware's second wave of attacks since it was first discovered in 2008.
» SPAMfighter News - 23-05-2013