Sunshop Gang Exploiting IE and Java Flaws for Purveying Malware
Security company FireEye is reporting on the "Sunshop Group", the name it has given to a cyber-espionage gang that is distributing a RAT (remote access Trojan) along with other malware by exploiting several recently patched security flaws in Internet Explorer and Java. The attacks have been named the 'Sunshop Campaign.'
FireEye researcher Ned Moran states that the same group has hijacked a number of websites, including sites of the Korean military and other strategic think tanks in that country, as well as a Uyghur news and discussion site, among others. Scmagazine.com published this dated May 22, 2013.
The IE 0-day flaw had evidently been exploited earlier in the same month, May 2013, in a "watering hole" attack that used the US Department of Labor's website to distribute malware.
In the latest Sunshop attacks, end-users visiting the hijacked websites are redirected to a malicious site known as "Sunshop", which is why FireEye's researchers have labeled the gang the "Sunshop Group."
FireEye explains that the RAT known as Lady Boyle is delivered through three separate C&C systems during the Sunshop attacks. When end-users browsing with IE8 are led to one of the hijacked websites, they encounter the CVE-2013-1347 exploit; CVE-2013-1493 and CVE-2013-2423 are the two Java exploits, both of which have already been patched. The three C&C servers resolve to 58[.]64[.]205[.]53, an address that one other domain also used for planting 'Briba', a malware that is reportedly the RAT behind the IExplore attacks on non-governmental organizations.
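The attack chain described above (IE8 users redirected off a hijacked site, Java exploit delivery, and the shared C&C address) can be turned into simple proxy-log triage rules. The following is an added example, not FireEye's tooling: the log format and the hostnames thinktank.example and sunshop.example are constructed, and it assumes the Java exploits arrive as .jar or .class fetches from the redirect target.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# C&C address reported in the article (written defanged there as 58[.]64[.]205[.]53).
SUNSHOP_C2_IP = "58.64.205.53"
IE8_UA = re.compile(r"MSIE 8\.0")
# Assumption: Java exploit payloads are fetched as archives/classes from the redirect target.
JAVA_PAYLOAD = re.compile(r"\.(jar|class)$", re.IGNORECASE)

# Constructed proxy log (NOT real traffic): client_ip method url status user_agent
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://thinktank.example/news.html 302 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
10.0.0.12 GET http://sunshop.example/index.html 200 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
10.0.0.12 GET http://sunshop.example/loader.jar 200 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
10.0.0.12 POST http://58.64.205.53/check.php 200 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
10.0.0.44 GET http://intranet.example/home 200 Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0
"""


def parse_line(line):
    """Split one constructed log line into its fields; the user agent may contain spaces."""
    client, method, url, status, ua = line.split(" ", 4)
    return {"client": client, "method": method, "url": url,
            "host": urlparse(url).hostname, "path": urlparse(url).path,
            "status": int(status), "ua": ua}


def find_sunshop_indicators(log_text):
    """Return (client, rule, url) alerts, evaluated per client in request order."""
    alerts = []
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_client[rec["client"]].append(rec)
    for client, recs in per_client.items():
        redirect_targets = set()  # hosts this client was bounced to from a 302
        for i, rec in enumerate(recs):
            if rec["host"] == SUNSHOP_C2_IP:
                alerts.append((client, "known_c2", rec["url"]))
            # Watering-hole pattern: IE8 client gets a 302 and its next request lands on another host.
            if rec["status"] == 302 and IE8_UA.search(rec["ua"]) and i + 1 < len(recs):
                nxt = recs[i + 1]
                if nxt["host"] != rec["host"]:
                    redirect_targets.add(nxt["host"])
                    alerts.append((client, "ie8_redirect", nxt["url"]))
            # Java payload fetched from a host the client only reached via that redirect.
            if rec["host"] in redirect_targets and JAVA_PAYLOAD.search(rec["path"]):
                alerts.append((client, "java_payload", rec["url"]))
    return alerts
```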
According to Moran, the RAT is a typical malicious program that gives access to a PC, executes instructions, downloads the victim's data or uploads new .exe files to the system, and executes shell commands. From experience, this particular RAT is not used for anything else and cannot be bought; every time it appears, it is used only in this kind of strategic espionage attack, Moran says. Threatpost.com published this dated May 23, 2013.
The researcher further states that the Sunshop Gang also carried out the well-known attack that compromised the website of the Nobel Peace Prize Committee. That attack used a 0-day exploit for a previously unknown flaw in Mozilla's Firefox.
» SPAMfighter News - 29-05-2013