Monday, February 11, 2013

Backdoor.Barkiofork attacks defense and aerospace industry


Symantec Corporation announces the discovery of a number of cyber attacks aimed at organizations in the defense and aerospace industries.

The attackers lure victims with an email carrying malicious content, using a report on the outlook for the defense and aerospace industry as bait.

A few weeks ago, Symantec experts observed spear-phishing attacks directed at organizations in the aerospace and defense industries. Symantec's specialists found that at least 12 different organizations had come under attack. Among them were companies involved in aviation and air traffic control, as well as companies carrying out government contracts, including defense contracts.


Email used in this phishing campaign

The attackers chose highly placed people as their victims: top managers, directors and vice presidents. All the emails were identical. The lure the attackers used was a report published in 2012 on the outlook for the defense and aerospace industry. The attackers tried to create the impression that the email had been sent by the company that originally published the report. Moreover, the email was written so as to appear to come from an employee of that company, or from a professional working in one of these industries.

When the victim opened the malicious PDF file attached to the email, an exploit ran that attempted to take advantage of the 'SWF' File Remote Memory Corruption Vulnerability (CVE-2011-0611). If the attempt succeeded, malicious files were downloaded onto the system together with a "clean" PDF file, in order to lull the user.

The user opens the clean PDF file


The PDF file used as bait is a review of the outlook for the industry, but the attackers slightly altered the original, removing some of the branding elements.

In addition to writing the "clean" PDF file, the exploit installs a malicious svchost.exe on the system, which in turn places a malicious ntshrui.dll in the Windows folder. The threat uses the DLL search-order hijacking technique (ntshrui.dll is not protected by the operating system as a known DLL). When the malicious svchost.exe runs explorer.exe, the latter loads the malicious ntshrui.dll from the Windows folder instead of the legitimate one located in the Windows System folder. Symantec detects the malicious svchost.exe and ntshrui.dll files as Backdoor.Barkiofork.
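The search-order hijack described above can be checked for from the defender's side by comparing a file listing against the directories involved. The following is an added example, not Symantec's code or the post's own: it takes a constructed file listing and flags DLLs that sit in the Windows folder (where explorer.exe lives and is found first) while a legitimate copy exists in the System folder, skipping names on an assumed KnownDLLs subset, since those are always loaded from the System folder regardless of search order.

```python
from pathlib import PureWindowsPath

# Assumed layout: explorer.exe lives in the Windows folder, so a DLL planted
# there is found before the legitimate copy in System32.
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")
SYSTEM_DIR = PureWindowsPath(r"C:\Windows\System32")

# Constructed subset of the KnownDLLs list: these names are loaded from the
# System folder regardless of search order, so a stray copy cannot hijack them.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll"}

# Constructed file listing, modelled on the layout described in the post.
SAMPLE_LISTING = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\ntshrui.dll",           # planted copy next to explorer.exe
    r"C:\Windows\System32\ntshrui.dll",  # legitimate copy
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\kernel32.dll",          # stray copy, but KnownDLLs protects it
    r"C:\Windows\System32\shell32.dll",
    r"C:\Windows\Temp\svchost.exe",
]


def hijack_candidates(file_listing, app_dir=WINDOWS_DIR,
                      system_dir=SYSTEM_DIR, known_dlls=KNOWN_DLLS):
    """Return full paths of DLLs in app_dir that shadow a copy in system_dir
    and are not protected by the KnownDLLs mechanism.

    PureWindowsPath compares case-insensitively, matching Windows semantics.
    """
    in_app = {}      # lowercase dll name -> path as listed
    in_system = set()
    for raw in file_listing:
        path = PureWindowsPath(raw)
        if path.suffix.lower() != ".dll":
            continue
        name = path.name.lower()
        if path.parent == app_dir:
            in_app[name] = raw
        elif path.parent == system_dir:
            in_system.add(name)
    protected = {k.lower() for k in known_dlls}
    return sorted(p for n, p in in_app.items()
                  if n in in_system and n not in protected)


if __name__ == "__main__":
    for hit in hijack_candidates(SAMPLE_LISTING):
        print("possible DLL search-order hijack:", hit)
```

On a live system the same function can be fed the output of a directory walk over the Windows folder, and any hit is worth comparing against the signed copy in the System folder.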

The analyzed version of Backdoor.Barkiofork has the following functions:

- Enumerates disk drives;
- Contacts its command-and-control server at osamu.update.ikwb.com;
- Steals system information;
- Downloads and installs updates to itself.

This spear-phishing campaign continues to demonstrate a high level of sophistication and preparation in conducting attacks designed to steal information, and in particular in the use of social engineering techniques that have the most effective impact on the victim.
