Threat actors are continually evolving their techniques. One of the latest Graftor variants is delivering a Malware DLL via a PNG file delivery mechanism. Graftor basically indicates some type of trojan hiding in a piece of software. Hiding executables and DLLs in PNG files is yet another attempt to avoid detection and deliver malicious content to user systems. In this instance, the malicious content is placed at the end of the real PNG file data.
On the 21st of July, 2014, Cisco TRAC became aware that the website dwnews.com was serving malicious Adobe Flash content. This site is a Chinese language news website covering events in East Asia from a US base. The site is extremely popular, rated by Alexa’s global traffic ranking as the 1759th most visited website worldwide, and the 28th most visited in South Korea. In addition the news site also receives a substantial number of visitors from Japan, the United States and China.
This malware campaign does not appear to be tightly targeted. Twenty-seven companies across eight verticals have been affected:
Banking & Finance
Energy, Oil, and Gas
Engineering & Construction
Pharmaceutical & Chemical
Retail & Wholesale
This is indicative of the campaign acting as a drive-by attack targeting anyone attempting to view one of the affected sites.
We blogged in September of 2013 about variants of Havex. A month ago on June 2, 2014, I had the chance to give a presentation at AREA41. In my presentation “The Art of Escape,” I talked about targeted attacks involving watering holes.
If we look at the timeline of the attacks we see two clear impacting factors:
- CVE release time
- Timeframe of new PluginDetect
This explains why we saw an increase in watering hole attacks peaking in August
There is still time to register for the upcoming FIRST Technical Colloquium April 2-3 2013. The event has a very exciting program covering, bitsquatting, webthreats, RPZ, Passive DNS, Real-world monitoring examples, Spamhaus, SIE, Cuckoo Sandbox, Malware Analysis and many more current issues facing the incident response community.
The event’s line-up includes notables from Cisco Security Intelligence Operations (SIO), Internet Systems Consortium, Shadowserver foundation, KPN-CERT, NATO, MyCert and ING amongst others. Program details can be found here.
Read More »