Wednesday, February 1, 2012

Ongoing Targeted Attack Campaign Going After Defense, Aerospace Industries

Researchers have identified a strain of malware that's being used in a string of targeted attacks against defense contractors, government agencies and other organizations, leveraging exploits against zero-day vulnerabilities. The attacks may have been going on since 2009 in some form, and the emails containing the malicious attachments, disguised as fake conference invitations, are specifically targeted at executives and officials in various industries.

The attack campaign, as many do, appears to be changing frequently, as the attackers use different binaries and change up their patterns for connecting to remote command-and-control servers. The research, done by Seculert and Zscaler, shows that the attackers are patient, taking the time to dig up some information about their potential targets, and are carefully choosing organizations that have high-value intellectual property and assets.

The malware used in these attacks has been dubbed MSUpdater Trojan, as it attempts to conceal its presence on the machine by disguising its outbound communications as Windows Update requests. The researchers first saw the infection on Dec. 25, 2011, and then, working backward from the malware's infection routine, connection pattern and other characteristics, were able to find much older incidents that seem to have been the work of the same attackers.


The research by Seculert and Zscaler shows that the attacks are targeting companies and organizations in the defense industry as well as the aerospace sector. The first attacks likely occurred as far back as early 2009, they said, and while some of the binaries used in the incidents are detected by security software under various names, they haven't been correlated as part of one ongoing campaign before.


MSUpdater Trojan and the Conference Invite Lure

MSUpdater Trojan Whitepaper
