
Defense industries targeted in recent attacks —Trend Micro


Several defense industry companies in Japan, Israel, India and the United States have been hit in a recent series of targeted hack attacks, computer security firm Trend Micro said Tuesday.

In a blog post, Trend Micro said the attackers compromised 32 computers, with multiple compromises at several locations. "This network has been active since July 2011 and is continuing to send out malicious documents in an attempt to compromise additional targets," it said.

Among the victims was Japanese defense contractor Mitsubishi Heavy Industries (MHI), whose network was compromised in this targeted attack. While Trend Micro said it has yet to determine the attack vector used against MHI, it has analyzed a sample that connects to the same command-and-control (C&C) server.

"While this network has managed to compromise a relatively small number of victims, there is a high concentration of defense industry companies among the victims. Moreover, the fact that specific malware components are created for specific victims indicates a level of intentionality among the attackers," Trend Micro said.

Malicious .pdf attachments

Trend Micro said the attackers sent out emails with a malicious PDF attachment (detected as TROJ_PIDIEF.EED) that exploits a vulnerability in specific versions of Adobe Flash and Reader. The payload, detected as BKDR_ZAPCHAST.QZ, connects to a C&C server, sends some pieces of information about itself and awaits further commands.

In the second stage, the attackers issue commands that instruct the compromised computer to report back networking information and file names within specified directories. Certain targets are instructed to download custom DLL files.

"Once inside the network, the attackers issue commands that cause the compromised computer to download tools that allow them to move laterally throughout the network including those that enable 'pass-the-hash' techniques. They then issue additional commands that cause the compromised computer to download a remote access Trojan (RAT) that allows the attackers to take real-time control of the compromised system," Trend Micro said.

The RAT, called "MFC Hunter," has three components:
- Server: installed on the victim's machine and connects to the "hub"
- Hub: installed on an intermediary machine and serves as a proxy connection between victim and attacker
- MFC: the RAT client that the attackers use to control the victim's compromised computer

With this setup, the attackers can schedule commands to be run by the compromised computer when it connects to the command and control server. They can also take real-time control of the compromised computer using the RAT. — TJD, GMA News