.jpg's used to spread malware in Asia
Posted by: Timothy Weaver on 09/24/2013 03:11 PM
[
Comments
]
Think that .jpg is safe to open? Security researchers have spotted two new targeted attack campaigns aimed at organizations in Japan, China and elsewhere in Asia. The payload for the attack, first detected by FireEye at the end of August, was hosted on a server in Hong Kong disguised as a .jpg file. The malware exploits a zero day exploit in Internet Explorer revealed only last week.
The group responsible for DeputyDog is the same one that compromised security firm Bit9 back in February 2013, thanks to a connection with the IP address 180.150.228.102.
It explained in more detail as follows:
According to Bit9, the attackers that penetrated their network dropped two variants of the HiKit rootkit. One of these Hitkit samples connected to a command and control server at downloadmp3server[.]servemp3[.]com that resolved to 66.153.86.14. This same IP address also hosted www[.]yahooeast[.]net, a known malicious domain, between March 6, 2012 and April 22, 2012.
The domain yahooeast[.]net was registered to 654@123.com. This email address was also used to register blankchair[.]com – the domain that we see was pointed to the 180.150.228.102 IP, which is the callback associated with sample 58dc05118ef8b11dcb5f5c596ab772fd, and has been already correlated back to the attack leveraging the CVE-2013-3893 zero-day vulnerability.
The malware was observed connecting to a host in South Korea.
The group responsible for DeputyDog is the same one that compromised security firm Bit9 back in February 2013, thanks to a connection with the IP address 180.150.228.102.
It explained in more detail as follows:
According to Bit9, the attackers that penetrated their network dropped two variants of the HiKit rootkit. One of these Hitkit samples connected to a command and control server at downloadmp3server[.]servemp3[.]com that resolved to 66.153.86.14. This same IP address also hosted www[.]yahooeast[.]net, a known malicious domain, between March 6, 2012 and April 22, 2012.
The domain yahooeast[.]net was registered to 654@123.com. This email address was also used to register blankchair[.]com – the domain that we see was pointed to the 180.150.228.102 IP, which is the callback associated with sample 58dc05118ef8b11dcb5f5c596ab772fd, and has been already correlated back to the attack leveraging the CVE-2013-3893 zero-day vulnerability.
The malware was observed connecting to a host in South Korea.
Comments
