Trend Micro experts have analyzed this interesting threat

Apr 26, 2013 22:31 GMT

Most spam campaigns leveraging the recent Boston Marathon explosions have nothing that’s out of the ordinary. However, Trend Micro experts have identified one targeted attack that’s worth mentioning.

It all starts with an email entitled “Please pray for Boston.”

The email reads something like this: “Two powerful bombs exploded near the finish line of the Boston Marathon on Monday afternoon, killing at least three people, including a child, and injuring at least 100 as one of the city’s most cherished rites of spring was transformed from a scene of cheers to a sweaty triumph to one of creams, bloody carnage and death.”

Attached to these emails is an apparently harmless Word document. When opened, the document exploits a vulnerability (which Microsoft patched one year ago) to drop an executable file detected by Trend Micro as Troj_Naikon.A.

The threat is designed to connect to its command and control server via SSL. The digital certificate used in the attack is filled with bogus information, such as “abc” for the organization’s name.

The use of SSL ensures that the traffic sent between the malware and its C&C is encrypted, increasing its chances of avoiding detection by security solutions. However, in this case, the malware’s plain-text traffic contains a “User-Agent” header that’s easy to identify.

The command and control server in question was used in the past by another malware family, which was active in 2011. However, considering that some time has passed since, experts say it’s unclear if there’s a connection between the two.

“The use of SSL encryption to communicate with C&C has its merits, particularly in evading detection based on patterns in URL parameters and HTTP headers,” Trend Micro Senior Threat Researcher Nart Villeneuve noted.

“However, certain proactive steps can be taken, including looking for default, random or empty values in SSL certificate fields and restricting detections to certificates supplied by external networks.”
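A defender-side illustration of the check Villeneuve describes, added here as an example and not Trend Micro's tooling: it screens the subject fields of a certificate observed on the wire for empty, OpenSSL-default, placeholder or random-looking values, and only for certificates presented by external peers. The DN strings, the peer addresses and the placeholder list are constructed assumptions.

```python
"""Screen TLS certificate subjects for bogus values (e.g. "abc" as the organisation)."""
import ipaddress
import math
import re

# Values OpenSSL's `req` tool fills in when the operator just presses Enter.
OPENSSL_DEFAULTS = {"au", "some-state", "internet widgits pty ltd"}
# Assumed placeholder list; "abc" is the value reported in the attack above.
PLACEHOLDERS = {"abc", "test", "default", "example", "localhost", "none", "n/a", "xx"}
SUBJECT_KEYS = ("C", "ST", "L", "O", "OU", "CN")
# Peers inside these ranges are "internal"; their certificates are not scored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_dn(dn):
    """Turn 'C=XX, O=abc, CN=abc' (or '/C=XX/O=abc') into a dict; absent keys map to ''."""
    fields = {k: "" for k in SUBJECT_KEYS}
    for part in re.split(r",\s*|/", dn):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    return fields

def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_random(value):
    """Long mixed letters-and-digits with high entropy and no hostname dots."""
    return (len(value) >= 8 and "." not in value and " " not in value
            and re.search(r"\d", value) and re.search(r"[A-Za-z]", value)
            and shannon_entropy(value) >= 3.0)

def is_external(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return not any(addr in net for net in INTERNAL_NETS)

def assess_certificate(subject_dn, peer_ip):
    """Return a list of findings; empty when nothing is suspicious or the peer is internal."""
    if not is_external(peer_ip):
        return []  # restrict detections to certificates supplied by external hosts
    findings = []
    for key, value in parse_dn(subject_dn).items():
        low = value.lower()
        if value == "":
            findings.append(f"{key}: empty")
        elif low in OPENSSL_DEFAULTS:
            findings.append(f"{key}: OpenSSL default '{value}'")
        elif low in PLACEHOLDERS:
            findings.append(f"{key}: placeholder '{value}'")
        elif looks_random(value):
            findings.append(f"{key}: random-looking '{value}'")
    return findings
```

Feeding it `assess_certificate("C=XX, O=abc, CN=abc", "203.0.113.10")` (a constructed external peer) flags every subject field, while the same certificate from 10.1.2.3 is ignored.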