Steganography employed to deliver backdoor

May 14, 2015 09:30 GMT

Attackers using basic steganography techniques and exploits for old vulnerabilities in Microsoft products managed to compromise computers of government and corporate organizations in Taiwan in targeted cyber operations.

Between the months of March and May, the threat actor focused mainly on targets in Taiwan, although entities in the Philippines have also been attacked.

The final payload in the infection chain is a backdoor that allows the threat actor to create a remote shell on the compromised system and move laterally in the network in search of new targets of interest, as well as exfiltrate any data stored on the affected system.

Malware hidden in image file via basic steganography

Initial access is gained by exploiting CVE-2010-3333 (a stack-based buffer overflow in Microsoft Office's RTF parser) and CVE-2012-0158 (a buffer overflow in the MSCOMCTL ActiveX control used by Office), two of the most widely exploited Microsoft Office vulnerabilities, disclosed in 2010 and 2012 respectively.

Patches for both flaws have been available for years, which suggests that the victims of this campaign, dubbed Operation Tropic Trooper by Trend Micro, still run unpatched or outdated software and are therefore easier to attack.

Infection starts with a spear phishing email that delivers a malware downloader detected as TROJ_YAHOYAH that can run on both 32-bit and 64-bit systems. To mask the deployment of the threat, a decoy document is launched.

Before continuing its routine, the Trojan checks whether security products from vendors such as Qihoo 360, Avast, Avira, Kaspersky or ESET are present on the system.

The next step is to download a wallpaper image to which malicious code has been appended. Opening it displays the picture normally, because image decoders stop at the end of the image data, but comparing file sizes shows that the tampered version is considerably larger than the original.

The Trojan looks for a specific marker in the picture, extracts the embedded malware that follows it, and launches it, dropping the final payload, which the security vendor detects as BKDR_YAHAMAM.
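As an added example (not code from the article or from Trend Micro's analysis), the following Python shows both sides of the technique described above: an attacker appending a marker and a payload after a valid image, the downloader's marker search, and the defender's check that catches it without needing the original file for a size comparison: parse the JPEG segment by segment up to its EOI marker and flag any bytes that follow. The marker value, the minimal JPEG and the payload bytes are constructed for the demonstration; the real malware's marker is not given in the article.

```python
"""Append-after-EOI image steganography: embed, extract, and detect.

Example code written for this article, not the malware's or Trend Micro's code.
MARKER, SAMPLE_JPEG and PAYLOAD are constructed for the demonstration.
"""
import struct
from typing import Optional

# Hypothetical marker; the article does not give the real malware's marker value.
MARKER = b"--STEGO-MARKER--"

# Constructed, minimal but structurally valid JPEG: SOI, APP0 (JFIF), SOS header,
# a few entropy-coded bytes (with a stuffed 0xFF00 and an RST0 marker), then EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + struct.pack(">H", 16)
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    + b"\xff\xd9"
)

# Constructed stand-in for the embedded executable. It deliberately contains the
# byte pair FF D9 so that a naive "search for the last EOI" check is fooled.
PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00" + b"\xff\xd9" + b"<rest of embedded PE>"


def embed(image: bytes, payload: bytes, marker: bytes = MARKER) -> bytes:
    """Attacker side: the image stays viewable because decoders stop at EOI."""
    return image + marker + payload


def extract(blob: bytes, marker: bytes = MARKER) -> Optional[bytes]:
    """Downloader side: locate the marker and take everything after it."""
    idx = blob.find(marker)
    return None if idx == -1 else blob[idx + len(marker):]


def jpeg_end(data: bytes) -> Optional[int]:
    """Offset just past EOI, found by walking the segment structure.

    Returns None if the data is not a well-formed JPEG.
    """
    if data[:2] != b"\xff\xd8":
        return None
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None
        while pos + 1 < n and data[pos + 1] == 0xFF:   # fill bytes before a marker
            pos += 1
        if pos + 1 >= n:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                              # EOI: the image ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                               # a real marker, not stuffing or RSTn
                pos += 1
    return None


def trailing_data(data: bytes) -> bytes:
    """Defender check: bytes after the structural end of the image are suspicious."""
    end = jpeg_end(data)
    return b"" if end is None else data[end:]


def naive_trailing(data: bytes) -> bytes:
    """The tempting shortcut: take whatever follows the last FF D9.
    Wrong whenever the appended payload itself contains that byte pair."""
    idx = data.rfind(b"\xff\xd9")
    return b"" if idx == -1 else data[idx + 2:]


if __name__ == "__main__":
    blob = embed(SAMPLE_JPEG, PAYLOAD)
    print(f"image ends at offset {jpeg_end(blob)}, file is {len(blob)} bytes")
    print(f"trailing bytes: {len(trailing_data(blob))}, naive estimate: {len(naive_trailing(blob))}")
    print("payload recovered:", extract(blob) == PAYLOAD)
```

Walking the segments matters: the appended blob in a real campaign is an encoded executable, and the odds that it contains FF D9 somewhere are high, so `rfind` will under-report or miss the trailing data entirely. The structural walk returns the same end offset whether or not anything follows, which is also the property that lets the image render normally for the victim.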

Rootkit installed to hide communication ports

The researchers identified multiple command and control (C&C) servers in four countries: Taiwan (43% of the servers), USA (36%), Hong Kong (14%) and the UAE (7%). Communication with them is encrypted.

According to a report from Trend Micro on Thursday, the malware can steal any file on the system and it can terminate processes and services, delete files and folders, as well as place the computer in sleep mode.

During the analysis of the backdoor, researchers observed that it tries to install a rootkit driver (usb30.sys) to hide the ports it communicates over. “After creating and starting the rootkit service, BKDR_YAHAMAM then attempts to delete the rootkit and the related service. This will not stop the rootkit from running in the background,” the report explains. The driver is already loaded in the kernel at that point, so removing the file and the service entry only hides it from a casual look at the disk and the service list.

The main purpose of Operation Tropic Trooper appears to be intelligence gathering, including harvesting credentials for lateral movement through methods such as man-in-the-middle (MitM) and pass-the-hash attacks.

Although the operation is not sophisticated, its success is owed to security gaps in the networks of the targeted parties, which may still rely on the unsupported Windows XP and on unpatched Office installations to carry out their tasks.