14 DAY TRIAL // Workers at a government office in Taiwan have received emails carrying a backdoor that extracts system identifying information and delivers it to a remote server.
The rogue email carries a piece of malware in the attachment, with the purpose of sending the attackers the MAC address of the machine it runs on.
Attackers rely on the popularity of LINE service
The message uses the name of the LINE messaging service in the subject to lure recipients into opening it and claims to come from a political figure.
Threat analyst Benson Sy from Trend Micro security company says that the sender of the malicious email also asks the potential victim to join a particular group in LINE and to provide details for profiling purposes.
LINE is a popular messaging app in countries such as Japan, Taiwan, Indonesia, the US, Mexico and Columbia, boasting over 550 million registered users, 170 million of them having active accounts, according to statistics from October 2014.
The variant for Android devices has at least 100 million installations. The service provides free instant messages and calls over the web. The product is employed by regular users and is said to be used by government officials in Taiwan, too.
Malware uses encrypted communication
Following the analysis of the malware, researchers determined that the command and control (C&C) server it communicates to could be a legitimate server that has been compromised by the attackers.
The only information exfiltrated from the targeted computer appears to be its MAC address, a unique identifier for machines in a network.
“Based on our analysis, this backdoor uses port 443, which is related to HTTPS. The only information it extracts is MAC address as compared to other backdoors that steal data such as hostname, OS version, and domain among others,” Sy said in a blog post last week.
The researchers have observed that the malware piece relies on a string building technique that has been seen in Gh0st RAT (remote access Trojan), whose source code dates from 2001 but it is still used today.
Also, they noted that the attack may be connected to Taidoor, a constantly evolving malware that has been used for cyber-espionage since 2008, with targets ranging from US Defense contractors to Japanese companies, government agencies and an educational institution in Taiwan.