Security experts uncovered an unusual cyber espionage ….

Jul 23, 2013, 01:00 pm EST

Security experts uncovered an unusual cyber espionage campaign based on file infector belonging to the PE_EXPIRO family that includes information theft module

Security experts at TrendMicro uncovered an unusual espionage campaign that hit United States users based  on malware having file infector with stealing capabilities. The attackers acted with specific intent to steal information from organizations or to compromise websites targeting of FTP credentials. The researchers estimated that nearly 70% of total infections hit United States users; this circumstance led them to believe that the attack was intended to steal information from US organizations.

Unfortunately it’s not surprising that a security firm uncover a targeted attack, in the last weeks TrendMicro already alerted the security community on an ongoing targeted attack against  Asian and European government agencies, meanwhile the same security firm last month revealed another cyber espionage campaign dubbed Naikon that used RARSTONE malware for the related spear-phishing attacks.

The Naikon campaign hit companies across Asia (e.g. India, Malaysia, Singapore, and Vietnam) belonging to different sectors such as telecommunications, energy, governments, media, and others.

The anomaly resides in the file infector that is equipped with a routine designed to steal data from victim’s systems. The researchers at TrendMicro revealed that the cyber threat has been spotted with an unexpected combination exploit kits, mainly Java and PDF exploits, to deliver file infectors.

The malicious code of file infector belongs to the PE_EXPIRO family spread on into the wild since 2010, but the new variant also includes information theft module.

The blog post describes the infection chain as composed by following steps:

  • The user is lured to a malicious site which contains an exploit kit. Several exploits are used; one of these is a Java exploit (detected as JAVA_EXPLOIT.ZC) which uses CVE-2012-1723. Another Java vulnerability (CVE-2013-1493) is also being used. A PDF exploit is also being used, with the malicious PDF file detected as TROJ_PIDIEF.JXM.
  • Whatever exploit is used, the end result is the same: the mother file infector (either PE_EXPIRO.JX-O, PE_EXPIRO.QW-O, or PE64-EXPIRO-O for 64-bit systems) onto the affected system.
  • Once on the affected system, it seeks out .EXE files in the system to infect. All folders in all available drives (removable, shared, networkers) are subjected to this search. The infected files are detected as PE_EXPIRO.JX.
  • It steals system and user information, such as the Windows product ID, drive volume serial number, Windows version and user login credentials. It also steals stored FTP credentials from the Filezilla FTP client.
  • The stolen information is then saved in a .DLL file and uploaded to various command-and-control (C&C) servers.

PE Expire

As usual the best way to protect the systems it is strongly suggested to deploy proper defense mechanisms and keep the entire architecture updated.

Trend Micro confirmed that its products are able to detect the malicious code used for the targeted attack and the C&C servers have been blocked.

(Source: CDM, Pierluigi Paganini, Editor and Chief )

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase