
11/05/2011

[Information] Nitro attacks aiming at defense industries and chemical companies

1. Information

On Oct 31, 2011, Symantec, one of the largest makers of computer security software, reported a targeted attack campaign named Nitro.
The threat is reported to spread a malicious file through social engineering, namely spam mail carrying the file as an attachment, in the manner of an APT (Advanced Persistent Threat) campaign.

According to Symantec's report, 48 or more defense and chemical companies located in the United States and the United Kingdom were infected with a malicious file named Poison Ivy, a backdoor with remote-control functions.
Some of the chemical companies are known to be involved in manufacturing for military vehicles.
In addition, tracing the attacks back to their source led to a PC whose address was identified as being in China.


* Advanced Persistent Threat (by wikipedia)

Advanced persistent threat (APT) usually refers to a group, such as a foreign nation state government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage, but applies equally to other threats such as that of traditional espionage or attack. Other recognised attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.

* The Nitro Attacks: Stealing Secrets from the Chemical Industry (images by Symantec)

a. Geographic Location of Infected Computers


b. Country of origin of targeted organizations



2. Spreading path and symptoms of infection

The recently reported threats aimed at a specific company or user are of the type that attaches a malicious file containing remote-control code to a spam mail.
When the victim executes this malicious program, control of the victim's PC and the useful information stored on it can be taken by the attacker.
A distinguishing feature of the Nitro attack is that it works through interaction between attacker and victim: the victim must be persuaded to open the attachment, after which the attacker operates the compromised PC by hand through the remote-control tool.
The spam mail carries contents and attachments such as the following, and further variants have been found.


[Types of attachments]
  - Antivirus_update_package.7z
  - acquisition.7z
  - offer.7z
  - update_flashplayer10ax.7z

Many variants have been found so far, and the malicious files related to Nitro appear to have been generated with an automated builder toolkit.
Furthermore, because a Remote Administration Tool such as Poison Ivy is easy to distribute and its integrated modules keep being updated with stronger functions, the level of threat keeps rising.
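The delivery vector described above (a spam mail with a 7z-named attachment that carries the remote-control tool) can be triaged at the mail gateway before anyone opens it. The following Python script is an added example, not code from INCA Internet, Symantec or the Nitro report. It parses a constructed sample message, identifies each attachment by its magic bytes instead of trusting the file name, and flags the lure names listed above, attachments that are really Windows executables, and files whose .7z extension does not match their content. The lure-word list, the sample message and its fake attachment bytes are assumptions made for this demo and are not taken from the campaign.

```python
"""Triage e-mail attachments for the Nitro-style lure pattern.

Added example (not INCA Internet's or Symantec's code), standard library only.
The sample message and attachment bytes below are constructed for the demo:
a 7z magic header and a PE 'MZ' header stand in for real files.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment names reported for this campaign (taken from the post above).
NITRO_LURE_NAMES = {
    "antivirus_update_package.7z",
    "acquisition.7z",
    "offer.7z",
    "update_flashplayer10ax.7z",
}

# File signatures (magic bytes) used to identify what an attachment really is,
# regardless of the name the sender gave it.
MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z archive",
    b"MZ": "Windows executable",
    b"PK\x03\x04": "zip archive",
    b"%PDF": "PDF document",
}

# Words attackers use to make a payload look like an update or a business
# document (assumed list for the demo, extend to taste).
LURE_WORDS = re.compile(r"(update|patch|antivirus|flash|offer|acquisition|invoice)", re.I)


def sniff_type(data: bytes) -> str:
    """Classify content by leading bytes; 'unknown' if no signature matches."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons this attachment is suspicious (empty list = nothing found)."""
    reasons = []
    lower = filename.lower()
    real = sniff_type(data)
    if lower in NITRO_LURE_NAMES:
        reasons.append("filename matches a known Nitro lure")
    if real == "Windows executable":
        # A self-extracting archive is still a PE file and runs as one.
        reasons.append("attachment is an executable")
    if lower.endswith(".7z") and real != "7z archive":
        reasons.append(f"extension .7z but content is {real}")
    if real == "7z archive" and LURE_WORDS.search(lower):
        reasons.append("archive named like a software update or business lure")
    return reasons


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment name in a raw RFC 822 message to its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results[name] = triage_attachment(name, part.get_payload(decode=True) or b"")
    return results


def build_sample_message() -> bytes:
    """Constructed sample mail for the demo; not a real Nitro message."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.com"
    msg["To"] = "engineer@example.com"
    msg["Subject"] = "Antivirus update package"
    msg.set_content("Please install the attached security update today.")
    # Fake 7z archive: real signature followed by filler bytes.
    msg.add_attachment(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32,
                       maintype="application", subtype="x-7z-compressed",
                       filename="Antivirus_update_package.7z")
    # Executable (SFX stub stand-in) disguised with a .7z name.
    msg.add_attachment(b"MZ" + b"\x90" * 62,
                       maintype="application", subtype="x-7z-compressed",
                       filename="acquisition.7z")
    # Harmless-looking PDF for comparison.
    msg.add_attachment(b"%PDF-1.4\n%fake\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(f"{name}: {', '.join(reasons) if reasons else 'no findings'}")
```

The point of sniffing magic bytes is that the attacker chooses the file name; the content is what the gateway should trust. A hit on any reason is grounds for quarantining the mail for analyst review rather than for blocking the sender outright, since legitimate archives will also match the lure-word check.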

Once a PC is infected, the attacker can monitor information on the victim's PC as shown in the following figure.



Using the functions of a remote-control tool such as Poison Ivy, the following information on the victim's PC can be identified.

a. Registry information of victim's PC


b. Screen Capture of victim's PC


c. Other monitoring information

 - Remote Shell
 - Surveillance (Key Logger, Screen Capture, Webcam Capture)
 - Remote Port Scanner
 - WiFi Scanner
 - Remote PC Information (Files, Services, Devices, Installed Applications, etc.)

Symantec says that such threats, including Nitro, APT-style campaigns and social engineering, can cause damage to specific companies, and the information leaked can lead to a significant loss of assets.

3. How to prevent

Nitro can lead to a range of security threats. To guard against them, the following practices need to become part of the business culture.

1. Educate staff about the handling of important documents and information.
2. Keep the OS and applications up to date with the latest security updates.
3. Use anti-virus software from a reputable security vendor, keep its engine updated, and keep real-time detection turned on.
4. Do not open or execute files or media received from suspicious or unknown senders.

* INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of the malicious files described above through “nProtect Mobile for Android” for mobile devices, and operates a response system against various security threats.

* Detection names

 - Backdoor/W32.Poison.133511
 - Backdoor/W32.Poison.128421.B
 - Backdoor/W32.Poison.128405
 - Backdoor/W32.Poison.177722
 - Backdoor/W32.Poison.135794
 - Backdoor/W32.Poison.132031
 - Backdoor/W32.Poison.128204
 - Trojan-Dropper/W32.Agent.153938
 - Trojan/W32.Agent2.536397
 - Trojan/W32.Agent2.141530
 - Trojan/W32.Chifrax.150357
 - Trojan/W32.Genome.155705
 - Trojan/W32.Inject.136314
 - Trojan-Downloader/W32.Injecter.532499
 - Trojan-Downloader/W32.Injecter.153026
 - Trojan-Downloader/W32.Injecter.159762
 - Trojan-Downloader/W32.Injecter.150937
 - Trojan-Downloader/W32.Injecter.173068
 - Trojan-Downloader/W32.Injecter.154827
