MSUpdater Trojan Installed by Spearphishing

After Zscaler and Seculert independently identified targeted attacks that used Remote Access Tool (RAT) malware to compromise several government-related organizations, the two firms collaborated on the analysis. Pooling their data, they were able to link the current attacks to a series of targeted attacks that has been running since early 2009. They identified the threat vector as highly targeted spearphishing emails with malicious attachments, and gave several examples of the social engineering that went into making each email convincing. They announced their findings in a January 31, 2012 blog posting and also issued a detailed joint technical report.

Zscaler and Seculert named this class of malware the “MSUpdater” Trojan because it attempts to evade network security products by disguising its command-and-control traffic as “Microsoft Windows Update” HTTP requests. Those fake HTTP requests were found to operate in conjunction with other malware that used a file named “msupdater.exe”.
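The evasion described above works only as long as a filter trusts anything that looks like Windows Update. The following added example (not code from the Zscaler/Seculert report, and not the report's indicators) shows the kind of proxy-log check that defeats it: any request whose URL or User-Agent is shaped like Windows Update, but which is sent to a bare IP address or to a host outside an allowlist of Microsoft update domains, is flagged. The log format, the allowlist and the sample log lines are all constructed assumptions for the example.

```python
"""Flag HTTP requests that impersonate Windows Update but do not go to Microsoft.

Added example. The log format, the allowlist of update hosts and the sample
lines are constructed assumptions; they are not indicators from the report.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumption: domain suffixes that legitimately serve Windows Update traffic.
LEGIT_UPDATE_SUFFIXES = (
    ".windowsupdate.com",
    ".update.microsoft.com",
    ".windowsupdate.microsoft.com",
)

# Strings that make a request *look* like Windows Update to a casual filter.
UPDATE_LURES = ("windowsupdate", "update.microsoft", "msupdate", "wuauclt")

# Constructed proxy log format:
#   <timestamp> <client_ip> <dst_ip> <method> <url> <status> "<user_agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

# Constructed sample log (documentation IP ranges; none of these are real hosts).
SAMPLE_LOG = """\
2012-01-31T10:00:01Z 10.0.0.5 192.0.2.10 GET http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab 200 "Windows-Update-Agent"
2012-01-31T10:00:02Z 10.0.0.5 198.51.100.23 GET http://198.51.100.23/windowsupdate/v6/default.aspx?id=1 200 "Windows-Update-Agent"
2012-01-31T10:00:03Z 10.0.0.7 203.0.113.9 GET http://update.microsoft.com.example.net/msupdate/check.php 200 "Mozilla/4.0"
2012-01-31T10:00:04Z 10.0.0.7 192.0.2.44 GET http://example.org/index.html 200 "Mozilla/5.0"
"""


def is_legit_update_host(host):
    """True if the host is a Microsoft update domain (or a subdomain of one)."""
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in LEGIT_UPDATE_SUFFIXES)


def looks_like_update(text):
    """True if the URL or User-Agent carries a Windows Update lure string."""
    t = text.lower()
    return any(lure in t for lure in UPDATE_LURES) or "update" in t


def classify(line):
    """Return a finding dict for a fake-update request, or None for clean lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, dst, method, url, status, ua = m.groups()
    if not (looks_like_update(url) or looks_like_update(ua)):
        return None  # not update-shaped traffic at all; out of scope here
    host = urlsplit(url).hostname or ""
    reasons = []
    try:
        ip_address(host)  # update traffic to a bare IP literal is never legitimate
        reasons.append("update-shaped request to bare IP literal")
    except ValueError:
        if not is_legit_update_host(host):
            reasons.append("update lure on non-Microsoft host " + host)
    if reasons:
        return {"time": ts, "client": client, "dst": dst, "url": url, "reasons": reasons}
    return None


def find_fake_update_requests(log_text):
    """Run the check over every line of a log and collect the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in find_fake_update_requests(SAMPLE_LOG):
        print(finding["client"], "->", finding["url"], ";", "; ".join(finding["reasons"]))
```

The lure check is deliberately broad; it is the allowlist that does the work. Run over the constructed log, the two spoofed requests (to a bare IP and to a look-alike domain) are flagged and the genuine download.windowsupdate.com request is not. In production, the exact URIs and User-Agent strings published in the joint report should be the primary signatures; this host check is a second layer that survives the adversary changing them.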

Because this is a particularly insidious RAT that is built to avoid detection, Zscaler and Seculert advise:

Use these [technical] indicators to help provide detection and remediation of this threat within your enterprise. This was the overall goal of releasing this information. Note however, that the overall targeted threat will likely adapt and remain a constant adversary – that is, if your particular organization is the target of an attack it is likely that it will continue to be targeted. Use this knowledge to adapt your organization’s security policies and resources appropriately.

We agree that detection and remediation are important responses to the MSUpdater Trojan. But note the opportunity for PREVENTION:

Based on the information available, the threat arrives in phishing emails with a PDF attachment, often themed around conferences for the targeted industry. The PDF exploits vulnerabilities in Adobe Reader (for example, a 0-day exploit was used against CVE-2010-2883) and drops a series of files that begin communicating with the command and control (C&C) server.
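Since the whole chain starts with a PDF attachment that executes something when opened, one prevention point is the mail gateway. The added example below (my own code, not Iconix's product and not a signature for the CVE-2010-2883 exploit) parses a raw message, identifies PDF attachments by their magic bytes rather than by filename or declared MIME type, and flags those that contain objects which run on open (/OpenAction, /JavaScript, /Launch and similar). The sample message, attachment names and the minimal PDFs inside it are constructed for the example; the token list is a generic triage heuristic and is an assumption, not the report's indicator list.

```python
"""Triage e-mail attachments for PDF files carrying active content.

Added example. The message, the attachments and the risky-object list are
constructed assumptions; none of it comes from the Zscaler/Seculert report.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumption: PDF dictionary keys that cause code or external actions to run when
# the document is opened. A hit means "detonate or quarantine", not "exploit".
RISKY_PDF_TOKENS = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
    b"/Launch", b"/EmbeddedFile", b"/RichMedia",
)


def is_pdf(data):
    """Identify a PDF by its header; attackers rename files and lie in MIME types."""
    return data.lstrip()[:5] == b"%PDF-"


def risky_tokens(pdf_bytes):
    """Return the risky dictionary keys present (token not followed by a letter)."""
    return [t.decode() for t in RISKY_PDF_TOKENS
            if re.search(re.escape(t) + rb"(?![A-Za-z])", pdf_bytes)]


def triage_message(raw):
    """Parse a raw RFC 5322 message and report every PDF attachment found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if is_pdf(data):
            findings.append({
                "filename": part.get_filename() or "(unnamed)",
                "declared_type": part.get_content_type(),
                "risky": risky_tokens(data),
            })
    return findings


def should_quarantine(findings):
    """Policy decision: hold the message if any PDF attachment has active content."""
    return any(f["risky"] for f in findings)


# Constructed minimal PDF: opens straight into a JavaScript action (harmless alert).
MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('conference agenda')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed minimal PDF with no active content.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_sample_message():
    """Constructed spearphish: conference lure, PDF hidden behind a generic MIME type."""
    msg = EmailMessage()
    msg["From"] = "organizer@conference.example"
    msg["To"] = "analyst@agency.example"
    msg["Subject"] = "Updated agenda for next week's conference"
    msg.set_content("Please review the attached agenda before the session.")
    msg.add_attachment(MALICIOUS_PDF, maintype="application",
                       subtype="octet-stream", filename="Conference_Agenda.pdf")
    msg.add_attachment(BENIGN_PDF, maintype="application",
                       subtype="pdf", filename="Speaker_List.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    results = triage_message(build_sample_message())
    for f in results:
        print(f["filename"], f["declared_type"], f["risky"] or "clean")
    print("quarantine:", should_quarantine(results))
```

On the constructed message the agenda PDF is caught even though it is declared as application/octet-stream, because the check keys on the file header. The heuristic is coarse by design: it does not find the malformed font that CVE-2010-2883 exploits, and a gateway should combine it with patched readers, attachment detonation and the report's indicators rather than rely on it alone.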

Spearphishing attacks people, not systems. Employees must be equipped to defend against these attacks: when the attack targets the human, the human must be hardened. A tool that does this is available now from Iconix: SP Guard.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard now offers a fraud filtering enhancement. This additional protection is increasingly important given the latest generation of highly targeted spear-phishing emails, which are so well crafted that users cannot tell real from fake.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext. 3, or use our online form.
