Trend Micro’s TrendLabs research arm noted that the attack, which is part of the EXPIRO malware family, uses exploit kits (in particular Java and PDF exploits) to deliver file infectors onto vulnerable systems. It ultimately steals system and user information, such as the Windows product ID, drive volume serial number, Windows version and user login credentials. It also steals stored FTP credentials from the Filezilla FTP client.
“Interestingly, these file infectors have information theft routines, which is a behavior not usually found among file infectors”, researchers noted in a blog. “In addition to standard file infection routines, the variants seen in this attack also have information theft routines, an uncommon routine for file infectors.”
Typically, a user is lured to a malicious site that contains one of several exploit kits, including a Java exploit that uses CVE-2012-1723 or CVE-2013-1493 vulnerabilities, and a PDF exploit.
The result is the loading of a mother file infector onto the affected system, which then seeks out any executable files in the system to infect, across all available drives (including removable, shared and networked drives). The stolen information is then saved in a .DLL file and uploaded to various command-and-control (C&C) servers.
“It is possible that this attack was intended to steal information from organizations or to compromise websites, as the specific targeting of FTP credentials suggests either was possible,” researchers noted. “The combination of threats used is highly unusual, and suggests that this attack was not an off-the-shelf attack that used readily available cybercrime tools.”
Sophos said that EXPIRO is typically a family of polymorphic file infectors, meaning that the viral code inserted into each infected file is unique while still maintaining the same malicious functionality. The viral payload includes functionality to inject malicious code into web pages visited as well as to steal login credentials. One variant's infection routine also has additional code to handle files protected by System File Checker (SFC).
To achieve persistence, the infection routine ensures that it initially infects at least one executable that already has an associated Run registry key entry, so the infected file is launched automatically at each logon without the malware having to add a startup entry of its own.
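A defender-side check that follows from this persistence trick, added here as an example and not taken from the Trend Micro or Sophos write-ups: enumerate the executables referenced by the standard Run keys and report their Authenticode signature status, hash and last-write time, since a file infector that appends code to a signed binary invalidates its signature. The key paths and the `Get-RunKeyExecutablePath` helper are assumptions of this example.

```powershell
# Added example (not from the article): triage executables referenced by Run keys.
# EXPIRO persists by infecting a binary that already has a Run key entry, so a
# Run-key target whose signature is no longer valid or that was recently modified
# is worth a closer look. Unsigned status alone is not proof; many legitimate
# programs ship unsigned. Run from an elevated PowerShell session.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyExecutablePath {
    # Extract the executable path from a Run value such as
    #   "C:\Program Files\App\app.exe" /silent   or   C:\Tools\agent.exe -start
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 0) { return $cl.Substring(1, $end - 1) }
        return $cl.Trim('"')
    }
    $m = [regex]::Match($cl, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $exe = [Environment]::ExpandEnvironmentVariables((Get-RunKeyExecutablePath $p.Value))
        if (-not (Test-Path $exe)) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Path = $exe; Signature = 'MISSING'; SHA256 = ''; Modified = '' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        [pscustomobject]@{
            Key       = $key
            Name      = $p.Name
            Path      = $exe
            Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            SHA256    = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
            Modified  = (Get-Item $exe).LastWriteTime
        }
    }
}
```

Sort the output by `Modified` and review any entry whose `Signature` is `HashMismatch`, or whose hash differs from the vendor's known-good value, against the rest of the fleet.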
About 70% of total infections are within the United States, TrendLabs noted.
“Since this particular attack used exploits targeting vulnerabilities, we recommend users to update their systems with the latest security patches immediately,” the researchers said.