ESET, a global provider of security solutions for businesses and consumers, says its malware researchers have analyzed a malicious code sample that ESET detects as Win32/Syndicasec.A. ESET telemetry shows that the scale of infection is extremely small and confined to Nepal and China. Earlier versions of this threat have been identified dating back to 2010.
The main payload is a piece of JavaScript code registered in the Windows WMI subsystem, so the script lives in the WMI repository and is run by WMI rather than as a conventional executable. The threat uses fake blogs to discover its C&C servers, which are hosted on Tibet-related domains. The commands sent to the test machine ESET infected for this investigation were issued manually by the attacker and consisted of collecting information from the file system and the registry. The characteristics of this operation closely resemble previous espionage campaigns against Tibetan activists, such as OS X/Lamadai.
Win32/Syndicasec initially gains access to a target computer through an exploit. ESET's engine blocked the exploitation attempt but was unable to capture the original exploit itself. The malicious script is contained in a WMI '__EventConsumer' object; the standard consumer subclass that executes inline VBScript or JScript when a subscribed event fires is ActiveScriptEventConsumer. The code is straightforward to analyze and almost self-documenting once properly formatted.
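Because the payload is stored as a WMI event consumer rather than as a file, the practical check on a suspect Windows host is to enumerate permanent WMI event subscriptions and look at what each consumer would execute. The script below is an added example written for this article, not ESET's code and not taken from the malware: it joins the `__FilterToConsumerBinding` instances in `root\subscription` to their filters and consumers, flags the consumer classes that run arbitrary script or commands, and dumps their payload for inspection. The class names are standard WMI; the names of any subscriptions it prints depend on the host, and none are assumed.

```powershell
# Added example (not ESET's code): hunt for the persistence technique Syndicasec
# relies on, a script stored in a permanent WMI event subscription.
# Run in an elevated PowerShell session (reading root\subscription needs admin rights).

$ns = 'root\subscription'

function Get-RefName($ref) {
    # Binding Filter/Consumer properties are object references. Get-CimInstance
    # returns them as CimInstance objects; Get-WmiObject returns strings such as
    # __EventFilter.Name="SCM Event Log Filter". Handle both shapes.
    if ($ref -is [string]) { return ($ref -split '"')[1] }
    return $ref.Name
}

function Get-WmiSubscriptionFindings {
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        if (-not $c) { continue }

        # Enumerating the abstract base class __EventConsumer returns instances of
        # every derived class; CimClassName tells us which one this really is.
        $class = $c.CimClass.CimClassName

        # ActiveScriptEventConsumer carries its payload inline (ScriptText) or by
        # path (ScriptFileName); CommandLineEventConsumer holds a command line.
        $payload = switch ($class) {
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            default                     { '' }
        }

        [pscustomobject]@{
            Filter        = $fName
            Query         = if ($f) { $f.Query } else { '<filter missing>' }
            ConsumerClass = $class
            Consumer      = $cName
            # Script and command-line consumers are the ones that give an attacker
            # code execution; log-writing or SMTP consumers cannot.
            Suspicious    = $class -in @('ActiveScriptEventConsumer', 'CommandLineEventConsumer')
            Payload       = $payload
        }
    }
}

$findings = @(Get-WmiSubscriptionFindings)
$findings | Format-List

# To remove a confirmed malicious subscription, delete the binding first, then the
# consumer and filter, e.g.:
#   Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
#       Where-Object { (Get-RefName $_.Consumer) -eq '<ConsumerName>' } | Remove-CimInstance
#   Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -Filter "Name='<ConsumerName>'" | Remove-CimInstance
#   Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='<FilterName>'" | Remove-CimInstance
```

A stock Windows install normally shows one binding, the "SCM Event Log Filter" to the "SCM Event Log Consumer" (class NTEventLogEventConsumer), which is benign and will not be flagged. Anything flagged as Suspicious deserves a look at its Query (what event triggers it, typically a timer or a system-start or process-creation event) and its Payload; as ESET notes for this sample, an inline script is usually easy to read once reformatted. On Windows 10 and later, the Microsoft-Windows-WMI-Activity/Operational log also records the creation of permanent subscriptions (event ID 5861), which gives a point-in-time record that this enumeration cannot.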
Observed activity
In parallel with the analysis of the code, ESET monitored the behavior of a test machine that it deliberately infected with Win32/Syndicasec. The first few days of monitoring showed no activity whatsoever; then commands began arriving from the C&C. The interaction between the C&C and the bot did not look automated at all: every day brought different commands at irregular intervals, just as if someone were sitting at a console and manually controlling infected hosts.
For the sake of brevity, ESET reproduced the full code of only a few of the more interesting calls. Essentially, the operator was browsing the test machine's filesystem and inspecting detailed settings and state on the infected machine, such as network settings, attached drives and running programs. The day after this visit, the operator sent another set of commands to gather system information specific to the infected host. In this session the commands had roughly the same purpose but were constructed differently, strongly suggesting a different operator from the previous day.
Conclusion
This analysis showed a rather unusual set of techniques used to build a stealthy and flexible backdoor. Because the backdoor has no built-in commands and simply executes whatever the operator sends, the code alone does not reveal the real end-goal of the operation. However, ESET can affirm that the characteristics observed around this threat resemble those of other espionage campaigns against Tibetan activists that ESET has observed.