Citrix Apps Used as Lure in Targeted Attack Against Global Airline

The effectiveness of a social engineering lure depends on its relevance to the target. In past attacks this has often meant state-related issues; in some cases it can be as specific as a particular service the target organization is known to use.

We recently dealt with a targeted attack aimed at a major global airline that used certain Citrix products and services as its social engineering lure. The lure was well chosen: the targeted airline does in fact use Citrix products. The emails used in the attack contained a URL that, at first glance, appears to be an organization’s Citrix XenApp login page. Even the format of the URL itself, http:// {domain name} /Citrix/XenApp/auth/Login.aspx, is identical to the format of actual Citrix login pages; only the domain name gives it away, and only to a user who knows which host serves the organization's real Citrix login.

Despite the similarity, the link does not lead to a login page. Instead, it leads to a file named Citrix XenApp Secure Input ActiveX Control.exe, which is the backdoor BKDR_HURIX.A. The path and filename under which the backdoor installs itself, %AllUsersProfile%\CitrixReceiver\CitrixReceiver.exe, mimic the legitimate Citrix Receiver client and further reinforce the false impression of a genuine Citrix component.

BKDR_HURIX.A appears to have used two URL formats for its command-and-control (C&C) traffic, both pointing to a fan site of a Hong Kong actress:

  • http:// {C&C server} /news/view.asp?cookie={random}&type={number}&vid={number}
  • http:// {C&C server} /news/photo/{random}.jpg?vid={number}
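The two artifacts above, the lookalike XenApp login URL and the two beacon formats, are what a defender would look for in web proxy logs. The following is an added detection example written for this page; it is not code from Trend Micro or from the original post. The log lines and hostnames (all under the reserved .invalid TLD, since the post redacts the real ones) are constructed, and the allowlist of known Citrix hosts is an assumption: the organization must know the hostnames of its own Citrix gateways for the lookalike check to work.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy log sample (not from the original post): "timestamp client_ip url".
# Hostnames use the reserved .invalid TLD; the original post redacts the real ones.
SAMPLE_LOG = """\
2014-05-12T09:14:02Z 10.0.0.21 http://example.invalid/Citrix/XenApp/auth/Login.aspx
2014-05-12T09:14:05Z 10.0.0.21 http://example.invalid/Citrix/XenApp/auth/Login.aspx
2014-05-12T09:20:11Z 10.0.0.21 http://fansite.invalid/news/view.asp?cookie=a8f3k2&type=1&vid=42
2014-05-12T09:21:40Z 10.0.0.21 http://fansite.invalid/news/photo/zq9x1p.jpg?vid=42
2014-05-12T10:02:00Z 10.0.0.33 http://citrix.corp.invalid/Citrix/XenApp/auth/Login.aspx
2014-05-12T10:05:13Z 10.0.0.33 http://news.invalid/news/view.asp?id=7
"""

# Path of a genuine XenApp web login, as quoted in the post (compared case-insensitively).
XENAPP_LOGIN_PATH = "/citrix/xenapp/auth/login.aspx"

# Assumption: the organization knows the hostnames of its own Citrix gateways.
KNOWN_CITRIX_HOSTS = {"citrix.corp.invalid"}

# Query parameters carried by the first BKDR_HURIX.A beacon format.
VIEW_PARAMS = {"cookie", "type", "vid"}
# Path shape of the second beacon format: /news/photo/{random}.jpg
PHOTO_PATH = re.compile(r"^/news/photo/[^/]+\.jpg$", re.IGNORECASE)


def classify_url(url, known_citrix_hosts=KNOWN_CITRIX_HOSTS):
    """Return a label for a suspicious URL, or None if it matches no pattern."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path
    query = parse_qs(parsed.query)

    # Lure: the exact XenApp login path on a host that is not one of ours.
    if path.lower() == XENAPP_LOGIN_PATH and host not in known_citrix_hosts:
        return "xenapp-lookalike"

    # Beacon 1: /news/view.asp?cookie={random}&type={number}&vid={number}
    if (path.lower() == "/news/view.asp"
            and VIEW_PARAMS.issubset(query)
            and query["type"][0].isdigit()
            and query["vid"][0].isdigit()):
        return "hurix-beacon-view"

    # Beacon 2: /news/photo/{random}.jpg?vid={number}
    if PHOTO_PATH.match(path) and "vid" in query and query["vid"][0].isdigit():
        return "hurix-beacon-photo"

    return None


def scan_log(text, known_citrix_hosts=KNOWN_CITRIX_HOSTS):
    """Scan log lines; return (line_number, client_ip, label) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip it
        _timestamp, client, url = fields[:3]
        label = classify_url(url, known_citrix_hosts)
        if label is not None:
            hits.append((lineno, client, label))
    return hits


def clients_with_lure_and_beacon(hits):
    """Clients that both visited a lookalike login page and beaconed: likely infected."""
    by_client = {}
    for _lineno, client, label in hits:
        by_client.setdefault(client, set()).add(label)
    return sorted(client for client, labels in by_client.items()
                  if "xenapp-lookalike" in labels
                  and any(l.startswith("hurix-beacon") for l in labels))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("likely infected:", clients_with_lure_and_beacon(found))
```

The beacon paths (`/news/view.asp`, `/news/photo/*.jpg`) look like ordinary news-site traffic, so on their own they will produce false positives; the point of `clients_with_lure_and_beacon` is to raise confidence by requiring the same client to have first fetched the lookalike login URL. In a real deployment the dropped file path from the post, %AllUsersProfile%\CitrixReceiver\CitrixReceiver.exe, is the host-side indicator to pair with these network hits.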

Through communication with these C&C servers, the backdoor can execute the following commands:

  • Execute a command using cmd.exe
  • Drop and execute a file from the C&C server
  • Read a file and send the contents to the C&C server
  • Execute a file using the Windows API function WinExec
  • Uninstall itself
  • Get the malware process ID and file name

BKDR_HURIX.A also appears to check whether it is running in a virtual machine or automated sandbox: it does not proceed with its routine unless the mouse is moved and the foreground window changes, that is, unless there is evidence of a human at the keyboard. An analysis environment that does not simulate such user activity will therefore observe no malicious behavior at all. It is very likely that we will see more threats with this behavior moving forward.

Double Trouble

Interestingly, users targeted by this attack were also found to be affected by another threat: a PlugX variant, BKDR_PLUGX.DUKKW. PlugX has an extensive list of information-stealing routines and is frequently seen in targeted attacks. Earlier this year, attacks using an Adobe Flash zero-day also delivered PlugX malware. As part of its routine, this variant uses the legitimate Chrome Frame application to load some of its malicious files, so that the attacker's code runs under the name of a trusted, signed program. (Support for Chrome Frame itself ended in January 2014.) Earlier PlugX attacks also used legitimate software to load malicious files.

The relationship between BKDR_HURIX.A and BKDR_PLUGX.DUKKW is unconfirmed at this point, but analysis revealed that both use the same encryption method. Regardless, Trend Micro products and solutions protect against the multiple aspects of this threat.

New Techniques, Same Tools

This incident highlights how threat actors update their attacks to stay relevant and evade detection. By now, “updates” related to events and gatherings are likely to raise suspicion, since it is well known that these are used as lures in targeted attacks. By changing their lures, the threat actors hope to reduce the chance that their attacks will be discovered and mitigated by the targeted organizations.

On the other hand, the use of familiar tools like PlugX is just one of the emerging trends we have observed in targeted attacks. Next week, we will release our Targeted Attack Trends report, covering data from the targeted attack campaigns we observed in the second half of 2013.

With additional analysis from Christopher Daniel So

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 15 May 2014; the full text is available from the content source above.