Sham G20 Summit Email Carries “Split” Backdoor
The said message is purportedly from the event’s planning team and refers to a “pre-summit meeting”:
Figure 1. Spammed message
The email arrives with a RAR attachment containing three files: one LNK file and two other binary files. Based on our analysis, the binary files are actually one file that was split into two. On their own, these pieces may appear to pose no threat or risk, since neither is identified as a valid file.
The LNK file is not a simple shortcut file; it contains custom commands that reconstruct the two separated binary files into one file and execute it (detected as BKDR_SISPROC.A). As a backdoor, BKDR_SISPROC.A communicates with its remote servers to execute malicious commands on the infected system.
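The split-file pattern described above leaves a usable detection signal: each fragment looks like junk, but the pieces concatenate back into a valid executable. The following is an added example (not Trend Micro's code, nor any tooling from the campaign) of an attachment triage check that takes the files extracted from an archive, keeps those that are not already a structurally valid PE, and reports any pair whose concatenation passes a PE header check. All file names and bytes in the sample archive are constructed for illustration; the signature table is a short assumed subset, not a full file-type database.

```python
"""
Attachment triage for the "split binary" pattern: flag fragments that are not
valid files on their own but form a PE executable when joined. Added example with
constructed sample data; not code from the original analysis.
"""
import itertools
import struct

# Assumed subset of file signatures. A fragment starting with none of these is
# "unidentified", which is what a split-off tail of a PE looks like by itself.
KNOWN_MAGICS = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP/OOXML archive",
    b"Rar!\x1a\x07": "RAR archive",
    b"L\x00\x00\x00\x01\x14\x02\x00": "Windows shortcut (LNK)",
}


def identify(data: bytes):
    """Return the type name for a recognised leading signature, or None."""
    for magic, name in KNOWN_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def looks_like_pe(data: bytes) -> bool:
    """Structural check: 'MZ' DOS header whose e_lfanew points at 'PE\\0\\0'.
    A truncated first half fails this even though it starts with 'MZ'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_split_binaries(files: dict) -> list:
    """files: {name: bytes}. Return (first, second) name pairs where neither part
    is a valid PE alone but first + second passes the PE header check."""
    # Candidates: unidentified blobs, or 'MZ'-prefixed blobs that are incomplete.
    candidates = {
        n: d for n, d in files.items()
        if not looks_like_pe(d) and identify(d) in (None, "PE executable")
    }
    hits = []
    for a, b in itertools.permutations(candidates, 2):
        if looks_like_pe(candidates[a] + candidates[b]):
            hits.append((a, b))
    return hits


def build_sample_pe() -> bytes:
    """Constructed stand-in for a PE image: DOS header with e_lfanew=0x80, a
    zero-filled DOS stub, then the PE signature and a little header padding."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)        # e_lfanew
    hdr += b"\x00" * (0x80 - len(hdr))             # DOS stub up to e_lfanew
    hdr += b"PE\x00\x00" + b"\x4c\x01"             # signature + Machine=i386
    hdr += b"\x00" * 64                            # remainder of the headers
    return bytes(hdr)


def sample_archive() -> dict:
    """Constructed stand-in for the attachment contents: one LNK plus two halves
    of a PE, cut so that neither half is a complete header on its own."""
    pe = build_sample_pe()
    cut = 0x60
    return {
        "meeting.lnk": b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 14,
        "part1.dat": pe[:cut],
        "part2.dat": pe[cut:],
    }


if __name__ == "__main__":
    files = sample_archive()
    for name, data in files.items():
        print(f"{name}: {identify(data) or 'unidentified'}, valid PE={looks_like_pe(data)}")
    print("split-binary pairs:", find_split_binaries(sample_archive()))
```

In a mail gateway or sandbox, the natural trigger is an archive that contains a shortcut file alongside fragments reported by this check; the LNK itself warrants inspection at that point, because a shortcut that needs to reassemble its payload has no benign reason to be there.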
More importantly, this backdoor also downloads plugins, which then carry out various data-stealing behaviors such as screen capture and keylogging. Using plugins instead of a standalone file has certain advantages for evading detection: plugins need not be complete, valid files in order to work (similar to BKDR_PLUGX), they are loaded into the malware's own memory space so no new process is spawned, and they are generally smaller than whole files.
Overall, the techniques exhibited by this attack do not constitute a new threat. However, as we predicted and have confirmed this year, malicious actors are focused on refining how they distribute threats and evade detection. Splitting a binary into two files is a clear manifestation of the ongoing attempts to keep attacks under the radar.
Because the email piggybacks on a timely and relevant social engineering lure, it is particularly valuable for organizations to educate their users on how to spot such fraud from the get-go. Trend Micro blocks the related email, URL, and malware.
With analysis from Eruel Ramos and Merianne Polintan.