Categories: SecurityWorkspace

Malware Steals US Government Documents

The crew behind the Kneber botnet that made headlines last year may have surfaced again in a malware campaign targeting employees of various governments.

The botnet, which pushes out the Zeus Trojan, was spotted around Christmas time spamming out malware through a phony holiday message from the White House. Those who received the card and either clicked on a link to an e-card or opened a malicious attachment were compromised.

Data-stealing trojan

That Zeus was stealing data will come as no surprise to anyone familiar with the Trojan; but the idea that a piece of malware most commonly associated with swiping banking credentials was after documents raised some eyebrows.

According to security blogger Brian Krebs, the botnet operators were able to get their hands on more than 2 gigabytes of PDFs, Microsoft Word and Excel documents from dozens of victims, including an employee at the US National Science Foundation’s Office of Cyberinfrastructure and an official with the Moroccan government’s Ministry of Industry, Commerce and New Technologies.

“A targeted-attack against government employees with an add-on that specifically steals documents (Excel files, Word files and PDFs) is not typically the MO of ZeuS operators,” opined Alex Cox, principal research analyst at NetWitness. “They tend to focus on banking credentials, so that makes it unusual.”

Last February, researchers at NetWitness reported uncovering a 75,000-strong botnet built on the back of Zeus. The botnet was dubbed “Kneber” due to a username linking the infected systems, and stole not only banking information, but also credentials for social networks such as Facebook and hi5.

“Success in the botnet world is often measured by infection percentages, so as an operator…getting a large quantity of official documents makes it that much easier to craft a better attack the next time, because I have insider information, jargon and acronyms that may help me ‘legitimise’ my attack,” Cox said. “I can also sell these documents from a purely information gathering standpoint to interested parties.”

Intellectual property theft

Mary Landesman, senior security researcher for Cisco Security Intelligence Operations, noted that while Zeus typically pilfers banking information, there are numerous examples of it being used to steal intellectual property as well.

“Primary targets of Zeus-enabled intellectual property theft have been members of the US Government and military,” she said. “Most of this has come about as a result of spear phishing-style email that purports to be from someone they know, i.e. spoofing some government official/agency.”

According to an analysis by NetWitness, the recent spam downloaded a second-stage executable called ‘pack.exe’. The executable searched the compromised PC for xls, doc and PDF files and uploaded the information to a server based in Belarus that resolved to ‘uploadpack.org’. The botnet detailed in February meanwhile had a second-stage executable known as ‘stat.exe’ that searched for the files and sent them to a server also based in Belarus. Both stat.exe and pack.exe were revealed to be perl scripts that had been converted to executables with the perl2exe tool.

“This, because it is such a small and fairly unknown aspect of the kneber compromise, makes us think that this is indeed the same operator, who is again after documents pertaining to US Government activities,” Cox blogged. “This evidence shows the continuing convergence of cyber-crime and cyber-espionage activities, and how they occasionally mirror or play off one another.”

Zeus remains popular in the cyber-underground. In October, security researchers told eWEEK that the price tag for Zeus can be in the thousands.

“Though Zeus is well known to the security industry, new variants are constantly introduced which can, at least temporarily, defeat signature-based scanners,” Landesman said.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

8 hours ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

9 hours ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

10 hours ago

VW, Rivian Launch Joint Venture, As Investment Rises To $5.8 Billion

Volkswagen and Rivian officially launch their joint venture, as German car giant ups investment to…

11 hours ago

AMD Axes 4 Percent Of Staff, Amid AI Chip Focus

Merry Christmas staff. AMD hands marching orders to 1,000 employees in the led up to…

14 hours ago

Tesla Recalls 2,431 Cybertrucks Over Propulsion Issue

Recall number six in 2024 for Tesla Cybertruck, and this time the fault cannot be…

15 hours ago