An advanced persistent threat (APT) malware campaign seen in August and September 2014 is the subject of new research by one of our threat analysts at SophosLabs.
Sophos is calling this malware campaign “Rotten Tomato,” in reference to the Tomato Garden campaign; and because some of the samples were rotten in the sense that they were not effectively executed.
In a new technical paper on the threat, Principal Threat Researcher Gabor Szappanos of SophosLabs Hungary takes an interesting dive into the world of the attackers, examining the malware used by the cybercriminals in these attacks and showing how several different groups used the same zero-day Microsoft Word exploit.
“There must have been a staff meeting, where the manager prompted that, in the next malware distribution campaign they should not only use the aging CVE-2012-0158 vulnerability, but the newer CVE-2014-1761 as well,” Gabor writes.
In Rotten Tomato, the groups somehow got hold of a document that exploited the vulnerability, left the exploit portion of the document and the shellcode intact, and changed only the encrypted executable appended at the end.
Gabor has followed the PlugX malware family for the past two years. By watching the evolution of malware samples over that period, Gabor has gained special insight into targeted attacks and the attackers behind them.
In a previous paper, in which Gabor asked “Are APTs the new normal?”, he wrote about how common malware groups copy APTs.
Now the Rotten Tomato campaign shows that APT authors are getting ideas from the common malware groups, Gabor says, making the already narrow line between them even harder to define.
Read Gabor’s research paper by clicking here: The Rotten Tomato Campaign.
About SophosLabs
SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts. Keep up to date with our latest research and technical papers, expert opinion, and security advice at Naked Security.
Follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.