The Rotten Tomato Campaign: New SophosLabs research on APTs


An advanced persistent threat (APT) malware campaign seen in August and September 2014 is the subject of new research by one of our threat analysts at SophosLabs.

Sophos is calling this malware campaign “Rotten Tomato”, partly in reference to the earlier Tomato Garden campaign, and partly because some of the samples were rotten, in the sense that they did not execute effectively.

In a new technical paper on the threat, Principal Threat Researcher Gabor Szappanos, of SophosLabs Hungary, takes an interesting dive into the world of the attackers, examining the malware used in these attacks and showing how several different groups used the same zero-day Microsoft Word exploit.

“There must have been a staff meeting, where the manager prompted that, in the next malware distribution campaign they should not only use the aging CVE-2012-0158 vulnerability, but the newer CVE-2014-1761 as well,” Gabor writes.

In Rotten Tomato, the groups somehow got hold of a document that exploited the vulnerability, left the exploit document and its shellcode intact, and changed only the encrypted executable appended at the end.
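When samples keep the exploit document and shellcode intact and swap only the appended payload, they share a long common byte prefix and differ only in the tail. The script below is an added triage example (not SophosLabs code, and not the paper's method): it groups samples by shared prefix with a union-find, reports the carrier length as the shortest common prefix inside each group, and fingerprints each sample's tail so payload variants can be told apart. The sample bytes, the `min_prefix` threshold and the XOR "encryption" are all constructed placeholders.

```python
"""Cluster malicious documents that reuse one exploit carrier (added example).

Constructed stand-in data: the carrier is placeholder bytes, not real
exploit content, and the payload tails are XOR-masked strings.
"""
import hashlib
from itertools import combinations
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a blob, used as a stable fingerprint."""
    return hashlib.sha256(data).hexdigest()


def common_prefix_length(a: bytes, b: bytes) -> int:
    """Number of leading bytes two blobs have in common."""
    limit = min(len(a), len(b))
    i = 0
    while i < limit and a[i] == b[i]:
        i += 1
    return i


def cluster_by_carrier(samples: Dict[str, bytes], min_prefix: int) -> List[dict]:
    """Group samples whose pairwise common prefix is at least min_prefix bytes.

    Each record holds the group members, the carrier length (shortest common
    prefix within the group), a carrier fingerprint, and a fingerprint of the
    bytes each member appends after the carrier. Singletons get carrier_len 0:
    with nothing to compare against, the whole file counts as the tail.
    """
    names = sorted(samples)
    parent = {n: n for n in names}

    def find(n: str) -> str:
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path compression
            n = parent[n]
        return n

    lcp: Dict[Tuple[str, str], int] = {}
    for a, b in combinations(names, 2):  # pairs are in sorted order (a < b)
        lcp[(a, b)] = common_prefix_length(samples[a], samples[b])
        if lcp[(a, b)] >= min_prefix:
            parent[find(a)] = find(b)

    groups: Dict[str, List[str]] = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)  # members stay sorted

    records = []
    for members in groups.values():
        if len(members) == 1:
            carrier_len = 0
        else:
            carrier_len = min(lcp[(a, b)] for a, b in combinations(members, 2))
        carrier = samples[members[0]][:carrier_len]
        records.append({
            "members": members,
            "carrier_len": carrier_len,
            "carrier_sha256": sha256_hex(carrier),
            "tails": {m: sha256_hex(samples[m][carrier_len:]) for m in members},
        })
    return sorted(records, key=lambda r: r["members"])


# Constructed carrier: placeholder for "exploit document + shellcode".
CARRIER = b"{\\rtf1\\ansi CONSTRUCTED-EXPLOIT-CARRIER " + bytes(range(256)) * 2


def _mask(payload: bytes, key: int) -> bytes:
    """Toy XOR masking standing in for the appended encrypted executable."""
    return bytes(b ^ key for b in payload)


# Constructed samples: three share the carrier, one is a different document.
SAMPLES = {
    "sample_a.rtf": CARRIER + _mask(b"A-payload-variant" * 8, 0x5A),
    "sample_b.rtf": CARRIER + _mask(b"B-payload-variant" * 8, 0x5A),
    "sample_c.rtf": CARRIER + _mask(b"C-third-payload" * 10, 0x33),
    "unrelated.rtf": b"{\\rtf1\\ansi DIFFERENT-DOCUMENT "
    + bytes(reversed(range(256))) * 2
    + b"x" * 50,
}


if __name__ == "__main__":
    for rec in cluster_by_carrier(SAMPLES, min_prefix=256):
        print(f"carrier {rec['carrier_sha256'][:12]} ({rec['carrier_len']} bytes):")
        for name, tail in rec["tails"].items():
            print(f"  {name:14s} tail {tail[:12]}")
```

The threshold has to be chosen per case: the shared RTF header alone produces a short common prefix between unrelated documents, so `min_prefix` should sit well above that and below the carrier size. Once a group is found, the tails are what deserve separate unpacking, and the carrier hash is the thing to watch for across future samples.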

Gabor has followed the PlugX malware family for the past two years. By watching the evolution of malware samples over that period, Gabor has gained special insight into targeted attacks and the attackers behind them.

In a previous paper, in which Gabor asked “Are APTs the new normal?”, he wrote about how common malware groups copy APTs.

Now the Rotten Tomato campaign shows that APT authors are also getting ideas from the common malware groups, Gabor says, so the already narrow line between the two becomes even harder to draw.

Read Gabor’s research paper: The Rotten Tomato Campaign.

About SophosLabs

SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts. Keep up to date with our latest research and technical papers, expert opinion, and security advice at Naked Security.

Follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.
