Sophos is calling this malware campaign “Rotten Tomato,” partly in reference to the Tomato Garden campaign and partly because some of the samples were rotten, in the sense that they did not execute effectively.
In a new technical paper on the threat, Principal Threat Researcher Gabor Szappanos of SophosLabs Hungary takes an interesting dive into the world of the attackers, examining the malware used in these attacks and showing how several different groups used the same zero-day Microsoft Word exploit.
“There must have been a staff meeting, where the manager prompted that, in the next malware distribution campaign they should not only use the aging CVE-2012-0158 vulnerability, but the newer CVE-2014-1761 as well,” Gabor writes.
In Rotten Tomato, the groups somehow got hold of a document that exploited the vulnerability, left the exploiting document part and the shellcode intact, and changed only the encrypted executable appended at the end.
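One defender-side triage step that this reuse pattern suggests, added here as an illustration and not code from the Sophos paper: split each sample into its RTF document part and whatever is appended after it, then group samples whose document part is byte-identical, so variants that differ only in the appended payload fall into one cluster. The sample bytes below are constructed placeholders, not real exploit content.

```python
from __future__ import annotations
import hashlib
from collections import defaultdict

def split_rtf_overlay(data: bytes) -> tuple[bytes, bytes]:
    """Split a sample into its RTF document part and any appended (overlay) data.

    The document is the outermost {...} group; bytes after its closing brace are
    overlay. Backslash-escaped braces (\\{ and \\}) are skipped so they do not
    affect the group depth. Non-RTF input comes back whole with an empty overlay.
    """
    if not data.startswith(b"{\\rtf"):
        return data, b""
    depth, i = 0, 0
    while i < len(data):
        b = data[i]
        if b == 0x5C:           # backslash: the next byte is escaped, skip it
            i += 2
            continue
        if b == 0x7B:           # '{'
            depth += 1
        elif b == 0x7D:         # '}'
            depth -= 1
            if depth == 0:
                return data[: i + 1], data[i + 1 :]
        i += 1
    return data, b""            # unbalanced document: treat it all as document

def cluster_by_document_part(samples: dict[str, bytes]) -> dict[str, dict]:
    """Group samples whose document part (exploit + shellcode) is identical.

    Returns {sha256(document part): {"members": [...], "overlay_sizes": {name: n}}}.
    """
    clusters: dict[str, dict] = defaultdict(lambda: {"members": [], "overlay_sizes": {}})
    for name, data in samples.items():
        doc, overlay = split_rtf_overlay(data)
        key = hashlib.sha256(doc).hexdigest()
        clusters[key]["members"].append(name)
        clusters[key]["overlay_sizes"][name] = len(overlay)
    return dict(clusters)

# Constructed stand-ins (not real exploit bytes): one shared "exploit document"
# reused with two different appended blobs, plus an unrelated document.
SHARED_DOC = b"{\\rtf1\\ansi{\\*\\placeholder exploit \\{and shellcode\\} here}}"
OTHER_DOC = b"{\\rtf1\\ansi{\\*\\placeholder unrelated document}}"
SAMPLES = {
    "sample_a.rtf": SHARED_DOC + bytes(range(64)),
    "sample_b.rtf": SHARED_DOC + bytes(reversed(range(128))),
    "sample_c.rtf": OTHER_DOC,
}

if __name__ == "__main__":
    for key, info in cluster_by_document_part(SAMPLES).items():
        print(key[:12], info["members"], info["overlay_sizes"])
```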
Gabor has followed the Plugx malware family for the past two years. By watching the evolution of malware samples over that period, he has gained special insight into targeted attacks and the attackers behind them.
In a previous paper, in which Gabor asked “Are APTs the new normal?”, he wrote about how common malware groups copy APTs.
Now the Rotten Tomato campaign shows that APT authors are getting ideas from the common malware groups, Gabor says, and the narrow line between the two is becoming even harder to define.
Read Gabor’s research paper by clicking here: The Rotten Tomato Campaign.
About SophosLabs
SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts. Keep up to date with our latest research and technical papers, expert opinion, and security advice at Naked Security.