Monday, 8 July 2013

Hackers using PRISM-phishing Java RAT to steal government data

Security padlock image
Cyber criminals are targeting government agencies with phishing messages containing a dangerous Java remote access tool (RAT).
Symantec researcher Andrea Lelli reported uncovering the threat, confirming that the messages are designed to entice government workers to download the attachments by masquerading as news announcements and messages about the PRISM scandal.
"We recently came across an attack campaign which looked quite unusual compared to the standard attacks normally seen in the wild. This campaign is targeting government agencies by sending phishing emails with a malicious attachment. Nothing new so far, except for one thing: the malicious payload is a Java remote access tool (RAT)," wrote Lelli on a company blog.
"As we all know, cyber criminals tend to use recent hot media topics to entice users. In the case of this campaign they are using the recent news coverage surrounding the NSA surveillance programme PRISM."
Lelli highlighted the use of the RAT as particularly troubling, as it grants the attackers several advanced powers over compromised machines. "This applet is a RAT named jRat, it is available for free and Symantec detects it as Backdoor.Jeetrat. This threat can give full control of the compromised computer to a remote attacker," wrote Lelli.
"More importantly, because it is a Java applet the threat is able to run on multiple operating systems, not just Windows. In fact, the threat has a builder tool that allows you to build your own customised versions of the RAT, and we can see that when it comes to the targeted operating systems, the choice is very broad."
The Symantec researcher said the malware used is a modified version of one used in a previously detected attack. "This malicious RTF document exploits the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), detected by Symantec as Bloodhound.Exploit.457," wrote Lelli.
"The attack has been simplified as it does not involve the use of an exploit, nor an executable shellcode/payload, but simply relies on a Java applet. Nonetheless, it is no less dangerous than the older attacks and it can spread more easily since exploits are usually limited to work on specific versions of the vulnerable software and operating system, while this RAT can spread on any system where Java runtime is installed. In fact, not only has the attack been simplified, but it has also become more stable and more virulent, it is a big upgrade."
Despite the troubling news Lelli confirmed there are protection tools available that can ward off the attack. "While this new attack is a little unusual, it can be detected and blocked like older ones. We advise our customers to update their definitions and to be very cautious when receiving suspicious emails," wrote Lelli.
The RAT is one of many evolved cyber attacks targeting UK networks. Most recently Olympic cyber security head Oliver Hoare revealed hackers targeted the electricity grid powering the London 2012 Olympics stadium on the eve of the opening ceremony.

No comments:

Post a Comment