Apart from the targets discussed in the presentation of Anton Cherepanov, the trojan analyzed in the blog post on WeLiveSecurity.com appears to be focused on gathering top secret military and diplomatic information from various institutions mainly in Afghanistan and Tajikistan. “From the subjects of the files used to spread the malware, as well as from the affected targets, it appears that the attackers are interested in gathering intelligence related to Afghan, Tajik and Russian military and diplomatic subjects,” explains Robert Lipovsky in his blog post on WeLiveSecurity.com.
The attacks against the mentioned targets have been ongoing since at least June 2014 and continue through to today.
In these campaigns Korplug RAT utilize two ways of spreading – as a self-extracting archive or as Microsoft Word document, exploiting the vulnerability known as CVE-2012-0158. What’s more, the attackers have also attempted to exploit the newer CVE-2014-1761 vulnerability. To avoid detection, the Korplug RAT uses a DLL side-loading trick, abusing legitimate digitally signed executables. This keeps the malware under the radar, since a trusted application with a valid signature among startup items is less likely to raise suspicion.
In addition to Korplug, most of the victims were also infected by a selection of other trojans. “The use of other Remote Access Trojans with functionality partly overlapping with that of Korplug left us wondering whether the attackers were just experimenting with different RATs or they were supplementing some functionality they were unable to accomplish,” concludes Robert Lipovsky.
Read more about Korplug military targeted attacks: Afghanistan & Tajikistan on WeLiveSecurity.com
About ESET
Since 1987, ESET® has been developing record award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on LinkedIn, Facebook andTwitter.