Looking at detections of the Korplug trojan, ESET® researchers recently noticed two larger-scale campaigns using this well-known Remote Access Trojan (RAT). The first, related to Afghanistan and Tajikistan, is analyzed by Robert Lipovsky in his latest blog post on WeLiveSecurity.com. The other, targeting a number of high-profile organizations in Russia, will be presented at the ZeroNights security conference in Moscow on Friday, November 14th, by Anton Cherepanov.
Apart from the targets covered in Anton Cherepanov's presentation, the campaign analyzed in the WeLiveSecurity.com blog post appears to be focused on gathering top secret military and diplomatic information from various institutions, mainly in Afghanistan and Tajikistan.
“From the subjects of the files used to spread the malware, as well as from the affected targets, it appears that the attackers are interested in gathering intelligence related to Afghan, Tajik and Russian military and diplomatic subjects,” explains Robert Lipovsky in his blog post on WeLiveSecurity.com.
The attacks against these targets have been ongoing since at least June 2014 and continue to this day.
In these campaigns the Korplug RAT is distributed in two ways: as a self-extracting archive, or as a Microsoft Word document exploiting the vulnerability known as CVE-2012-0158 (the MSCOMCTL ActiveX control flaw widely used in document-based attacks). The attackers have also attempted to exploit the newer CVE-2014-1761 vulnerability (the Word RTF parsing flaw patched in April 2014). To avoid detection, Korplug uses a DLL side-loading trick, abusing legitimate digitally signed executables: the validly signed, trusted executable is what appears among the startup items, and when it runs it loads the malicious DLL placed next to it instead of the library it expects. An autostart entry pointing at a signed application is less likely to raise suspicion, so the malware stays under the radar.
In addition to Korplug, most of the victims were also infected with a selection of other trojans.
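The side-loading pattern described above leaves a recognisable trace on the host: a signed executable registered as an autostart item with an unsigned (or differently signed) DLL sitting in the same directory. The following PowerShell script is an added example for hunting that pattern; it is not ESET's code and is not taken from the Korplug analysis. It walks the standard Run/RunOnce keys and Startup folders, keeps only entries whose executable carries a valid Authenticode signature, and reports every DLL beside it that is unsigned or signed by a different publisher. The exclusion of directories under `$env:SystemRoot` is an assumption added purely to reduce noise.

```powershell
# Added example, not ESET's code: hunt for DLL side-loading candidates among
# Windows autostart entries. A "candidate" is a validly signed host EXE whose
# directory also contains a DLL that is unsigned or signed by someone else.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartExecutables {
    # Registry Run/RunOnce values: each value is a command line; take its first token.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $cmd = [string]$prop.Value
            # Quoted path first, then bare path; -match is case-insensitive.
            if ($cmd -match '^\s*"([^"]+?\.exe)"' -or $cmd -match '^\s*([^\s"]+?\.exe)') {
                [pscustomobject]@{ Source = "$key\$($prop.Name)"; Path = $Matches[1] }
            }
        }
    }
    # Startup folders: resolve .lnk shortcuts to their target executables.
    $shell   = New-Object -ComObject WScript.Shell
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        foreach ($lnk in Get-ChildItem -Path $folder -Filter '*.lnk' -ErrorAction SilentlyContinue) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            if ($target -like '*.exe') {
                [pscustomobject]@{ Source = $lnk.FullName; Path = $target }
            }
        }
    }
}

function Find-SideLoadCandidates {
    foreach ($entry in Get-AutostartExecutables) {
        $exe = [Environment]::ExpandEnvironmentVariables($entry.Path)
        if (-not (Test-Path -LiteralPath $exe)) { continue }

        $exeSig = Get-AuthenticodeSignature -FilePath $exe
        if ($exeSig.Status -ne 'Valid') { continue }       # only the "trusted host" case matters here

        $dir = Split-Path -Parent $exe
        if ($dir -like "$env:SystemRoot*") { continue }    # assumption: skip OS directories to cut noise

        foreach ($dll in Get-ChildItem -Path $dir -Filter '*.dll' -ErrorAction SilentlyContinue) {
            $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
            # A DLL is "trusted alongside its host" only if validly signed by the same subject.
            $sameSigner = ($dllSig.Status -eq 'Valid') -and
                          ($dllSig.SignerCertificate.Subject -eq $exeSig.SignerCertificate.Subject)
            if (-not $sameSigner) {
                [pscustomobject]@{
                    Autostart  = $entry.Source
                    HostExe    = $exe
                    HostSigner = $exeSig.SignerCertificate.Subject
                    Dll        = $dll.FullName
                    DllStatus  = $dllSig.Status
                    DllSigner  = $(if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '<unsigned>' })
                }
            }
        }
    }
}

Find-SideLoadCandidates | Format-Table -AutoSize
```

Run it from an elevated session so HKLM and the common Startup folder are readable. The output is a list of candidates for triage, not verdicts: plenty of legitimate software ships unsigned helper DLLs next to a signed binary, so the useful follow-up is to check whether the flagged DLL's name matches a library the host actually imports, whether it exports the functions the host expects, and whether the same name is also present in the system directory.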
“The use of other Remote Access Trojans with functionality partly overlapping with that of Korplug left us wondering whether the attackers were just experimenting with different RATs or they were supplementing some functionality they were unable to accomplish,” concludes Robert Lipovsky.
Read more about Korplug military targeted attacks: Afghanistan & Tajikistan on WeLiveSecurity.com.