New phishing attacks rely on blogging and social media websites as part of their command and control (C&C) infrastructure.
The attacks start with an attachment called “AutoCleanTool.rar,” said researchers at security firm FireEye. When the file unzips and executes, users see a small application window which prompts them to enter their full email address and its associated password.
Once the user enters this information, the malware saves it into the Windows registry and then transmits it to the attackers.
In the meantime, the program creates a directory structure and drops a malicious DLL file in a couple of locations.
Once the DLL (NetCCxx.dll) loads, the malware first checks whether it has Internet connectivity by issuing an HTTP GET request.
Then, it starts contacting a number of domains, all of which are on Chinese social media and blogging websites such as baidu.com, zuosa.com, people.com.cn, tongxue.com and alibado.com.
From these websites, the malware starts downloading a series of .jpg image files representing Japanese animation characters.
While the pictures look innocent, in reality they contain an “unknown padding,” 471 bytes in size, appended after the JPEG End of Image (EOI) marker. This “unknown padding” allows the malware to update itself.
The data it takes from one image becomes part of a new .ini file that contains configuration details. Another part of the retrieved data contains the URL for an additional image file, which in turn contains more configuration information.
This way, the malware can update itself without security software noticing. Furthermore, the data from the .jpg file can also update the entire framework and even add new components.
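The technique described above, data hidden after a JPEG's End of Image marker, is easy to check for on the defender's side: a valid JPEG ends at the EOI marker (bytes 0xFF 0xD9), so anything after it is foreign. The following script is an added example, not code from the original article or from FireEye. It walks the JPEG segment structure to locate the real EOI (rather than searching for the last 0xFFD9, which a payload can itself contain) and reports the trailing bytes. The sample JPEG it builds is a constructed, minimal stand-in with no real image data; the 471-byte figure is taken from the article, and the payload contents are made up.

```python
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def find_eoi_end(data: bytes) -> int:
    """Return the offset just past the EOI marker, found by walking JPEG segments.

    Entropy-coded scan data is skipped correctly: a 0xFF inside it is always
    followed by 0x00 (byte stuffing) or by a restart marker (0xD0..0xD7).
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: the image really ends here
            return pos + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                  # standalone markers carry no length field
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len            # skip marker + segment (length includes itself)
        if marker == 0xDA:            # SOS: entropy-coded data follows the header
            while True:
                idx = data.find(b"\xff", pos)
                if idx < 0 or idx + 1 >= len(data):
                    raise ValueError("truncated scan data; no EOI found")
                nxt = data[idx + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos = idx + 2     # stuffed 0xFF or restart marker: still scan data
                    continue
                pos = idx             # a real marker: back to the segment loop
                break
    raise ValueError("no EOI marker found")


def trailing_bytes(data: bytes) -> bytes:
    """Bytes appended after the structurally determined EOI (empty for a clean file)."""
    return data[find_eoi_end(data):]


def naive_trailing_bytes(data: bytes) -> bytes:
    """The tempting shortcut: everything after the LAST 0xFFD9. Fooled by payloads
    that themselves contain 0xFFD9 (e.g. a second JPEG appended as a decoy)."""
    idx = data.rfind(EOI)
    return data[idx + 2:] if idx >= 0 else b""


def build_sample_jpeg(payload: bytes) -> bytes:
    """Constructed minimal JPEG skeleton (SOI, APP0, SOS, a few scan bytes, EOI)
    with `payload` appended after EOI. Not a decodable image; structure only."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    # scan data containing a stuffed 0xFF (FF 00) and a restart marker (FF D0)
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return SOI + app0 + sos + scan + EOI + payload


if __name__ == "__main__":
    # Constructed payloads: a 471-byte blob like the article's, and one that hides a fake EOI.
    for label, payload in (("clean", b""),
                           ("471-byte padding", b"\x00" * 471),
                           ("payload containing FFD9", EOI + b"XYZ")):
        data = build_sample_jpeg(payload)
        tail = trailing_bytes(data)
        print(f"{label}: {len(tail)} trailing bytes (naive rfind says {len(naive_trailing_bytes(data))})")
```

In a detection pipeline the check is simply `len(trailing_bytes(data)) > 0` on every JPEG fetched by a process that has no business downloading anime pictures; a non-empty tail is not proof of malice (some cameras and editors append metadata too), but a fixed-size tail such as the 471 bytes here, on files pulled from many unrelated blog hosts, is worth an alert.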
“Network communications like this could easily slip under the radar. All the domains and URLs accessed by the malware are legitimate. Though they seem to all be Chinese in origin, there is not really enough for most traditional security defenses to detect outright,” FireEye’s J. Gomez said.
“IT security personnel should be aware of these types of threats as they can go undetected for extended periods of time until traditional signature-based security solutions receive detection updates (if at all).”