A few hours ago, EFF posted a blog on their official site about a targeted attack on them. They received Conference Invitation emails carrying a malicious attachment in *.hta format (HTML Application).
A preliminary analysis has already been posted on their site here:
https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal
I was checking the executable dropped by it in the %temp% directory. It enumerates the processes on the system and checks for the presence of the following processes, both of which point to an analysis or lab environment:
DF5Serv.exe - Faronics Deep Freeze (system-restore tool commonly found on lab machines)
VBoxService.exe - VirtualBox Guest Additions service
It also checks for the presence of Virtual Machines by reading the values of the registry key:
HKLM\System\ControlSet001\Services\Disk\Enum
These values are the device instance IDs of the attached disks (vendor and product strings included), and the sample searches them for the following strings:
VBOX
VMWARE
VIRTUAL
StrStrIW() is used to perform a case-insensitive search, so the case of the vendor string in the device ID does not matter. This is a common technique.
It is becoming increasingly common for malware to detect the presence of Virtual Machines.
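The two checks described above, reimplemented as an added example (not code from the original post or from the EFF sample): the portable part matches process names and Disk\Enum values against the strings listed above, with an ASCII case-insensitive search standing in for StrStrIW(); the part under #ifdef _WIN32 collects the real inputs with CreateToolhelp32Snapshot() and RegEnumValueA(). The process names, markers and registry path are the ones from the analysis; the disk instance IDs in main() are constructed, and treating the process check as an exact (case-insensitive) name match is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Strings the sample compares against (from the analysis above). */
static const char *const VM_PROCESS_NAMES[] = { "DF5Serv.exe", "VBoxService.exe", NULL };
static const char *const VM_DISK_MARKERS[]  = { "VBOX", "VMWARE", "VIRTUAL", NULL };

/* Case-insensitive substring search, the semantics the sample gets from
 * StrStrIW(), restricted to ASCII/narrow strings so it builds anywhere.
 * Returns 1 if needle occurs in haystack, else 0. */
int contains_nocase(const char *haystack, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0)
        return 1;
    for (const char *p = haystack; *p; p++) {
        size_t i = 0;
        while (i < n && p[i] &&
               tolower((unsigned char)p[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Process check: 1 if any image name in the NULL-terminated list equals one of
 * the target names. Exact match is an assumption; the comparison is case-
 * insensitive because Windows file names are ("vboxservice.exe" must count). */
int suspicious_process_present(const char *const *processes)
{
    for (const char *const *p = processes; *p; p++)
        for (const char *const *m = VM_PROCESS_NAMES; *m; m++)
            if (strlen(*p) == strlen(*m) && contains_nocase(*p, *m))
                return 1;
    return 0;
}

/* Registry check: 1 if any Disk\Enum value (a device instance ID such as
 * "SCSI\Disk&Ven_VMware_&Prod_...") contains one of the markers. */
int disk_enum_indicates_vm(const char *const *entries)
{
    for (const char *const *e = entries; *e; e++)
        for (const char *const *m = VM_DISK_MARKERS; *m; m++)
            if (contains_nocase(*e, *m))
                return 1;
    return 0;
}

#ifdef _WIN32
#undef UNICODE              /* keep PROCESSENTRY32/Process32First on the ANSI variants */
#include <windows.h>
#include <tlhelp32.h>

/* Live process check: walk a Toolhelp32 snapshot and test each image name. */
int live_process_check(void)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    int found = 0;
    if (snap == INVALID_HANDLE_VALUE)
        return 0;
    pe.dwSize = sizeof pe;
    if (Process32First(snap, &pe)) {
        do {
            const char *const one[] = { pe.szExeFile, NULL };
            if (suspicious_process_present(one)) { found = 1; break; }
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return found;
}

/* Live registry check: the "0", "1", ... values of Disk\Enum are REG_SZ device
 * instance IDs; "Count" and "NextInstance" are REG_DWORD and are skipped. */
int live_disk_enum_check(void)
{
    HKEY key;
    char name[64], value[1024];
    int found = 0;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
                      0, KEY_READ, &key) != ERROR_SUCCESS)
        return 0;
    for (DWORD i = 0; !found; i++) {
        DWORD nlen = sizeof name, vlen = sizeof value - 1, type;
        LONG rc = RegEnumValueA(key, i, name, &nlen, NULL, &type, (LPBYTE)value, &vlen);
        if (rc == ERROR_NO_MORE_ITEMS)
            break;
        if (rc != ERROR_SUCCESS || type != REG_SZ)
            continue;
        value[vlen] = '\0';                     /* REG_SZ data need not be NUL-terminated */
        const char *const one[] = { value, NULL };
        found = disk_enum_indicates_vm(one);
    }
    RegCloseKey(key);
    return found;
}
#endif

int main(void)
{
    /* Constructed inputs standing in for a VirtualBox guest; not taken from the sample. */
    const char *const procs[] = { "explorer.exe", "svchost.exe", "vboxservice.exe", NULL };
    const char *const disks[] = { "IDE\\DiskVBOX_HARDDISK_1.0\\5&1fd0f1e6&0&0.0.0", NULL };
    printf("process check:   %d\n", suspicious_process_present(procs));
    printf("Disk\\Enum check: %d\n", disk_enum_indicates_vm(disks));
#ifdef _WIN32
    printf("live process check:   %d\n", live_process_check());
    printf("live Disk\\Enum check: %d\n", live_disk_enum_check());
#endif
    return 0;
}
```

On Windows, link advapi32 if your toolchain does not do so by default; on any other platform only the constructed inputs are exercised. The same strings are useful from the defender's side: a sandbox whose guest service is still named VBoxService.exe or whose disk instance IDs still carry the VBOX/VMWARE/VIRTUAL vendor strings is exactly what this sample keys on.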
c0d3inj3cT