Security vendor Trend Micro said it recently discovered a targeted attack campaign that uses RARSTONE, a Remote Access Tool (RAT), in its operations.
This campaign, which targets several entities in the Asia Pacific region, was first noticed by Trend Micro in February of 2013. It also later used the Boston Marathon bombing as social engineering bait in April.
Trend Micro is calling this campaign "Naikon" based on strings found in related attacks.
"During these past months, we have been monitoring the Naikon Campaign and found some crucial statistics," said Macky Cruz, the security focus lead of Trend Labs in Trend Micro.
"The targets are mainly industry users. About 60 percent of the victims are from the telecommunications, oil and gas, media/communications or government sectors, while the other 40 percent could either be individual users or other industry users."
The monitoring results also suggest that the following countries in the APAC region are affected: India, Lao, Malaysia, Myanmar, Singapore, and Vietnam.
"According to our threat analyst Maharlito Aquino, the Naikon campaign infiltrated networks via spear-phishing attacks," Cruz said. "Recently, we encountered at least three cleverly designed spear-phishing emails leveraging important inter-nation discussions in APAC."
The RAT used, which Trend Micro detected as BKDR_RARSTONE, is able to read installer properties from the Uninstall registry keys. It learns which applications are installed on the system and how to uninstall them, in case those applications interfere with RARSTONE's functions.
RARSTONE is loaded directly into memory and uses SSL to encrypt its communication with its C&C server, which not only protects that connection but also makes it blend in with normal traffic.
Together, these behaviors make the malware very difficult to detect if a company relies only on file-based scanning technologies, Trend Micro said.
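As an added example (not code from Trend Micro's report or this article), the following Python scans Windows Security event 4663 records for processes that read the Uninstall registry key, the enumeration behavior described above. It assumes Object Access auditing is enabled with a read SACL on that key, a constructed pipe-separated export format, and a hypothetical allowlist of legitimate readers.

```python
"""Flag processes that enumerate the Windows Uninstall registry key via 4663 audit events."""
import re
from typing import Dict, List

# Hypothetical allowlist of processes that legitimately read installed-software
# data; tune it to the environment.
ALLOWED_READERS = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\control.exe",
}

# Matches both the native and the WOW6432Node Uninstall key paths.
UNINSTALL_KEY = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\uninstall",
    re.IGNORECASE,
)

def parse_event(line: str) -> Dict[str, str]:
    """Parse one '|'-separated key=value line (constructed export format)."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def find_uninstall_readers(lines: List[str]) -> List[Dict[str, str]]:
    """Return 4663 events where a non-allowlisted process read the Uninstall key."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4663" or ev.get("ObjectType") != "Key":
            continue
        if not UNINSTALL_KEY.search(ev.get("ObjectName", "")):
            continue
        # AccessMask bits: 0x1 = KEY_QUERY_VALUE, 0x8 = KEY_ENUMERATE_SUB_KEYS
        if not int(ev.get("AccessMask", "0"), 16) & 0x9:
            continue
        if ev.get("ProcessName", "").lower() not in ALLOWED_READERS:
            hits.append(ev)
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=4663|ObjectType=Key|ObjectName=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVProduct|AccessMask=0x1|ProcessName=C:\Windows\explorer.exe",
    r"EventID=4663|ObjectType=Key|ObjectName=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall|AccessMask=0x8|ProcessName=C:\Users\user\AppData\Local\Temp\update.exe",
    r"EventID=4663|ObjectType=Key|ObjectName=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|AccessMask=0x1|ProcessName=C:\Users\user\AppData\Local\Temp\update.exe",
]
```

Only the Temp-directory process reading the Uninstall key is reported; the allowlisted explorer.exe read and the Run-key read are ignored.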
Trend Micro warned industry users that the Naikon campaign or similar targeted attacks should be taken seriously. They are meant to stay under the radar and steal information from target entities.
Traditional technologies such as blacklisting and perimeter controls are not enough to detect or block the components of these campaigns, said Trend Micro.
The Internet security firm said enterprises need to deploy tools that give them protection and control over their networks, so that suspicious network traffic can be identified.