ESILE Targeted Attack Campaign Hits APAC Governments
July 28, 2014
The Asia and the Pacific (APAC) region has long been a popular target for organized attacks, mainly due to political motivations. The majority of the targeted attack cases we analyzed in the second half of 2013 were focused on Taiwan and Japan. The media-grabbing EvilGrab campaign had targeted users and organizations in Japan and China in 2013. In the same year, a different attack also targeted Chinese media and government organizations with the goal of stealing email credentials.
Research is ongoing as to why these specific industries are targeted and by whom. But it's not exactly a new trend. According to the 2013 Annual Security Roundup, attackers have constantly focused mostly on targeting government sites throughout the year.
The Esile campaign was named after certain strings found in the unpacked malware file that it sends out. All of the malware related to this campaign are detected as BKDR_ESILE variants.
These variants are mostly Trojan malware that are cloaked by files that users may consciously or unknowingly download when they visit malicious sites. Once these malware gets inside a machine, they can open the door for attackers to send and receive remote commands. In the case of the Esile campaign, these commands include the following:
· create and modify user accounts on computers,
· modify administrator groups,
· display lists of computers and shared resources,
· scan for ports in use,
· display running tasks and processes,
· start a service,
· display detailed configuration information about a computer, etc.
IT managers can identify the Esile campaign by watching for network traffic and malicious file indicators related to it. The Trend Micro 2H 2013 Report on Targeted Attack Trends further details these technical indicators. Companies should be able to mitigate the loss of data with the help of network traffic analysis, which we have long regarded as a useful tool for detecting targeted attack activity.
More than just detecting Esile in the network, companies should also be familiar with common network indicators that show that attackers are already inside the network and are communicating with its malware components.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale