
Security researchers have released a research paper detailing Etumbot, a backdoor used in targeted attacks that has been in operation since at least March 2011.

The attacks using Etumbot have been attributed to the Numbered Panda group, also referred to as IXEHSE, DynCalc, and APT-12, and are known to have targeted high profile victims including media outlets, companies in high-tech sectors, and a number of governments around the world.

The analysis of Etumbot’s capabilities reveals that the malware’s dropper is primarily delivered in spear-phishing campaigns which employ the Unicode Right-to-Left Override technique and faux document icons to disguise the malicious executables attached to the emails.
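A defender-side check for the Right-to-Left Override trick described above, added here as an illustration and not code from the ASERT report. The sample filenames are constructed, and the "displayed name" is a simplified approximation of how a file browser renders text after U+202E.

```python
import unicodedata

# Unicode bidi control characters that can be embedded in a filename to
# make its visible extension differ from the one the OS actually uses.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# Extensions that execute when double-clicked (assumed list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def real_extension(name):
    """Extension the OS uses: text after the last '.' once bidi controls are stripped."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""


def displayed_name(name):
    """Approximate what a naive renderer shows: text after U+202E appears reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + tail[::-1]


def analyze_filename(name):
    """Describe whether an attachment name hides its true extension."""
    controls = sorted({unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS})
    ext = real_extension(name)
    return {
        "real_extension": ext,
        "displayed_name": displayed_name(name),
        "bidi_controls": controls,
        # Flag only when a bidi control is present AND the real extension executes.
        "suspicious": bool(controls) and ext in EXECUTABLE_EXTS,
    }


def flag_attachments(names):
    """Return the attachment names that hide an executable behind bidi controls."""
    return [n for n in names if analyze_filename(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed sample attachment names, not indicators from the report.
    samples = ["report.pdf", "report\u202ecod.exe", "notes\u202efdp.docx"]
    for n in samples:
        print(analyze_filename(n))
```

Filenames that carry a bidi control but end in a non-executable extension are reported through the `bidi_controls` field without being flagged, so a mail gateway can still log them.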

The researchers noted that the subject matter used to entice targets is often related to Taiwanese and Japanese topics. Once the dropper has been executed, the backdoor is deployed while the attachment is opened for viewing.

“Once installed, the backdoor connects to its Command & Control server and receives an encryption key. RC4 encryption, along with HTTP transactions intended to blend in with typical traffic, are used for backdoor communications. Etumbot’s core functionality allows for the execution of commands and the capability to upload and download files,” the researchers said.

“Attackers attempt to obfuscate the malware by using a technique known as ‘byte strings’, also known as ‘string stacking’. Through the use of ASERT tools, these byte strings are deobfuscated and revealed herein.”

The report contains a timeline of the distraction documents used, backdoor and dropper indicators including MD5 hashes, Command & Control server information, and file system and process artifacts.

Read More Here (PDF)…