
Myrtus and Guava, Episode 1

A few days ago, colleagues from the Belarusian antivirus company VirusBlokAda (VBA) announced they’d come across an interesting new malicious program. They published a short analysis of the program which highlighted two innovations:

1. Using lnk files to launch files from USB storage devices, a method which hasn’t been used before.

2. The malicious driver has a valid digital signature from Realtek.

The VBA article is well worth taking a look at – great research, guys!

Over here at Kaspersky, we’ve also taken a look at the malware, and we’ve also come up with a few interesting things.

First of all, there’s the way the Trojan (which we’ve called Trojan-Dropper.Win32.Stuxnet) spreads. It infects USB storage media by creating 4 lnk files:

“Copy of Copy of Copy of Copy of Shortcut to.lnk”
– launches .STORAGE#RemovableMedia#7&[ID]&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~WTR4141.tmp

“Copy of Copy of Copy of Shortcut to.lnk”
– launches .STORAGE#RemovableMedia#8&[ID]&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~WTR4141.tmp

“Copy of Copy of Shortcut to.lnk”
– launches .STORAGE#Volume#1&19f7e59c&0&_??_USBSTOR#Disk&Ven_&Prod_USB_FLASH_DRIVE&Rev_PMAP#0798018356734E4F&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~WTR4141.tmp

“Copy of Shortcut to.lnk”
– launches .STORAGE#Volume#_??_USBSTOR#Disk&Ven_&Prod_USB_FLASH_DRIVE&Rev_PMAP#0798018356734E4F&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~WTR4141.tmp

~WTR4141.tmp, by the way, is the main malware file.

(Image: Strings from the Trojan code responsible for infecting USB storage media)

What’s interesting is that the ID in the first two files is the unique number given to the USB device by the computer on which it’s being accessed.
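Because the device ID (and the volume serial) changes from machine to machine, a defender looking for these shortcuts should key on the parts that stay fixed: the device-interface prefix, the volume class GUID and the payload name. The scanner below is an added example, not code from the post or from VBA/Kaspersky; it assumes the launch path is stored inside the .lnk as a UTF-16LE string, and the sample shortcut bytes and the device ID in them are constructed for illustration.

```python
import os
import re

# Stable fragments of the launch paths quoted in the post; the per-device ID
# and the volume serial vary, so they are deliberately not part of the match.
LNK_MAGIC = b"\x4c\x00\x00\x00"  # ShellLinkHeader size field that opens every .lnk
INDICATORS = {
    "storage_device_path": "STORAGE#RemovableMedia#",
    "volume_class_guid": "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    "payload_name": "~WTR4141.tmp",
}
# The four file names from the post all fit this shape.
NAME_PATTERN = re.compile(r"^(Copy of )+Shortcut to\.lnk$", re.IGNORECASE)


def lnk_indicators(data: bytes) -> list[str]:
    """Return the names of the indicators present in a shortcut's raw bytes.

    Assumption: the device path is embedded as UTF-16LE (ASCII is checked
    too, in case a sample stores it narrowly).
    """
    if not data.startswith(LNK_MAGIC):
        return []
    hits = []
    for name, needle in INDICATORS.items():
        if needle.encode("utf-16-le") in data or needle.encode("ascii") in data:
            hits.append(name)
    return hits


def scan_removable_root(root: str) -> list[tuple[str, list[str]]]:
    """Walk a mounted drive and report .lnk files matching the dropper's pattern."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                hits = lnk_indicators(fh.read())
            if NAME_PATTERN.match(fn):
                hits.append("copy_of_shortcut_name")
            if hits:
                findings.append((path, hits))
    return findings


# Constructed sample: a minimal header, padding, then one of the post's launch
# paths with a placeholder device ID (leading \\.\ is assumed, as the post
# shows the path with its backslashes stripped).
SAMPLE_LNK = LNK_MAGIC + b"\x01\x14\x02\x00" + b"\x00" * 72 + (
    "\\\\.\\STORAGE#RemovableMedia#7&PLACEHOLDER_ID&0&RM#"
    "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\~WTR4141.tmp"
).encode("utf-16-le")
```

Run `scan_removable_root("E:\\")` (or the mount point on Linux) against a suspect stick; a hit on the payload name alone is already worth pulling the drive for analysis.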

Up until now, it’s been autorun.inf that’s been responsible for automatically running files from disk. This Windows “feature” has come in for heavy criticism from security experts, and, not surprisingly, has been widely used to spread malware. We classify such malware as Worm.Win32.Autorun – a classification which covers tens of thousands of threats.

But while we’ve got used, more or less, to autorun.inf malware, and learnt what to do about it, the use of lnk files is something really new. We’ll set aside the name “Linkrun” – just in case 🙂

At the moment, we’ve not drawn any final conclusion – maybe this is a real, as yet unknown vulnerability in Windows, or maybe it’s simply the latest “feature” from Redmond. Of course, Microsoft’s been informed of the problem, so we should find out what’s going on in the next couple of days.

So we’ve reached the end of episode one. Upcoming episodes feature more about the malware, and you’ll find out the reason for the post’s title. To give you a hint – it’s not because we’ve taken up gardening in our spare time 🙂

To be continued…
