APT reports

Myrtus and Guava, Episode 3

The geographical distribution of Stuxnet infections is just as interesting as the Trojan itself. We detect the rootkit component (the signed drivers) as Rootkit.Win32.Stuxnet, and the other files as Trojan-Dropper.Win32.Stuxnet.

Over the last four days, KSN has identified Trojan components (although the program should really be thought of as a worm, as it spreads via removable storage media) on more than 16,000 computers around the world. A map with infection statistics shows three countries (all starting with the letter I!) are at the centre of the epidemic – Iran, India and Indonesia.

KSN identified more than 5,000 incidents in each of the three countries – in comparison, there were around 150 cases of infection in Russia, and only 5 in China.

There’s no simple explanation for the distribution, but any explanation has to take into account the way Stuxnet spreads – via removable storage media. This isn’t the quickest way to spread malware, but on the other hand, it can ensure that the malware will have a longer life-cycle (one example of this is Sality, which also spread on USB devices). What is quite clear is that the epidemic hasn’t yet reached beyond Asia.

Could the geography help us work out how the rootkit component came to be digitally signed?

Of course, coming up with conspiracy theories isn’t the nicest thing to do, but paranoia is inherent in IT security professionals. So I’ll give myself the freedom to hypothesize:

Realtek is a “hardware” company; writing the software is a subsidiary process which can be optimized by using outsourcers. Which country is the world leader when it comes to outsourcing programming? You’re right – India.

Could an outsourcer creating software for a company have the means to sign programs with that company’s certificate? It’s certainly possible.

So one theory would be that the malware was created in India (just look at the map) and, possibly, without an “insider” amongst the Realtek application developers.

However, if we’re going with that theory, then I wouldn’t throw out the possibility that the driver files are actually legitimate drivers created by Realtek. Yes, they have rootkit functionality, and hide lnk and ~WTRxxxx.tmp files in the root of the storage device. But that doesn’t mean the driver files aren’t legitimate – remember the Sony rootkit incident? And the malware that used the rootkit technology?

Now that we’re nearing the end of episode 3, I’ve just realized that I’ve forgotten one important point – the title of my last three posts.

“Myrtus (myrtle) is a genus of one or two species of flowering plants in the family Myrtaceae,” and “The Myrtaceae or Myrtle family are a family of dicotyledon plants, placed within the order Myrtales. Myrtle, clove, guava, feijoa, allspice, and eucalyptus belong here.”

Why the sudden foray into botany? Because the rootkit driver code contains the following string:

Project “Myrtus”. Module “Guava”.
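Two concrete observables come out of this post: the rootkit hides .lnk and ~WTRxxxx.tmp files in the root of the removable device, and the driver carries the “Myrtus” / “Guava” string. The script below is an added example written for this post, not code from Kaspersky or from the samples; it checks a removable device’s root listing for that file combination and looks for the two project words in a driver image. The four “x” characters in ~WTRxxxx.tmp are assumed to be alphanumerics (the post does not spell them out), the sample listings are constructed, and the string check is a loose substring match, since the post quotes the wording rather than the raw bytes. Because the rootkit hides the names from the infected system, the listing is meant to be taken from a clean host with the device mounted.

```python
import os
import re

# The temporary files the post says the rootkit hides in the device root:
# ~WTRxxxx.tmp. Assumption: the four "x" characters are alphanumerics.
WTR_TMP_RE = re.compile(r"^~WTR[0-9A-Za-z]{4}\.tmp$", re.IGNORECASE)
# Shortcut files dropped alongside them.
LNK_RE = re.compile(r"\.lnk$", re.IGNORECASE)
# Words quoted from the driver in the post; matched loosely, case-insensitive.
PROJECT_WORDS = (b"myrtus", b"guava")


def classify_root_listing(names):
    """Classify the file names found in the root of a removable device.

    Returns the matching ~WTR*.tmp names, the .lnk names, and a verdict that
    is only True when both kinds of file are present together, which is the
    combination the post describes.
    """
    wtr = sorted(n for n in names if WTR_TMP_RE.match(n))
    lnk = sorted(n for n in names if LNK_RE.search(n))
    return {"wtr_tmp": wtr, "lnk": lnk, "suspicious": bool(wtr) and bool(lnk)}


def scan_removable_root(path):
    """Scan a mounted removable device root (run this from a clean host:
    the rootkit hides these names from the infected system's own listing)."""
    names = [entry.name for entry in os.scandir(path) if entry.is_file()]
    return classify_root_listing(names)


def driver_mentions_project(data):
    """True when a driver image contains both quoted project words.

    Loose check: the post quotes the wording, not the exact byte sequence,
    so this matches either word regardless of case or surrounding text.
    """
    lowered = data.lower()
    return all(word in lowered for word in PROJECT_WORDS)


# Constructed sample listings (not data from the post).
SAMPLE_INFECTED = ["~WTR1234.tmp", "~WTR5678.tmp", "shortcut.lnk", "report.docx"]
SAMPLE_CLEAN = ["holiday.jpg", "notes.txt", "shortcut.lnk"]
# Constructed stand-in for a driver image carrying the quoted string.
SAMPLE_DRIVER = b"\x00\x00Project \"Myrtus\". Module \"Guava\".\x00\x00"

if __name__ == "__main__":
    for label, listing in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, classify_root_listing(listing))
    print("driver mentions project:", driver_mentions_project(SAMPLE_DRIVER))
```

A single .lnk file in a device root is ordinary, so the verdict deliberately requires the ~WTR*.tmp files as well; the string check is a triage aid for a driver pulled off a device, not a substitute for the signed-driver detections mentioned at the top of the post.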

To be continued?
