
Rising captures the APT attack launched by the Saaiwc organization against the Philippine government

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)11/24 Report--

Recently, the Rising threat intelligence platform captured an APT attack launched by Saaiwc against Philippine government agencies. The group used ISO files (CD-ROM image files) as the carrier for its malicious programs and created shortcuts that launch a remote-control backdoor in order to steal private information from the victim's host. The Rising ESM antivirus terminal security protection system currently detects and removes the related malicious programs, and users can install it to defend against this kind of risk.

[Figure: the backdoor program being detected and removed by the Rising ESM antivirus terminal security protection system]

Rising security experts said that the Saaiwc organization, also known as DarkPink, is an APT group that mainly targets Southeast Asia. Its targets include military institutions, governments, religious organizations and non-profit organizations; its main purpose is to steal confidential documents and conduct corporate espionage.

Comparative analysis of its earlier infection chains shows that Saaiwc again used phishing email in this attack: a fake Philippine Armed Forces meeting notice designed to confuse government administrative personnel and induce victims to open the attachment. The attachment is an ISO file (CD-ROM image file) containing three files, which loads the malicious DLL in the "white plus black" manner (DLL side-loading, in which a legitimate signed executable loads a malicious DLL placed beside it).

Rising security experts said that Saaiwc uses ISO files as the carrier because some security defense products skip inspection of such files, which lets the attackers evade interception or removal, while victims relax their vigilance and fall into the trap.

In addition, Saaiwc triggers the remote-control backdoor by creating a shortcut with the hidden attribute set and assigning it a hotkey. The backdoor steals the victim's host IP address, system version and other information, sends everything collected back to the attacker, and then receives further control instructions.
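The two shortcut tricks described above (a hidden .lnk file and an assigned hotkey) are both visible in the fixed 76-byte ShellLinkHeader that every Windows shortcut starts with, so a defender can triage shortcuts extracted from a suspicious ISO without executing anything. The following Python script is an added example and is not Rising's detection logic or code from the article; the field offsets and flag values come from Microsoft's public MS-SHLLINK specification, the triage rules are my own heuristics, and the two sample shortcut headers are constructed in the script rather than taken from the real attack. Note that the FileAttributes field in the header describes the link target, not the .lnk file itself; whether the .lnk is hidden on the ISO filesystem is a directory-listing check, not a header field.

```python
import struct

# Constants from the MS-SHLLINK specification (ShellLinkHeader).
HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILE_ATTRIBUTE_HIDDEN = 0x02          # attribute of the link *target*
SW_SHOWMINNOACTIVE = 7                # ShowCommand: open minimized, do not activate
HOTKEY_MODIFIERS = {0x01: "SHIFT", 0x02: "CTRL", 0x04: "ALT"}  # high byte of HotKey


def parse_lnk_header(data: bytes) -> dict:
    """Parse the fixed ShellLinkHeader and return the fields that matter for triage."""
    if len(data) < HEADER_SIZE:
        raise ValueError("data shorter than a ShellLinkHeader")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != HEADER_SIZE or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    link_flags, target_attrs = struct.unpack_from("<II", data, 20)
    show_command, hotkey = struct.unpack_from("<IH", data, 60)
    vk = hotkey & 0xFF            # low byte: virtual-key code
    mods = hotkey >> 8            # high byte: HOTKEYF_* modifier bits
    names = [n for bit, n in HOTKEY_MODIFIERS.items() if mods & bit]
    if 0x30 <= vk <= 0x5A:        # digits and letters map directly to ASCII
        names.append(chr(vk))
    elif vk:
        names.append(f"VK_0x{vk:02X}")
    return {
        "link_flags": link_flags,
        "target_hidden": bool(target_attrs & FILE_ATTRIBUTE_HIDDEN),
        "show_command": show_command,
        "hotkey": hotkey,
        "hotkey_text": "+".join(names),
    }


def triage_lnk(data: bytes) -> list:
    """Heuristic findings for a shortcut (hypothetical rules, not a vendor signature)."""
    h = parse_lnk_header(data)
    findings = []
    if h["hotkey"]:
        findings.append(f"hotkey {h['hotkey_text']} assigned: link can fire from a keystroke")
    if h["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("SW_SHOWMINNOACTIVE: target window opens minimized and inactive")
    if h["target_hidden"]:
        findings.append("link target carries FILE_ATTRIBUTE_HIDDEN")
    return findings


def build_header(hotkey=0, show_command=1, target_attrs=0x20) -> bytes:
    """Construct a minimal ShellLinkHeader as a test fixture (real files carry more data after it)."""
    return struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, SHELL_LINK_CLSID,
                       0, target_attrs,      # LinkFlags, FileAttributes
                       0, 0, 0,              # Creation/Access/Write time
                       0, 0, show_command,   # FileSize, IconIndex, ShowCommand
                       hotkey, 0, 0, 0)      # HotKey, Reserved1..3


# Constructed samples: a plain shortcut, and one with CTRL+ALT+W, a hidden target
# and an inactive window (0x0657 = modifiers CTRL|ALT, virtual key 'W').
BENIGN_LNK = build_header()
SUSPICIOUS_LNK = build_header(hotkey=0x0657, show_command=SW_SHOWMINNOACTIVE, target_attrs=0x22)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(name, triage_lnk(blob) or ["no findings"])
```

In practice you would run `triage_lnk` over every .lnk extracted from a mail attachment (an ISO can be listed with 7-Zip or mounted read-only), and treat a hotkey-bearing shortcut sitting next to a signed executable and a same-named DLL as a candidate for the side-loading pattern the article describes.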

Rising security experts said that using ISO files as a carrier and using shortcut hotkeys to trigger execution are distinctive and highly covert techniques, which shows that attackers keep exploring new attack methods to maximize their gains. Users can take the following preventive measures against this kind of risk:

1. Do not open suspicious files.

Do not open suspicious files and emails from unknown sources to prevent social engineering and phishing attacks.

2. Deploy EDR and NDR products.

Use threat intelligence to trace the trajectory of threat behavior, analyze it, locate the source and purpose of the threat, trace the attack's means and paths, address network threats at the source, and find as many attacked nodes as possible so they can be responded to more quickly.

3. Install effective antivirus software to intercept and kill malicious documents and programs.

Antivirus software can intercept malicious documents and programs; if a user accidentally downloads a malicious file, the antivirus software can intercept and remove it, prevent it from running, and protect the user's endpoint.

4. Apply system patches and important software patches promptly.

Much malware spreads by exploiting known system and software vulnerabilities; installing patches promptly effectively reduces the impact of vulnerability-based attacks.


© 2024 shulou.com SLNews company. All rights reserved.
