The Attack of the Killer Tomatoes, presented at Copenhagen Cybercrime Conference 2015

by Gabor Szappanos

Summary: Malware authors are not shy about borrowing ideas. One of the most typical cases was the Tomato Garden incident, in which several different groups used the same zero-day Microsoft Word exploit, leaving the exploit document and the shellcode intact and changing only the encrypted executable appended at the end.
Something very similar happened just recently, as part of a longer campaign targeting India. This Rotten Tomato campaign spanned several months, from August 2014 to March 2015.
During this time span, different variants of the Plugx backdoor were observed as the final payload, including classic Plugx, next-generation Plugx, P2P Plugx and, most recently, Plugx with its payload stored in the registry. Apparently this was a continuous operation, in which the actors behind it used the latest available versions as they came out of the factory. Additionally, a few affiliated malware families were distributed to the targets using a similar distribution vector. The presentation covers the timeline of development of the Plugx backdoor during the campaign.
In addition, interesting development was observed on the exploitation side as well. The malware authors made multi-step efforts to integrate the CVE-2014-1761 vulnerability into their repertoire. The presentation covers the timeline and major steps of this (otherwise unsuccessful) attempt. We were able to track exactly which external sources were used during the development process.
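The sharing pattern described above (identical exploit document and shellcode, different appended encrypted executable) is what lets an analyst cluster samples by the exploit portion and then recover each group's payload separately. The script below is an added illustration, not code from the talk or from the author: the sample documents are constructed byte strings, the boundary between exploit and appended payload is a fixed assumed offset, and the appended executable is assumed to be single-byte-XOR encrypted so that it can be brute-forced by looking for an MZ header. Real samples need the offset and scheme determined per family.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for the shared "exploit document + shellcode" head.
# Assumption for the example: every sample from the shared exploit kit
# starts with exactly these bytes; the real boundary must be found by analysis.
EXPLOIT_HEAD = b"{\\rtf1 constructed-exploit-and-shellcode-stand-in" + b"\x90" * 64 + b"}"
HEAD_LEN = len(EXPLOIT_HEAD)

# Minimal fake PE-like payloads so the MZ check has something to find (constructed).
PAYLOAD_A = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"A" * 32
PAYLOAD_B = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"B" * 32


def make_sample(payload: bytes, key: int) -> bytes:
    """Build a constructed sample: shared head + single-byte-XOR-encrypted payload."""
    return EXPLOIT_HEAD + bytes(b ^ key for b in payload)


# Three constructed samples: two groups reuse the same head with different payloads.
SAMPLES = {
    "group1.doc": make_sample(PAYLOAD_A, 0x5A),
    "group2.doc": make_sample(PAYLOAD_B, 0x33),
    "group1b.doc": make_sample(PAYLOAD_A + b"C", 0x5A),  # same group, repacked payload
}


def split_sample(blob: bytes, head_len: int = HEAD_LEN):
    """Split a sample into the (assumed fixed-length) exploit head and the appended tail."""
    return blob[:head_len], blob[head_len:]


def cluster_by_exploit_head(samples: dict) -> dict:
    """Group sample names by the SHA-256 of their exploit head only."""
    clusters = defaultdict(list)
    for name, blob in samples.items():
        head, _ = split_sample(blob)
        clusters[hashlib.sha256(head).hexdigest()].append(name)
    return dict(clusters)


def recover_appended_executable(tail: bytes):
    """Brute-force a single-byte XOR key; accept a key only if the decoded tail
    starts with an MZ header and contains the DOS stub string."""
    for key in range(256):
        plain = bytes(b ^ key for b in tail)
        if plain.startswith(b"MZ") and b"This program cannot be run" in plain:
            return key, plain
    return None


def analyse(samples: dict) -> dict:
    """Per sample: hash of the shared head, recovered XOR key, hash of the decoded payload."""
    result = {}
    for name, blob in samples.items():
        head, tail = split_sample(blob)
        rec = recover_appended_executable(tail)
        result[name] = {
            "head_sha256": hashlib.sha256(head).hexdigest(),
            "xor_key": rec[0] if rec else None,
            "payload_sha256": hashlib.sha256(rec[1]).hexdigest() if rec else None,
        }
    return result


if __name__ == "__main__":
    for head_hash, names in cluster_by_exploit_head(SAMPLES).items():
        print(f"exploit head {head_hash[:16]}... shared by {names}")
    for name, info in analyse(SAMPLES).items():
        print(name, info)
```

Hashing the head separately from the tail is the point: a whole-file hash differs for every sample, while the head hash collapses all three constructed samples into one cluster, and the decoded payload hash then separates the groups that appended different executables.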