FireEye Reveals that News of Missing MH370 Being Exploited in Advanced Cyberattacks

FireEye, a renowned security vendor, says that a series of sophisticated cyberattacks have exploited the news of missing, ill-fated jetliner MH370 of Malaysia Airlines, which suddenly vanished mid-air on 8th March, 2014 while on its way from Kuala Lumpur to Beijing with 239 people on board, to infiltrate nation-state and other targets.

'Admin@338", a popular Chinese cyber-espionage ensemble distributed the first spear phishing email with subject: "Malaysian Airlines MH370.doc" to a foreign government in Asian pacific region on 10th March, 2014.

Internauts who clicked on the attachment came across an empty document however a variant of the Poison Ivy Trojan was installing in the background and ultimately established a backdoor to www.(.)verizon(.)proxydns(.)com.

Threatpost.com reported on 25th, March, 2014 noting that this cybercriminal group has employed both Poison Ivy and this domain (mentioned above) in attacks committed by them prior to this one.

Poison Ivy is a famous malware, a Remote Access Trojan (RAT) that allows attackers to not only set up backdoor communication with tainted machines but also push extra malicious code to embezzle documents, system details and revolve internally.

FireEye stressed that it saw a second attack from admin@338 end that attacked "US-based think-tank" on 14th March, 2014. Experts said that the maligned attachment faked to be a Flash-video linked to the missing plane and attached a Flash icon to be executable.

FireEye said that this version of Poison Ivy connected to its command and control at dpmc(.)dynssl(.)com:443 and www(.)dpmc(.)dynssl(.)com:80 and the spurious Verizon domain employed in the first attack also resolved to an IP employed by this attack also.

The report underlines the continuing success of spear phishing-led campaigns to penetrate high-level cyber espionage targets.

SCMagazineUK.com published a statement on 25th March, 2014 quoting Jason Steer, Director of Technology Strategy for FireEye EMEA as saying "Spear phishing is triumphant and almost guaranteed because from an organization's angle if you have a team of 50 individuals targeted, then at least one of them will ultimately open something and so odds are piled against them. It costs nothing to launch but it costs a lot to identify and combat."

» SPAMfighter News - 3/31/2014