Researchers have discovered a new method of injecting malicious code into Windows systems that could bypass detection by antivirus software and other endpoint security systems. It’s dubbed “AtomBombing,” because it abuses the operating system’s atom tables, a legitimate mechanism built into Windows. Depending on the process into which the malicious code is injected, the code could allow attackers to access encrypted passwords, take screenshots, or perform Man-in-the-Browser (MitB) attacks.
This attack method doesn’t rely on any vulnerability, so there is no hole to patch.
Blackgear, an espionage campaign that has targeted Taiwan for several years, has shifted its focus to the neighboring country, Japan. The campaign employs a three-stage infection method – 1) infect the victim with a “binder” malware through watering-hole or spear-phishing attacks, 2) use a decoy document to download the second piece of malware, called a downloader, and 3) download the full-on backdoor Trojan. After installation, the backdoor Trojan connects to Blackgear’s command and control (C&C) servers for further instructions. Instead of connecting to the C&C servers directly, as most espionage malware does, the malware goes online and downloads a series of blog posts in which the IP addresses of the C&C servers are hidden in an encrypted format. The backdoor Trojan then decodes the address and connects to the server, giving attackers the ability to search for and exfiltrate data from infected targets.
*IP addresses provided by Recorded Future.