Chinese malware distributors are hammering on a time-honored method for getting their wares onto unsuspecting users' machines: bundling the attack with a legitimate anti-virus program, in this case one offered by industry giant Trend Micro.
Trend Micro itself reported the attack, which is pitched as a copy of its own iClean malware-removal tool but harbors a Trojan that installs a backdoor.
In the e-mail being used to distribute the threat, the attackers have copied the anti-virus giant's marketing materials with a fairly close eye for detail. The attachment that carries the attack is named "iClean20.exe," a plausible, version-numbered file name for the real tool.
And, in fact, the attachment actually holds a copy of the real iClean application alongside the malware, which Trend Micro detects as BKDR_POISON.GO. That is the vendor's detection label rather than a name the attackers chose, and the bundling is the clever part: the victim who runs the attachment sees a working, genuine Trend Micro utility and has no obvious reason to suspect that anything else was installed with it.
It would also appear that the China-based attackers chose the AV vendor closest to their own operations: Trend Micro is headquartered in Tokyo and leads most markets in the Asia-Pacific region.
At first glance the threat appears to be aimed initially at users in that region as well, since the text of the e-mail cited by Trend Micro is written in Chinese characters, but these campaigns typically spread elsewhere once the lure has proved itself.
As part of its advisory, Trend Micro reminded customers that it never distributes its tools or applications by e-mail, and advised people to be generally wary of opening or downloading attachments from unknown senders … even when those senders are posing as the AV vendor itself! The sender name and address on an e-mail are trivially forged, so a message that appears to come from Trend Micro proves nothing; the vendor's own download site, not an attachment, is the only place to get the real tool.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.