IXESHE Is Dangerous, Hard-to-Detect Malware, Trend Micro Says

The IXESHE malware has been around since 2009, and so far has hit organizations in Asia, according to Trend Micro.

Somewhat lost in the blizzard of coverage this week of the Flame malware that set upon Iranian computers was another cyber-weapon uncovered by Trend Micro that has hit businesses and government agencies in Asia, and a German telecommunications company in the region.

Dubbed IXESHE, the difficult-to-detect malware has been around since at least 2009, and gets into the network through a malicious PDF attached to emails that are sent from fake or compromised accounts. Once opened, the malware enables the attackers to easily gain and maintain control of the user€™s system to do everything from terminate or start processes and services, download and upload files, and get victims€™ user names to download and execute arbitrary files, get the system€™s name and domain name, and spawn a remote shell, according to Trend Micro€™s report, released May 30.

By opening the PDF file, the IXESHE (pronounced €œi-sushi€) malware executes into the system. When the PDF is opened, the malware displays a blank screen or shows a €œdecoy document related to the targeted attack,€ Trend Micro researchers said in the report. The emails are sent either from compromised personal accounts or are entirely false, with the latter usually sent from mail servers in the United States or China.

€œThe malware samples used in this campaign were not very complicated by nature but do give the attackers almost complete control over their targets€™ compromised systems,€ the Trend Micro report says.

The IXESHE malware is part of a larger upward trend in the number of targeted attacks, also called advanced persistent threats, or APTs, the company said. Rather than more widespread attacks that go after millions of computer users or computer worms, APTs instead focus on individual organizations, with the goal of stealing valuable data.

The IXESHE victims include government agencies in the Far East, electronics manufacturers in Taiwan and the German telecom firm, the company said.

According to Trend Micro, the IXESHE authors launched two specific attacks€”one in 2009, the other in 2011€”that took advantage of zero-day exploits. The attack vectors primarily exploited flaws in Adobe Acrobat, Reader and Flash Player, though attackers also used an exploit in Microsoft Excel.

The attackers have done a good job of hiding what they€™re doing, making it difficult to detect the malware, according to Trend Micro. Once the IXESHE malware is in the computer, it begins communicating with command-and-control (C&C) servers, with some of those C&Cs being compromised servers within the victim company€™s own network.

€œUsing this approach, the attackers amassed at least 60 C&C servers over time,€ the Trend Micro report says. €œThis technique also allows the attackers to cover their tracks, as having the C&C server in the victims€™ corporate networks means very little C&C traffic leaves them. The attackers€™ deliberate use of compromised machines and dynamic Domain Name System (DNS) services allows them to hide traces of their presence by confusing their activities with data belonging to legitimate individuals.€

According to Trend Micro, almost half of all the C&C servers€”22 percent each€”are in the United States and Taiwan, with others sprinkled around the globe, including in South Korea, Brazil, Hong Kong, Italy and Japan.

The IXESHE attackers€™ methods of operating its C&C servers has made it more difficult than in other attacks for researchers to track them down, though Trend Micro was able to determine that one C&C server was in Guangdong, China.

Trend Micro€™s report notes that early indications were that the people behind IXESHE were from China, but that researchers now believe there is a better chance that they are English-speaking.

€œThe name of the campaign, for one, is most likely a shortened form of €˜manufacturing,€™€ the report states. €œThe OS the C&C server uses is also an English install of Microsoft XP. It is also likely, of course, that the C&C server is a compromised machine so it does not use the attackers€™ first language.€