March 01, 2016

"Open source libraries used in the Mars Rover software are being abused by malware creators as part of a cyber-espionage campaign against the Indian government."

Softpedia: According to Palo Alto Networks, on December 24, 2015, India's Ambassador to Afghanistan received a spear-phishing email that contained a new malware variant, which, if downloaded and installed, would have opened a backdoor on the official's computer. By Catalin Cimpanu

'The email was spoofed and made to look like it was coming from India's Defense Minister, Manohar Parrikar. Attached to the email was an RTF file. Palo Alto researchers say that this file contained malicious code to exploit the CVE-2010-3333 Office XP vulnerability, resulting in the download of a file named "file.exe" from the newsumbrealla[.]net domain. This file was automatically launched into execution and was a simple malware payload dropper that was tasked with downloading the real threat, a new trojan that the researchers christened Rover.

'This malware was given the "Rover" name because it relied on the OpenCV and OpenAL open source libraries, both used in the software deployed with the famous Mars Rover exploration robot. OpenCV is a library used in computer vision applications and image processing while OpenAL is a cross-platform library for working with multichannel audio data.

'The Rover malware needed these two libraries because its main role was to spy on infected targets. Its capabilities included the ability to take screenshots of the desktop in BMP format and send them to the C&C server every 60 minutes, logging keystrokes and uploading the data to the C&C server every 10 seconds, and scanning for Office files and uploading them to the C&C server every 60 minutes. Additionally, there was a backdoor component that allowed attackers to send commands from the C&C server and tell Rover to take screenshots or start recording video (via webcam) and audio (via microphone) whenever the attacker wanted to.'
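The delivery chain above starts with an RTF attachment carrying the CVE-2010-3333 exploit, so the first thing a mail gateway or analyst can do is static triage of the attachment before it reaches Word. The following is an added example, not code from the Softpedia article or from Palo Alto Networks. It assumes the publicly documented shape of that exploit (a pFragments shape property whose \sv value is far longer than any legitimate one); the 64-byte threshold, the lenient-header check and the helper names are this example's own choices.

```python
r"""Static triage of an RTF attachment for the CVE-2010-3333 exploit pattern.

Added example, not code from the Softpedia article or Palo Alto Networks.
Assumptions: the public CVE-2010-3333 exploit shape (a pFragments shape
property whose \sv value is far longer than any legitimate one); the 64-byte
threshold and the helper names are this example's own choices.
"""
import re

# Word's RTF parser is lenient: it opens files whose header is truncated to
# "{\rt", so a check for the full "{\rtf1" misses evasive samples.
RTF_HEADER_RE = re.compile(rb"^\s*\{\\rt")

# pFragments is a legitimate shape property, so its presence alone is not
# malicious; the exploit pairs it with an oversized \sv (shape value) string.
PFRAGMENTS_RE = re.compile(rb"\\sn\s*pFragments", re.IGNORECASE)
SV_VALUE_RE = re.compile(rb"\\sv(?![A-Za-z])\s*([0-9A-Fa-f;]+)", re.IGNORECASE)

MAX_BENIGN_SV_LEN = 64  # assumption: legitimate pFragments values are short


def triage_rtf(data: bytes) -> dict:
    """Return indicator flags for one attachment; 'suspicious' is the verdict."""
    findings = {
        "is_rtf": bool(RTF_HEADER_RE.match(data)),
        "pfragments": False,
        "oversized_sv": False,
        "suspicious": False,
    }
    if not findings["is_rtf"]:
        return findings
    findings["pfragments"] = bool(PFRAGMENTS_RE.search(data))
    # Look at every \sv value in the file; the exploit's value is the
    # overflow buffer itself, so one oversized value is enough to flag.
    sv_lengths = [len(m.group(1)) for m in SV_VALUE_RE.finditer(data)]
    findings["oversized_sv"] = bool(sv_lengths) and max(sv_lengths) > MAX_BENIGN_SV_LEN
    findings["suspicious"] = findings["pfragments"] and findings["oversized_sv"]
    return findings


if __name__ == "__main__":
    # Constructed samples (not real attachments): a plain document and one
    # carrying the pFragments/\sv shape used by CVE-2010-3333 exploits.
    benign = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\f0 Quarterly report.\\par}"
    exploit_shaped = (b"{\\rtf1{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;4;"
                      + b"41" * 200 + b"}}}}}")
    print(triage_rtf(benign))
    print(triage_rtf(exploit_shaped))
```

The check is deliberately narrow: it flags only the pairing of the pFragments property with an oversized value, because pFragments by itself appears in ordinary documents with drawn shapes. A sample that passes this check can still be malicious (other RTF exploits, or an embedded OLE object that drops "file.exe" some other way), so treat it as one signature in a gateway pipeline rather than a verdict.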
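The capabilities list above is also a detection opportunity: keystroke uploads every 10 seconds and screenshot and document uploads every 60 minutes are hard-coded timers, and a timer leaves near-constant gaps between requests to the same destination. The following is an added example, not code from the article or from Palo Alto Networks, that finds such fixed-interval beaconing in proxy logs. It goes beyond the specific 10-second case and flags any client/host pair whose request gaps are nearly constant. The log format, the hosts, the sample lines and the thresholds are all this example's own assumptions.

```python
"""Fixed-interval beacon detection over proxy log lines.

Added example, not code from the article or from Palo Alto Networks. The log
format, hosts and thresholds below are this example's own assumptions; the
detection idea is that exfiltration on a hard-coded timer (the report's
10-second and 60-minute uploads) produces near-constant gaps between requests.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real traffic). Fields: timestamp, client IP,
# destination host, method, bytes sent. The first host receives a POST every
# ten seconds; the second is ordinary browsing with irregular gaps.
SAMPLE_LOG = """\
2015-12-24T10:00:00 10.0.0.5 c2.example.invalid POST 812
2015-12-24T10:00:10 10.0.0.5 c2.example.invalid POST 790
2015-12-24T10:00:20 10.0.0.5 c2.example.invalid POST 805
2015-12-24T10:00:30 10.0.0.5 c2.example.invalid POST 798
2015-12-24T10:00:40 10.0.0.5 c2.example.invalid POST 811
2015-12-24T10:00:50 10.0.0.5 c2.example.invalid POST 803
2015-12-24T10:00:03 10.0.0.5 news.example.invalid GET 120
2015-12-24T10:00:41 10.0.0.5 news.example.invalid GET 3400
2015-12-24T10:02:15 10.0.0.5 news.example.invalid GET 980
2015-12-24T10:05:07 10.0.0.5 news.example.invalid GET 2200
2015-12-24T10:07:59 10.0.0.5 news.example.invalid GET 1500
2015-12-24T10:12:30 10.0.0.5 news.example.invalid GET 640
"""


def parse_log(text: str):
    """Yield (timestamp, client, host, method, bytes_out) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, method, size = line.split()
        yield datetime.fromisoformat(ts), client, host, method, int(size)


def find_beacons(events, min_events: int = 5, max_cv: float = 0.15) -> dict:
    """Return {(client, host): stats} for pairs whose request gaps are
    nearly constant.

    cv is the coefficient of variation (stdev / mean) of the gaps: 0.0 for a
    perfect timer, larger as jitter or human browsing spreads the gaps out.
    min_events and max_cv are tuning assumptions, not values from the report.
    """
    times = defaultdict(list)
    for ts, client, host, _method, _size in events:
        times[(client, host)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = {"count": len(stamps), "interval": avg, "cv": cv}
    return beacons


if __name__ == "__main__":
    for (client, host), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {stats['count']} requests every "
              f"{stats['interval']:.0f}s (cv={stats['cv']:.2f})")
```

Two caveats for use on real logs. Many implants add random jitter to their sleep timer, which is why the check uses a tolerance on the coefficient of variation rather than exact equality; raise max_cv to catch jittered beacons at the cost of more noise. And legitimate software (update checkers, monitoring agents) also beacons on timers, so pair a hit with destination reputation and with the upload pattern the report describes: BMP screenshots every hour are large, uniformly sized POSTs, which browsing does not produce.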
