ESET: Targeted Espionage Malware in Action

11th July 2013 | By Mouseworld Now Correspondent |

Mumbai, India, July 11, 2013: ESET, global provider of security solutions for businesses and consumers, says malware researchers of ESET found one of the malicious code samples in the name of ESET i.e. ESET named Win32/Syndicasec.A. ESET telemetry systems show that the infection scale is extremely small and strictly limited to Nepal and China. Previous versions of this threat were identified dating back to 2010.

The main payload is a piece of Javascript code registered in the Windows WMI subsystem. The threat uses fake blogs to discover its C&C servers, which are hosted on Tibet-related domains. The commands sent to ESET test machine infected for the purpose of this investigation were sent manually by the attacker and consisted in collecting information from the file system and the registry. The characteristics of this operation are very similar to previous campaigns of espionage against Tibetan activists such as OS X Lamadai and others.

Win32/Syndicasec uses an exploit to get access to a target computer in the first instance. ESET engine successfully stopped the exploitation attempt but was unable to capture the original exploit itself. ESET looks at the malicious script contained in the ’__EventConsumer’ object. The code is straightforward to analyze and almost self-documenting once properly formatted.

Observed activity

In parallel with analysis of the code, ESET started to monitor the behavior of a test machine that ESET infected with Win32/Syndicasec. The first few days of monitoring showed no activity whatsoever. ESET then started receiving commands from the C&C. The interaction between the C&C and the bot did not look to be automated at all. Every day would bring different commands sent at non-regular time intervals, making it look just as if someone was sitting behind a console and manually controlling infected hosts.

ESET have included the entire code for only a few interesting calls for the sake of brevity. Basically, the operator was browsing ESET filesystem and looking at detailed settings and operations on the infected machine, such as network settings, attached drives and running programs. The day after this visit, the operator sent another set of commands to gather some system information specific to our infected system.In this session, the commands sent by the operator had roughly the same purpose, but were done differently, strongly suggesting a different operator to the previous day.


This analysis showed an implementation of rather unusual techniques to build a stealthy and flexible backdoor. The lack of built-in commands prevents ESET from discovering the real end-goal of this operation. However, ESET can affirm that the various characteristics observed around this threat are similar to other espionage campaigns against Tibetan activists that ESET have observed.


© Mouseworld Now News Service

Tags: , , ,

Leave your comment

IMPORTANT! To be able to proceed, you need to solve the following simple math

What is 3 + 10 ?
Please leave these two fields as-is:

Mouseworldnow Videos
  • r chandrashekhar president nasscom
  • Anant Maheshwari, President, Microsoft India
  • Suresh_Vaswani-220 by 220

Channel News

  • RP tech India Successfully Conducts Touching Everyone’s Life 2018 more...
  • iValue Appointed Distributor for Arcserve’s Hybrid Cloud Data Protection Solutions more...
  • iValue Registers Impressive growth of 70% in FY2017-18 more...
  • NetRack Showcases iRack Block at DCD Bangalore more...
  • Capillary Technologies to help boost Bata’s Omnichannel CRM strategies in Southeast Asia more...
Subscribe via email

Enter your email address:

What does the mouse ask?

Will the spurt in online video advertisement steal the twinkle from the TV ad platform?

View Results

Loading ... Loading ...
Newsletter Registration