Deep Discovery is Trend Micro’s answer to the heightening digital threats facing institutions and organizations. It is a platform that detects intrusions as they occur and responds in real time by adapting its defenses and protecting data.
Deep Discovery is based on the findings of Operation Tropic Trooper, a persistent threat campaign that infiltrates key government organizations and compromises sensitive data. It gets into a system through spear-phishing email messages crafted to exploit old Microsoft Office vulnerabilities. A user who opens these messages and downloads the attached images, which carry pieces of malicious code, can have their data stolen. Moreover, a rootkit is installed on the system that kills processes and services, deletes files, and puts the system to sleep.
One of the targets of Operation Tropic Trooper is the Philippine military.
Trend Micro has shared a few facts about this threat that every user should know:
1. Some of the file names of the Operation Tropic Trooper email attachments include:
- 3AD 28 March 2013, SI re ASG Plan Bombing in Zamboanga City.doc
- Troops Disposition 26 FEB 13.doc
- 2nd qtr 2013 AR PF15.doc
- Draft AS-PH MLSA – v3 DAGTS_CFO_ILOG_DSA Clean.doc
2. Targeted attack activity was heaviest in March and dwindled in the succeeding two months.
3. The command-and-control (C&C) servers used in this campaign were located in 4 countries: Taiwan (43% of the servers), USA (36%), Hong Kong (14%) and the UAE (7%).
4. The identities and motivations of the actors behind the campaign have yet to be identified.
5. Steganography, the technique of concealing data inside other data, was used in this attack. The threat actors inserted malicious code into JPEG files popularly used as Windows XP wallpapers.
6. Although steganography is not a new cybercriminal tactic, it is not commonly used in targeted attacks. There are, however, probable reasons why this technique (malicious code hidden in XP wallpapers) was used in Operation Tropic Trooper:
- As of the first half of this year, almost 17% of systems in Taiwan and 13% in the Philippines still run on Windows XP. Given that it takes longer for larger agencies to upgrade their systems, there is a high probability that the targets of this campaign still use the vulnerable OS. This makes it easier for the threat actors to conceal malicious activity.
- The threat actors may also have opted for this form of steganography because they either still use the legacy OS themselves or have an intimate knowledge of it.
7. As with other targeted attacks, organizations need to implement a custom defense strategy that protects against every stage of an attack.
8. Since Operation Tropic Trooper exploits old, already known vulnerabilities, organizations should look into patch management. Organizations also need to invest in threat intelligence gathering so they can block potential threats before those threats affect them.
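Items 5 and 6 above say only that malicious code was hidden in JPEG wallpapers; the article does not describe how it was embedded. As an added, defender-side illustration (not Trend Micro's code and not a reproduction of the campaign's technique), the script below implements one generic heuristic a triage analyst might run over image attachments: walk the JPEG segment structure, flag any bytes appended after the End-Of-Image marker, flag oversized APPn/COM metadata segments, and note when the trailing data starts with a PE `MZ` header. The sample image bytes are constructed inline for the demonstration and are not a real wallpaper; the size thresholds are assumptions, not values from the article.

```python
"""Heuristic scan of JPEG files for data hidden in or after the image structure.

Added example for triage of image attachments; thresholds are assumptions.
"""
import struct
from dataclasses import dataclass, field

EOI, SOS = 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


@dataclass
class JpegScan:
    segments: list = field(default_factory=list)   # (marker, payload length)
    trailing_bytes: int = 0                          # bytes found after EOI
    suspicious: list = field(default_factory=list)  # human-readable findings


def scan_jpeg(data: bytes, max_app_len: int = 16384, max_comment_len: int = 1024) -> JpegScan:
    """Walk the marker segments of a JPEG and report structural anomalies."""
    result = JpegScan()
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        result.suspicious.append("not a JPEG (missing SOI marker)")
        return result
    pos, eoi_found = 2, False
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            result.suspicious.append(f"unexpected byte at offset {pos} where a marker belongs")
            return result
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            result.segments.append((marker, 0))
            pos += 2
            if marker == EOI:
                eoi_found = True
                break
            continue
        if pos + 4 > len(data):
            result.suspicious.append("truncated segment header")
            return result
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = length - 2
        if pos + 2 + length > len(data):
            result.suspicious.append(f"segment 0x{marker:02X} claims {length} bytes past end of file")
            return result
        result.segments.append((marker, payload))
        # Metadata segments are a common place to stash foreign data.
        if 0xE0 <= marker <= 0xEF and payload > max_app_len:
            result.suspicious.append(f"oversized APP{marker - 0xE0} segment ({payload} bytes)")
        if marker == 0xFE and payload > max_comment_len:
            result.suspicious.append(f"oversized COM segment ({payload} bytes)")
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows; FF D9 cannot occur inside it (FF is
            # byte-stuffed as FF 00), so the next FF D9 is the real EOI.
            eoi = data.find(b"\xff\xd9", pos)
            if eoi == -1:
                result.suspicious.append("no EOI marker after scan data")
                return result
            pos = eoi
    if not eoi_found:
        result.suspicious.append("file ends before EOI marker")
        return result
    result.trailing_bytes = len(data) - pos
    if result.trailing_bytes:
        result.suspicious.append(f"{result.trailing_bytes} bytes appended after EOI")
        if data[pos:pos + 2] == b"MZ":
            result.suspicious.append("trailing data begins with a PE 'MZ' header")
    return result


def build_sample(trailer: bytes = b"") -> bytes:
    """Construct a minimal (not decodable) JPEG byte string with an optional trailer."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"        # 14-byte APP0 payload
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    sos_payload = b"\x01\x01\x00\x00\x3f\x00"                       # 6-byte SOS payload
    sos = b"\xff\xda" + struct.pack(">H", len(sos_payload) + 2) + sos_payload
    scan_data = b"\x12\x34\xff\x00\x56\x78"                         # includes a stuffed FF 00
    return b"\xff\xd8" + app0 + sos + scan_data + b"\xff\xd9" + trailer


if __name__ == "__main__":
    for label, blob in (("clean", build_sample()), ("tampered", build_sample(b"MZ" + b"\x90" * 100))):
        r = scan_jpeg(blob)
        print(label, r.trailing_bytes, r.suspicious)
```

Run it on real files by reading them in binary mode and passing the bytes to `scan_jpeg`; a clean image yields zero trailing bytes and no findings. The check is a heuristic only: appended payloads are one embedding style, and a file that passes can still carry data hidden in pixel values or legitimate-looking segments, so treat a hit as a reason to escalate, not a verdict.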
For more information on Operation Tropic Trooper and Trend Micro Deep Discovery, visit http://www.trendmicro.com.ph/.