Targeted espionage malware infects systems in Nepal and China; ESET has named it Win32/Syndicasec.A.
ESET, a global provider of security solutions for businesses and consumers, warns about malicious code samples it has named Win32/Syndicasec.A. ESET telemetry shows that the infection scale is extremely small and strictly limited to Nepal and China. Earlier versions of this threat have been identified dating back to 2010.
What does the malware look like?
Win32/Syndicasec uses an exploit to gain initial access to the target computer. The ESET engine stopped the exploitation attempt but was unable to capture the original exploit itself. ESET's analysis therefore focuses on the malicious script stored in a WMI '__EventConsumer' object (WMI executes such a consumer whenever the event filter bound to it fires). Once properly formatted, the code is straightforward to analyze and almost self-documenting.
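A check a defender would want at this point, added here as an example and not part of the ESET write-up: enumerate the permanent WMI event subscriptions on a host (they live in the root\subscription namespace as __EventFilter, __EventConsumer and __FilterToConsumerBinding instances) and show which consumers carry a script or command-line payload. The review heuristic and the remark about the default consumer are my assumptions, not statements from the article; run it in an elevated PowerShell session on the host under investigation.

```powershell
# Added example (not code from the ESET analysis): list every permanent WMI
# event subscription and the payload its consumer would execute.
# Assumption: run with administrative rights; queries the local host only.

function Get-WmiSubscriptionReport {
    [CmdletBinding()]
    param()

    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # returns derived classes too
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    # Get-CimInstance returns reference properties as CimInstance objects;
    # Get-WmiObject returns them as path strings, so handle both forms.
    function Get-RefName($ref) {
        if ($null -eq $ref) { return $null }
        if ($ref -is [string]) {
            if ($ref -match 'Name="([^"]+)"') { return $Matches[1] }
            return $ref
        }
        return $ref.Name
    }

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
        $cClass = $c.CimClass.CimClassName

        # The executable payload sits in a class-specific property.
        $payload = switch ($cClass) {
            'ActiveScriptEventConsumer' {
                $body = if ($c.ScriptText) { $c.ScriptText } else { "file: $($c.ScriptFileName)" }
                "$($c.ScriptingEngine): $body"
            }
            'CommandLineEventConsumer' { $c.CommandLineTemplate }
            default                    { "(non-script consumer: $cClass)" }
        }

        [pscustomobject]@{
            Filter       = $fName
            FilterQuery  = $f.Query          # the WQL trigger condition
            Consumer     = $cName
            ConsumerType = $cClass
            Payload      = $payload
            # Heuristic (assumption): script and command-line consumers are the
            # ones that execute attacker-supplied code and deserve manual review;
            # a stock Windows install typically carries only an event-log consumer.
            Review       = ($cClass -in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer')
        }
    }
}

Get-WmiSubscriptionReport | Format-List
```

Anything reported with Review = True should be read in full: the filter query tells you when the consumer fires (for example a timer or a process-start event), and the payload is the script or command line that will run under the WMI service's context.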
For the first few days of monitoring, the infected system showed no activity whatsoever. Then commands started arriving from the command-and-control (C&C) servers. The interaction between the C&C and the bot did not look automated at all: every day brought different commands, sent at irregular intervals, as if someone were sitting at a console and manually controlling the infected hosts.
The analysis showed rather unusual techniques used to build a stealthy and flexible backdoor. The lack of built-in commands prevents ESET from discovering the real end goal of the operation. However, ESET can affirm that the characteristics observed around this threat are similar to those of other espionage campaigns against Tibetan activists that ESET has observed.