Aveo

Aveo is a backdoor Trojan that gives remote attackers control over reading and writing files on your PC. Associated security issues may provoke the installation of new threats besides Aveo, or help the Trojan's administrators collect confidential information. Defenses against Aveo's campaign that malware experts currently recommend include scanning unidentified e-mail content and using anti-malware products to remove Aveo if it does succeed in installing itself.

Threat's Back Door into the Nation of Japan

In their simplest formats, backdoor Trojans are not extremely sophisticated threats but do include attack features capable of creating enormous security implications. Even ones based on previously-examined families may avoid outdated identification methods while collecting sensitive data, disabling essential settings or installing other programs. For an example specific to a single country, malware analysts can point out Aveo, a variant of DragonOK (or FormerFirstRAT).

Like its predecessor in backdoor attacks, Aveo only targets Japanese PC owners. Its installer is a disguised e-mail attachment that loads a spreadsheet in Japanese text while also installing Aveo, and then using a batch script for removing any file system-based traces of the act. The spreadsheet's contents invoke data related to a research initiative by the Saitama Institute of Technicalnology, providing a possible clue as to which entities are preferred targets.

Features of Aveo that malware analysts found significant include:

• Aveo uses a Registry modification to maintain persistence in your system after any reboots.
• Aveo transfers some essential system information, such as the version of Windows and IP addresses, to a C&C server. Remote attackers may use these identifiers for coordinating other attacks through their backdoor. Aveo conceals this traffic with an RC4 data-encrypting algorithm using a methodology identical to that of its 2015 family, DragonOK/FormerFirstRAT.
• This backdoor Trojan also has simple, but comprehensive access to the infected PC's file system. Aveo may read existent content, write new data, examine drive lists and directories, and analyze any individual file attributes.

Excelling at Blocking Fake Excel Attacks

Besides its highly geographically-specialized campaign, Aveo's infection vectors also show other characteristics making their visual identification possible. PC owners believing themselves at risk should look for attachments using Microsoft Excel's spreadsheet icon, which the campaign uses to hide the fact that the attachment is an intentionally-misnamed executable. Since Aveo's installer includes a document as a distraction from its real purpose, seeing a spreadsheet open after launching the attachment isn't an indication of safety.

Aveo and FormerFirstRAT are not rated as being especially highly-developed threats by malware analysts but do provide fully-functional backdoors through which con artists may access and control your PC. Assume that Aveo is active until you take steps to disable it, such as booting directly from a recovery device. As always, your anti-malware programs, if kept patched, should detect and delete Aveo during their scheduled or manual system scans.

Ordinarily, e-mail is a technicalnological innovation that has provided incalculable benefit to individuals, businesses, governments and NGOs communicate with one another. However, Japanese PC users forgetting that digital communication also may be a threat attack vector soon may find themselves losing control of the PCs they own.

Technical Details