New Trojan Disguised as Windows IME
by Dennis Fisher
There's a new attack technique in use right now that enables attackers to inject Trojan code onto victims' machines by disguising it as a Windows input method editor (IME).
The technique is a twist on the classic attack vector of making malicious code look like something benign. In this case, the attack code is being disguised as an IME, which is a component of Windows that's designed to allow users with one type of keyboard to input characters from other alphabets. The payload in the new attack is a Trojan.
According to an analysis by Websense researchers, this specific Trojan, when run on a victim's machine, creates a new file named winnea.ime in the System folder. Once it's running on the PC, the Trojan disables any antimalware software that's present and also attempts to delete the executable files associated with the antimalware product.
Continues at Threatpost
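A defender's check for the behavior described above, added here as an example and not taken from the Websense analysis: it lists every .ime file in the System folder, flags the reported file name, and shows signature and registration status. It assumes legacy IMEs are registered through the "Ime File" value under the Keyboard Layouts registry key; the variable names are illustrative.

```powershell
# Added example: audit IME files in the Windows System folder.
# Indicator from the article: a file named winnea.ime in the System folder.
$systemDir = [Environment]::SystemDirectory
$indicator = 'winnea.ime'

# File names of IMEs registered as keyboard layouts (assumption: legacy IMEs
# record their file in the "Ime File" value of each layout subkey).
$layoutRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts'
$registered = Get-ChildItem -Path $layoutRoot -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).'Ime File' } |
    Where-Object { $_ } |
    ForEach-Object { $_.ToLowerInvariant() }

# Collect name, creation time, hash, signature and registration for each file.
$report = Get-ChildItem -Path $systemDir -Filter '*.ime' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name       = $_.Name
            CreatedUtc = $_.CreationTimeUtc
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signature  = $sig.Status
            Signer     = $sig.SignerCertificate.Subject
            Registered = $registered -contains $_.Name.ToLowerInvariant()
            MatchesIoC = $_.Name -ieq $indicator
        }
    }

$report | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize

# A name match is a direct hit on the article's indicator. A file that is not
# validly signed is a lead to review, not a verdict on its own.
$suspect = $report | Where-Object { $_.MatchesIoC -or $_.Signature -ne 'Valid' }
if ($suspect) {
    Write-Warning "IME files needing review: $($suspect.Name -join ', ')"
} else {
    Write-Output 'No IME file matched the indicator or failed signature validation.'
}
```

Because the Trojan disables antimalware software, run a check like this from a trusted session or against an offline image rather than relying on the infected host's own tooling.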