    Archive for February 14th, 2014

    RTF (Rich Text Format) files have been used before by cybercriminals, but of late it seems their use of this format is becoming more creative.

    We’d earlier talked about how CPL files were being embedded in RTF files and sent to would-be victims as an e-mail attachment. These CPL files would then proceed to download malicious files, which would be run on the affected systems.

    Earlier samples used instructions in Portuguese, but newer samples now use German:

    Figure 1. German-language RTF document

    Overall, the tactics are still the same – the RTF file contains an embedded “receipt” with instructions to double-click the receipt. Double-clicking this file runs the CPL malware, which downloads the payload.

    Figure 2. Code of RTF document

    In this particular case, the URL is no longer accessible so we cannot be 100% sure what the payload was. However, previous incidents have used information stealers, so in all likelihood that would have been the case here as well. We detect this variant of CPL malware as TROJ_CHEPRTF.SM2.

    A separate case also embedded malware into an RTF file, but this time the embedded malware belonged to the ZBOT malware family. This ZBOT variant is detected as TSPY_ZBOT.KVV; it has the capability to steal user names and passwords from various sources such as email, FTP and online banking.
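Both cases above hinge on the same container trick: an OLE "Package" object embedded in the RTF that wraps an executable file (a .cpl in the first case, a ZBOT binary in the second). The following triage helper is an added example, not Trend Micro's code or detection logic; it walks the `\objdata` groups of an RTF, hex-decodes each embedded object and flags Package objects that carry an executable-looking filename or a PE image. The sample RTF it builds is constructed here with a simplified OLE 1.0 layout (offsets are not spec-exact and the parser does not rely on them); the filename `Comprovante.cpl` is an assumed placeholder.

```python
import re

# Added triage helper for RTF files carrying embedded OLE objects (the lure described above).
OBJDATA_RE = re.compile(rb"\\objdata\b")
CONTROL_WORD_RE = re.compile(rb"\\\*?[a-zA-Z]+-?\d*\s?")
# Extensions Windows executes on double-click; the post's "receipt" was a .cpl file.
EXEC_NAME_RE = re.compile(rb"([\w\-]+\.(?:cpl|exe|scr|com|bat|vbs|js|dll))\x00", re.IGNORECASE)
DOS_STUB = b"This program cannot be run in DOS mode"

def objdata_groups(rtf: bytes):
    """Yield the body of every objdata group, tracking nested braces."""
    for m in OBJDATA_RE.finditer(rtf):
        depth, start, i = 1, m.end(), m.end()
        while i < len(rtf) and depth:
            depth += (rtf[i] == 0x7B) - (rtf[i] == 0x7D)  # '{' opens, '}' closes
            i += 1
        yield rtf[start:i - 1]

def decode_objdata(group: bytes) -> bytes:
    """Drop control words and whitespace, then hex-decode the embedded object."""
    hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", CONTROL_WORD_RE.sub(b"", group))
    return bytes.fromhex(hexdigits[: len(hexdigits) & ~1].decode("ascii"))

def analyze_rtf(rtf: bytes) -> list:
    """One finding per embedded object; Package objects wrapping executables are flagged."""
    findings = []
    for idx, group in enumerate(objdata_groups(rtf)):
        blob = decode_objdata(group)
        names = sorted({m.group(1).decode("latin-1") for m in EXEC_NAME_RE.finditer(blob)})
        f = {"object": idx, "size": len(blob),
             "package": b"Package\x00" in blob,  # OLE class used to wrap arbitrary files
             "pe_inside": DOS_STUB in blob, "exec_names": names}
        f["suspicious"] = f["package"] and (bool(names) or f["pe_inside"])
        findings.append(f)
    return findings

def build_sample_rtf(filename: str = "Comprovante.cpl") -> bytes:
    """Constructed lure: Package object wrapping a fake .cpl (simplified OLE 1.0 layout, not spec-exact)."""
    payload = b"MZ\x90\x00" + DOS_STUB + b"\x00"  # stand-in for the embedded executable
    name = filename.encode("latin-1") + b"\x00"
    native = b"\x02\x00" + name + b"C:\\Temp\\" + name + b"\x00\x00" + payload  # label, path, data
    ole1 = (b"\x01\x05\x00\x00\x02\x00\x00\x00"  # OLE version, embedded-object format id
            + b"\x08\x00\x00\x00Package\x00"      # class name
            + b"\x00\x00\x00\x00" * 2             # empty topic and item names
            + len(native).to_bytes(4, "little"))
    hexdata = (ole1 + native).hex().encode("ascii")
    return (b"{\\rtf1\\ansi Clique duas vezes no recibo anexo: {\\object\\objemb"
            b"{\\*\\objclass Package}{\\*\\objdata " + hexdata + b"}}}")

if __name__ == "__main__":
    for finding in analyze_rtf(build_sample_rtf()):
        print(finding)
```

To triage a real attachment, pass the file's bytes to `analyze_rtf()`; any finding with `suspicious` set warrants quarantining the message rather than letting the user double-click the "receipt".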

    These incidents highlight how cybercrime techniques are always improving. RTF files may have been used in these cases because users may not know that RTF files can be used to spread malware, and even if they do know they may not be able to easily determine which files are malicious and which are not.

    In addition, using RTF files to spread ZBOT is unusual, as it’s typically spread via other means such as downloaders, malicious sites, or spam. This shows how cybercriminals are willing to embrace new tactics to achieve their goals.

    We encourage users to be careful when opening email messages and attachments. Never download and open attachments unless they can be verified. Businesses should deploy a network-level mail scanning solution and enable scanning of email messages.

    The Trend Micro™ Smart Protection Network™ protects users from this threat by blocking access to all related malicious URLs, and preventing the download and execution of the malicious file.

    Update as of 7:00 PM PST, March 6, 2014

    The hashes of the files involved in this attack are:

    • 38575dba3ef61f3f2ddf0e923e115fb715167498
    • 64865ccf8bac950111de261c9137f336a873c753
    • 114527673e8a89c5eae25d6aad2fcffc52770029
    • ee140fa0683d18cd570c5ea206a3bc54259240e6

    A new zero-day vulnerability in certain versions of Internet Explorer has been identified and is being used in targeted attacks. Microsoft has not released an official bulletin acknowledging this vulnerability yet, but has spoken to news sites and confirmed that both Internet Explorer 9 and 10 are affected. The newest version, Internet Explorer 11, does not suffer from this vulnerability.

    If exploited, this vulnerability allows an attacker to target users with a drive-by download, allowing files to be downloaded and run on user systems without any user input needed beyond visiting a website.

    Two versions of Windows are not affected by this threat: Windows 8.1 (because it includes IE11) and Windows XP (because it only supports up to IE8). All other versions of Windows are at potential risk, depending on the version of Internet Explorer present on the system.

    This attack was initially spotted on the website of a non-profit organization in the United States. The files used in this exploit are detected as HTML_EXPLOIT.PB, HTML_IFRAME.PB, and SWF_EXPLOIT.PB. The backdoor that was planted on affected machines using this zero-day is detected as BKDR_ZXSHELL.V. No formal bulletin or workarounds have been issued by Microsoft; we recommend that users of Windows 7 or 8 consider upgrading to Internet Explorer 11 to avoid this problem.

    We are currently analyzing both the exploit itself and the payloads used in this attack, and will provide further information as appropriate.

    Update as of 5:00 PM PST, February 16, 2014:

    We have released new Deep Security rules that provide protection against this vulnerability, namely:

    • 1005908 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322)
    • 1005909 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322) – 2
    • 1005911 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322) – 3

    Update as of 11:00 PM PST, February 19, 2014:

    Microsoft has released an advisory acknowledging this attack and confirming that it is limited to Internet Explorer 9 and 10. A workaround has also been provided in the form of a Microsoft Fix It solution.
