TrendLabs Malware Blog - Trend Micro
    When celebrity stories such as the death of Whitney Houston are in the press, we expect to see blackhat SEO attacks and other cybercriminal campaigns using these themes to distribute malware. However, a recent targeted attack caught our attention. The lure in this case was the story of Jeremy Lin, the NBA player whose outstanding play for the New York Knicks has drawn international attention. He recently made the front cover of Time magazine under the simple headline “Linsanity”.

    A malicious document named “The incredible story of Jeremy Lin the NBA new superstar.doc”, detected by Trend Micro as TROJ_ARTIEF.LN, was sent on February 16th 2012. It exploits the RTF parsing vulnerability in Microsoft Office that Microsoft patched in MS10-087 (CVE-2010-3333) in order to drop malware on the target’s system; since the flaw is in the RTF parser, the attachment is an RTF file despite its .doc extension, which Word opens without complaint. The dropped malware is detected by Trend Micro as BKDR_MECIV.LN. After successful exploitation, a clean decoy document is opened so that the target does not suspect that anything malicious occurred.

    This attack is actually part of the LURID campaign (often known as Enfal) that we documented in 2011. The victims of that campaign were primarily in Eastern Europe and Central Asia, and this “Linsanity” attack continues that trend.

    We decoded the information that is sent back to the command and control server:

    [host name]:[mac address]
    [ip address]
    windows xp
    1252:0409
    tt
    tb0216
    n
    n
    n
    2.14

    This information contains the host name, MAC address and IP address of the victim, the operating system, and its language settings: “1252:0409” is the ANSI code page (1252, Western European) followed by the Windows locale identifier in hex (0x0409, English, United States). It also contains a campaign code, “tb0216”, so that the attackers can track their attacks; here the code combines the prefix “tb” with the date of the attack, “0216” (February 16).

    As we documented in our paper on LURID, this campaign also targets countries in the former Soviet Union. On February 8th 2012 we discovered another attack that targeted a government office in Eastern Europe.

    The attached document, also detected by Trend Micro as TROJ_ARTIEF.LN, exploits the same Microsoft Office vulnerability (CVE-2010-3333) in order to drop malware on the target’s system. The dropped malware is again detected as BKDR_MECIV.LN, and after successful exploitation a clean decoy document is opened. Both the email and the decoy document contain information about a conference organized by an inter-governmental organization.
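    Both attacks above deliver an RTF exploit under a .doc file name. The following triage check, added here as an illustration and not code from the post or from Trend Micro, compares an attachment's extension with the container magic in its first bytes, which is a cheap first filter for mail-gateway or sandbox intake. The file names and byte strings below are constructed samples, not real malware.

```python
"""Triage check for Office lures: is a ".doc" attachment really an RTF file?

CVE-2010-3333 (MS10-087) is a bug in the Office RTF parser, so a document that
exploits it is RTF whatever extension it is mailed with, and Word opens an RTF
body under a .doc name without complaint.
"""
import os

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (.doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsx) is a zip container
# Word also accepts a truncated RTF header such as "{\rt", so matching the full
# "{\rtf1" would miss evasive samples; match the shortest prefix Word honours.
RTF_MAGIC = b"{\\rt"

# Container a given extension is supposed to carry.
EXPECTED = {".doc": "ole2", ".dot": "ole2", ".docx": "zip", ".rtf": "rtf"}


def container_type(data: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' for anything else."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (expected, actual) when the extension lies about the container, else None."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXPECTED:
        return None  # nothing to compare against for this extension
    actual = container_type(data)
    return None if actual == EXPECTED[ext] else (EXPECTED[ext], actual)


# Constructed sample inputs (not real malware). The first mimics the post's lure,
# a .doc name wrapping an RTF body; the second is a genuine legacy .doc header.
SAMPLES = {
    "The incredible story of Jeremy Lin the NBA new superstar.doc":
        b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\f0 Linsanity\\par}",
    "agenda.doc": OLE2_MAGIC + b"\x00" * 504,
}


def triage(samples):
    """Map each file name to its mismatch verdict (None when consistent)."""
    return {name: extension_mismatch(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name!r}: {'MISMATCH ' + str(verdict) if verdict else 'ok'}")
```

    A mismatch is not proof of exploitation, since benign RTF files are sometimes saved with a .doc name, but a .doc that is really RTF arriving from an external sender deserves detonation before delivery.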

    We decoded the information transmitted to the command and control server:

    [host name]:[mac address]
    [ip address]
    windows xp
    1252:0409
    svchsot.exe
    0dayfeb03.exe
    n
    n
    n
    2.14

    The campaign code embedded in this attack is “0dayfeb03.exe”, which carries the date February 3 2012, several days before the targeted email was sent on February 8th. Despite the “0day” in the name, the exploit used is the older but reliable CVE-2010-3333, which Microsoft had patched in November 2010 (MS10-087). Note also the fifth field, “svchsot.exe”, where the first beacon carried “tt”: the string differs from the legitimate Windows process name svchost.exe only by two transposed letters, so it is worth adding to any indicator list on its own.
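    The two decoded check-ins above share one line-per-value layout, so an analyst tracking this campaign will want them parsed into named fields rather than eyeballed. The code below is an added example, not code from the post or from Trend Micro: it parses both beacons, expands the “1252:0409” locale pair, and recovers the date the operators embed in each campaign code (the trailing MMDD of “tb0216” and the month-name form of “0dayfeb03.exe”). Host names, MAC addresses and IP addresses are constructed placeholders, since the post redacts the real ones, and the meaning attached to the unexplained positions (the fifth field, the three “n” values and “2.14”) is an assumption.

```python
"""Parse the decoded LURID/Enfal check-in into named fields. Field meanings are
the ones the post gives (host:MAC, IP, OS, codepage:LCID, campaign code); the
other positions are kept as raw strings because the post does not explain them."""
import re
from dataclasses import dataclass

# Two check-ins rebuilt from the post. Host name, MAC and IP are constructed
# placeholders (TEST-NET-1 addresses); the post redacts the real values.
LINSANITY_BEACON = """\
WS-FINANCE-07:00-1A-2B-3C-4D-5E
192.0.2.10
windows xp
1252:0409
tt
tb0216
n
n
n
2.14
"""
CONFERENCE_BEACON = """\
GOV-DESK-12:00-1A-2B-3C-4D-5F
192.0.2.11
windows xp
1252:0409
svchsot.exe
0dayfeb03.exe
n
n
n
2.14
"""

# Small lookup tables of standard Windows identifiers; extend as needed.
LCID_NAMES = {0x0409: "en-US", 0x0419: "ru-RU", 0x0422: "uk-UA", 0x043F: "kk-KZ"}
CODEPAGE_NAMES = {1252: "Windows-1252 (Western)", 1251: "Windows-1251 (Cyrillic)"}
MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}


@dataclass
class Beacon:
    host: str
    mac: str
    ip: str
    os: str
    codepage: int
    lcid: int
    field5: str     # "tt" in one sample, "svchsot.exe" in the other; not explained
    campaign: str   # "tb0216", "0dayfeb03.exe"
    flags: tuple    # three "n" values; not explained
    version: str    # "2.14" in both samples; assumed to be a build string


def parse_beacon(text: str) -> Beacon:
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) != 10:
        raise ValueError(f"expected 10 lines, got {len(lines)}")
    host, sep1, mac = lines[0].partition(":")
    cp, sep2, lcid = lines[3].partition(":")
    if not (sep1 and sep2):
        raise ValueError("expected host:mac on line 1 and codepage:lcid on line 4")
    return Beacon(host=host, mac=mac, ip=lines[1], os=lines[2],
                  codepage=int(cp, 10), lcid=int(lcid, 16),  # LCID is written in hex
                  field5=lines[4], campaign=lines[5],
                  flags=tuple(lines[6:9]), version=lines[9])


def describe_locale(b: Beacon) -> str:
    cp = CODEPAGE_NAMES.get(b.codepage, f"codepage {b.codepage}")
    lc = LCID_NAMES.get(b.lcid, f"LCID 0x{b.lcid:04X}")
    return f"{cp}, {lc}"


def campaign_date(code: str):
    """Recover the (month, day) the operators embed in the campaign code: a
    trailing MMDD ("tb0216") or month abbreviation plus day ("0dayfeb03.exe").
    Returns None when no plausible date is present."""
    code = code.lower()
    m = re.search(r"(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)(\d{2})", code)
    if m:
        month, day = MONTHS[m.group(1)], int(m.group(2))
    else:
        m = re.search(r"(?<!\d)(\d{2})(\d{2})(?!\d)", code)
        if not m:
            return None
        month, day = int(m.group(1)), int(m.group(2))
    return (month, day) if 1 <= month <= 12 and 1 <= day <= 31 else None


def summarize(text: str) -> dict:
    """Flatten one check-in into a record for a campaign-tracking sheet."""
    b = parse_beacon(text)
    return {"host": b.host, "mac": b.mac, "ip": b.ip, "os": b.os,
            "locale": describe_locale(b), "campaign": b.campaign,
            "campaign_date": campaign_date(b.campaign), "version": b.version}


if __name__ == "__main__":
    for sample in (LINSANITY_BEACON, CONFERENCE_BEACON):
        print(summarize(sample))
```

    Keying a tracking sheet on the campaign code and its embedded date is what lets an analyst line up separate waves of the same operation, as the post does for the February 3 and February 16 codes.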

    These attacks demonstrate that even well-known campaigns may run continuously for long periods of time. The people behind them use variants of the same malware and constantly launch new attacks against their targets, and they continue to exploit newsworthy events in order to lure potential victims into opening malicious email attachments.

    We are monitoring this campaign and will update this blog once more information becomes available.
