Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    August 2014
    S M T W T F S
    « Jul    
     12
    3456789
    10111213141516
    17181920212223
    24252627282930
    31  
  • About Us

    We have recently analyzed a series of emails sent to specific users that leverage a certain prominent socio-political issue.  One of these messages is about the supposed statement from the German Chancellor regarding the protests in Lhasa, Tibet.  The From field indicates that it came from a key officer from the ATC or Australian Tibet Council.  But of course, the email is faked and the email address was just created and used to impersonate the said ATC officer. It also includes a .DOC file that supposedly contains the relevant parts of the statement. Once downloaded, the file detected as TROJ_ARTIEF.AE exploits a vulnerability in Microsoft Word (CVE-2010-3333) to drop other files. This file is detected as TSPY_MARADE.AA. TSPY_MARADE.AA was found to gather network and system information once specific shell commands are executed. These stolen data are then uploaded to malicious sites.

    Click for larger viewWe received another sample with more details in its message. It purportedly comes from the Tibetan Women’s Association Central, which contains the recent speech given by TWA during the 56th Session of the Commission on the Status of Women at the United Nations Commission. Like the first sample, it comes with a .DOC file of the complete speech.  This attachment is detected as TROJ_ARTIEF.CP and drops the malware TROJ_REDOSDR.AH.

    Click for larger viewBased on our analysis, we have reason to believe that these messages are part of a targeted attack.  Both samples use specific political issues as social engineering bait.  We also noticed that the people behind these attacks have a certain level of knowledge about the important figures and organizations in the TibetMovement.  The messages spoofed the organizations TWA Central and Australian Tibet Council to appear credible to intended recipients. This is a common technique used by spammers and those behind targeted attack campaigns and does not necessarily mean that these groups were compromised.  To add to our suspicions that this is a possible targeted attack, the TWA sample email was directed specifically to the email address of a prominent Tibetan figure.

    Below is a list of email we intercepted with malicious attachments related to this incident. This list, however, is not definitive as there may be other variants yet to be seen.

    Email Subject Attachment File Name Attachment Type Attachment Detection Name Dropped File Detection Name
    Germany Chancellor Again Comments on Lhasa protests Germany Chancellor Again Comments on Lhasa Protests.doc .DOC TROJ_ARTIEF.AE TSPY_MARADE.AA
    TWA’s speech in the meeting of the United Nations Commission for Human Rights TheSpeech.doc .DOC TROJ_ARTIEF.CP TROJ_REDOSDR.AH
    Fowarding of TWA message English_Final_Statement.doc, English_Final_Statement_1.doc .DOC TROJ_ARTIEF.DA, TROJ_ARTIEF.DB TROJ_SWISYN.GT
    Open Letter To President Hu Letter.doc .DOC TROJ_ARTIEF.DD TSPY_ROFU.NSS
    Tibetan environmental situations for the past 10 years Tibetan environmental statistics.xls .XLS TROJ_MDROPPR.BJ BKDR_MECIV.AC
    An Urgent Appeal Co-signed by Three Tibetans Appeal to Tibetans To Cease Self-Immolation.doc .DOC TROJ_ARTIEF.CX TROJ_SASFIS.UL
    About TYC Centrex Notice and New email id of TYC Centrex Centrex_Contact.doc .DOC TROJ_ARTIEF.CZ TROJ_SHWOM.A
    [Tanc] JOINS US: March 10, Saturday: 53rd Commemoration of the 1959 Tibetan National Uprising Day. march10.doc .DOC TROJ_ARTIEF.DF TROJ_SHWOM.A
    10th march speech 10th March final.doc, 10th March final.pdf .DOC, .PDF TROJ_ARTIEF.CU BKDR_MECIV.AA, BKDR_MECIV.AD
    FW: Call for End to Burnings Support List.xls .XLS TROJ_MDROPPR.BK BKDR_PROTUX.BK, BKDR_PROTUX.BJ
    Public Talk by the Dalai Lama _ Conference du Dala_ Lama Ottawa, Saturday, 28th April 2012 Public Talk by the Dalai Lama.doc .DOC TROJ_ARTIEF.DG TROJ_SWISYN.GT
    Bonafide Certificate of Miss Tenzin Tselha tentselha.zip (contains tentselha.jpg, tentselha.jpg.lnk, tentselha1.jpg) ZIP (containing LNK, EXE, JPG) TROJ_REDOSDR.AH TROJ_REDOSDR.AH
    TWA mourns the self immolation deaths of two female protesters this past weekend TWA mourns the self immolation deaths of two female protesters.doc .DOC TROJ_ARTIEF.SM3 TSPY_MARADE.AA, TSPY_ZBOT.BPG
    Self-Immolations: New heightened form of Non Violent protests in Tibet TWA looks back at the aftermath and the undercurrents of the 52 years of Chinese rule in Tibet.doc .DOC TROJ_ARTIEF.DH BKDR_AGENT.ZZZZ
    Arrest and protests mar ‘Losar’ week in Tibet.eml an appealing letter to the United Nations.doc .DOC TROJ_ARTIEF.CW TROJ_SWISYN.HV
    UN Human Rights Council publishes written statement on discrimination in Tibet.eml G1210456.doc .DOC TROJ_ARTIEF.CT TROJ_SWISYN.HV
    Students For A Free Tibet !.eml Action Plan for March 10th.doc .DOC TROJ_ARTIEF.JD BKDR_DUOJEEN.A

    The infection chain shown by the two samples above is noticeably similar to a previous attack that used NBA star Jeremy Lin as a social engineering hook. If you check out some of our blog postings on targeted attacks from way back in 2008 such as the ones we wrote about here and here, you will find similarities from past targeted attack campaigns of the same nature. Each scenario involves a malicious .DOC file that exploits a Microsoft Word vulnerability to drop infostealing malware.

    If you see any of these messages in your inbox, please delete them immediately. If you’ve already opened or downloaded the attached files, please coordinate with Trend Micro support team. As a rule, always be cautious with opening your email, especially with opening and downloading attachments. Even mail coming from supposedly trusted sources must be taken with a grain of salt as cybercriminals are crafty with spoofing email addresses to make it appear legitimate.

    We will continue to monitor this campaign and update this blog post with our analysis.

    With additional text by Nart Villeneuve





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon






     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice