Global political news is a popular social engineering hook for cybercriminals looking to lure users into opening malicious files. We recently found a malicious file that leverages one such noteworthy incident, and it leads to systems being infected with a backdoor.
During the second week of April, the most talked-about news was North Korea’s failed attempt to launch a rocket. As expected, the bad guys were on the prowl for their next social engineering bait, and this news item was found to be a fitting choice.
The file we found was named North Korea satellite launch eclipses that of Iran.doc. The file, detected as TROJ_ARTIEF.DOC, may arrive as an attachment to an email message. Despite the .doc extension, it is an RTF document; once opened in an unpatched version of Microsoft Word, it exploits the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) to drop the backdoor BKDR_POISON.DOC onto the system.
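The two traits above, a .doc file name on RTF content and an RTF shape property associated with CVE-2010-3333, are cheap to check on incoming attachments before a sample ever reaches a sandbox. The triage script below is an added example, not code from Trend Micro or from the analysis above. It assumes, from the public description of CVE-2010-3333 (fixed in MS10-087), that the vulnerable code path is the parsing of the pFragments shape property, so an RTF that carries an oversized pFragments value is worth a closer look. The sample inputs are constructed here, not taken from the malware discussed on the page, and the 256-byte threshold is an arbitrary triage choice.

```python
import re

# Constructed sample inputs (not captured from the sample described on the page).
RTF_MAGIC = b"{\\rtf"

# Minimal RTF with a shape carrying the pFragments property. The long value
# is plain padding: this is a triage signature, not an exploit.
SUSPICIOUS_RTF = (
    b"{\\rtf1{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;"
    + b"41" * 2000
    + b"}}}}}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Hello from a harmless document.\\par}"
# OLE2 compound-file header, i.e. a genuine binary .doc container.
OLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64

# Matches "{\sn pFragments}{\sv <value>}" and captures the property value.
PFRAG_RE = re.compile(rb"\{\\sn\s+pFragments\}\s*\{\\sv\s+([^}]*)\}", re.IGNORECASE)
PFRAG_THRESHOLD = 256  # arbitrary triage cut-off for "oversized"


def is_rtf(data: bytes) -> bool:
    """True if the content starts with the RTF signature, whatever the file name says."""
    return data.lstrip().startswith(RTF_MAGIC)


def extension_mismatch(name: str, data: bytes) -> bool:
    """A .doc attachment that is really RTF is a common lure trick (Word opens it anyway)."""
    return name.lower().endswith(".doc") and is_rtf(data)


def pfragments_values(data: bytes) -> list:
    """Return every pFragments property value found in the RTF stream."""
    return [m.group(1) for m in PFRAG_RE.finditer(data)]


def triage(name: str, data: bytes) -> dict:
    """Run the cheap checks and return the findings for one attachment."""
    findings = []
    if extension_mismatch(name, data):
        findings.append("rtf-in-doc-extension")
    if is_rtf(data) and any(len(v) > PFRAG_THRESHOLD for v in pfragments_values(data)):
        findings.append("oversized-pFragments")
    return {"name": name, "rtf": is_rtf(data), "findings": findings}


if __name__ == "__main__":
    for name, data in [
        ("North Korea satellite launch eclipses that of Iran.doc", SUSPICIOUS_RTF),
        ("notes.doc", BENIGN_RTF),
        ("report.doc", OLE_DOC),
    ]:
        print(triage(name, data))
```

An extension mismatch alone is not proof of malice, since legitimate RTF files are sometimes saved with a .doc name; it is the combination with an oversized pFragments property that should send the attachment straight to detonation.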
This particular backdoor is able to execute some interesting routines. Based on our analysis, it communicates with a command-and-control server over TCP port 443, the port normally used for HTTPS, which lets its traffic blend in with ordinary web browsing. The remote attacker may then instruct the backdoor to perform several commands, including screen capture, webcam capture, and audio recording. These routines enable a remote attacker to monitor users’ activities on the infected system.
This attack is reminiscent of similar cases we’ve reported in the past, in which cybercriminals send messages carrying important-looking file names that turn out to be malware exploiting particular vulnerabilities.
Trend Micro protects users from this attack via products powered by the Trend Micro™ Smart Protection Network™. Moreover, Trend Micro Deep Security and Intrusion Defense Firewall prevent the exploit targeting CVE-2010-3333 via rule 1004498 – Word RTF File Parsing Stack Buffer Overflow Vulnerability.
With additional input from Nart Villeneuve