    Just a month after the G20 Summit in Russia, threat actors have found another high-profile political event to leverage for their schemes. The APEC 2013 Summit, an annual meeting of 21 Pacific Rim countries held this year in Indonesia, is a convenient lure for their spoofed emails.

    The threat arrives as an email purportedly from “Media APEC Summit 2013” with two Excel files attached. The sender, the message body and the recipient list lead us to believe that this threat is aimed at individuals with an interest in the summit, whether or not they are attending.

    Figure 1. Screenshot of spoofed APEC email

    As mentioned, the email carries two attachments. Both are disguised as an “APEC media list”; however, only one of them (APEC Media List 2013 Part 1) is malicious. The other file is clean and serves as a decoy document. Based on our analysis, the malicious file exploits CVE-2012-0158, an old vulnerability in the MSCOMCTL.OCX ActiveX control that Microsoft patched in April 2012 (MS12-027) and that has also been exploited in other targeted attacks, such as the “Safe” campaign. Any Office installation that is current on patches is not affected by this exploit; the lure only works against hosts that are still missing that update.

    Successful exploitation starts a chain of droppers, several of which contact command-and-control (C&C) servers. The exploit drops and executes the file dw20.t. This file is a dropper that writes a second component to C:\Program Files\Internet Explorer\netidt.dll.

    netidt.dll communicates with specific C&C servers, sending and receiving encrypted data that carries system information and infection status. Through this channel it downloads the executable _dwr6093.exe, which is yet another dropper that drops and executes downlink.dll. This last dropper installs the final payload, netui.dll (detected as BKDR_SEDNIT.SM), and makes it persist by creating autostart registry entries. In short, the chain is: Excel exploit → dw20.t → netidt.dll → _dwr6093.exe → downlink.dll → netui.dll.

    BKDR_SEDNIT.SM steals information by logging keystrokes and executes commands received from its C&C servers. The actors behind this threat can therefore use the backdoor to gather and exfiltrate sensitive data, with serious repercussions for the targeted parties.

    Trend Micro detects and deletes the malware cited here as BKDR_SEDNIT.AE, while Deep Discovery detects the malware’s malicious network communication. Users are also protected from exploits targeting CVE-2012-0158 via Deep Security Rule 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158). Organizations also benefit from social engineering awareness training for their staff, since the attachment only runs if someone opens it.

    News events like these are favored social engineering lures in targeted attacks, and such attacks are never easy to defend against. The losses an organization suffers from data exfiltration can be significant.

    With additional analysis from Lenart Bermejo.

    Update as of Oct. 10, 2013

    The SHA1 hashes of the related samples are:

    • ac6b465a13370f87cf57929b7cfd1e45c3694585
    • 3814eec8c45fc4313a9c7f65ce882a7899cf0405
    • 2e5b2228f427001e250e2cc36339c7b2c12ffe42
    • e8b3aae37ef0ebbac71a5d40637374aeebdc4a6e
    • ade25a15b8cfa4586a8b4df3601c90bcf2e57032
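The dropper chain described above and the SHA1 list in this update are the indicators a responder would actually hunt for on a suspect host. The script below is an added example, not Trend Micro's own tooling: it walks a directory tree, hashes every file, and reports any file whose SHA1 is in the published list or whose file name matches one of the dropped components (dw20.t, netidt.dll, _dwr6093.exe, downlink.dll, netui.dll). The write-up gives a full path only for netidt.dll, so the other names are matched by file name alone, which is an assumption. The demo fixture is constructed here (placeholder files in a temporary directory, with one file's own SHA1 added to the watch list at run time) because the real samples are not on this page.

```python
"""Host triage for the APEC lure's dropped files and published SHA1s.

Added example, not Trend Micro's code. Hashes every file under a root
directory and reports matches against the published SHA1 list and the
dropped-file names taken from the infection chain in the write-up.
"""
import hashlib
import os
import tempfile

# SHA1s published in the Oct. 10, 2013 update to the post.
IOC_SHA1 = {
    "ac6b465a13370f87cf57929b7cfd1e45c3694585",
    "3814eec8c45fc4313a9c7f65ce882a7899cf0405",
    "2e5b2228f427001e250e2cc36339c7b2c12ffe42",
    "e8b3aae37ef0ebbac71a5d40637374aeebdc4a6e",
    "ade25a15b8cfa4586a8b4df3601c90bcf2e57032",
}

# File names from the described dropper chain. Assumption: only netidt.dll
# has a known full path in the write-up, so all are matched by name alone.
DROPPED_NAMES = {"dw20.t", "netidt.dll", "_dwr6093.exe", "downlink.dll", "netui.dll"}


def sha1_of_file(path, chunk=1 << 16):
    """Stream a file through SHA1 so large files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hashes=IOC_SHA1, names=DROPPED_NAMES):
    """Return a sorted list of (path, reason) findings under root.

    A file can produce two findings (hash match and name match); both are
    reported so the analyst sees which indicator fired.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip, do not abort the scan
            if digest in hashes:
                findings.append((path, "sha1 " + digest))
            if fn.lower() in names:
                findings.append((path, "dropped-file name " + fn))
    return sorted(findings)


def demo():
    """Constructed fixture: a benign file, a placeholder named netidt.dll in
    the path the write-up gives, and a file whose own SHA1 is added to the
    watch list at run time to exercise the hash-match path."""
    root = tempfile.mkdtemp()
    ie_dir = os.path.join(root, "Program Files", "Internet Explorer")
    os.makedirs(ie_dir)
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"harmless constructed content")
    with open(os.path.join(ie_dir, "netidt.dll"), "wb") as f:
        f.write(b"constructed placeholder, not the real dropper")
    sample = os.path.join(root, "sample.bin")
    with open(sample, "wb") as f:
        f.write(b"constructed sample standing in for a real one")
    watch = IOC_SHA1 | {sha1_of_file(sample)}
    return scan_tree(root, hashes=watch)


if __name__ == "__main__":
    for path, reason in demo():
        print(reason, "->", path)
```

Run it against a mounted disk image or a live system's drive root; a name match alone is a lead to verify (legitimate software could reuse a name), whereas a SHA1 match against the published list is conclusive for that file. The autostart entries the final payload creates are not enumerated in the post, so this script does not check the registry; review Run keys and other autostart locations separately on any host that produces a finding.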

    • jmontgomery1@austin.rr.com

      Mp Fp dammit you took my $; where’s my virus protection? You modify your email so I cannot get my protection. What do I need to do to get my GD protection? Respond Asswipe.
      K

    • Turd Ferguson

      When are you guys going to get with the program and start sharing indicators like everyone else?

    • RolandD

      Nice!

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice