A recent targeted attack was discovered to be using Trojanized MS Word files embedded with malicious code. These files are sent as attachments to spammed email messages, albeit in a very limited distribution. What's interesting here, according to Research Project Manager Ivan Macalintal, is that these Trojanized files are related to movements supporting the Tibetan government in exile. He adds that the file names are lifted from actual press releases and news headlines:
- Free Tibet Olympics Protest on Mount Everest.doc
- CHINA'S OLYMPIC TORCH OUT OF TIBET 1.doc
- 2007-07 DRAFT Tibetan MP London schedule.doc
- DIRECTORY OF TIBET SUPPORT GROUPS IN INDIA.doc
- Disapppeared in Tibet.doc
These files are detected, respectively, as the following:
- TROJ_MDROPPER.GJ
- TROJ_MDROPPER.GI
- TROJ_MDROPPER.GK
- TROJ_MDROPPER.GG
- TROJ_MDROPPER.GH
- TROJ_MDROPPER.TG
- TROJ_MDROPPER.TG
The following is a sample screenshot of the Trojanized document file:
This social engineering technique has been seen before. In October, a Trojan detected as TROJ_MDROPPER.WI also rode on the newsworthiness of the monk-led protests in Myanmar by arriving as an attachment to spam that purported to be a message of support from the Dalai Lama to the monks. The technique is also a familiar one from WORM_NUWAR's book: leveraging headline-grabbing events to facilitate its propagation. (Thanks to Maarten of ISC for the heads-up.)