    Author Archive - Ivan Macalintal (Threat Research Manager)

    Using global political news as a social engineering hook is a popular cybercriminal technique for luring users into malicious schemes. We have recently found a malicious file leveraging a noteworthy incident, one that leads to systems being infected with a backdoor.

    During the second week of April, the most talked-about news was North Korea’s failed attempt to launch a rocket. As expected, the bad guys are on the prowl for the next social engineering bait, and the said news item was found to be a fitting choice.

    The file we found was named North Korea satellite launch eclipses that of Iran.doc. The said file, detected as TROJ_ARTIEF.DOC, may arrive as an attachment to an email message. Once executed, this Trojan exploits the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) to drop the backdoor BKDR_POISON.DOC onto the system.

    This particular backdoor is able to execute some interesting routines. Based on our analysis, this backdoor communicates with a command and control server on TCP port 443. The remote user may then issue several commands to the backdoor, including initiating screen capture, webcam and audio file grabbing. This routine enables a remote attacker to monitor users’ activities on the infected system.

    This attack is reminiscent of similar cases we’ve reported in the past, wherein cybercriminals use messages with important-looking file names, which turn out to be malware that exploits particular vulnerabilities.

    Trend Micro protects users from this attack via products powered by the Trend Micro™ Smart Protection Network™. Moreover, Trend Micro Deep Security and Intrusion Defense Firewall prevent the exploit targeting CVE-2010-3333 via rule 1004498 – Word RTF File Parsing Stack Buffer Overflow Vulnerability.

    With additional input from Nart Villeneuve

    Posted in Exploits, Malware, Targeted Attacks | Comments Off on North Korea Rocket Launch Used As Backdoor Lure

    As mentioned in our previous post, the actors behind the targeted attack campaigns we’re monitoring have updated, and are still updating, the tools of their trade to further their agenda and achieve exploitation. Using a fairly new vulnerability such as CVE-2012-0158, patched barely 2 weeks ago, gives these attackers a window of opportunity to effectively infiltrate their targets.

    Moreover, the campaigns we’re seeing target sectors on a global scale, unlike the ones first seen and described in our previous post.


    Just this week, the actors behind one campaign that we’ve been monitoring started to exploit CVE-2012-0158 via an attachment with an original filename of 子女教育補助費101新版.doc. A snapshot of the malicious email sent can be seen below:


    We’ve also seen this one sent to an industrial corporation in Japan, purportedly coming from another Japanese company:

    We’ve been monitoring attacks against the said corporation for quite some time now, and previously the CVE of choice was CVE-2009-3129. The RTF file dropped is 20120420.doc, which could refer to the date April 20, 2012, a day after the malicious document was sent.

    Other malicious RTFs, exploiting CVE-2012-0158, that were also seen from Japan are as follows:

    • 献金を受け取る機構及び人のリスト.doc (rough translation – A list of organization and people to receive the donation.doc)

    • Development_plan_canon_2012.doc

    Incidentally, the dropped payload of the aforementioned RTF files, detected as TSPY_GEDDEL.EVL, is the same payload seen in this previous attack.

    Russia, Vietnam and others…

    Other RTF files, also exploiting CVE-2012-0158, that we’ve seen aimed at a particular geographic audience include one supposedly targeted at a Russian audience: its filename is ядерные материалы.doc, whose literal translation is “nuclear materials.doc”. Another is Vietnamese, with an original filename of Cập nhật tình hình 4.18.doc, meaning “Update 4:18.doc”. There were also submissions coming from India and Thailand, all exploiting CVE-2012-0158.

    CVE-2012-0158 – Here To Stay

    All in all, from the samples captured above as well as those seen by our friends at Contagio, we’ve seen various targeted attacks ramping up the use of CVE-2012-0158 exploitation barely 2 weeks after the said vulnerability was patched by Microsoft. Moreover, Contagio’s assumption that an RTF generator is being used by these campaigns is highly plausible, though we haven’t seen one yet. Evidently, this is now becoming a favorite method among those behind these targeted attack campaigns, and we’ll be seeing more of it.

    CVE-2012-0158’s popularity among attackers may be due to the fact that Microsoft owns more than 90% of productivity software market share. This alone increases the target base for cybercriminals. In addition, not everyone owns an update-able (licensed) copy of MS software, which doubles the risk for the targets.

    Trend Micro protects users

    Trend Micro Smart Protection Network ensures that spammed email as well as the malicious attachments are detected and removed immediately from computers. Trend Micro Deep Security users are also protected with the following rules:

    • 1004973 – MSCOMCTL.OCX RCE Vulnerability For Rich Text File (CVE-2012-0158)
    • 1004977 – Restrict Microsoft Windows Common ListView And TreeView ActiveX Controls
    • 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158)

    Those who haven’t patched this vulnerability yet are advised to PATCH NOW. We can never be too sure on who will be targeted next.

    Posted in Bad Sites, Exploits, Malware, Targeted Attacks | Comments Off on CVE-2012-0158 Exploitation Seen in Various Global Campaigns

    Days after Microsoft released six bulletins, we have just spotted a number of Trojanized RTF files circulating in the wild. The said files exploit CVE-2012-0158, which is covered in MS12-027. That particular bulletin affects a number of Microsoft programs, including versions of MS Office, Visual FoxPro, Commerce Server, BizTalk Server, as well as SQL Server.

    We spotted a Trojanized RTF file that came in the following email message as an attachment:

    The email again contains Pro-Tibetan sentiments and was sent to a public Tibetan NGO email address that we have also seen targeted in the past. Again, the said email claims to come from a public Tibetan figure.

    The attached RTF file, Inside Information.doc, detected as TROJ_MDROP.GDL, has an embedded EXE file (encrypted) and an embedded decoy DOC file (also encrypted). The dropped EXE payload, detected as TSPY_GEDDEL.EVL, drops and installs a file named fxsst.dll, also detected as TSPY_GEDDEL.EVL. Outbound connections are then seen to hosts whose NS records point to China.
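    The RTF droppers described in this post and in the CVE-2010-3333 post above share a shape a defender can triage for: a file with a .doc extension that is really RTF, carrying embedded OLE objects whose hex-encoded payload conceals an executable. The script below is an added example written for this page, not Trend Micro's tooling or a detection for the CVE-2012-0158 trigger itself. It extracts every `\objdata` blob from an RTF, decodes the hex, and flags blobs that contain a PE header (checked by following the DOS header's e_lfanew pointer to a `PE\0\0` signature) or that are large and opaque, which is the only signal left when the payload is encrypted as in the Inside Information.doc case. The sample RTF, the `Package` object class and the stand-in PE bytes are all constructed for the example.

```python
import re
from typing import Dict, List

# RTF keeps embedded OLE objects as hex text under \objdata; the hex may be
# wrapped across lines, so whitespace is tolerated inside the capture.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}\s]+)")


def extract_objdata(rtf: bytes) -> List[bytes]:
    """Return the decoded payload of every \\objdata block in the RTF text."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # tolerate a truncated trailing nibble
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue  # malformed hex run: skip rather than abort triage
    return blobs


def looks_like_pe(blob: bytes) -> bool:
    """True if the blob contains an MZ header whose e_lfanew points at PE\\0\\0."""
    i = blob.find(b"MZ")
    while i != -1:
        if i + 0x40 <= len(blob):
            # e_lfanew lives at offset 0x3C of the DOS header
            e_lfanew = int.from_bytes(blob[i + 0x3C:i + 0x40], "little")
            off = i + e_lfanew
            if 0 < e_lfanew < len(blob) and blob[off:off + 4] == b"PE\x00\x00":
                return True
        i = blob.find(b"MZ", i + 1)
    return False


def rtf_named_as_doc(filename: str, data: bytes) -> bool:
    """Extension says Word binary, content says RTF: the masquerade seen in these campaigns."""
    return filename.lower().endswith(".doc") and data.lstrip().startswith(b"{\\rtf")


def triage_rtf(rtf: bytes, big_object_bytes: int = 64 * 1024) -> Dict:
    """Summarise embedded objects and list the indicators a triage analyst would act on."""
    blobs = extract_objdata(rtf)
    classes = [c.decode("ascii", "replace") for c in OBJCLASS_RE.findall(rtf)]
    findings = []
    for n, blob in enumerate(blobs):
        if looks_like_pe(blob):
            findings.append(f"object {n}: embedded PE executable ({len(blob)} bytes)")
        elif len(blob) >= big_object_bytes:
            # An encrypted EXE or decoy DOC shows no PE signature; size is the fallback
            findings.append(f"object {n}: large opaque payload ({len(blob)} bytes), possibly encrypted")
    return {
        "object_count": len(blobs),
        "object_classes": classes,
        "findings": findings,
        "suspicious": bool(findings),
    }


def _fake_pe() -> bytes:
    # Constructed stand-in for an executable: "MZ", e_lfanew = 0x40, then "PE\0\0".
    # It is not a runnable program, only enough header to exercise the check.
    return b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample RTF: one embedded object whose payload is an OLE1-style
# 8-byte prefix followed by the fake PE above. Not a real malware sample.
SAMPLE_MALICIOUS = (
    b"{\\rtf1\\ansi Quarterly report\\par"
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
    + (b"\x01\x05\x00\x00\x02\x00\x00\x00" + _fake_pe()).hex().encode("ascii")
    + b"}}}"
)
SAMPLE_BENIGN = b"{\\rtf1\\ansi Hello, just a memo.\\par}"


if __name__ == "__main__":
    for name, data in (("Inside Information.doc", SAMPLE_MALICIOUS), ("memo.rtf", SAMPLE_BENIGN)):
        print(name, "rtf-as-doc:", rtf_named_as_doc(name, data), triage_rtf(data))
```

    Run it over a quarantined attachment with `triage_rtf(open(path, "rb").read())`; a non-zero `object_count` in a document that is supposed to be plain text, or an `rtf_named_as_doc` hit, is reason enough to hold the message even when no PE signature is visible.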



    In another turn of interesting events, during the course of my monitoring of targeted attacks, specifically of advanced persistent threats, I came upon an email with a PDF attachment that had just a measly 4 out of 42 generic or heuristic detections.

    I checked out the email and whoa! – it was an email from a trusted researcher colleague and friend at FireEye who was also monitoring these kinds of campaigns, or, to put it accurately, it looked like it was.

    Looks legit, right? However, my first instinct told me that something was definitely amiss, so I zeroed in on the email headers first, expecting to find some spoofing details, which I did.



    Just like what we reported recently, we have spotted yet another targeted attack campaign that uses Pro-Tibetan sentiments as a social engineering ploy for the attackers to infiltrate target systems. And yes, this one again targets both Windows and Mac systems.

    It starts with the email below:

    Users clicking on the link included in the email will be led to a site with a script that determines if the user is using a Windows or a Mac system.

    The site is currently not resolving but we managed to get the code from Google’s cache:




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice