In the course of our threat research, we have encountered many kinds of social engineering lures that aim to trigger an emotion such as fear or happiness. These lures are often effective, as several past incidents have shown. However, they are also easily recognizable, because they tend to follow a common theme, be it a recent event or an ongoing season.
There are also other techniques that take a different, more sober approach. They do not aim to trigger alarm but to avoid it. They try to blend into the intended victims' normal behavior, or to use the victims' own interests, in order to draw them into the scheme. And although the message these techniques carry is far less alarming, they are harder to detect and often more sinister.
An example of this is the watering hole technique, which was recently used in an attack that ended up affecting companies such as Facebook and Apple. With a mobile developer forum chosen as the watering hole, the lure was almost passive: nothing was needed to get the victims to visit the site, because the site was strategically chosen on the basis that visiting it was already part of the victims' normal routine.
Earlier this week, we also saw reports of an attack in which the name of the report recently released by Mandiant is used as the lure. The message related to the attack comes as a recommendation from the sender to read the article, along with a PDF file which is supposedly the report itself (in reality, of course, the file is malicious: a PDF exploit we detect as TROJ_PIDIEF.EVF). We were also alerted to news of another threat using the Mandiant report, which supposedly targeted journalists. Detected as TROJ_PIDIEF.EVE, this malware drops a non-malicious .PDF file, Mandiant_APT2_Report.pdf, and a backdoor detected as BKDR_POISON.EVE.
Figure 1. Screenshot of the dropped .PDF file
Figure 2. TROJ_PIDIEF.EVE drops this non-malicious .PDF file
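Both attachments described above are PDF files that look like a report but actually carry an exploit or a dropper. The script below is an added example, not code from the original post or from Trend Micro's products, of the first-pass triage a responder can run on such an attachment before opening it anywhere: it checks that the file even has a PDF header, counts the PDF name tokens that malicious documents commonly need (script execution, automatic actions, launching external programs, embedded payloads), and decodes the `#xx` hex escapes attackers use to hide those keywords from scanners that only grep raw bytes. The keyword list is a general heuristic, not Trend Micro's detection logic, and the two sample PDFs are constructed for the example.

```python
import re

# Name tokens a malicious PDF often needs. Their presence is a triage signal,
# not proof: legitimate forms use /AcroForm and /JS too. (General heuristic,
# assumed for this example; not any vendor's detection logic.)
SUSPICIOUS_NAMES = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/AcroForm", b"/XFA",
)


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name hex escapes so /Ja#76aScript reads as /JavaScript.

    Splitting a keyword with #xx escapes hides it from a naive byte search;
    the PDF reader decodes the escape and runs the object anyway.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes) -> dict:
    """Count each suspicious name token, requiring a delimiter after it so
    /JS does not also count /JSX and /EmbeddedFile does not count the
    /EmbeddedFiles name tree."""
    counts = {}
    for name in SUSPICIOUS_NAMES:
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data)
        if hits:
            counts[name.decode()] = len(hits)
    return counts


def scan_pdf(data: bytes) -> dict:
    """Return {'is_pdf', 'indicators', 'flags'} for a file given as bytes."""
    is_pdf = b"%PDF" in data[:1024]          # header may follow some junk bytes
    raw = count_names(data)
    indicators = count_names(normalize_names(data))

    flags = []
    if not is_pdf:
        flags.append("not a PDF header")     # identify the real file type first
    auto = "/OpenAction" in indicators or "/AA" in indicators
    script = "/JavaScript" in indicators or "/JS" in indicators
    if auto and script:
        flags.append("auto-executing script")
    if "/EmbeddedFile" in indicators or "/Launch" in indicators:
        flags.append("embedded payload")
    if indicators != raw:
        flags.append("hex-escaped keywords")  # keywords only visible after decoding
    return {"is_pdf": is_pdf, "indicators": indicators, "flags": flags}


# Constructed samples (not real malware): a plain one-page document, and a
# "report" that runs JavaScript on open and carries an embedded file.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
LURE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
    b"/Names << /EmbeddedFiles << /Names [(report.pdf) 5 0 R] >> >> >>\nendobj\n"
    b"4 0 obj\n<< /S /Ja#76aScript /JS (app.alert(1);) >>\nendobj\n"
    b"5 0 obj\n<< /Type /Filespec /F (report.pdf) /EF << /F 6 0 R >> >>\nendobj\n"
    b"6 0 obj\n<< /Type /EmbeddedFile /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("lure", LURE_PDF)):
        print(label, scan_pdf(blob))
```

On the constructed lure the script reports an auto-executing script, an embedded payload and hex-escaped keywords; on the plain document it reports nothing. A hit is a reason to detonate the file in a sandbox or unpack it with a proper PDF parser, never a reason to open it on a workstation.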
This is a sad irony: recipients who open the file in order to learn more about a targeted attack end up becoming the victims of one. A case with a similar turn of events was the Java 0-day, where we found malware posing as the update Oracle issued to address the vulnerability.
In our entry, The Trends in Targeted Attacks of 2012, senior threat researcher Nart Villeneuve discussed how cybercriminals used security researchers' own analyses as a ploy to deliver malware. The same trend was seen in 2011 in the Nitro campaign, which abused the Symantec report.
Initial attack vector aside, what we need to remember is that today's social engineering lures are no longer limited to things that are new or alarming, and that attacks can start even from the most familiar places. As Martin Roesler explained before, attackers have the upper hand, and they will shape an attack around what they know about their intended victim. We must be alert at all times, and train ourselves to accept that we can be a target.
With additional insights from senior threat researcher Nart Villeneuve
Update as of Feb. 22, 2:38 PM PST
TROJ_PIDIEF.EVE has been renamed to TROJ_PIDIEF.VEV.