Just a month after the G20 Summit in Russia, threat actors have found another high-profile political event to use as bait for their schemes. The APEC 2013 Summit, an annual meeting of 21 Pacific Rim countries held this year in Indonesia, makes a convenient lure for spoofed emails.
The threat arrives as an email purporting to come from “Media APEC Summit 2013” with two Excel files attached. The sender, the message body and the recipient list lead us to believe that this threat is aimed at individuals with an interest in the summit, whether or not they are attending.
Figure 1. Screenshot of spoofed APEC email
As mentioned, the email contains two attachments. Both are disguised as an “APEC media list”, but only one of them (APEC Media List 2013 Part 1) was found to be malicious; the other serves as a decoy document. Based on our analysis, the malicious file exploits CVE-2012-0158, an old vulnerability in the MSCOMCTL.OCX control used by Microsoft Office that Microsoft patched in April 2012 (MS12-027) and that has also been exploited in other targeted attacks, such as the “Safe” campaign.
Opening the malicious file triggers a chain of droppers and connections to several command-and-control (C&C) servers. The exploit drops and executes the file dw20.t. This file is a dropper, which in turn drops another file at C:\Program Files\Internet Explorer\netidt.dll.
The dropped netidt.dll communicates with specific C&C servers, sending and receiving encrypted data that carries system information and infection status, and then downloads the executable _dwr6093.exe. This is yet another dropper: it drops and executes downlink.dll, which installs the final payload, netui.dll (detected as BKDR_SEDNIT.SM), and ensures the payload runs automatically by creating autostart registry entries.
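To make the chain above actionable during host triage, here is an added example (not part of the original write-up and not Trend Micro's tooling) that reads a file-system timeline and an autorun dump, matches the file names named above in chain order, and reports how far the infection progressed and whether the payload is persisted. The file names come from the write-up; the sample timeline, the paths of every dropped file other than netidt.dll, the Run key and the rundll32 command line are constructed assumptions, since the write-up only says that autostart registry entries are created without naming them.

```python
"""Host triage for the APEC-lure SEDNIT dropper chain.

Added example, not Trend Micro's code. File names come from the write-up;
everything else in the sample data below (timestamps, directories, the
Run key and its command line) is constructed for illustration.
"""
import re
from datetime import datetime

# Stages in the order the write-up describes them:
# (label, file-name regex, what finding that file implies).
CHAIN = [
    ("exploit_dropper", r"^dw20\.t$", "malicious document was opened and the exploit ran"),
    ("stage1_dll", r"^netidt\.dll$", "first-stage DLL installed; C&C beaconing possible"),
    ("downloaded_dropper", r"^_dwr6093\.exe$", "C&C contact succeeded (file was downloaded)"),
    ("stage2_dropper", r"^downlink\.dll$", "final-stage dropper executed"),
    ("payload", r"^netui\.dll$", "BKDR_SEDNIT payload present"),
]

# Constructed timeline: "YYYY-MM-DD HH:MM:SS<TAB>path" per line, as a
# forensic file-system timeline would list creation times.
SAMPLE_TIMELINE = """\
2013-10-02 09:14:03\tC:\\Users\\media\\Downloads\\APEC Media List 2013 Part 1.xls
2013-10-02 09:14:41\tC:\\Users\\media\\AppData\\Local\\Temp\\dw20.t
2013-10-02 09:14:45\tC:\\Program Files\\Internet Explorer\\netidt.dll
2013-10-02 09:21:10\tC:\\Users\\media\\AppData\\Local\\Temp\\_dwr6093.exe
2013-10-02 09:21:12\tC:\\Users\\media\\AppData\\Local\\Temp\\downlink.dll
2013-10-02 09:21:13\tC:\\Windows\\System32\\netui.dll
2013-10-02 09:30:00\tC:\\Program Files\\Internet Explorer\\iexplore.exe
"""

# Constructed autorun dump: "key<TAB>value name<TAB>data". The Run key and
# the rundll32 command line are assumptions; the write-up names neither.
SAMPLE_AUTORUNS = """\
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tNetUI\trundll32.exe C:\\Windows\\System32\\netui.dll,Start
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSecurityHealth\tC:\\Windows\\System32\\SecurityHealthSystray.exe
"""


def parse_timeline(text):
    """Parse timeline lines into (datetime, path) tuples, skipping blanks."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, path = line.split("\t", 1)
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), path))
    return rows


def match_chain(rows):
    """Map each chain stage to the earliest (timestamp, path) whose base name matches it."""
    found = {}
    for ts, path in sorted(rows):
        name = path.rsplit("\\", 1)[-1]
        for label, pattern, _ in CHAIN:
            if label not in found and re.search(pattern, name, re.IGNORECASE):
                found[label] = (ts, path)
    return found


def persisted_stages(autoruns_text, found):
    """Return (key, value name, stage) for autorun entries that reference a matched file."""
    hits = []
    for line in autoruns_text.splitlines():
        if not line.strip():
            continue
        key, value_name, data = line.split("\t", 2)
        for label, (_, path) in found.items():
            if path.lower() in data.lower():
                hits.append((key, value_name, label))
    return hits


def assess(timeline_text, autoruns_text):
    """Summarise how far the chain progressed on the host and whether it persisted."""
    found = match_chain(parse_timeline(timeline_text))
    reached = [label for label, _, _ in CHAIN if label in found]
    return {
        "stages_found": reached,
        "deepest_stage": reached[-1] if reached else None,
        # _dwr6093.exe only exists if netidt.dll reached its C&C server.
        "cnc_contact_evidenced": "downloaded_dropper" in found,
        "persisted": persisted_stages(autoruns_text, found),
        "implications": [desc for label, _, desc in CHAIN if label in found],
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_TIMELINE, SAMPLE_AUTORUNS).items():
        print(f"{key}: {value}")
```

The ordering is the point of the script: because _dwr6093.exe is fetched from the C&C server, its presence on a host means the beacon from netidt.dll succeeded, so scoping should extend to that host's network logs even if the final payload was never written.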
BKDR_SEDNIT.SM steals information by logging keystrokes and executes commands received from its C&C servers. The actors behind this threat can then use the malware to gather and exfiltrate sensitive data, with serious repercussions for the targeted parties.
Trend Micro detects and deletes the malware cited here as BKDR_SEDNIT.AE, while Deep Discovery detects the malware's malicious network communication. Users are also protected from exploits targeting CVE-2012-0158 by Deep Security Rule 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158). Beyond product protection, organizations benefit from social engineering awareness training for their members and from keeping Office patched, since this attack relies on a vulnerability that was fixed in 2012.
With additional analysis from Lenart Bermejo.
Update as of Oct. 10, 2013
The SHA1 hashes of the related samples are: