Vulnerabilities, particularly zero-days, are often used by threat actors as the starting point for targeted attacks. This was certainly the case for a (then) zero-day vulnerability (CVE-2014-1761) affecting Microsoft Word. In its security advisory released last March, Microsoft itself acknowledged that the vulnerability was being used in “limited, targeted attacks.” Microsoft has since patched this vulnerability as part of its April Patch Tuesday.
However, the existence of a patch has not deterred threat actors from exploiting this vulnerability. We are still seeing targeted attacks that leverage this particular vulnerability as part of their campaigns.
The Taidoor Connection
We came across two attacks that targeted government agencies and an educational institute in Taiwan. The first attack used an email with a malicious attachment supposedly sent by a government employee. The attachment used a title pertaining to a national poll to appear legitimate. The attachment is actually the exploit, detected as TROJ_ARTIEF.ZTBD-R. It drops a file detected as BKDR_SIMBOTDRP.ZTBD-R, which in turn drops two files, TROJ_SIMBOTLDR.ZTBD-R and TROJ_SIMBOTENC.ZTBD-R. These two files finally lead to the final payload, detected as BKDR_SIMBOT.SMC.
Figure 1. Email sample
The second attack targeted an educational institute, also in Taiwan. This run used an email attachment to gain access to the recipient’s computer and network. The email message discussed free trade issues, while the attachment had a title about a work project. Similar to the first case, the attachment is also an exploit, detected as TROJ_ARTIEF.ZTBD-PB. It drops a backdoor component detected as BKDR_SIMBOT.ZTBD-PB. Once executed, this malware can carry out commands such as searching for files to steal, exfiltrating any file of interest, and performing lateral movement.
Figure 2. Email sample
We have determined that these two attacks have ties to Taidoor, a campaign that has been active since 2009, based on their similar network traffic structure. The attacks described above share the same characteristics as previous Taidoor runs in terms of targets, social engineering lures, and techniques used (namely, exploiting a zero-day vulnerability).
The PlugX Payload
Another attack we saw used CVE-2012-0158 and targeted a mailing service in Taiwan. Just like the other attacks, this run uses an email attachment as the entry point to the network. The email attachment pretends to be a list of new books from a particular publishing house. This was done to try to pique the recipient’s interest.
Figure 3. Email sample
This attachment is actually the exploit detected as TROJ_ARTIEF.ZTBD-A, which drops a PlugX component detected as TROJ_PLUGXDRP.ZTBD. This in turn drops a file detected as BKDR_PLUGX.ZTBD, which has the capability to perform a wide range of information-stealing routines, including:
- Copy, move, rename, delete files
- Create directories
- Create files
- Enumerate files
- Execute files
- Get drive information
- Get file information
- Open and modify files
- Log keystrokes and active window
- Enumerate TCP and UDP connections
- Enumerate network resources
- Set TCP connection state
- Lock workstation
- Log off user
- Restart/Reboot/Shutdown system
- Display a message box
- Perform port mapping
- Enumerate processes
- Get process information
- Terminate processes
- Enumerate registry keys
- Create registry keys
- Delete registry keys
- Copy registry keys
- Enumerate registry entries
- Modify registry entries
- Delete registry values
- Screen capture
- Delete services
- Enumerate services
- Get service information
- Modify services
- Start services
- Perform remote shell
- Connect to a database server and execute SQL statement
- Host Telnet server
PlugX is a remote access tool (RAT) used in targeted attacks aimed at government-related institutions and key industries. PlugX may allow remote users to perform data theft routines on the affected system, and it can give attackers complete control over a system.
Patching should remain a top priority for regular users and enterprises alike. Installing patches as soon as they are made available can help protect organizations against attacks that exploit vulnerabilities. Enterprises should also consider virtual patching, as it can help mitigate threats in the presence of zero-days and unsupported systems.
Employee education is also a key element in protecting against targeted attacks. For email attacks that still get through, proper end-user training can help users identify suspicious activity and/or emails. Users need to be taught to make their fellow employees aware of suspect emails in order to improve awareness and enhance defenses throughout the organization.
Update as of May 23, 2014, 02:05 A.M. PDT
The detections mentioned in the post have been renamed as follows:
- From TROJ_SIMBOTLDR.ZTBD-R to TROJ_SIMBOTLDR.ZTBC-R by OPR 10.689.00
- From BKDR_PLUGX.ZTBD to BKDR_PLUGX.ZTBD-A by OPR 10.759.00
For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.