Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
    • About Us
    blog.trendmicro.com Sites > TrendLabs Security Intelligence Blog > Malware > Targeted Attacks Hit Asian, European Government Agencies

    Trend Micro researchers have uncovered a targeted attack launched against government agencies in various countries. The email claimed to be from the Chinese Ministry of National Defense, although it appears to have been sent from a Gmail account and did not use a Chinese name.

    Figure 1. Fake message

    The document contains a malicious attachment, which exploits a vulnerability (CVE-2012-0158) in Microsoft Office (all versions from Office 2003 to Office 2010 were affected) that was patched more than a year ago. The exploit is used to drop a backdoor onto the system, which steals login credentials for websites and email accounts from Internet Explorer and Microsoft Outlook. (It also opens a legitimate “dummy” document, to make the target believe that nothing malicious happened.) Any stolen information is uploaded to two IP addresses, both of which are located in Hong Kong.

    This particular attack was aimed primarily at both personnel belonging to Europe and Asia governments. The message was sent to 16 officials representing European countries alone. The topic of the email – and the attached document – would be of interest to these targets. In addition, the information stolen and where it was stolen from – is very consistent with targeted attacks aimed at large organizations that use corporate mainstays like Internet Explorer and Outlook.

    It’s worth noting, however, that Chinese media organizations were also targeted by this attack. The backdoor itself has also been detected in the wild – but, interestingly, it has been most frequently seen in China and Taiwan, with a more limited presence in other Asian countries.

    The vulnerability used in this attack is one that is commonly used by targeted attacks. High-profile campaigns like Safe and Taidoor have made use of this vulnerability; if anything it’s a commonly targeted flaw in sophisticated campaigns.

    Trend Micro products already detect all aspects of this threat – the message and C&C servers are now blocked; the malicious attachment is detected as TROJ_DROPPER.IK and the backdoor itself as BKDR_HGDER.IK. In addition, Deep Discovery was able to protect our customers by heuristically detecting the malicious attachment using the ATSE (Advanced Threats Scan Engine).

    Based on analysis by Jayronn Bucu.





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Monday, July 15th, 2013 at 7:42 am and is filed under Malware, Targeted Attacks . Both comments and pings are currently closed.



    • Guest

      Looks like Bifrose to me.

    • HKCERT

      Hi Jonathan Leopando ,

      We are the Hong Kong CSIRT team, we would like to learn more about the details of C2 server in Hong Kong. Would you contact us by email hkcert@hkcert.org
      Regards,
      HKCERT



     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice