The use of contextually-relevant emails is one of the most common social engineering tactics employed in targeted attacks. Emails still being the primary mode of business communications are often abused to deliver exploits to penetrate a network that consequently lead to other stages of a targeted attack cycle.
In one of the targeted attacks we’re monitoring, threat actors used the news of a plane crash that killed the deputy prime minister of Laos. The email message bore the subject line BREAKING: Plane Crash in Laos Kills Top Government Officials. Attached in this therein are documents purporting to be news clips of the crash to lure users. We have also observed that the email addresses of the real recipients are masked in the To header by using a Yahoo! email address to hide the intended targets of the said malicious email. Although this technique is an old one, we frequently see this maneuver in other targeted attack-related cases we have analyzed.
The email attachments comprised of two legitimate .JPG files and an archive file which in some cases contain TROJ_MDROP.TRX. When executed, both malware exploit CVE-2012-0158, which is used in several attacks in the past, despite being patched in MS12-027 last 2012. Based on our data, CVE-2012-0158 is the most exploited vulnerability by targeted attacks in the second half of 2013.
Figure 1. Most commonly exploited vulnerabilities related to targeted attacks
Again, this attack highlights the importance of patching and upgrading systems with the latest security updates, given that threat actors usually leveraged old vulnerabilities. Once exploited, it drops a backdoor detected as a BKDR_FARFLI variant. This backdoor executes several commands, including stealing specific information such as:
- Processor/System Architecture Information
- Computer Name/Username
- Network Information
- Proxy Settings
It also uses the following command-and-control (C&C) server, one of which is located in Hong Kong:
- {BLOCKED}injia.vicp.net ({BLOCKED}.{BLOCKED}.68.135)
- {BLOCKED}p-asean.vicp.net ({BLOCKED}.{BLOCKED}.68.135)
For data exfiltration, this targeted attack used the technique POST http request via port 443 (SSL) to avoid network detection. As such, it enables them to move laterally in the network without being notice by IT administrators.
What is interesting about this is that the document exploit it employed has also been seen in other targeted attacks, such as HORSMY, ESILE, and FARFLI campaigns. ESILE targets government institutions in APAC.
Threat actors use this ‘template’ document exploit and modify it according to their intended payload on the system. We can surmise here that the threat actors behind this exploit could have distributed or sold it underground, which would explain why this has also been used in other targeted attack campaigns. Based on our investigation, a person with Asian-like name may be behind or was the first one to create the “template” exploit document we detected as TROJ_MDROP.TRX.
While targeted attacks are hard to detect, the risks it poses to sensitive data can be prevented by an advanced security platform, such as Trend Micro Deep Discovery, that can identify malware, C&C communications, and attacker activities signaling an attempted attack.
For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.
With additional analysis from Maria Manly
