
Template Document Exploit Found in Several Targeted Attacks

  • Posted on: June 17, 2014 at 10:00 am
  • Posted in: Exploits, Malware, Targeted Attacks
  • Author: Maersk Menrige (Threats Analyst)

The use of contextually relevant emails is one of the most common social engineering tactics employed in targeted attacks. Because email is still the primary mode of business communication, it is often abused to deliver exploits that penetrate a network and lead to the subsequent stages of the targeted attack cycle.

In one of the targeted attacks we’re monitoring, threat actors used the news of a plane crash that killed the deputy prime minister of Laos. The email message bore the subject line BREAKING: Plane Crash in Laos Kills Top Government Officials. Attached to it are documents purporting to be news clips of the crash, meant to lure users. We have also observed that the email addresses of the real recipients are masked in the To header by using a Yahoo! email address, hiding the intended targets of the malicious email. Although this technique is an old one, we frequently see this maneuver in other targeted attack-related cases we have analyzed.

The email attachments consisted of two legitimate .JPG files and an archive file, which in some cases contains TROJ_MDROP.TRX. When executed, both malware samples exploit CVE-2012-0158, a vulnerability used in several attacks in the past despite having been patched in MS12-027 back in 2012. Based on our data, CVE-2012-0158 was the vulnerability most exploited by targeted attacks in the second half of 2013.
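A triage check for the two delivery traits described above (a free-webmail address in the To header masking the real recipients, and an archive attachment alongside the decoy images), written as an added example for this post rather than code from the original analysis. It assumes the receiving mail server stamps a Delivered-To header with the actual recipient; the message it parses is constructed for the example.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed sample message: headers and attachments mirror the post's
# description (subject lure, Yahoo! address in To:, decoy JPG plus archive).
RAW_MESSAGE = b"""\
Delivered-To: analyst@example-ministry.gov.example
From: "News Desk" <newsdesk@example.net>
To: reporter@yahoo.com
Subject: BREAKING: Plane Crash in Laos Kills Top Government Officials
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached news clips.
--b1
Content-Type: image/jpeg; name="crash1.jpg"
Content-Disposition: attachment; filename="crash1.jpg"

(jpeg bytes)
--b1
Content-Type: application/zip; name="clips.zip"
Content-Disposition: attachment; filename="clips.zip"

(zip bytes)
--b1--
"""

FREE_WEBMAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}
ARCHIVE_EXT = (".zip", ".rar", ".7z")


def triage(raw: bytes) -> dict:
    # Parse one RFC 5322 message and return the triage findings.
    msg = email.message_from_bytes(raw, policy=policy.default)
    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    # Assumption: Delivered-To carries the envelope recipient the MTA accepted.
    delivered = [a.lower() for _, a in getaddresses(msg.get_all("Delivered-To", []))]
    # Masked recipient: the envelope recipient is absent from the visible To:
    # header and every visible To: address sits on a free-webmail domain.
    masked = bool(delivered) and not set(delivered) & set(to_addrs) and all(
        a.split("@")[-1] in FREE_WEBMAIL for a in to_addrs)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    archives = [n for n in names if n.lower().endswith(ARCHIVE_EXT)]
    return {"masked_to": masked, "attachments": names, "archives": archives,
            "suspicious": masked and bool(archives)}
```

Neither trait is malicious on its own; the combination is what merits pulling the archive for sandbox analysis.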

Figure 1. Most commonly exploited vulnerabilities related to targeted attacks

Again, this attack highlights the importance of patching and upgrading systems with the latest security updates, given that threat actors often leverage old vulnerabilities. Once the vulnerability is exploited, the document drops a backdoor detected as a BKDR_FARFLI variant. This backdoor executes several commands, including stealing specific information such as:

  • Processor/System Architecture Information
  • Computer Name/Username
  • Network Information
  • Proxy Settings

It also uses the following command-and-control (C&C) servers, one of which is located in Hong Kong:

  • {BLOCKED}injia.vicp.net ({BLOCKED}.{BLOCKED}.68.135)
  • {BLOCKED}p-asean.vicp.net ({BLOCKED}.{BLOCKED}.68.135)

For data exfiltration, this targeted attack used HTTP POST requests over port 443 (SSL) to avoid network detection. This lets the attackers move laterally in the network without being noticed by IT administrators.

What is interesting is that the document exploit it employed has also been seen in other targeted attacks, such as the HORSMY, ESILE, and FARFLI campaigns. ESILE targets government institutions in APAC.

Threat actors use this ‘template’ document exploit and modify it according to their intended payload on the system. We can surmise that the threat actors behind this exploit could have distributed or sold it underground, which would explain why it has also been used in other targeted attack campaigns. Based on our investigation, a person with an Asian-sounding name may be behind, or was the first to create, the “template” exploit document we detect as TROJ_MDROP.TRX.

While targeted attacks are hard to detect, the risks they pose to sensitive data can be prevented by an advanced security platform, such as Trend Micro Deep Discovery, that can identify malware, C&C communications, and attacker activities signaling an attempted attack.

For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

With additional analysis from Maria Manly
