Targeted Attacks Hit Asian, European Government Agencies
Trend Micro researchers have uncovered a targeted attack launched against government agencies in various countries. The email claimed to be from the Chinese Ministry of National Defense, although it appears to have been sent from a Gmail account and did not use a Chinese name.
Figure 1. Phishing message
The document contains a malicious attachment, which exploits a vulnerability (CVE-2012-0158) in Microsoft Office (all versions from Office 2003 to Office 2010 were affected) that was patched more than a year ago. The exploit is used to drop a backdoor onto the system, which steals login credentials for websites and email accounts from Internet Explorer and Microsoft Outlook. (It also opens a legitimate “dummy” document, to make the target believe that nothing malicious happened.) Any stolen information is uploaded to two IP addresses, both of which are located in Hong Kong.
This particular attack was aimed primarily at both personnel belonging to Europe and Asia governments. The phishing message was sent to 16 officials representing European countries alone. The topic of the email – and the attached document – would be of interest to these targets. In addition, the information stolen and where it was stolen from – is very consistent with targeted attacks aimed at large organizations that use corporate mainstays like Internet Explorer and Outlook.
It’s worth noting, however, that Chinese media organizations were also targeted by the phishing attack. The backdoor itself has also been detected in the wild – but, interestingly, it has been most frequently seen in China and Taiwan, with a more limited presence in other Asian countries.
The vulnerability used in this attack is one that is commonly used by targeted attacks. High-profile campaigns like Safe and Taidoor have made use of this vulnerability; if anything it’s a commonly targeted flaw in sophisticated campaigns.
Trend Micro products already detect all aspects of this threat – the phishing mail and C&C servers are now blocked; the malicious attachment is detected as TROJ_DROPPER.IK and the backdoor itself as BKDR_HGDER.IK. In addition, our Discovery was able to protect our customers by heuristically detecting the malicious attachment using the ATSE (Advanced Threats Scan Engine).
Based on analysis done by Jayronn Bucu.