Incidents

Military Hardware and Men-s Health

Over the last few months we have seen a series of very similar targeted attacks being blocked in our Linux Mail Security Product. In each case the documents used were RTF and the exploit was CVE-2012-0158 (MSCOMCTL.OCX RCE Vulnerability).

The attacks seem to be from the same group and most appear to be sent from Australia or Republic of Korea. The sender IP addresses vary but many are sent via mail.mailftast.com. This domain is registered in China:

The documents are in three categories:

  1. The first group of documents are related to articles on the Men-s Health website. These are some example filenames:
  2. The second group are military related:
  3. The third set have Cyrillic filenames:

Most weeks we will see one topic from categories 1 and 2 and several using Cyrillic filenames. The exploit, shellcode and malware used tend to be the same. The only real different is the decoy documents displayed when the exploit runs.

Here are two examples from last week:

847

Stealth Frigate.doc

848

EAT FOR BETTER SEX.doc

The metadata for the decoy documents is the same and it looks like it hasn-t be updated for a while.

849

The title translates as ?The financial result for the first 9 months of 2012¦ and the company name relates to a Russian submarine manufacturer.

When the exploit runs it creates and executes a file called wordupgrade.exe. This executable drops a DLL called usrsvpla.dll into the system32 directory and modifies the WmdmPmSN (Portable Media Serial Number Service) registry key to load the DLL into svchost.exe.

Both wordupgrade.exe and usrsvpla.dll contain the PDB path:

850

The malware installed by these documents is a variant of Enfal/Lurid. We are detecting wordupgrade.exe as Trojan-Dropper.Win32.Datcaen.d and usrsvpla.dll as Trojan.Win32.Zapchast.affv. Our colleagues from Trend have previously described this malware in their papers.

https://blog.trendmicro.com/trendlabs-security-intelligence/modified-enfal-variants-compromised-874-systems/

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf

The samples seen last week contact a C&C server at yui.bcguard.com. This domain has the same registration details a mailftast.com above.

Below are the IP addresses of these domains:

There are several other domains registered to ?liu runxin¦:

Conclusion

The malware used in these attacks is not very advanced or new (Enfal variants have been seen as far back as 2006). However, the attacks are very regular, so it is probably safest not to open attachments related to these topics.

Military Hardware and Men-s Health

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox