[Warning] APT malicious files targeting the Geographical Survey Institute of the Ministry of Land, Infrastructure, Transport and Tourism

1. Introduction

The INCA Internet Emergency Response Team detected on March 2, 2012 that malicious APT files exploiting the CVE-2012-0745 vulnerability were sent to certain users of the Geographical Survey Institute of the Ministry of Land, Infrastructure, Transport and Tourism.
The files spread by e-mail carrying a malicious Excel file that embeds an exploit for an Adobe Flash Player vulnerability. Users who open the attachment without anti-virus software can be infected.

This kind of attack is very stealthy, so strong attention to security is needed to avoid infection.

Many document files exploiting CVE-2012-0754 are circulating these days, so users need to be careful when opening attachments. The following list shows document files that use the same vulnerability.

CVE-2012-0754 Information

2. Spreading path and symptoms of infection

The malicious e-mail was sent to certain Japanese government officials with the malicious xls file "地域デザイン学会の名簿.xls" attached. The sender claimed to be a student of the department of economics at Tokai University, and the attached file was presented as a member list of a regional design society.

The translation is as follows.

Title :
About the list of regional design society

Body :
This is *** of Tokai University.
I'm sending the member list of the regional design society.
This month, I was told that accepting new members isn't necessary.
Professor *** shared how to share the list of members.
Since it hasn't been decided how to share it, I will let you know when he comes back from his business trip.
I feel really sorry to say that I have some business trips scheduled in March, so I can't check my mailbox.
Therefore I am giving you our list.
Attachment :
Regional design society members' list.xls

When a user whose MS Office is vulnerable opens the malicious attachment 地域デザイン学会の名簿.xls, a Flash-like image such as the following is displayed.

At the same time, the malicious file connects to a certain web site and downloads and executes syoukai.mp4, which contains the CVE-2012-0754 exploit. Then the malicious file Bladex_reg.exe is created in the Temp folder and executed.

After that, plugin_containor.exe is created with the hidden attribute and executed.

Path : C:\Documents and Settings\(User name)\Application Data\Microsoft

Name : plugin_containor.exe

plugin_containor.exe continuously tries to connect to a certain C&C site and waits for additional commands from the attacker. Once a system is compromised by this malicious file, the user's private information can be leaked through the backdoor and remote control.
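The dropped-file indicators described above (plugin_containor.exe under Application Data\Microsoft with the hidden attribute, Bladex_reg.exe in the Temp folder, the downloaded syoukai.mp4) can be checked on a host with a short triage script. This is an added example, not INCA's own tooling; the sample records are constructed, and the directory fragments assume the Windows XP-era paths quoted in this advisory.

```python
import os
import stat
from dataclasses import dataclass

# Host artifacts named in the advisory, keyed by lowercase file name.
# Value: (directory fragment the advisory places the file in, or None; note)
ADVISORY_ARTIFACTS = {
    "plugin_containor.exe": ("application data/microsoft", "hidden backdoor that polls the C&C site"),
    "bladex_reg.exe": ("temp", "dropper executed from the Temp folder"),
    "syoukai.mp4": (None, "downloaded Flash exploit file (CVE-2012-0754)"),
}

@dataclass
class FileRecord:
    path: str      # full Windows-style path
    hidden: bool   # FILE_ATTRIBUTE_HIDDEN is set

@dataclass
class Finding:
    path: str
    note: str
    confidence: str  # "high" when name, location and (for the backdoor) hidden flag all match

def classify(record: FileRecord):
    """Return a Finding if the record matches an advisory artifact, else None."""
    norm = record.path.replace("\\", "/").lower()
    parent, _, name = norm.rpartition("/")
    if name not in ADVISORY_ARTIFACTS:
        return None
    expected_dir, note = ADVISORY_ARTIFACTS[name]
    in_expected_dir = expected_dir is None or parent.endswith(expected_dir)
    # The advisory says plugin_containor.exe is dropped hidden; a visible copy is weaker evidence.
    strong = in_expected_dir and (record.hidden or name != "plugin_containor.exe")
    return Finding(record.path, note, "high" if strong else "medium")

def triage(records):
    return [f for f in (classify(r) for r in records) if f is not None]

def scan_directory(root: str):
    """Walk a real directory; the hidden flag comes from NTFS attributes on Windows (0 elsewhere)."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                attrs = getattr(os.stat(full), "st_file_attributes", 0)
            except OSError:
                continue
            records.append(FileRecord(full, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return triage(records)

SAMPLE_RECORDS = [  # constructed for illustration, not from a real host
    FileRecord(r"C:\Documents and Settings\alice\Application Data\Microsoft\plugin_containor.exe", True),
    FileRecord(r"C:\Documents and Settings\alice\Local Settings\Temp\Bladex_reg.exe", False),
    FileRecord(r"C:\Documents and Settings\alice\Application Data\Microsoft\plugin_container.exe", False),  # lookalike name, not an IoC
    FileRecord(r"C:\Program Files\Common Files\notepad.exe", False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f.confidence, f.path, "-", f.note)
```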

3. How to prevent

This malicious file is used in an APT (Advanced Persistent Threat) attack.

This security hole can be closed by installing the latest Adobe Flash Player.

To keep your PC safe from the security threats posed by such malicious attachments, we recommend that you download the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine up to date, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messengers and social networking services.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.


  1. There is a correction for your introduction. While you mention CVE-2012-0745 (which is an IBM vulnerability) in the introduction, you later quote the Mitre source for CVE-2012-0754.
