
3/06/2012

[Warning] APT malicious files targeting the Geographical Survey Institute of the Ministry of Land, Infrastructure, Transport and Tourism

1. Introduction

 
The INCA Internet Emergency Response Team detected that, on March 2, 2012, APT malicious files exploiting the CVE-2012-0754 vulnerability were sent to certain users of the Geographical Survey Institute of the Ministry of Land, Infrastructure, Transport and Tourism.
They spread by e-mail as malicious Excel attachments that carry a Flash object exploiting an Adobe Flash Player vulnerability. A user who opens such an attachment on a PC with an unpatched Flash Player and no anti-virus software can be infected.



This kind of attack is highly targeted and stealthy, and avoiding infection requires close attention to security.

Many document files exploiting CVE-2012-0754 are circulating these days, so users need to be careful when opening attachments. The following list shows document files that use the same vulnerability.



CVE-2012-0754 Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0754

2. Spreading path and symptoms of infection

The malicious e-mail was sent to certain Japanese government officials with the malicious xls attachment "地域デザイン学会の名簿.xls" (member list of the Regional Design Society). The sender posed as a student of the Department of Economics at Tokai University, and the attachment was presented as a member list of the Regional Design Society.



The e-mail translates as follows.

Title :
About the member list of the Regional Design Society

Body :
This is *** of Tokai University.
I am sending the member list of the Regional Design Society.
This month, I was told that accepting new members isn't necessary.
Professor *** explained how to share the member list.
Since it hasn't been decided how to share it, I will let you know when he comes back from his business trip.
I am really sorry, but I have some business trips scheduled in March, so I can't check my mailbox.
Therefore I am sending you our list.
Attachment :
Regional Design Society members' list.xls

When a user with a vulnerable Flash Player opens the malicious attachment 地域デザイン学会の名簿.xls in MS Office, a Flash-like image such as the following is displayed.



At the same time, the malicious file connects to a certain web site, downloads syoukai.mp4, which is crafted to exploit CVE-2012-0754, and loads it. The malicious file Bladex_reg.exe is then created in the Temp folder and executed.


Afterwards, plugin_containor.exe is created with the hidden file attribute and executed.


Path : C:\Documents and Settings\(User name)\Application Data\Microsoft

Name : plugin_containor.exe



plugin_containor.exe continuously attempts to connect to a certain C&C site and waits for further commands from the attacker. Once a PC is compromised by this malicious file, the user's private information can be leaked through the backdoor and remote control.
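The chain described above (Excel attachment carrying a Flash object, a downloaded .mp4 that triggers the Flash bug, and two dropped executables) can be triaged statically. The following is an added example written for this page, not INCA Internet's tooling. It assumes the Flash object sits inside the .xls as an ordinary SWF stream (the post describes a Flash object but not its storage format), so it scans a document blob for SWF headers, inflates zlib-compressed (CWS) ones, and pulls out .mp4 URLs that are invisible to a naive strings run because they live inside the compressed ActionScript. A second function matches a file listing against the dropped-file names and paths quoted in the post. The sample attachment bytes, the URL and the file listing are all constructed for the example.

```python
# Added example, not from the INCA Internet post.  Sample data is constructed.
import re
import struct
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

SWF_RE = re.compile(rb"[FCZ]WS")                    # FWS/CWS/ZWS = raw/zlib/LZMA SWF
MP4_URL_RE = re.compile(rb"https?://[\x21-\x7e]+?\.mp4")


@dataclass
class EmbeddedSwf:
    offset: int
    signature: str
    version: int
    declared_len: int         # uncompressed length from the SWF header
    body: Optional[bytes]     # decompressed payload, None if not recovered


def _inflate(payload: bytes, want: int) -> Optional[bytes]:
    """Inflate a CWS body; None means the bytes were not valid zlib."""
    try:
        return zlib.decompressobj().decompress(payload, want)
    except zlib.error:
        return None


def find_embedded_swf(data: bytes) -> List[EmbeddedSwf]:
    """Locate Flash objects embedded anywhere in a document blob."""
    hits = []
    for m in SWF_RE.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            break
        version = data[off + 3]
        declared = struct.unpack_from("<I", data, off + 4)[0]
        # Header sanity check: plausible SWF version, length covers the header.
        if not 1 <= version <= 40 or declared < 8:
            continue
        sig = m.group().decode()
        if sig == "FWS":
            body = data[off + 8:off + declared]
        elif sig == "CWS":
            body = _inflate(data[off + 8:], declared - 8)
            if body is None:          # "CWS" text that is not really a SWF
                continue
        else:
            body = None               # LZMA (ZWS) left to the caller
        hits.append(EmbeddedSwf(off, sig, version, declared, body))
    return hits


def extract_mp4_urls(data: bytes) -> List[str]:
    """.mp4 URLs visible in the raw blob or inside embedded SWF bodies."""
    found = set(MP4_URL_RE.findall(data))
    for swf in find_embedded_swf(data):
        if swf.body:
            found.update(MP4_URL_RE.findall(swf.body))
    return sorted(u.decode() for u in found)


# Dropped-file indicators from the post: (file name, required path fragment).
DROPPED_FILE_IOCS = (
    ("bladex_reg.exe", "\\temp\\"),
    ("plugin_containor.exe", "\\application data\\microsoft\\"),
)


def _is_dropped_file(path: str, hidden: bool) -> bool:
    p = path.lower()
    for name, fragment in DROPPED_FILE_IOCS:
        if p.endswith("\\" + name) and fragment in p:
            return True
    # Broader heuristic (an assumption beyond the names in the post): any
    # hidden executable placed under Application Data\Microsoft.
    return hidden and p.endswith(".exe") and "\\application data\\microsoft\\" in p


def match_dropped_files(listing: List[Tuple[str, bool]]) -> List[str]:
    """listing: (full path, hidden attribute set).  Returns the matching paths."""
    return [path for path, hidden in listing if _is_dropped_file(path, hidden)]


def sample_attachment() -> bytes:
    """Constructed stand-in for the .xls: OLE magic and filler around a CWS
    object whose script references the downloaded MP4 (URL is made up)."""
    script = b"\x00" * 16 + b"http://example.invalid/syoukai.mp4" + b"\x00" * 16
    header = b"CWS" + bytes([11]) + struct.pack("<I", 8 + len(script))
    return b"\xd0\xcf\x11\xe0" + b"\x00" * 64 + header + zlib.compress(script) + b"\x00" * 64


def sample_listing() -> List[Tuple[str, bool]]:
    """Constructed file listing: two dropped files, one benign, one unnamed hidden exe."""
    return [
        (r"C:\Documents and Settings\user\Local Settings\Temp\Bladex_reg.exe", False),
        (r"C:\Documents and Settings\user\Application Data\Microsoft\plugin_containor.exe", True),
        (r"C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE", False),
        (r"C:\Documents and Settings\user\Application Data\Microsoft\svchost.exe", True),
    ]


if __name__ == "__main__":
    blob = sample_attachment()
    for swf in find_embedded_swf(blob):
        print(f"SWF {swf.signature} v{swf.version} at offset {swf.offset}, {swf.declared_len} bytes")
    print("mp4 URLs:", extract_mp4_urls(blob))
    print("dropped files:", match_dropped_files(sample_listing()))
```

Run it against a real attachment by replacing `sample_attachment()` with the file's bytes, and against a real listing by walking each profile's Application Data and Temp folders. The version and length sanity checks keep random "FWS"/"CWS" byte runs out of the results, and the CWS branch only reports a hit when the bytes actually inflate; LZMA-packed (ZWS) objects are reported but not decompressed.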


3. How to prevent

This malicious file is used in an APT (Advanced Persistent Threat) attack.

The security hole it exploits is closed by installing the latest Adobe Flash Player.
http://get.adobe.com/kr/flashplayer/

To use your PC safely against the security threats posed by such malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.

1 comment:

  1. There is a correction to your introduction. While you mention CVE-2012-0745 (which is an IBM vulnerability) in the introduction, you later quote the MITRE source for CVE-2012-0754.

    Thanks.
