[Issue] A series of APT attacks on Taipei, repeated at short intervals
The INCA Internet response team detected an APT attack targeting 行政院衛生署 (the Department of Health of the Republic of China). The Department of Health of the Republic of China (Traditional Chinese: 衛生署; Pinyin: Wèishēng Shǔ) is an executive agency of the Executive Yuan responsible for administering the public health system, affordable and universal health care, hospitals, pharmaceuticals, immunization programs, disease prevention, and the supervision and coordination of local health agencies in Taiwan.
Because an attack that is repeated at such short intervals is unusual, we want to share the details. Even after a target becomes aware of the attacker's plan, the attacker keeps attacking persistently; the behaviour resembles stalking.
2. Real cases
This case is based on data from the INCA Internet response team's monitoring and tracing system and on data collected from overseas. It also includes unopened e-mails that had passed through spam filtering.
a. E-mail on April 13, 2012 17:20
It is disguised as confidential military-related material about a former leader of the Democratic Progressive Party in the Republic of China (Taiwan).
"蘇貞昌涉軍黑資料.doc" contains a CVE-2010-3333 (MS10-087) exploit. This vulnerability is addressed by the latest Office security update.
The INCA Internet response team rated this APT attack at level 2.
APT (Advanced Persistent Threat) level scale
The lure can be delivered as a URL link in the body of the e-mail or as an attachment, and may involve multiple languages and C&C servers. Each level reflects a technical analysis of the attack, and higher levels correspond to more advanced attacks. When the sender's address is on the same domain as the recipient's, or closely related to it, the attack is more likely to succeed; that is why attackers collect information about their victims beforehand.
b. E-mail on April 18, 2012 11:21
This second e-mail has different content and a different attachment. The attacker switched from a 2010 exploit to a 2012 one.
This e-mail is disguised as a notice about a children's education subsidy. "子女教育補助費101新版.doc" uses a CVE-2012-0158 (MS12-027) exploit, which is currently popular in APT attacks.
c. E-mail on April 23, 2012 10:46
This e-mail is disguised as a message from 中華郵政股份有限公司 (the official postal service of the Republic of China (ROC)). It refers to WebATM, e-mail and e-bill services.
"Email線上電子對帳單.doc" also uses a variant of the CVE-2012-0158 (MS12-027) exploit.
d. E-mail on April 23, 2012 11:08
It appears that the attacker kept trying after the earlier attempts failed.
The subject of the e-mail is "Project progress report". "表1b_306.doc" also uses a CVE-2012-0158 (MS12-027) exploit. We can assume that the attacker has a tool for generating malicious documents that exploit CVE-2012-0158 (MS12-027).
e. E-mail on April 23, 2012 11:47
This e-mail is disguised as a message from CAAPS (Chinese American Academic and Professional Society) and contains a DOC and a PDF file. "Final CAAAPS_CAll_for_paper_news_release.pdf" is a benign PDF document; "instruction of abstract format.doc" contains a CVE-2012-0158 (MS12-027) exploit.
f. E-mail on April 23, 2012 12:40
This e-mail is disguised as an alumni notice sent from another Taiwanese government domain (trts.dorts.gov.tw). "活動安排及部份同學通訊錄.doc" contains a CVE-2012-0158 (MS12-027) exploit.
g. E-mail on April 23, 2012 12:45
This e-mail is disguised as a charity concert notice. "崇她存摺.doc" contains a CVE-2012-0158 (MS12-027) exploit.
h. E-mail on April 25, 2012 09:24
This e-mail is disguised as a delivery failure notification.
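As an added defensive example (not code from the original post or from INCA Internet), the script below reads a constructed mail-gateway log modelled on the time line above and flags recipients who received several Office-document attachments within a short interval, the repeated-lure pattern this post describes. The log format, the addresses, and the three-hour/three-mail thresholds are assumptions; the timestamps and attachment names are the ones reported above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
OFFICE_DOC_EXT = (".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx")
# Constructed gateway log modelled on the time line above: timestamps and
# attachment names are those the post reports; addresses are placeholders.
SAMPLE_MAIL_LOG = """\
2012-04-13 17:20|lure1@external.example|staff@agency.example.tw|蘇貞昌涉軍黑資料.doc
2012-04-18 11:21|lure2@external.example|staff@agency.example.tw|子女教育補助費101新版.doc
2012-04-23 10:46|post@external.example|staff@agency.example.tw|Email線上電子對帳單.doc
2012-04-23 11:08|lure3@external.example|staff@agency.example.tw|表1b_306.doc
2012-04-23 11:47|caaps@external.example|staff@agency.example.tw|instruction of abstract format.doc
2012-04-23 11:47|caaps@external.example|staff@agency.example.tw|Final CAAAPS_CAll_for_paper_news_release.pdf
2012-04-23 12:40|alumni@external.example|staff@agency.example.tw|活動安排及部份同學通訊錄.doc
2012-04-23 12:45|charity@external.example|staff@agency.example.tw|崇她存摺.doc
"""

def parse_log(text):
    """Parse 'timestamp|sender|recipient|attachment' lines ('-' = no attachment)."""
    records = []
    for line in text.splitlines():
        ts, sender, rcpt, att = line.split("|")
        records.append({"time": datetime.strptime(ts, FMT), "sender": sender,
                        "recipient": rcpt, "attachment": None if att == "-" else att})
    return records

def is_office_doc(name):
    """True for the Office document types used as lures in this campaign."""
    return name is not None and name.lower().endswith(OFFICE_DOC_EXT)

def find_bursts(records, max_gap=timedelta(hours=3), min_count=3):
    """Chain each recipient's Office-attachment mails spaced <= max_gap into bursts; report those of >= min_count."""
    per_rcpt = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        if is_office_doc(r["attachment"]):
            per_rcpt[r["recipient"]].append(r)
    bursts = []
    for rcpt, mails in per_rcpt.items():
        clusters = [[mails[0]]]
        for r in mails[1:]:
            if r["time"] - clusters[-1][-1]["time"] <= max_gap:
                clusters[-1].append(r)   # still inside the current burst
            else:
                clusters.append([r])     # gap too large: start a new burst
        for c in clusters:
            if len(c) >= min_count:
                bursts.append({"recipient": rcpt, "count": len(c), "senders": sorted({m["sender"] for m in c}),
                               "start": c[0]["time"].strftime(FMT), "end": c[-1]["time"].strftime(FMT)})
    return bursts
```

On the sample log the isolated April 13 and April 18 lures are not reported, while the five Office documents of April 23 (10:46 to 12:45, five different sender addresses) form one burst; the PDF is ignored because it is not one of the document types the campaign used.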
Various APT attacks are appearing these days, and exploits for CVE-2010-3333 (MS10-087) and CVE-2012-0158 (MS12-027) are especially popular. Both vulnerabilities are addressed by the latest Microsoft Office security update.
Therefore, users should keep their security updates current to avoid infection by malicious files. To protect your PC from the threat posed by these malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.