[Issue] Several APT attacks on Taipei at short time intervals

1. Information

INCA Internet's response team detected an APT attack against 行政院衛生署 (the Department of Health of the Republic of China). The Department of Health of the Republic of China (Traditional Chinese: 衛生署, Pinyin: Wèishēng Shǔ) is an executive agency of the Executive Yuan responsible for administering the public health system, affordable and universal health care, hospitals, pharmaceuticals, immunization programs, disease prevention, and the supervision and coordination of local health agencies in Taiwan.
Because attacks delivered in rapid succession within such a short time window are unusual, we want to share the details. Even when the target becomes aware of the attacker's intent, the attacker keeps attacking persistently, much like stalking.


2. Real cases

This case is based on the INCA Internet response team's monitoring and tracking system and on data collected from overseas. It also shows unopened e-mails that passed through spam filtering.

a. E-mail on April 13, 2012 17:20

It is disguised as military secrets concerning a former governor from the Democratic Progressive Party in the Republic of China (Taiwan).

"蘇貞昌涉軍黑資料.doc" contains a CVE-2010-3333 (MS10-087) exploit. This vulnerability is fixed by the latest Office security update.

The INCA Internet response team rated this APT attack as Level 2.

APT (Advanced Persistent Threat) levels

At every level the lure may use a URL link in the e-mail body as well as an attachment, and both multiple languages and C&C infrastructure may be used.

- Level 01 (Basic):
Social engineering, simple spam and phishing, using malicious files with executable extensions (EXE/SCR/COM).

- Level 02 (Intermediate):
Various document formats (HWP, PDF, DOC, XLS, PPT) with disguised contents, or inducing the user to click a malicious link.

- Level 03 (Advanced):
Zero-day attacks and highly sophisticated techniques for bypassing antivirus software, delivered via USB, XSS and so on.

Each level reflects the technical sophistication of the attack, and an attacker can combine them into a more advanced attack. For example, when the sender's address belongs to the same domain as the recipient's, the attack is more likely to succeed; that is why attackers collect information about their victims beforehand.

b. E-mail on April 18, 2012 11:21

This second e-mail has different contents and a different attachment. The attacker switched from a 2010 exploit to a 2012 one.

This e-mail is disguised as a notice about a children's education subsidy. "子女教育補助費101新版.doc" uses a CVE-2012-0158 (MS12-027) exploit, which is popular in APT attacks these days.

c. E-mail on April 23, 2012 10:46

This e-mail is disguised as coming from 中華郵政股份有限公司 (Chunghwa Post, the official postal service of the Republic of China (ROC)). Its contents refer to WebATM, e-mail and e-bill services.

"Email線上電子對帳單.doc" also uses a variant of the CVE-2012-0158 (MS12-027) exploit.

d. E-mail on April 23, 2012 11:08

It appears that the attacker kept trying after the earlier attempts failed.

The e-mail subject is "Project progress report". "表1b_306.doc" also uses a CVE-2012-0158 (MS12-027) exploit. We can assume that the attacker has a tool for generating malicious documents with CVE-2012-0158 (MS12-027).

e. E-mail on April 23, 2012 11:47

This e-mail is disguised as coming from CAAPS (Chinese American Academic and Professional Society) and contains DOC and PDF files. "Final CAAAPS_CAll_for_paper_news_release.pdf" is a normal PDF document. "instruction of abstract format.doc" contains a CVE-2012-0158 (MS12-027) exploit.

f. E-mail on April 23, 2012 12:40

This e-mail is disguised as an alumni-related message sent from another part of the Taiwanese government (trts.dorts.gov.tw). "活動安排及部份同學通訊錄.doc" contains a CVE-2012-0158 (MS12-027) exploit.

g. E-mail on April 23, 2012 12:45

This e-mail is disguised as a charity concert notice. "崇她存摺.doc" contains a CVE-2012-0158 (MS12-027) exploit.

h. E-mail on April 25, 2012 09:24

This e-mail is disguised as a mail delivery failure notice.

3. Summary

Various APT attacks are being seen these days; in particular, the CVE-2010-3333 (MS10-087) and CVE-2012-0158 (MS12-027) exploits are popular. These vulnerabilities are fixed by the latest MS Office security updates.
Therefore, users should keep their security updates current to avoid infection by malicious files. To use a PC safely against the threat posed by such malicious attachments, we recommend downloading the latest security updates and following the "Security management tips" for general users below.
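Two defensive checks follow from the cases above: the same-domain sender trick mentioned under the APT levels, and the fact that every malicious attachment in this campaign was a ".doc" carrying either the CVE-2010-3333 RTF exploit or the CVE-2012-0158 MSCOMCTL exploit. The Python script below is an added example, not code from the original INCA Internet post. It parses a raw e-mail, rates it on the post's Level 1-3 scale from the attachment types, flags a sender domain that matches the recipient's, and applies static indicators to each attachment: an RTF file renamed to .doc, the `pFragments` control word abused by CVE-2010-3333, and the MSCOMCTL control CLSIDs that public YARA signatures use for CVE-2012-0158 (the CLSID values are taken from those public signatures, not from the post). The message, addresses, file names and file contents are all constructed placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from uuid import UUID

RTF_MAGIC = b"{\\rtf"  # RTF text; in this campaign such files were renamed to .doc

# MSCOMCTL.OCX control CLSIDs that public YARA rules use as CVE-2012-0158 indicators.
# Assumption: these values come from public signatures, not from the post.
MSCOMCTL_CLSIDS = (
    "BDD1F04B-858B-11D1-B16A-00C0F0283628",  # ListView
    "C74190B6-8589-11D1-B16A-00C0F0283628",  # TreeView
    "996BF5E0-8044-4650-ADEB-0B013914E99C",  # TreeView (Common Controls 6.0)
)

# The post's attachment classes: executable lures are Level 1, document lures Level 2.
EXECUTABLE_EXTS = (".exe", ".scr", ".com")
DOCUMENT_EXTS = (".hwp", ".pdf", ".doc", ".xls", ".ppt", ".rtf")


def clsid_patterns(clsid: str) -> list[bytes]:
    """Byte patterns under which a CLSID can appear in a document: ASCII GUID text,
    the raw little-endian GUID stored in OLE streams, and that GUID hex-encoded
    inside an RTF \\objdata group."""
    raw = UUID(clsid).bytes_le
    return [clsid.encode(), clsid.lower().encode(), raw,
            raw.hex().encode(), raw.hex().upper().encode()]


def inspect_attachment(name: str, data: bytes) -> list[str]:
    """Static indicators for one attachment; an empty list means nothing was flagged."""
    findings = []
    is_rtf = data.startswith(RTF_MAGIC)
    if name.lower().endswith(".doc") and is_rtf:
        findings.append("rtf-renamed-to-doc")  # extension does not match content
    if is_rtf and b"pFragments" in data:
        findings.append("rtf-pFragments (CVE-2010-3333 indicator)")
    for clsid in MSCOMCTL_CLSIDS:
        if any(p in data for p in clsid_patterns(clsid)):
            findings.append(f"mscomctl-clsid {clsid} (CVE-2012-0158 indicator)")
            break
    return findings


def domain_of(addr) -> str:
    m = re.search(r"@([\w.-]+)", str(addr or ""))
    return m.group(1).lower() if m else ""


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message, rate it on the post's Level 1-3 scale from its
    attachment types and list the indicators found. Level 3 (zero-day) cannot be
    decided statically and is left to the analyst."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"level": 0, "flags": [], "attachments": {}}
    sender, recipient = domain_of(msg["From"]), domain_of(msg["To"])
    if sender and sender == recipient:
        result["flags"].append("sender-domain-matches-recipient")  # spoofing sign on inbound mail
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = name.lower()[name.rfind("."):] if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            result["level"] = max(result["level"], 1)
        elif ext in DOCUMENT_EXTS:
            result["level"] = max(result["level"], 2)
        result["attachments"][name] = inspect_attachment(name, data)
    return result


def build_sample() -> bytes:
    """Constructed message for demonstration; addresses, names and file contents
    are placeholders, not artifacts from the campaign."""
    lure = b"{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 9;2;ffffffffffffffff}}}}"
    guid_hex = UUID(MSCOMCTL_CLSIDS[0]).bytes_le.hex()  # ListView GUID as \objdata hex
    objdata = b"{\\rtf1{\\object\\objocx{\\*\\objdata 01050000" + guid_hex.encode() + b"}}}"
    msg = EmailMessage()
    msg["From"] = "alumni@health.example.org"  # same domain as the recipient: spoofed
    msg["To"] = "staff@health.example.org"
    msg["Subject"] = "Project progress report"
    msg.set_content("Please review the attached report.")
    msg.add_attachment(lure, maintype="application", subtype="msword", filename="report_table.doc")
    msg.add_attachment(objdata, maintype="application", subtype="msword", filename="abstract_format.doc")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf", filename="call_for_papers.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, value)
```

The indicators are deliberately coarse: an RTF renamed to .doc or a `pFragments` property is not proof of exploitation, and an MSCOMCTL CLSID is only meaningful once the document's OLE object data is parsed further. The script is a first-pass filter to route suspicious attachments to a sandbox or analyst, with the level rating reproducing the post's scheme rather than a severity verdict.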

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security vendor, keep its engine updated, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messengers and social networking services.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
