
7/22/2012

[Warning] APT attack detected against a famous Korean web portal site (#Update 02)

1. Introduction

INCA Internet's response team detected an APT-style e-mail, disguised as a job application, sent to a famous Korean web portal site. The e-mail carries an attachment named "My resume.doc" that exploits CVE-2012-0158 and silently installs a further malicious file. If the user's system is exposed to this vulnerability, the attacker can collect information about the user's PC and about the user's company.



This kind of attack is common, yet general users find it hard to recognize that they are being targeted. Exploiting document files is a classic technique and is still in use today. Users should be careful when downloading and executing attachments from suspicious e-mail.

INCA Internet's response team has reported this issue and the related information to the security manager of the affected web portal.




2. Malicious file attacking procedure and technique

The details are as follows.

Title : 
FW: Job application

Body :   
Dear (~~):
Good morning. I am honored to be here to get the opportunity to become a potential member of (the name of portal site).
As a college graduate, I believe “where there is a will, there is a way”, and I will try my best to do a good job in my business. So I sincerely hope that I can make a position in your company so that I can serve for the company.
I participated in lots of school activities and social practice during my four years of campus life. And the experience did a good job to improve the skill of communication and enhance the ability of organization. Also, my sense of team spirit is developed. I’m a person who likes challenges.
Specialties:
a. Good command of both oral and writing English, and excellent skills of business negotiation.
b. Special experiences in project coordination, project documentation establishment and management.
c. Able to work under pressure, independent, and strong ability to communicate with various people.
I am enclosing my resume together with my photo, and believe that they may be found satisfactory.. I assure you that if appointed, I will do my best to give your satisfaction.

pass:resume
Very truly yours
san
That'all,thanks for your attentio

attachment :
My resume.doc


(#Update 02)
The same malicious file has been sent to a Japanese company.

Its body is as follows.

Hello First joined the company is honored to support.I am a graduate of the University, "Where there is a will there is a way saying," and believe, the company recognized that the people I will do my best. In addition, to thank your company would like to contribute.


During my college participated in various extracurricular activities and community service were the basis of these experiences, as well as communications for organizations to adapt I think.In addition, proficient in team play to know where to enjoy the challenge.


Advantages:
a) Good at English speaking and writing and business negotiations.
b) Project management, and plenty of experience in document creation
c) Ability to handle business on my own good and Excellent communication skills.


I enclosed my resume with a picture. If you give the incident a chance I'll do my best every day.


password: resume


Thank you.

When the malicious attachment "My resume.doc" is opened, it creates a normal (non-malicious) "My resume.doc" in the temp folder and opens it. Its content is as follows.


It displays ordinary MS Word content, but meanwhile it creates several malicious files to infect the system.

rc.exe is a legitimate Microsoft resource compiler binary.


The malicious file attempts to connect to a certain host in Hong Kong and records captured keystrokes in kl.log.

The following image shows a keystroke-logging test record. With this file, the user's activity can be recorded and leaked.


The malicious file connects the user's PC to a certain host in Hong Kong and waits for further commands, which puts the user at risk.
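The chain described above (a Word document writing files into the temp folder, launching a process from there, that process writing kl.log and calling out) is visible in endpoint telemetry even when the dropped files themselves are not yet known to anti-virus. The following is an added example written for this page, not INCA Internet's code or anything from the sample itself: a small Python heuristic that replays constructed Sysmon-style events modelled on the post's description. The paths, PIDs, the file name "payload.dll" and the 203.0.113.10 address are placeholders, not indicators from the real sample.

```python
"""Behavioural detection for an Office-document infection chain (added example).

Replays constructed Sysmon-style events and flags the behaviours the post
describes: an Office process dropping executables into %TEMP%, spawning a
process from %TEMP%, that child writing a keystroke log, and the child
connecting outbound. Nothing here comes from the real sample's telemetry.
"""
import ntpath

# Constructed sample telemetry (placeholders, not real indicators).
TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 100, "ppid": 50,
     "image": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE "C:\\Users\\victim\\Downloads\\My resume.doc"'},
    {"type": "FileCreate", "pid": 100, "path": TEMP + r"\My resume.doc"},  # clean decoy copy
    {"type": "FileCreate", "pid": 100, "path": TEMP + r"\rc.exe"},         # legitimate MS binary
    {"type": "FileCreate", "pid": 100, "path": TEMP + r"\payload.dll"},    # constructed name
    {"type": "ProcessCreate", "pid": 200, "ppid": 100,
     "image": TEMP + r"\rc.exe", "cmdline": "rc.exe"},
    {"type": "FileCreate", "pid": 200, "path": TEMP + r"\kl.log"},         # keystroke log
    {"type": "NetworkConnect", "pid": 200, "dst_ip": "203.0.113.10", "dst_port": 443},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXECUTABLE_EXT = {".exe", ".dll", ".scr"}


def basename_lower(path):
    # ntpath handles Windows backslash paths regardless of the host OS.
    return ntpath.basename(path).lower()


def in_temp(path):
    return "\\temp\\" in path.lower()


def is_office(image):
    return basename_lower(image) in OFFICE_IMAGES


def descends_from_office(pid, procs, max_depth=8):
    """True if any ancestor of pid (not pid itself) is an Office process."""
    cur = procs.get(pid)
    depth = 0
    while cur is not None and depth < max_depth:
        parent = procs.get(cur["ppid"])
        if parent is None:
            return False
        if is_office(parent["image"]):
            return True
        cur = parent
        depth += 1
    return False


def analyze(events):
    """Walk events in order and return a list of (rule, pid, detail) findings."""
    procs = {}  # pid -> ProcessCreate event, built as events arrive
    findings = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "ProcessCreate":
            procs[pid] = ev
            parent = procs.get(ev["ppid"])
            # Office launching anything that lives in %TEMP% is rarely legitimate.
            if parent and is_office(parent["image"]) and in_temp(ev["image"]):
                findings.append(("office_spawns_temp_child", pid, ev["image"]))
        elif ev["type"] == "FileCreate":
            proc = procs.get(pid)
            if proc is None:
                continue
            ext = ntpath.splitext(ev["path"])[1].lower()
            # Word has no business writing PE files into %TEMP%.
            if is_office(proc["image"]) and in_temp(ev["path"]) and ext in EXECUTABLE_EXT:
                findings.append(("office_drops_executable", pid, ev["path"]))
            # The specific kl.log name is brittle, so it is only scored for Office descendants.
            if basename_lower(ev["path"]) == "kl.log" and descends_from_office(pid, procs):
                findings.append(("keylog_file_from_office_child", pid, ev["path"]))
        elif ev["type"] == "NetworkConnect":
            proc = procs.get(pid)
            if proc and in_temp(proc["image"]) and descends_from_office(pid, procs):
                detail = "%s:%d" % (ev["dst_ip"], ev["dst_port"])
                findings.append(("temp_child_of_office_connects_out", pid, detail))
    return findings


def rules_triggered(events):
    """Sorted, de-duplicated rule names for a quick verdict."""
    return sorted({rule for rule, _, _ in analyze(events)})


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print("%-36s pid=%d %s" % (rule, pid, detail))
```

The generic rules (executable dropped by Office, child spawned from %TEMP%, outbound connection from that child) are the ones worth keeping in production; the kl.log name is specific to this sample and is only there to show how a file-name indicator from a report can be tied to process ancestry instead of being matched on its own.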


3. Summary

Malicious files that target the internal staff of a specific organization or company are not easily found on the infected computer. General users in particular cannot tell that they have been infected. Users therefore need to be careful about these security threats. To use your PC safely against the threat of such malicious attachments, we recommend that you install the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security vendor, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mail.
4. Be cautious of links received through instant messengers and social networking services.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes the various variants of this file.

Free installation link for nProtect AVS: http://avs.nprotect.com/
