The INCA Internet response team detected an APT-style e-mail, disguised as a job application, that was sent through a well-known Korean web portal. The e-mail carries an attachment named "My resume.doc" which exploits CVE-2012-0158 and silently installs further malicious files. A user whose system is still exposed to this vulnerability risks having information about both the PC and the user's company collected by the attacker.
This kind of attack is common, yet ordinary users rarely realise they have been targeted. Exploiting document files is a classic technique and is still in active use. Users should be cautious about downloading and opening attachments from suspicious e-mails.
The INCA Internet response team has reported this issue and the related information to the security manager of the web site concerned.
2. Malicious file attacking procedure and technique
The details are as follows.
The same malicious file has also been sent to a Japanese company.
The body of the e-mail reads as follows.
Hello First joined the company is honored to support. I am a graduate of the University, "Where there is a will there is a way saying," and believe, the company recognized that the people I will do my best. In addition, to thank your company would like to contribute.
During my college participated in various extracurricular activities and community service were the basis of these experiences, as well as communications for organizations to adapt I think. In addition, proficient in team play to know where to enjoy the challenge.
a) Good at English speaking and writing and business negotiations.
b) Project management, and plenty of experience in document creation
c) Ability to handle business on my own good and Excellent communication skills.
I enclosed my resume with a picture. If you give the incident a chance I'll do my best every day.
When the malicious attachment "My resume.doc" is opened, it writes a clean decoy "My resume.doc" to the temp folder and opens it. The decoy's content is shown below.
The victim sees an ordinary MS Word document, but in the background the exploit drops several malicious files to infect the system.
rc.exe is the legitimate MS resource compiler.
The malicious file tries to reach a certain host in Hong Kong and records keystrokes to kl.log.
The following image shows a test of the key-logging output. With this file in place, everything the user types can be recorded and leaked.
The malicious file also connects the user's PC to a certain host in Hong Kong and waits for additional commands, leaving the user exposed to whatever the attacker sends next.
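The infection chain above (Word dropping files into the temp folder and then launching something from there) is a good candidate for host-based detection. The following Python is an added example, not INCA Internet's code; the log format and the sample events are constructed for illustration.

```python
import re

# Assumed (constructed) event line format:
#   <time> <event> key=value key="value with spaces" ...
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<event>\w+)\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event")}
    for key, val in KV_RE.findall(m.group("kv")):
        rec[key] = val.strip('"')
    return rec

def is_temp_path(path):
    return "\\temp\\" in path.lower()

def is_word(image):
    return image.lower().endswith("\\winword.exe")

def find_suspicious_chains(lines):
    """Flag Word writing into a temp folder and then either spawning a child
    process or a process starting from a file Word just dropped."""
    dropped = set()      # lower-cased temp paths written by Word
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        image = rec.get("image", "")
        if rec["event"] == "FileCreate" and is_word(image) and is_temp_path(rec.get("target", "")):
            dropped.add(rec["target"].lower())
        elif rec["event"] == "ProcessCreate":
            parent = rec.get("parent_image", "")
            if is_word(parent) or image.lower() in dropped:
                findings.append((rec["ts"], image, parent))
    return findings

# Constructed sample events modelled on the chain described in the text
# (the dropped executable name "svc.exe" is a placeholder, not from the report).
WORD = "C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"
SAMPLE_LOG = [
    f'10:00:01 ProcessCreate pid=1001 image="{WORD}" parent_image="C:\\Windows\\explorer.exe"',
    f'10:00:03 FileCreate pid=1001 image="{WORD}" target="C:\\Users\\user\\AppData\\Local\\Temp\\My resume.doc"',
    f'10:00:03 FileCreate pid=1001 image="{WORD}" target="C:\\Users\\user\\AppData\\Local\\Temp\\svc.exe"',
    f'10:00:04 ProcessCreate pid=1002 image="C:\\Users\\user\\AppData\\Local\\Temp\\svc.exe" parent_image="{WORD}"',
]
```

Running `find_suspicious_chains(SAMPLE_LOG)` returns one finding for the process started from the dropped temp file; a plain Word launch from explorer.exe is not flagged.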
Malicious files that target the internal staff of a specific organisation or company are hard to spot on an infected computer, and ordinary users in particular usually cannot tell that they have been infected. Users therefore need to guard against these threats. To keep a PC safe from malicious attachments of this kind, we recommend installing the latest security updates and following the "Security management tips" for general users below.
INCA Internet (Security Response Center / Emergency Response Team) operates a response system against a wide range of security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes these files and their variants.
Free installation link for nProtect AVS: http://avs.nprotect.com/