
7/22/2012

[Warning] Detected APT attack for Korean famous web portal site (#Update 02)

1. Introduction

The INCA Internet response team detected an APT-style e-mail, disguised as a job application, sent to a well-known Korean web portal. The e-mail carries the attachment "My resume.doc", which exploits CVE-2012-0158 and silently installs a further malicious file. If the user's system is vulnerable, the attacker can collect information from the user's PC and from the user's company.



Attacks of this kind are common, yet ordinary users rarely realise they are being targeted. Exploiting document files is a classic technique that is still in use today. Users should be careful about downloading and opening attachments from suspicious e-mails.

The INCA Internet response team has reported this issue and the related information to the security manager of the affected web site.




2. Malicious file attacking procedure and technique

The details are as follows.

Title : 
FW: Job application

Body :   
Dear (~~):
Good morning. I am honored to be here to get the opportunity to become a potential member of (the name of portal site).
As a college graduate, I believe “where there is a will, there is a way”, and I will try my best to do a good job in my business. So I sincerely hope that I can make a position in your company so that I can serve for the company.
I participated in lots of school activities and social practice during my four years of campus life. And the experience did a good job to improve the skill of communication and enhance the ability of organization. Also, my sense of team spirit is developed. I’m a person who likes challenges.
Specialties:
a. Good command of both oral and writing English, and excellent skills of business negotiation.
b. Special experiences in project coordination, project documentation establishment and management.
c. Able to work under pressure, independent, and strong ability to communicate with various people.
I am enclosing my resume together with my photo, and believe that they may be found satisfactory.. I assure you that if appointed, I will do my best to give your satisfaction.

pass:resume
Very truly yours
san
That'all,thanks for your attentio

attachment :
My resume.doc
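Before such an attachment is opened anywhere, it can be triaged offline for the control that CVE-2012-0158 abuses. The following script is an added example and not INCA Internet's code; it searches a raw document for the CLSID and ProgID of MSComctlLib.ListViewCtrl.2, the MSCOMCTL ListView control associated with this vulnerability, in both the binary OLE2 form used by .doc files and the ASCII-hex form used by RTF wrappers (the page only mentions a .doc attachment; the RTF case is a generalization). The sample blobs are constructed for the example, not taken from the real attachment.

```python
"""Static triage of a document attachment for the MSCOMCTL ListView control
abused by CVE-2012-0158. Presence of the control is a triage flag, not proof
of exploitation: legitimate forms embed it too."""
import uuid

# CLSID of MSComctlLib.ListViewCtrl.2, the control tied to CVE-2012-0158.
LISTVIEW_CLSID = uuid.UUID("BDD1F04B-858B-11D1-B16A-00C0F0283628")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file header
RTF_MAGIC = b"{\\rtf"


def triage_document(data):
    """Return the list of indicator names found in the raw file bytes."""
    hits = []
    if data.startswith(OLE2_MAGIC):
        hits.append("ole2-container")
    elif data.startswith(RTF_MAGIC):
        hits.append("rtf-container")
    # OLE storage writes a CLSID with its first three fields little-endian.
    if LISTVIEW_CLSID.bytes_le in data:
        hits.append("mscomctl-listview-clsid")
    # RTF carries object data as ASCII hex, so check the hex spelling as well.
    if LISTVIEW_CLSID.bytes_le.hex().encode() in data.lower():
        hits.append("mscomctl-listview-clsid-hex")
    # The ProgID string appears in CompObj streams and in RTF \objclass groups.
    if b"MSComctlLib.ListViewCtrl" in data:
        hits.append("mscomctl-listview-progid")
    return hits


def is_suspicious(hits):
    """A resume should never need an embedded ListView control."""
    return any(h.startswith("mscomctl-listview") for h in hits)


# Constructed samples (not the real attachment): a fake OLE2 blob carrying the
# control's CLSID, an RTF wrapper naming the control, and a clean OLE2 blob.
SUSPICIOUS_DOC = OLE2_MAGIC + b"\x00" * 64 + LISTVIEW_CLSID.bytes_le + b"\x00" * 64
SUSPICIOUS_RTF = (RTF_MAGIC + b"1{\\object\\objocx{\\*\\objclass MSComctlLib.ListViewCtrl.2}"
                  b"{\\*\\objdata " + LISTVIEW_CLSID.bytes_le.hex().encode() + b"}}")
BENIGN_DOC = OLE2_MAGIC + b"\x00" * 160

if __name__ == "__main__":
    for label, blob in (("doc", SUSPICIOUS_DOC), ("rtf", SUSPICIOUS_RTF), ("benign", BENIGN_DOC)):
        found = triage_document(blob)
        print(label, found, "-> quarantine" if is_suspicious(found) else "-> pass")
```

Run it against a file with `triage_document(open(path, "rb").read())`; a hit on any `mscomctl-listview` indicator in an unsolicited resume is enough to quarantine the message and analyse the attachment in a sandbox rather than on a user's workstation.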


(#Update 02)
The same malicious file has been sent to a Japanese company.


Its body is as follows.

Hello First joined the company is honored to support.I am a graduate of the University, "Where there is a will there is a way saying," and believe, the company recognized that the people I will do my best. In addition, to thank your company would like to contribute.


During my college participated in various extracurricular activities and community service were the basis of these experiences, as well as communications for organizations to adapt I think.In addition, proficient in team play to know where to enjoy the challenge.


Advantages:
a) Good at English speaking and writing and business negotiations.
b) Project management, and plenty of experience in document creation
c) Ability to handle business on my own good and Excellent communication skills.


I enclosed my resume with a picture. If you give the incident a chance I'll do my best every day.


password: resume


Thank you.

When the malicious attachment "My resume.doc" is opened, it drops a clean decoy "My resume.doc" in the temp folder and opens it. Its content is as follows.


The decoy displays ordinary MS Word content; meanwhile, several malicious files are created to infect the system.

rc.exe is the legitimate MS resource compiler.


The malicious file attempts to connect to a certain host in Hong Kong and records keystrokes in kl.log.

The following image shows a key-logging test record. With this file, the user's activity can be recorded and leaked.


The malicious file connects the user's PC to a certain host in Hong Kong and waits for further commands, putting the user at risk.
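The behaviour described in this section (a Word document dropping files in the temp folder, a dropped binary executing, a keystroke log being written and an outbound connection to a remote host) is a chain that endpoint telemetry can correlate. The following detector is an added example, not INCA Internet's code or product logic; it runs four simple rules over constructed process, file and network events in a Sysmon-like shape. The event field names, the image paths, the dropped file name `dropped.exe` and the destination address are all made up for the example; only `WINWORD.EXE`, the temp folder and `kl.log` come from the description above.

```python
"""Correlate endpoint events into the drop-and-run chain of a document exploit."""

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr")


def _name(path):
    """Lower-case file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_temp(path):
    return "\\temp\\" in path.lower()


def detect_drop_and_run(events):
    """Return (rule, detail) findings for the document-exploit chain.

    Events are dicts with a 'type' of 'process' (pid, ppid, image),
    'file' (pid, path) or 'network' (pid, dst); this shape is assumed.
    """
    image_by_pid = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "process"}
    findings = []
    for ev in events:
        if ev["type"] == "file":
            writer = image_by_pid.get(ev["pid"], "")
            path = ev["path"]
            # Rule 1: an Office process writes an executable into the temp folder.
            if _name(writer) in OFFICE_IMAGES and _in_temp(path) and path.lower().endswith(EXEC_SUFFIXES):
                findings.append(("office_drops_executable", path))
            # Rule 3: a binary running from temp writes a log file there (kl.log above).
            if _in_temp(writer) and path.lower().endswith(".log"):
                findings.append(("temp_binary_writes_logfile", path))
        elif ev["type"] == "process":
            parent = image_by_pid.get(ev["ppid"], "")
            # Rule 2: an Office process launches a binary located in temp.
            if _name(parent) in OFFICE_IMAGES and _in_temp(ev["image"]):
                findings.append(("office_spawns_temp_binary", ev["image"]))
        elif ev["type"] == "network":
            src = image_by_pid.get(ev["pid"], "")
            # Rule 4: a binary running from temp opens an outbound connection.
            if _in_temp(src):
                findings.append(("temp_binary_connects_out", f"{src} -> {ev['dst']}"))
    return findings


# Constructed telemetry for one infection: nothing here is a real IoC
# (203.0.113.10 is a documentation address, dropped.exe a placeholder name).
TEMP = "C:\\Users\\user\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE"},
    {"type": "file", "pid": 200, "path": TEMP + "My resume.doc"},   # the decoy
    {"type": "file", "pid": 200, "path": TEMP + "dropped.exe"},     # the payload
    {"type": "process", "pid": 300, "ppid": 200, "image": TEMP + "dropped.exe"},
    {"type": "file", "pid": 300, "path": TEMP + "kl.log"},          # keystroke log
    {"type": "network", "pid": 300, "dst": "203.0.113.10:443"},
]
BENIGN_EVENTS = [
    {"type": "process", "pid": 200, "ppid": 100, "image": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE"},
    {"type": "file", "pid": 200, "path": TEMP + "~WRD0001.tmp"},    # ordinary Word scratch file
]

if __name__ == "__main__":
    for rule, detail in detect_drop_and_run(SAMPLE_EVENTS):
        print(f"{rule:28s} {detail}")
```

Rule 1 alone (Word writing an executable) is already a strong signal; the remaining rules matter because a dropper that renames its payload or delays execution can slip past any single check, and the decoy .doc written to the same folder shows why the suffix test is needed to keep the rule quiet on normal document handling.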


3. Summary

Malicious files that target the internal staff of a specific organization or company are hard to spot once a computer is infected; ordinary users in particular cannot tell that they have been infected. Users therefore need to guard against these threats. To use a PC safely despite malicious attachments of this kind, we recommend installing the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes the various variant files.

Free installation link for nProtect AVS: http://avs.nprotect.com/
