INCA Internet's response team announced in April 2012 that APT attacks against Taiwan were being carried out over a sustained period, and has continued to collect related information since. Among these, we found another APT attack disguised as mail from an airline (EVA Air). The attacker targeted officials at the Council of Agriculture (Republic of China) and the Department of Health (Republic of China).
The malicious file used in the attack was disguised as an e-ticket receipt and carried a folder icon.
INCA Internet's response team is tracking this case on the assumption that it belongs to the same series of APT attacks against office workers reported earlier.
2. APT attack disguised as mail from an airline company
Attacks on Taiwanese government officials continue to be found. First, on July 3, 2012, the attacker sent a message titled "EVA Air e-ticket receipt", carrying a malicious attachment, to officials in the marketing team of the Council of Agriculture (Republic of China).
The e-mail carries a compressed file (69380236_10107_receipt.rar) that contains the malicious file "69380236_10107_receipt.exe".
The next day, similar malicious mails titled "Special price of Cathay Pacific Airlines" were sent to officials in the public health team of the Department of Health (Republic of China).
Because the same malicious files were used in both mailings, we assume that a single attacker or organization is behind both attacks.
"69380236_10107_receipt.rar" contains a malicious executable that uses a folder icon, so that with file extensions hidden (Windows Explorer's default for known file types) it looks like an ordinary folder named "69380236_10107_receipt".
When "69380236_10107_receipt.exe" is executed, it creates "atievxx.exe" in the %Temp% folder.
It then creates a "69380236_10107_receipt" folder and places a "69380236_10107_receipt.pdf" file inside it.
"69380236_10107_receipt.pdf" is password-protected. Recently we have seen many password-protected files used in APT attacks, since a scanner cannot inspect the contents of an encrypted document. A password-protected document file (PDF, HWP, DOC, XLS) that arrives unexpectedly should therefore be treated as likely malicious. If you think you have been infected, change your e-mail password and any other credentials that may have been exposed.
"atievxx.exe" connects to a certain host in Hong Kong and then waits for further commands. It works as a backdoor for the attacker and can leak various information from the infected PC.
We have to note that APT attacks of this kind are on the rise, and users need to be careful about exposure to such threats. To use your PC safely despite malicious attachments like these, we recommend that you install the latest security updates and follow the "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes the variants of these files.
Free installation link for nProtect AVS: http://avs.nprotect.com/