12345

8/23/2012

[Issue] APT attack from Taiwan related one of Taiwanese airline companies

1. Introduction

INCA Internet response team announced Taiwanese APT attack with using time interval April, 2012 and still collects related information. Among them, we found another type of APT attack disguised as sent from airline company(EVA AIR). Attacker aimed for officers who work at Council of Agriculture (Republic of China) and Department of Health (Republic of China).
Malicious file used for attack was disguised as a receipt of e-ticket and its icon as a folder.

INCA Internet response team are chasing for assuming that this attack will be one of previous APT attacks for office workers.



2. APT attack disguised as sent by airline company

[Issue] Several APT attacks on Taipei with time interval 

Attacking cases for Taiwanese government officers are continuously found still in these days. First of all, attacker attacked to officers who work for marketing team of Council of Agriculture (Republic of China) with sending message as "EVA Airline e-ticket receipt" including malicious files on July 3, 2012.

This e-mail contains compressed file(69380236_10107_receipt.rar) which contains malicious file, "69380236_10107_receipt.exe".


Next day, similar malicious mails sent to officers who work for public health team of Department of Health (Republic of China) with sending message as "Special price of Cathay Pacific Airlines".


We can assume that one attacker or organization made same attack due to same malicious files.


"69380236_10107_receipt.rar" contains malicious file which has folder-typed icon.


Upon executing "69380236_10107_receipt.exe", it will create "atievxx.exe" on (Temp) folder.


And then, it will create "69380236_10107_receipt" folder and 69380236_10107_receipt.pdf" file its inside.


"69380236_10107_receipt.pdf" is locked by password. These days, we got many locked files using for APT attack. Therefore, locked files especially document files including(PDF, HWP, DOC, XLS) has great possibility of malicious file. When you think you are infected, you'd better change your e-mail password and personal information.


"atievxx.exe" will wait additional command and can be exposed by leaking various information and working as a backdoor from attacker after accessed certain host in Hong Kong.


3. Summary

We have to notice that various APT attacks are booming in these days. Besides, users need to be careful from being exposed by security threats. To use PC safely from security threats of these malicious attachments, we recommend you download latest security updates and obey following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs responding system against various security threats.
nProtect Anti-Virus/Spyware v3.0 diagnoses and treats various variant files.

Free installation link of nProtect AVS : http://avs.nprotect.com/

1 comment:

  1. I was looking through some of your blog posts on this site and I believe this web site is really informative! Keep on putting up.This site is really helpful for us. and also like it .Very wonderful information can be found on web blog . “The quality of an organization can never exceed the quality of the minds that make it up http://www.religionstube.com/categories/7/Music-Videos

    ReplyDelete