While monitoring APT activity, the INCA Internet response team detected a targeted attack against the "Ambassador of France in China". The attacker embedded a malicious file inside an MS Excel workbook, but the workbook is password-protected: without the password the file cannot be opened, so the embedded payload cannot run and a recipient who does not know the password cannot be infected. The password serves the attacker in two ways: it narrows the attack to the specific recipients who receive it, and because a password-protected Office file is encrypted, mail gateways and anti-virus scanners that cannot open the file cannot inspect its contents either.
2. Spreading path and symptom of infection
The attacker used a very simple e-mail: its subject is "Application" and its body contains nothing but the password.
Attackers normally rely on social engineering to draw the target's attention and raise the success rate, but a global campaign is harder to run because each target requires its own language and technical preparation. In this case a very simple attack was enough to get past the target's defences.
The e-mail used in the attack is as follows.
The attacker sent it from a sina.com account, and the recipient's address belongs to the French Ministry of Foreign Affairs.
The attachment "New Microsoft excel table.xls" has been reused in several other attacks.
If the user downloads and opens the attachment "New Microsoft excel table.xls", the password prompt shown below appears; entering "8861", the password given in the e-mail, infects the user's PC with the malicious file.
Once the password is entered and OK is pressed, the workbook drops "set.xls" into the temp folder and at the same time drops and executes "ews.exe".
"ews.exe" then copies itself to the following path, disguised as an Internet Explorer executable (the genuine iexplore.exe lives under Program Files, so a copy in the user's Application Data folder is itself an indicator):
C:\Documents and Settings\[User Account Name]\Application Data\iexplore.exe
When this copy runs, it creates "keybyd.dat", which acts as a keylogger, and tries to connect to a host in Hong Kong (lixht.gnway.net). In addition, alg.exe uses TCP port 21 (FTP) and TCP port 23 (Telnet) to leak the user's personal information. Note that alg.exe is also the name of the legitimate Windows Application Layer Gateway service, so the process path and its network behaviour, not the name alone, should be used to tell the two apart.
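The infection chain above yields a compact set of host and network indicators. The following is an added example (not INCA Internet's code) that hunts for those indicators in endpoint telemetry. The simplified Sysmon-like event dictionaries and the sample events are constructed for this example; the indicator values (the dropped file names, the Application Data path for the decoy iexplore.exe, the host lixht.gnway.net and TCP ports 21/23) come from the write-up. The short allow-list of ftp.exe and telnet.exe as legitimate users of those ports is an assumption for illustration.

```python
"""Hunt for the indicators from the password-protected Excel attack.

Added example, not the original page's code. Event format: a minimal
Sysmon-like dict with a "type" of file_create, process_create or
network_connect. The sample events below are constructed.
"""
import ntpath
import re
from typing import Iterable

# Indicators named in the write-up.
DROPPED_FILES = {"set.xls", "ews.exe", "keybyd.dat"}
C2_HOST = "lixht.gnway.net"
EXFIL_PORTS = {21, 23}
# Legitimate command-line clients for those ports (assumed allow-list).
KNOWN_CLIENTS = {"ftp.exe", "telnet.exe"}

# The genuine Internet Explorer binary lives under Program Files; an
# iexplore.exe under a user's Application Data folder is the decoy copy.
# Accepts both "Documents and Settings" and the write-up's "Document and Settings".
APPDATA_IEXPLORE = re.compile(
    r"^[a-z]:\\documents? and settings\\[^\\]+\\application data\\iexplore\.exe$",
    re.IGNORECASE,
)


def classify(event: dict) -> list[str]:
    """Return the list of indicator names an event matches (empty = clean)."""
    hits: list[str] = []
    kind = event.get("type")
    if kind == "file_create":
        path = event["path"]
        name = ntpath.basename(path).lower()
        if name in DROPPED_FILES:
            hits.append(f"dropped file {name}")
        if APPDATA_IEXPLORE.match(path):
            hits.append("iexplore.exe decoy in Application Data")
    elif kind == "process_create":
        image = event["image"]
        if APPDATA_IEXPLORE.match(image):
            hits.append("iexplore.exe decoy executed")
        if ntpath.basename(image).lower() == "ews.exe":
            hits.append("ews.exe executed")
    elif kind == "network_connect":
        if event.get("dest_host", "").lower() == C2_HOST:
            hits.append(f"connection to {C2_HOST}")
        port = event.get("dest_port")
        image = ntpath.basename(event.get("image", "")).lower()
        # FTP/Telnet from anything but a known client is suspicious on a
        # workstation; the write-up names alg.exe as the exfiltration process.
        if port in EXFIL_PORTS and image not in KNOWN_CLIENTS:
            hits.append(f"tcp/{port} from non-interactive process {image}")
    return hits


def hunt(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, matched indicators) for every matching event."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]


# Constructed sample telemetry following the chain described above.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Documents and Settings\jdoe\Local Settings\Temp\set.xls"},
    {"type": "file_create",
     "path": r"C:\Documents and Settings\jdoe\Local Settings\Temp\ews.exe"},
    {"type": "process_create",
     "image": r"C:\Documents and Settings\jdoe\Local Settings\Temp\ews.exe"},
    {"type": "file_create",
     "path": r"C:\Documents and Settings\jdoe\Application Data\iexplore.exe"},
    {"type": "process_create",  # the real browser: must not fire
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"type": "file_create",
     "path": r"C:\Documents and Settings\jdoe\Application Data\keybyd.dat"},
    {"type": "network_connect", "image": r"C:\WINDOWS\System32\alg.exe",
     "dest_host": "lixht.gnway.net", "dest_port": 21},
    {"type": "network_connect", "image": r"C:\WINDOWS\System32\ftp.exe",
     "dest_host": "ftp.example.org", "dest_port": 21},  # benign FTP client
]

if __name__ == "__main__":
    for index, hits in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {'; '.join(hits)}")
```

Run stand-alone, the script flags six of the eight constructed events and stays silent on the genuine iexplore.exe under Program Files and on the benign ftp.exe session. The network rule deliberately keys on the process making the connection rather than only on the destination host, since the C2 host can change between variants while an FTP or Telnet connection from a service binary such as alg.exe remains anomalous.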
An attack aimed at officials of a government organization can capture confidential information: once a PC is compromised by a file of this kind, the attacker can collect internal data and launch further attacks from it. To use your PC safely despite such malicious attachments, install the latest security updates and follow the "Security management tips" for general users below.
INCA Internet (Security Response Center / Emergency Response Team) operates a response system against a wide range of security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes this file and its variants.
Free installation of nProtect AVS: http://avs.nprotect.com/