12345

9/03/2012

[Issue] APT attack for ambassade de France en chine

1. Introduction

INCA Internet response team detected malicious attack for "Ambassador of France in Chine" while monitoring APT attacks. Attacker inserted malicious file in MS Excel file. But to open excel file and execute malicious file, password is needed. Therefore, user who doesn't know the password can't be exposed by this malicious file. On the contrary to this, targets of this kind of attack, using password, can be narrowed for certain users.



2. Spreading path and symptom of infection

[Warning] Detected APT attack for Korean famous web portal site (#Update 02)
http://en-erteam.nprotect.com/2012/07/warning-detected-apt-attack-for-korean.html

Attacker used simple form of e-mail. Its title is "Application" and its body contains only password.

To heighten attack success rate, attackers have used social engineering technique for getting attractions, however; attacks aiming for global is difficult due to each language and technical preparation. But, security can be easily broken by simple attack.

E-mail used on attack is as following.


Attacker used sina.com's account and receiver's mail address is from France Ministry of Foreign Affairs.

Attached "New Microsoft excel table.xls" has been used several time on various attacks.

If a user downloads and executes attachment "New Microsoft excel table.xls", following password requirement window can be shown and inputting "8861" on its mail can infect user's PC by malicious file.



Other cases, infecting malicious files on executing with using document file's security exploit, are also reported. This makes temp folder and abnormal file. In this case, user is already infected by malicious files. 

To input password and press OK, it creates "set.xls" on temp folder. At the same time, it creates "ews.exe" and executes.

"ews.exe" creates its clone on following path for disguising as a Internet Explorer installation file.

C:\Document and Settings\[User Account Name]\Application Data\iexplore.exe


When this malicious file executes, it creates "keybyd.dat" working as keylogger and tries to access on certain host(lixht.gnway.net) in Hong Kong. Besides, alg.exe uses TCP 21(FTP) port and 23(Telnet) port for leaking user personal information.


3. Summary

Attacking case aiming at officials for government organization can snatch confidential information. In case of exposed by this kind of malicious files, attacker can collect internal information and various attacks. To use PC safely from security threats of these malicious attachments, we recommend you download latest security updates and obey following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs responding system against various security threats.
nProtect Anti-Virus/Spyware v3.0 diagnoses and treats various variant files.

Free installation link of nProtect AVS : http://avs.nprotect.com/

1 comment:

  1. Just like every year, Apple is all set to release their brand new operating system iOS 11 in June during the WWDC 2017 event. Check this website to know everything about the upcoming operating system. iOS 11 Download

    ReplyDelete