
9/03/2012

[Issue] APT attack for ambassade de France en chine

1. Introduction

The INCA Internet response team detected a malicious attack aimed at the "Embassy of France in China" while monitoring APT attacks. The attacker embedded a malicious file in an MS Excel file, but a password is needed to open the Excel file and run the malicious file. Therefore a user who does not know the password is not exposed to this malicious file; conversely, by using a password the attacker can narrow the targets of this kind of attack to certain users.



2. Spreading path and symptom of infection

[Warning] Detected APT attack for Korean famous web portal site (#Update 02)
http://en-erteam.nprotect.com/2012/07/warning-detected-apt-attack-for-korean.html

The attacker used a very simple e-mail. Its subject is "Application" and its body contains only the password.

To raise the success rate, attackers have used social engineering techniques to draw the recipient's attention; however, attacks aimed at targets abroad are harder because of the language and technical preparation each one requires. Even so, security can be broken easily by a simple attack like this one.

The e-mail used in the attack is as follows.


The attacker used a sina.com account, and the recipient's mail address belongs to the French Ministry of Foreign Affairs.

The attachment "New Microsoft excel table.xls" has been used several times in various attacks.

If a user downloads and opens the attachment "New Microsoft excel table.xls", the following password prompt appears, and entering the password "8861" from the e-mail infects the user's PC with the malicious file.



Other cases have also been reported in which the malicious file is dropped simply by opening a document that exploits a security vulnerability in the document software. These create abnormal files in the temp folder, and by the time they appear the user is already infected.

When the user enters the password and presses OK, the document creates "set.xls" in the temp folder. At the same time it creates "ews.exe" and executes it.

"ews.exe" creates a copy of itself at the following path, disguised as an Internet Explorer installation file.

C:\Document and Settings\[User Account Name]\Application Data\iexplore.exe


When this malicious file runs, it creates "keybyd.dat", which works as a keylogger, and tries to connect to a certain host (lixht.gnway.net) in Hong Kong. In addition, alg.exe uses TCP port 21 (FTP) and port 23 (Telnet) to leak the user's personal information.
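As an added example (not from the original post or from INCA Internet), the following Python triage script checks endpoint log lines against the indicators described above: the dropped file names, an "iexplore.exe" running outside the Internet Explorer directory, and connections to lixht.gnway.net or on TCP 21/23 from a process under Application Data. The pipe-separated log format, the sample lines and the 203.0.113.5 address are assumptions constructed for this example.

```python
import re

# Indicators quoted from the advisory above (host, exfil ports, dropped file names)
C2_HOST = "lixht.gnway.net"
EXFIL_PORTS = {21, 23}          # FTP / Telnet
DROPPED_NAMES = {"ews.exe", "set.xls", "keybyd.dat"}
# The only place a genuine iexplore.exe lives; the sample copies itself to Application Data
IE_LEGIT = re.compile(r"^[a-z]:\\program files( \(x86\))?\\internet explorer\\iexplore\.exe$", re.I)
APPDATA = re.compile(r"\\application data\\", re.I)

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_ie_masquerade(path):
    """True for an iexplore.exe anywhere other than the Internet Explorer directory."""
    return _name(path) == "iexplore.exe" and not IE_LEGIT.match(path)

def analyze(lines):
    """Constructed log format (assumption): PROC|image|parent, FILE|path, NET|process|host|port."""
    findings = []                     # (log line number, rule name, detail)
    for n, line in enumerate(lines, 1):
        f = line.strip().split("|")
        if f[0] == "PROC":
            image, parent = f[1], f[2]
            if is_ie_masquerade(image):
                findings.append((n, "iexplore_masquerade", image))
            if _name(image) in DROPPED_NAMES and _name(parent) == "excel.exe":
                findings.append((n, "office_spawned_dropper", f"{parent} -> {image}"))
        elif f[0] == "FILE":
            if _name(f[1]) in DROPPED_NAMES:
                findings.append((n, "known_dropped_file", f[1]))
        elif f[0] == "NET":
            proc, host, port = f[1], f[2], int(f[3])
            if host.lower() == C2_HOST:
                findings.append((n, "c2_host", f"{proc} -> {host}:{port}"))
            elif port in EXFIL_PORTS and APPDATA.search(proc):
                findings.append((n, "appdata_process_ftp_telnet", f"{proc} -> {host}:{port}"))
    return findings

# Constructed sample log reproducing the chain described in the post; line 6 is a benign control
SAMPLE_LOG = r"""
FILE|C:\Documents and Settings\user\Local Settings\Temp\set.xls
PROC|C:\Documents and Settings\user\Local Settings\Temp\ews.exe|C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
PROC|C:\Documents and Settings\user\Application Data\iexplore.exe|C:\Documents and Settings\user\Local Settings\Temp\ews.exe
FILE|C:\Documents and Settings\user\Application Data\keybyd.dat
NET|C:\Documents and Settings\user\Application Data\iexplore.exe|lixht.gnway.net|21
NET|C:\Program Files\Internet Explorer\iexplore.exe|www.example.com|443
NET|C:\Documents and Settings\user\Application Data\iexplore.exe|203.0.113.5|23
"""
```

Run `analyze(SAMPLE_LOG.strip().splitlines())` to get one finding per suspicious line; the legitimate Internet Explorer connection on line 6 produces none.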


3. Summary

Attacks aimed at officials of government organizations can steal confidential information. Once a target is exposed to this kind of malicious file, the attacker can collect internal information and launch various further attacks. To keep your PC safe from the security threats posed by such malicious attachments, we recommend that you install the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and social networking services.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes the variants of these files.

Free installation link of nProtect AVS : http://avs.nprotect.com/
