[Issue] APT attack on the Ambassade de France en Chine

1. Introduction

While monitoring APT attacks, the INCA Internet response team detected a malicious attack targeting the French embassy in China ("Ambassade de France en Chine"). The attacker embedded a malicious file in an MS Excel file. A password is needed to open the Excel file and execute the malicious file, so a user who does not know the password cannot be exposed to it. Conversely, using a password lets this kind of attack be narrowed to specific users.

2. Spreading path and symptoms of infection

[Warning] Detected APT attack for Korean famous web portal site (#Update 02)

The attacker used a simple e-mail. Its title is "Application" and its body contains only the password.

To raise the success rate, attackers use social engineering techniques to attract attention; however, attacks aimed at global targets are difficult because of the language and technical preparation each one requires. Even so, security can easily be broken by a simple attack.

The e-mail used in the attack is as follows.

The attacker used a sina.com account, and the recipient's mail address belongs to the French Ministry of Foreign Affairs.

The attached "New Microsoft excel table.xls" has been used several times in various attacks.

If a user downloads and opens the attachment "New Microsoft excel table.xls", the following password prompt window is shown, and entering the password "8861" given in the mail infects the user's PC with the malicious file.

Other cases have also been reported in which malicious files infect the PC as soon as the document is opened, using a security exploit in the document file. This creates a temp folder and an abnormal file. In this case, the user is already infected by the malicious files.

When the password is entered and OK is pressed, it creates "set.xls" in the temp folder. At the same time, it creates and executes "ews.exe".

"ews.exe" creates a copy of itself at the following path, disguised as an Internet Explorer installation file.

C:\Documents and Settings\[User Account Name]\Application Data\iexplore.exe

When this malicious file executes, it creates "keybyd.dat", which works as a keylogger, and tries to access a certain host (lixht.gnway.net) in Hong Kong. In addition, alg.exe uses TCP port 21 (FTP) and port 23 (Telnet) to leak the user's personal information.
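The file names, path and network behaviour described in this section can be expressed as checks over host telemetry. The following Python is an added example, not INCA Internet's code; the event schema, rule names, user name, file locations in the sample and the sample events themselves are constructed for illustration.

```python
import re

# Indicators as named in the write-up above.
C2_HOST = "lixht.gnway.net"
TEMP_DROPS = {"set.xls", "ews.exe"}   # created in the temp folder
KEYLOG_FILE = "keybyd.dat"
FAKE_IE = re.compile(r"\\application data\\iexplore\.exe$", re.IGNORECASE)
LEAK_PORTS = {21, 23}                 # FTP and Telnet, used by alg.exe

def _name(path):  # lower-cased file name of a Windows path
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the rules a single event dict matches."""
    hits = []
    kind = event.get("type")
    image = event.get("image", "")
    target = event.get("target", "")
    if kind == "file_create":
        if _name(target) in TEMP_DROPS and "\\temp\\" in target.lower():
            hits.append("dropper_output_in_temp")
        if _name(target) == KEYLOG_FILE:
            hits.append("keylogger_file")
    if kind in ("file_create", "process_start") and FAKE_IE.search(target or image):
        hits.append("iexplore_in_application_data")
    if kind == "dns_query" and event.get("host", "").lower().rstrip(".") == C2_HOST:
        hits.append("c2_lookup")
    if kind == "net_connect" and _name(image) == "alg.exe" and event.get("port") in LEAK_PORTS:
        hits.append("alg_ftp_or_telnet")
    return hits

# Constructed sample events: hypothetical schema, user name and file locations.
HOME = "C:\\Documents and Settings\\user1"
SAMPLE_EVENTS = [
    {"type": "file_create", "target": HOME + "\\Local Settings\\Temp\\set.xls"},
    {"type": "file_create", "target": HOME + "\\Local Settings\\Temp\\ews.exe"},
    {"type": "file_create", "target": HOME + "\\Application Data\\iexplore.exe"},
    {"type": "process_start", "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
    {"type": "file_create", "target": HOME + "\\Application Data\\keybyd.dat"},
    {"type": "dns_query", "host": "lixht.gnway.net."},
    {"type": "net_connect", "image": "alg.exe", "port": 21},
]

def scan(events):
    """Map event index -> matched rules, skipping events with no match."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The genuine Internet Explorer process under Program Files (event 3) is deliberately left unflagged, which is the distinction the disguised copy in Application Data relies on.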

3. Summary

Attacks aimed at government officials can be used to steal confidential information. If a PC is exposed to this kind of malicious file, the attacker can collect internal information and launch various further attacks. To use your PC safely against the threat of such malicious attachments, we recommend that you download the latest security updates and follow the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated to the latest version, and use its real-time detection function.
3. Do not open or download attached files from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 detects and treats various variant files.

Free installation link of nProtect AVS : http://avs.nprotect.com/

