Backdoor Malware Targets Asian Users

Wednesday, June 12, 2013 @ 02:06 PM gHale

Vietnam, India, China, and Taiwan users were a part of an attack campaign that uses Microsoft Word documents rigged with exploits in order to install a backdoor program that allows attackers to steal information, researchers said.

The targeted attacks used specifically crafted Word documents as bait in spear-phishing emails sent to the intended victims, said researchers from security firm Rapid7. The goal of these documents was to exploit known vulnerabilities that affect unpatched installations of Microsoft Office.

Malware Disguises as Antivirus
Self-Propagating Trojan Lives On
BIND 9 DoS Hole Patched
P2P Botnets Keep Growing

One of the malicious documents found by Rapid7 researchers is in Vietnamese and is about best practices for teaching and researching scientific topics. This suggests the targets of attacks were part of the Vietnamese academic community, Rapid7 researchers Claudio Guarnieri and Mark Schloesser said Friday.

A second document written in English discusses the state of telecommunication infrastructure, including GSM network coverage and Internet broadband availability, in Calcutta, India. The Rapid7 researchers believe this document targeted people working in the telecommunications industry in India or local government representatives.

When opened, the two documents attempt to exploit remote code execution vulnerabilities in the Windows common controls component. Identified as CVE-2012-0158 and CVE-2012-1856, respectively, these vulnerabilities affect Microsoft Office 2003, 2007 and 2010. Microsoft patched these vulnerabilities in 2012 as part of the MS12-027 and MS12-060 security bulletins.

Like a fine wine, these exploits age well as they consistently end up exploited by attackers, especially CVE-2012-0158. Two examples of targeted attacks where CVE-2012-0158 saw use include the NetTraveler and Hangover cyber espionage campaigns.

The malicious documents install a backdoor program called KeyBoy, after a text string found in one of the samples, said Rapid7 researchers. The malware registers a new Windows service called MdAdum that loads a malicious DLL (Dynamic Library Link) file called CREDRIVER.dll, the researchers said.

The KeyBoy malware steals credentials stored in Internet Explorer and Mozilla Firefox and installs a keylogger component that can steal credentials entered into Google Chrome. The backdoor program also allows the attackers to get detailed information about the compromised computers, browse their directories, and download or upload files from and to them, Rapid7 researchers said.

In addition, the malware can open a Windows command shell on the infected computers that can remotely to execute Windows commands, they said.

The backdoor samples collected by the Rapid7 researchers ended up compiled on April 1, suggesting the attacks are recent. The domain names used for the command-and-control servers contacted by the malware registered during April and May.

These attackers are definitely targeting users in several different countries, Guarnieri said. Rapid7 found evidence users in Taiwan, members of minority populations in China and possibly Western diplomats are targets of this campaign, he said.

“The campaign is not particularly sophisticated, the exploits are well known and the malware is fairly simple,” Guarnieri said. “However as we have seen in recent years, sophistication is not necessary for attackers to be successful and meet their ends. In fact the large majority of targeted attacks from and within the Asian region are generally very basic in complexity.”

Antivirus detection rates for the exploits and the backdoor malware are surprisingly low at the moment, he said. “For some reason this group didn’t receive particular attention (at least not publicly) so we expect detection to improve in the next days.”

Leave a Reply

You must be logged in to post a comment.