Phishing Campaign Using Military, Illicit Attachments
Contributed by: Email on 03/29/2013 03:26 PM
Look out for email attachments offering better sex tips and news about newly developed Chinese stealth frigates, because they are loaded with malware, according to a Securelist report written by Kaspersky Lab expert, Ben Godwood.
The malware is fairly old and not particularly advanced, but a lot of it has been trying to pass through the Kaspersky security network lately and on a very regular basis. Godwood advises that you just don't open attached documents with titles like: "EAT FOR BETTER SEX.doc," "How to last longer in bed.doc," "6 Awkward Sex Moments, Defused.doc," "9 ways to have better, hotter, and more memorable sex.doc," and "10 Ways to Get More Sex.doc."
You'll also want to avoid these potentially fascinating attachments: Stealth Frigate.doc, The BrahMos Missile.doc, and How DRDO failed India's military.doc.
There is also a third category of malicious documents with roughly the same subjects, but written in Cyrillic characters: приоритеты сотрудничества.doc, Список участников рабочей группы 0603-2013).doc, Список кадров.doc, and Приглашение МИОМ ТЕЙКОВО 2013.doc.
If a user happens to open one of these attachments, he or she will be presented with a decoy document that actually contains what it claims to contain. Godwood posted two of them with his report: one was about a new stealth frigate for the Chinese military, and the other had to do with the relationship between a healthy diet and better sex.
The malware hiding inside these attachments consists of Enfal variants, which researchers from TrendMicro wrote about in their Lurid targeted attacks analysis in September 2011. Back then, Enfal's progenitors were trying to snare government ministries and agencies, military and defense contractors, nuclear and energy sectors, space and aviation, and the Tibetan community. The countries in which the most machines were compromised were Vietnam, Russia, India, China, and Bangladesh.
Godwood said that this second wave of phishing emails appears to be coming from Australia and the Republic of Korea via mail.mailftast.com. That domain's IP address is fairly dynamic, according to Godwood, but the domain is registered to a Liu Runxin in Shanghai, China.
"When the exploit runs it creates and executes a file called wordupgrade.exe," writes Godwood. This executable drops a DLL called usrsvpla.dll into the system32 directory and modifies the WmdmPmSN (Portable Media Serial Number Service) registry key to load the DLL into svchost.exe.
Kaspersky detects the wordupdate.exe file as Trojan-Dropper.Win32.Datcaen.d and the usrsvpla.dll file as Trojan.Win32.Zapchast.affv.
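A defender-side check for the persistence mechanism described above, added here as an example and not code from Godwood's report or from Kaspersky: it reads the WmdmPmSN service's ServiceDll registry value, which is what svchost.exe uses to decide which DLL to load, and flags the usrsvpla.dll name the report gives. The Parameters\ServiceDll location and the legitimate DLL path (mspmsnsv.dll) are assumptions about the standard Windows service layout, not details taken from the report.

```powershell
# Hunt for the Enfal persistence the article describes: the WmdmPmSN
# (Portable Media Serial Number Service) being repointed at a dropped DLL
# (usrsvpla.dll) so that svchost.exe loads it.
# Assumptions: svchost-hosted services read their DLL from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll, and
# the legitimate DLL for WmdmPmSN is %SystemRoot%\System32\mspmsnsv.dll.

$ServiceName = 'WmdmPmSN'
$SuspectDll  = 'usrsvpla.dll'                          # DLL name from the report
$ExpectedDll = '%SystemRoot%\System32\mspmsnsv.dll'    # assumed legitimate value
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$ParamsKey   = Join-Path $ServiceKey 'Parameters'

$findings = @()

if (-not (Test-Path $ServiceKey)) {
    Write-Output "Service key $ServiceKey not present; nothing to check."
    return
}

# 1. Compare the ServiceDll value against the expected legitimate DLL.
$serviceDll = (Get-ItemProperty -Path $ParamsKey -Name 'ServiceDll' -ErrorAction SilentlyContinue).ServiceDll
if ($serviceDll) {
    $actual   = [Environment]::ExpandEnvironmentVariables($serviceDll)
    $expected = [Environment]::ExpandEnvironmentVariables($ExpectedDll)
    if ($actual -ine $expected) {
        $findings += "ServiceDll for $ServiceName is '$serviceDll' (expected '$ExpectedDll')"
    }
    if ((Split-Path $actual -Leaf) -ieq $SuspectDll) {
        $findings += "ServiceDll for $ServiceName points at the reported Enfal DLL $SuspectDll"
    }
} else {
    $findings += "No ServiceDll value under $ParamsKey (unexpected for an svchost-hosted service)"
}

# 2. Look for the dropped DLL itself in system32, wired in or not.
$dropPath = Join-Path $env:SystemRoot "System32\$SuspectDll"
if (Test-Path $dropPath) {
    $findings += "Dropped file present: $dropPath"
}

# 3. A service whose ImagePath no longer runs under svchost.exe is also worth a look.
$imagePath = (Get-ItemProperty -Path $ServiceKey -Name 'ImagePath' -ErrorAction SilentlyContinue).ImagePath
if ($imagePath -and $imagePath -notmatch 'svchost\.exe') {
    $findings += "ImagePath for $ServiceName is '$imagePath', not svchost.exe"
}

if ($findings.Count -eq 0) { Write-Output "$ServiceName looks untouched." }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

Run it from an elevated prompt on the suspect host; a hit on the ServiceDll check is the signal to pull the DLL and the wordupgrade.exe dropper for analysis rather than just deleting them.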
The most recent samples picked up by Godwood phone home to a command and control server at yui.bcguard.com, which has the same registration details as the mail domain above. However, the C&C domain's IP address is a Chinese one, while the mail domain's IP is in the U.S. Other domains registered to Liu Runxin include timmf.com, bcbtheory.com, bellbuttons.com, atmdzxgs.com, coffeeibus.com, and cymdbd.com.