The Latest in IT Security

Christmas-Themed Malware Starts to Jingle All the Way

07 Dec 2012

Once again, cybercriminals are taking advantage of the holidays in what seems like a targeted attack against businesses and government organizations. We spotted samples bearing the filename PROPOSED CHRISTMAS PARTY 2012.doc. Trend Micro detects this as TROJ_ARTIEF.RTN. When executed, this malware drops a file (temp.doc) that acts as a decoy to trick recipients into thinking this is a legitimate document. The document we spotted appears to be an invitation to a certain government office’s upcoming Christmas party.

Moreover, TROJ_ARTIEF.RTN exploits MS12-027 (Vulnerability in Windows Common Controls Could Allow Remote Code Execution, 2664258) to drop a backdoor, which we detect as BKDR_GAMFRIC.A. Once running on the infected system, BKDR_GAMFRIC.A connects to its C&C server, http://{BLOCKED}ws-google.net. It can also execute the following commands, which compromise system security:

  • Download and execute arbitrary files
  • Get network information
  • Get username/computer name
  • Get OS information
  • Get running processes
  • Get installed applications
  • Perform shell commands
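The C&C domain above is a brand lookalike: it embeds "google" in a registrable domain that Google does not own. As an added, defensive illustration (not code from the original post or from Trend Micro), the following Python check runs over constructed proxy-log lines and flags exactly that pattern; the brand list, the simplified suffix table and the log format are assumptions.

```python
from urllib.parse import urlsplit

# Brands whose name embedded in a *different* registrable domain is suspicious (assumption).
BRANDS = ("google", "microsoft", "adobe")
# Simplified public-suffix handling: only these two-label suffixes are treated specially (assumption).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(host):
    """Return the registrable (eTLD+1) part of a hostname, e.g. 'ws-google.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def is_brand_lookalike(host):
    """Return the brand name if the host's registrable domain embeds it without being it.
    ws.google.com -> None      (subdomain of the brand's own domain google.com)
    ws-google.net -> 'google'  (registrable domain is ws-google.net)"""
    second_level = registrable_domain(host).split(".")[0]
    for brand in BRANDS:
        if brand in second_level and second_level != brand:
            return brand
    return None

# Constructed sample proxy log lines (not from the original post); fields: ts client method url status.
SAMPLE_LOG = """\
2012-12-07T09:15:02Z 10.0.0.21 GET http://www.google.com/search?q=party 200
2012-12-07T09:15:44Z 10.0.0.21 GET http://ws-google.net/cmd 200
2012-12-07T09:16:10Z 10.0.0.33 GET http://ws.google.com/ 200
2012-12-07T09:17:55Z 10.0.0.33 POST http://update.microsoft-cdn.net/ 200
"""

def find_lookalike_beacons(log_text):
    """Return (client, host, brand) for every request to a brand-lookalike domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname
        if not host:
            continue
        brand = is_brand_lookalike(host)
        if brand:
            hits.append((parts[1], host, brand))
    return hits
```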

This backdoor also checks which web browser is in use and creates a hidden process into which it injects its malicious code. We speculate that this attack uses email messages as the delivery mechanism in order to penetrate the network of the targeted entity. In our primer, Covert Arrivals: Email’s Role in APT Campaigns, we discussed how threat actors use email as one of the entry points for APTs and targeted attacks. Such email messages rely on social engineering to trick users; in this case, the cybercriminals used Christmas and annual holiday parties as the lure. We’re currently monitoring this threat for any developments.

In the past, we reported various incidents that leveraged the Holidays as seen in the following posts:

Trend Micro protects users from this attack via its Smart Protection Network that detects the malicious files.
