The Latest in IT Security

NATO’s NSHQ Targeted by Attack Leveraging Hurricane Sandy

20 Nov 2012

It’s been weeks now since we watched the destructive effects of Hurricane Sandy on the environment and on the people living in the affected areas. Trend Micro and the security industry have been on the lookout for scams and threats that use Sandy as a social engineering ploy to infiltrate targets.

During our tracking of targeted attacks and cybercrime, we have uncovered one such campaign. It seems that, amid the commotion caused by Sandy, some groups used the event as social engineering bait to target NATO Special Operations Headquarters (NSHQ) last October 31.

The email message we spotted has the subject “Did Global Warming Contribute to Hurricane Sandy’s Devastation” and contains a .DOC file with the same title. The people behind this scheme appear to have reused the title of a recent New York Times blog post about Hurricane Sandy. The sender IP seen ({BLOCKED}.{BLOCKED}.241.144) is listed in at least 3 blacklists.

The attachment, which Trend Micro detects as TROJ_ARTIEF.SDY, exploits the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333), which Microsoft addressed in November 2010 in MS10-087, to drop the backdoor BKDR_DLDR.A. If you recall, this vulnerability was the top exploited vulnerability this April. Despite being patched back in 2010, attackers have kept using this MS Word bug ever since. This shows that attacks need not use zero-day exploits to be effective.
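One defensive check that follows from this incident: the lure carried a .DOC attachment, yet the exploit it used is an RTF parser bug, so the file content did not match its declared extension. The script below is an added example, not Trend Micro’s tooling or the malware sample; it parses a mail message, inspects each attachment’s leading bytes, and flags a declared Office extension whose content is really RTF. The sample messages, file names and payload bytes are constructed here for illustration (the RTF body is a plain, benign header, not an exploit), and the mapping of extensions to expected signatures is the assumption the check rests on. It does not replace scanning: a genuine OLE2 .DOC can also carry an exploit, so the absence of a mismatch is not a clean bill of health.

```python
"""Flag mail attachments whose file extension disagrees with their real content
(for example a ".doc" attachment that actually starts with an RTF header)."""
import email
import os
from email import policy
from email.message import EmailMessage

# Well-known file signatures (magic bytes).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls/.ppt
RTF_MAGIC = b"{\\rtf"                             # Rich Text Format
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.xlsx (zip container)

# Assumed policy: what content each declared extension is allowed to carry.
EXPECTED_KIND = {
    ".doc": "ole2",
    ".xls": "ole2",
    ".ppt": "ole2",
    ".docx": "zip",
    ".rtf": "rtf",
}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes rather than by file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def check_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment; 'suspicious' is True on a mismatch."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        data = part.get_payload(decode=True) or b""
        detected = sniff(data)
        expected = EXPECTED_KIND.get(ext)
        # Only extensions we have a policy for can be judged; unknown extensions
        # are reported but not flagged, so the analyst still sees them.
        suspicious = expected is not None and detected != expected
        findings.append({
            "filename": filename,
            "extension": ext,
            "expected": expected,
            "detected": detected,
            "suspicious": suspicious,
        })
    return findings


def build_sample(attachment: bytes, filename: str, subject: str) -> bytes:
    """Construct a test message with one attachment (constructed data, not a real lure)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    msg.add_attachment(attachment, maintype="application", subtype="msword",
                       filename=filename)
    return msg.as_bytes()


# Constructed sample 1: ".doc" name, but the bytes are an RTF header (benign text).
RTF_IN_DOC = build_sample(b"{\\rtf1\\ansi Constructed benign RTF body}",
                          "Hurricane_Sandy_Devastation.doc",
                          "Did Global Warming Contribute to Hurricane Sandy's Devastation")

# Constructed sample 2: ".doc" name with a genuine OLE2 signature, so no mismatch.
OLE2_IN_DOC = build_sample(OLE2_MAGIC + b"\x00" * 32,
                           "Quarterly_Report.doc",
                           "Quarterly report")


def main() -> None:
    for label, raw in (("rtf-in-doc", RTF_IN_DOC), ("ole2-in-doc", OLE2_IN_DOC)):
        for f in check_attachments(raw):
            verdict = "ALERT" if f["suspicious"] else "ok"
            print(f"{label}: {f['filename']} declared={f['expected']} "
                  f"actual={f['detected']} -> {verdict}")


if __name__ == "__main__":
    main()
```

On a mail gateway this check is cheap to run on every attachment before any parser is invoked, which is the point: the file is classified by what it is, not by what it claims to be, so a lure that relies on a mismatched extension is surfaced before a user double-clicks it.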

The dropped malware, BKDR_DLDR.A, connects to its command-and-control (C&C) server, domain.{BLOCKED}2.us, to send and receive commands from remote attackers. Among the commands it can execute are downloading, copying, modifying and creating files and folders, stealing file information, and acquiring time zone information. According to senior threat researcher Nart Villeneuve, this backdoor is an Enfal/Lurid variant, a family we have documented in the past as having been used, and possibly still being used, in targeted attack campaigns.

In the past, Trend Micro has reported various incidents where cybercriminals leveraged disasters as part of their social engineering tactic:

Trend Micro Smart Protection Network™ protects users from this threat by detecting all related files and spammed messages as well as blocking the related URLs. Users are advised to be cautious when opening email messages, especially when downloading and executing attachments. Employees should not readily trust email messages even when they appear business-like, as attackers are good at spoofing messages.

Trend Micro has already alerted NATO and NSHQ about the said incident. Currently, we cannot confirm if this attack is part of a larger campaign or the exact motivations behind it. However, we are continuously monitoring this and we’ll post an update accordingly. Stay tuned.
