
ADMM-Plus Related Attack

02 Aug 2012

The ASEAN Defense Ministers’ Meeting – Plus (ADMM-Plus) has recently been held with its 18 member countries: the ASEAN states plus Australia, China, India, Japan, Republic of Korea, New Zealand, Russia, and the United States.

We have discovered a malicious Rich Text Format file (.rtf or .doc), which targets anyone interested in the ADMM-Plus proceedings.

The RTF file exploits the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158) to drop a clean MS Word document and open a back door. The clean MS Word document is shown below.

It contains many phone numbers, fax numbers, and email addresses of military-related personnel from each country. I could not confirm whether the contact details are authentic or fake, but some of the phone numbers can be found on official websites. The following email domains are listed in the document:

  • mindef.gov.bn (Brunei)
  • kemhan.go.id (Indonesia)
  • mod.gov.my (Malaysia)
  • dnd.gov.ph (Philippines)
  • starnet.gov.sg (Singapore)
  • mofa.gov.vn (Vietnam)
  • defence.gov.au (Australia)
  • defence.govt.nz (New Zealand)
  • mod.go.jp (Japan)
  • korea.kr (Korea)
  • osd.mil (United States)

Unfortunately, I could not trace the document’s origin. However, the same vulnerability has been observed in use by another researcher (Tibetan-Themed Malware Subverts a Legitimate Application). The back door is dropped as an iexplore.exe file in a temporary folder, and a shortcut is created in the Startup folder so that the back door runs each time the user logs in to the compromised computer. The back door connects to the following domains:

  • hipuc.vicp.cc
  • hipcp.oicp.net

These domains resolve to a server IP address in China (222.172.135.xxx).

Symantec detects this RTF file and the back door as Trojan.Dropper and Backdoor.Trojan respectively.
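The persistence and command-and-control details above (an iexplore.exe dropped into a temp folder, a Startup-folder shortcut pointing at it, and the two callback domains) are the pieces a defender would check for. The script below is an added triage example, not code from the original post or from Symantec: it flags Startup shortcuts whose target is an iexplore.exe outside its normal install directory, and scans DNS query log lines for the two domains named in the post. The shortcut targets and log lines are constructed for the example; the masked IP from the post is deliberately not used.

```python
"""Triage helpers for the ADMM-Plus RTF dropper's persistence and C2 indicators.

Only the two domain names come from the blog post. The shortcut targets and
log lines below are constructed sample data for illustration.
"""
import ntpath
import re

# Callback domains named in the post.
C2_DOMAINS = {"hipuc.vicp.cc", "hipcp.oicp.net"}

# Where a genuine iexplore.exe lives on a default install. Anything else named
# iexplore.exe that is launched from the Startup folder deserves a look.
LEGIT_IEXPLORE_DIRS = (
    r"c:\program files\internet explorer",
    r"c:\program files (x86)\internet explorer",
)
TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\")

# Loose "something.something" token matcher; IPs also match but are simply
# not in the indicator set, so they never produce a hit.
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


def startup_target_reason(target_path):
    """Return a reason string if a Startup shortcut target looks like the
    dropped back door, or None if it looks benign."""
    norm = target_path.lower().replace("/", "\\")
    if ntpath.basename(norm) != "iexplore.exe":
        return None
    if ntpath.dirname(norm) in LEGIT_IEXPLORE_DIRS:
        return None
    if any(marker in norm for marker in TEMP_DIR_MARKERS):
        return "iexplore.exe launched from a temp folder"
    return "iexplore.exe launched from a non-standard location"


def triage_startup_shortcuts(targets):
    """targets: mapping of shortcut file name -> resolved target path.
    Returns only the suspicious entries with their reason."""
    result = {}
    for name, path in targets.items():
        reason = startup_target_reason(path)
        if reason:
            result[name] = reason
    return result


def find_c2_hits(log_lines):
    """Return (line_number, domain) for every log line that names one of the
    C2 domains or a subdomain of one. Duplicates within a line are collapsed."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        seen = set()
        for token in DOMAIN_RE.findall(line.lower()):
            matched = token in C2_DOMAINS or any(
                token.endswith("." + d) for d in C2_DOMAINS
            )
            if matched and token not in seen:
                seen.add(token)
                hits.append((lineno, token))
    return hits


# Constructed sample data: shortcut name -> path it launches (as you would get
# by resolving each .lnk in the Startup folder).
SAMPLE_STARTUP_TARGETS = {
    "Internet Explorer.lnk": r"C:\Program Files\Internet Explorer\iexplore.exe",
    "iexplore.lnk": r"C:\Users\alice\AppData\Local\Temp\iexplore.exe",
    "OneNote.lnk": r"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE",
}

# Constructed sample DNS query log; only lines 2 and 3 should be flagged.
SAMPLE_DNS_LOG = [
    "2012-08-02 09:14:07 client=10.1.4.23 query=www.example.com type=A",
    "2012-08-02 09:14:11 client=10.1.4.23 query=hipuc.vicp.cc type=A",
    "2012-08-02 09:14:30 client=10.1.4.23 query=hipcp.oicp.net type=A",
    "2012-08-02 09:20:45 client=10.1.4.31 query=vicp.cc type=A",
]

if __name__ == "__main__":
    for name, reason in triage_startup_shortcuts(SAMPLE_STARTUP_TARGETS).items():
        print(f"SUSPICIOUS STARTUP ITEM {name}: {reason}")
    for lineno, domain in find_c2_hits(SAMPLE_DNS_LOG):
        print(f"C2 DOMAIN HIT line {lineno}: {domain}")
```

On a live Windows host the shortcut targets would be resolved from the `.lnk` files in each user's Startup folder (for example with `WScript.Shell`'s `CreateShortcut(...).TargetPath` from PowerShell or pywin32) and fed to `triage_startup_shortcuts`. The parent domains `vicp.cc` and `oicp.net` are dynamic-DNS providers, so the matcher deliberately requires the full host name rather than matching on the provider suffix.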
