In another turn of interesting events, during the course of my monitoring of targeted attacks, specifically advanced persistent threats, I came upon an email with a PDF attachment that had a measly 4 out of 42 generic or heuristic detections.
I checked out the email and whoa! It was an email from a trusted researcher colleague and friend at FireEye who was also monitoring these kinds of campaigns; or, to put it accurately, it looked like it.

Looks legit, right? However, my first instinct told me that something was definitely amiss, so I zeroed in first on the email headers, where I expected to find some spoofing details, which I did.

The headers were clearly spoofed. The email address and other contact details of my colleague, and even the FireEye company logo, were used as part of a social engineering ploy by the attackers behind this particular campaign.
The email address seen in the Return-Path is dawatsering228@yahoo.com. The address looks familiar, as I’m sure I saw it in some previous targeted attack campaigns against pro-Tibetan public figures and NGOs. Doing some OSINT in Google on the email address led me to results about Tibetan public figures or activists known by the name “Dawa Tsering”, or “Moon of Long Life” in Buddhism. However, it is plainly impossible that such a figure would be sending targeted email campaigns. The said email address could have been compromised.
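A defender-side check for the kind of disagreement described above between the visible From address and the envelope sender (Return-Path), added here as an example and not code from the original post or from Trend Micro or FireEye. The message and all addresses in it are constructed placeholders, not values from the incident.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message modelled on the spoofing described in the post:
# the From header impersonates a colleague at a vendor domain, while the
# Return-Path and Reply-To point at an unrelated webmail address.
RAW_MESSAGE = """\
Return-Path: <sender@example-webmail.invalid>
From: "Trusted Colleague" <colleague@example-vendor.invalid>
Reply-To: <sender@example-webmail.invalid>
To: analyst@example.invalid
Subject: Next Generation Threats
Content-Type: text/plain

Please see the attached report.
"""


def _domain(addr):
    """Return the lower-cased domain of an address header, or '' if malformed."""
    _, address = parseaddr(str(addr or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def header_mismatches(raw):
    """Parse a raw RFC 5322 message and list sender-identity inconsistencies.

    Returns a list of short findings. An empty list means the From,
    Return-Path and Reply-To domains all agree, which is the normal case for
    mail that really originates from the displayed sender.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    findings = []
    for header in ("Return-Path", "Reply-To"):
        value = msg[header]
        if value is None:
            continue  # header absent; nothing to compare
        other = _domain(value)
        if other and other != from_domain:
            findings.append(
                f"{header} domain {other!r} differs from From domain {from_domain!r}"
            )
    return findings


if __name__ == "__main__":
    for finding in header_mismatches(RAW_MESSAGE):
        print(finding)
```

A mismatch alone is not proof of spoofing (mailing lists and forwarders also rewrite the envelope sender), so treat a hit as a triage signal to be confirmed against SPF/DKIM results and the rest of the headers.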
The attachment, a file named Next Generation Threats.pdf, exploits a vulnerability, possibly to drop other malware or execute other routines. The PDF, detected as TROJ_PIDIEF.KFR, is password-protected. The password protection encrypts the body of the file, which hides all details of the vulnerability it exploits. A closer look into the malware reveals that it drops a JavaScript, detected as JS_DROPPR.KFR. This JavaScript then drops the backdoor BKDR_INJECT.KFR, which connects to {BLOCKED}.{BLOCKED}.77.98. The said IP address appears to be registered in China. The backdoor communicates the following information to the IP address:
- IM IDs and password
- List of drives and files
- User account names and passwords
This incident, along with the one that our friends from AlienVault reported about the use of their blog post and an HTML copy of their site in these campaigns, shows that the attackers behind these targeted campaigns are becoming more creative in furthering their agenda.
We will update this post as soon as we have more information on the malware found in this attack.