The Latest in IT Security

Linsanity Leads to Targeted Malware Attacks

28 Feb 2012

When there are celebrity stories such as the death of Whitney Houston in the press, we expect to see BlackHat SEO attacks and other cybercriminal campaigns using these themes to distribute malware. However, a recent targeted attack against Tibetan activists caught our attention. The lure in this case was the story of Jeremy Lin, the NBA star whose outstanding play for the New York Knicks has drawn international attention. He recently made the front cover of Time magazine with the simple headline “Linsanity”.

A malicious document named “The incredible story of Jeremy Lin the NBA new superstar.doc”, detected by Trend Micro as TROJ_ARTIEF.LIN, was sent on February 16th 2012. It exploits a vulnerability in Microsoft Office (CVE-2010-3333) in order to drop malware on the target’s system. The dropped malware is detected by Trend Micro as BKDR_MECIV.LIN. After successful exploitation, a clean document is opened so that the target doesn’t suspect that anything malicious occurred.

This attack is actually part of the LURID campaign (often known as Enfal) that we documented last year. While the victims of that campaign were primarily in Eastern Europe and Central Asia, the same campaign targeted Tibetan activists as well. This “Linsanity” attack continues that trend.

We decoded the information that is sent back to the command and control server:

[host name]:[mac address]
[ip address]
windows xp
1252:0409
tt
tb0216
n
n
n
2.14

This information contains the host name, MAC address and IP address of the victim along with the operating system and language settings. Moreover, it contains a campaign code “tb0216” so that the attackers can track their attacks. In this case, the campaign code contains the date of the attack, “0216”, and “tb”, which appears to stand for Tibet.

As we documented in our paper on LURID, this campaign also targets countries in the former Soviet Union. On February 8th 2012 we discovered another attack that targeted a government office in Eastern Europe.

The attached document, detected by Trend Micro as TROJ_ARTIEF.LIN, exploits a vulnerability in Microsoft Office (CVE-2010-3333) in order to drop malware on the target’s system. The dropped malware is detected as BKDR_MECIV.LIN. After successful exploitation a clean document is opened. The email and the clean document contain information about a conference organized by an inter-governmental organization.

We decoded the information transmitted to the command and control server:

[host name]:[mac address]
[ip address]
windows xp
1252:0409
svchsot.exe
0dayfeb03.exe
n
n
n
2.14

The campaign code embedded in this attack, 0dayfeb03.exe, contains the date February 3, 2012, several days before the targeted email was sent. Despite the designation “0day”, the exploit used in the attack is the older, but reliable, CVE-2010-3333.
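To make the two decoded check-ins above easier to work with during triage, here is an added Python example (not code from the original post or from Trend Micro) that splits the ten-field beacon into named fields and recovers the date embedded in both campaign code styles seen in this post, “tb0216” and “0dayfeb03.exe”. The host names, MAC addresses and IP addresses in the sample beacons are constructed placeholders, not values from the report.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed samples shaped like the two decoded check-ins quoted in this post;
# host name, MAC and IP are placeholders, not values from the report.
BEACON_TIBET = "\n".join(["HOST-A:00-11-22-33-44-55", "192.0.2.10", "windows xp",
                          "1252:0409", "tt", "tb0216", "n", "n", "n", "2.14"])
BEACON_EUROPE = "\n".join(["HOST-B:00-11-22-33-44-66", "192.0.2.20", "windows xp",
                           "1252:0409", "svchsot.exe", "0dayfeb03.exe", "n", "n", "n", "2.14"])

MONTHS = dict(zip("jan feb mar apr may jun jul aug sep oct nov dec".split(), range(1, 13)))

@dataclass
class Beacon:
    host: str
    mac: str
    ip: str
    os_name: str
    codepage: int      # ANSI code page, e.g. 1252
    lang_id: int       # Windows LANGID, e.g. 0x0409 (en-US)
    tag: str           # fifth line: "tt" or a process name in the second sample
    campaign: str      # sixth line: the code the attackers use to track the attack
    flags: tuple       # the three "n" lines
    version: str       # trailing version string, "2.14" in both samples

def parse_beacon(text: str) -> Beacon:
    """Split a decoded check-in into its ten fixed-position fields."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) != 10:
        raise ValueError(f"expected 10 fields, got {len(lines)}")
    host, _, mac = lines[0].partition(":")
    cp, _, lang = lines[3].partition(":")
    return Beacon(host, mac, lines[1], lines[2], int(cp), int(lang, 16),
                  lines[4], lines[5], tuple(lines[6:9]), lines[9])

def campaign_date(code: str, year: int = 2012) -> "date | None":
    """Recover the date embedded in a campaign code: <prefix>MMDD (tb0216) or
    <prefix><mon><DD>[.exe] (0dayfeb03.exe); None if neither shape matches."""
    stem = code.lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    m = re.search(r"(\d{2})(\d{2})$", stem)
    if m:
        return date(year, int(m.group(1)), int(m.group(2)))
    m = re.search(r"([a-z]{3})(\d{1,2})$", stem)
    if m and m.group(1) in MONTHS:
        return date(year, MONTHS[m.group(1)], int(m.group(2)))
    return None
```

The year is not part of either code, so it is passed in explicitly; the default of 2012 matches the attacks described here.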

These attacks demonstrate that even well-known campaigns may continuously run for long periods of time. The people behind these attacks use variants of the same malware and constantly launch new attacks against their targets. The attackers continue exploiting newsworthy events in order to lure potential victims into executing malicious email attachments.

We are monitoring this campaign and will update this blog once more information becomes available.
