We have recently analyzed a series of emails sent to specific users that leverage a certain prominent socio-political issue. One of these messages concerns a supposed statement by the German Chancellor regarding the protests in Lhasa, Tibet. The From field indicates that it came from a key officer of the Australian Tibet Council (ATC). The email is, of course, faked: the sender address was newly created and used to impersonate the said ATC officer. The message also carries a .DOC file that supposedly contains the relevant parts of the statement. Once opened, this file, detected as TROJ_ARTIEF.AE, exploits a vulnerability in Microsoft Word (CVE-2010-3333) to drop another file, detected as TSPY_MARADE.AA. TSPY_MARADE.AA was found to gather network and system information by executing specific shell commands; the stolen data are then uploaded to malicious sites.
Below is a list of the emails we intercepted with malicious attachments related to this incident. This list, however, is not definitive, as there may be other variants yet to be seen.
| Email Subject | Attachment File Name | Attachment Type | Attachment Detection Name | Dropped File Detection Name |
|---|---|---|---|---|
| Germany Chancellor Again Comments on Lhasa protests | Germany Chancellor Again Comments on Lhasa Protests.doc | .DOC | TROJ_ARTIEF.SV | TSPY_MARADE.AA |
| TWA’s speech in the meeting of the United Nations Commission for Human Rights | TheSpeech.doc | .DOC | TROJ_ARTIEF.CP | TROJ_REDOSDR.AH |
| Fowarding of TWA message | English_Final_Statement.doc, English_Final_Statement_1.doc | .DOC | TROJ_ARTIEF.DA, TROJ_ARTIEF.DB | TROJ_SWISYN.GT |
| Open Letter To President Hu | Letter.doc | .DOC | TROJ_ARTIEF.DD | TSPY_ROFU.NSS |
| Tibetan environmental situations for the past 10 years | Tibetan environmental statistics.xls | .XLS | TROJ_MDROPPR.BJ | BKDR_MECIV.AC |
| An Urgent Appeal Co-signed by Three Tibetans | Appeal to Tibetans To Cease Self-Immolation.doc | .DOC | TROJ_ARTIEF.CX | TROJ_SASFIS.UL |
| About TYC Centrex Notice and New email id of TYC Centrex | Centrex_Contact.doc | .DOC | TROJ_ARTIEF.CZ | TROJ_SHWOM.A |
| [Tanc] JOINS US: March 10, Saturday: 53rd Commemoration of the 1959 Tibetan National Uprising Day. | march10.doc | .DOC | TROJ_ARTIEF.DF | TROJ_SHWOM.A |
| 10th march speech | 10th March final.doc, 10th March final.pdf | .DOC, .PDF | TROJ_ARTIEF.CU | BKDR_MECIV.AA, BKDR_MECIV.AD |
| FW: Call for End to Burnings | Support List.xls | .XLS | TROJ_MDROPPR.BK | BKDR_PROTUX.BK, BKDR_PROTUX.BJ |
| Public Talk by the Dalai Lama _ Conference du Dalaï Lama Ottawa, Saturday, 28th April 2012 | Public Talk by the Dalai Lama.doc | .DOC | TROJ_ARTIEF.DG | TROJ_SWISYN.GT |
| Bonafide Certificate of Miss Tenzin Tselha | tentselha.zip (contains tentselha.jpg, tentselha.jpg.lnk, tentselha1.jpg) | ZIP (containing LNK, EXE, JPG) | TROJ_REDOSDR.AH | TROJ_REDOSDR.AH |
| TWA mourns the self immolation deaths of two female protesters this past weekend | TWA mourns the self immolation deaths of two female protesters.doc | .DOC | TROJ_ARTIEF.SM3 | TSPY_MARADE.AA, TSPY_ZBOT.BPG |
| Self-Immolations: New heightened form of Non Violent protests in Tibet | TWA looks back at the aftermath and the undercurrents of the 52 years of Chinese rule in Tibet.doc | .DOC | TROJ_ARTIEF.DH | BKDR_AGENT.ZZZZ |
| Arrest and protests mar ‘Losar’ week in Tibet.eml | an appealing letter to the United Nations.doc | .DOC | TROJ_ARTIEF.CW | TROJ_SWISYN.HV |
| UN Human Rights Council publishes written statement on discrimination in Tibet.eml | G1210456.doc | .DOC | TROJ_ARTIEF.CT | TROJ_SWISYN.HV |
| Students For A Free Tibet !.eml | Action Plan for March 10th.doc | .DOC | TROJ_ARTIEF.JD | BKDR_DUOJEEN.A |
The infection chain shown by the two samples above is noticeably similar to a previous attack that used NBA star Jeremy Lin as a social engineering hook. If you check out some of our blog postings on targeted attacks from way back in 2008, such as the ones we wrote about here and here, you will find similarities with past targeted attack campaigns of the same nature. Each scenario involves a malicious .DOC file that exploits a Microsoft Word vulnerability to drop information-stealing malware.
If you see any of these messages in your inbox, please delete them immediately. If you have already opened or downloaded the attached files, please coordinate with the Trend Micro support team. As a rule, always be cautious when handling your email, especially when opening or downloading attachments. Even mail coming from supposedly trusted sources must be taken with a grain of salt, as cybercriminals are adept at spoofing email addresses to make messages appear legitimate.
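The two signals that recur across the lures above, a display name that claims an organisation the sending domain does not belong to, and a ".doc" attachment that is really an RTF carrying the pFragments shape property abused by CVE-2010-3333 (MS10-087), can be checked mechanically at the mail gateway. The triage script below is an added example, not Trend Micro's code; the sample message, the `freemail.example` sender and the `atc.example` entry in `KNOWN_SENDER_DOMAINS` are constructed placeholders, and the embedded RTF is inert.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container
# Constructed placeholder (not the real organisation's domain): the sending domain a
# display name that claims to speak for that organisation is expected to use.
KNOWN_SENDER_DOMAINS = {"atc": "atc.example"}

def triage_attachment(filename: str, data: bytes) -> list[str]:
    # Returns indicator names for one attachment; an empty list means nothing odd.
    findings = []
    name = filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    is_rtf = data.startswith(RTF_MAGIC)
    if ext == "doc" and is_rtf:
        findings.append("doc-extension-but-rtf-content")
    # CVE-2010-3333 (MS10-087): stack overflow in Word's RTF parser via the pFragments property
    if is_rtf and b"pFragments" in data:
        findings.append("rtf-pFragments-present")
    if ext in ("doc", "xls") and not is_rtf and not data.startswith(OLE_MAGIC):
        findings.append("office-extension-unknown-container")
    if ext == "lnk":  # e.g. the .jpg.lnk shipped inside a zip in the table above
        findings.append("lnk-attachment")
    return findings

def triage_message(raw: bytes) -> dict[str, list[str]]:
    # Parses an RFC 822 message and reports sender plus per-attachment indicators.
    msg = email.message_from_bytes(raw, policy=policy.default)
    report: dict[str, list[str]] = {"from": []}
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for org, expected in KNOWN_SENDER_DOMAINS.items():
        if re.search(rf"\b{re.escape(org)}\b", display.lower()) and domain != expected:
            report["from"].append(f"display-name-claims-{org}-but-domain-{domain}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or "unnamed"
        report[fname] = triage_attachment(fname, part.get_payload(decode=True) or b"")
    return report

def build_sample() -> bytes:
    # Constructed lure modelled on the campaign above; the RTF carries a harmless pFragments value.
    msg = EmailMessage()
    msg["From"] = '"ATC Campaigns Officer" <atc.officer@freemail.example>'
    msg["Subject"] = "Germany Chancellor Again Comments on Lhasa protests"
    msg.set_content("Please find the relevant parts of the statement attached.")
    rtf = b"{\\rtf1{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;4;00000000}}}}}"
    msg.add_attachment(rtf, maintype="application", subtype="msword", filename="statement.doc")
    return msg.as_bytes()
```

Word opens RTF content under a .doc name without complaint, so the extension-versus-magic mismatch alone is only a hint; combined with the sender mismatch and the pFragments property it is worth quarantining for analysis.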
We will continue to monitor this campaign and update this blog post with our analysis.
With additional text by Nart Villeneuve