The Latest in IT Security

Symantec Protection for Trojan.FakeSafe


Today, Trend Micro published a report about a targeted attack campaign they’re calling SafeNet (the campaign’s name is unrelated to the security company of the same name). The group behind this campaign is utilizing spear phishing emails with malicious attachments. These attachments are document files that exploit vulnerabilities in Microsoft Word. Some of the documents we’ve observed exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).

If exploitation is successful, the malicious documents drop the following files:

  • smcs.exe
  • SafeExt.dll
  • SafeCredential.DAT

SafeExt.dll contains most of the threat’s functionality while SafeCredential.DAT contains configuration information.

Our telemetry indicates that this is spread across the globe throughout multiple countries:


Symantec products detect the spear phishing word documents as Trojan.Mdropper and Trojan.Dropper, and the dropped files as Trojan.Fakesafe.

As we’re still seeing CVE-2012-0518 used in targeted attacks, users should ensure that software applications are up to date, and avoid clicking on suspicious links and opening suspicious email attachments.

To best protect against targeted attacks, we advise users to use the latest Symantec technologies and incorporate layered defenses.

Leave a reply


MONDAY, JULY 26, 2021

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments