Cyberwarfare

Attackers Leverage Iran Nuclear Tensions in Targeted Attack Against U.S. Military Staff

Just yesterday, SecurityWeek reported on a recent incident where senior military and government officials were duped into “friending” someone on Facebook that was pretending to be U.S. Admiral James Stavridis, NATO’s Supreme Allied Commander in Europe. That fake profile was believed to be setup by Chinese hackers interested in gathering email addresses and other information from military and government officials. Facebook took the fake account down as soon as it was discovered.

While that reconnaissance effort through Facebook may not have led to an attack, on Monday, researchers from Bitdefender shared details of an attack that appears to be targeting U.S. government and military staff.

According to Bitdefender, cybercriminals who appear to be located in China are using rising political tensions over Iran’s suspected nuclear weapons program as a lure to sneak malware onto systems belonging to U.S. military staff.

The attack in question comes in the form of a browser-plugin exploit spread through a Microsoft Word (.doc) document attached to an email message. The document, titled “Iran’s Oil and Nuclear Situation.doc”, contains a Shockwave Flash applet that attempts to load a video file named “test.mp4” from a web server.

But this MP4 file isn’t your typical video file, Bitdefender says. “It has been crafted to include a valid header so it can legitimately identify itself as MP4, but the rest of the file is filled with 0x0C values. When the file loads and the Flash Player tries to render the MP4, it triggers an exploit in the Adobe Flash plugin (CVE-2012-0754), that ultimately drops an executable file embedded in the initial .doc.”

During the attack, the seemingly innocent MP4 file that triggers the exploit is streamed over the web, so the system can be exploited before an antivirus engine would normally get a chance to scan the file on disk. Additionally, the malware embedded inside the .doc file (us.exe) has multiple layers of obfuscation to dodge detection, Bitdefender says.
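The detail Bitdefender gives about the MP4, a valid header followed by a body consisting entirely of 0x0C bytes, is something a defender can check for without any knowledge of the Flash bug itself. The following script is an added example, not Bitdefender’s code or anything from the original article: it walks the top-level boxes of an ISO BMFF (MP4) file, confirms the file opens with an `ftyp` box, flags box types that are not printable ASCII, and measures how much of the body after the header is a single repeated byte value. The threshold of 90% and the two sample files are constructed assumptions for the demonstration.

```python
import struct
from collections import Counter

# Assumed threshold: if one byte value makes up at least this fraction of the
# body after the first box, treat the file as filler rather than real media.
FILLER_THRESHOLD = 0.90


def parse_boxes(data):
    """Walk top-level MP4 boxes; return a list of (type, size) pairs.

    Stops at the first box whose size field is malformed (< 8) or whose
    declared size runs past the end of the buffer. Sizes of 1 (64-bit
    largesize) and 0 (extends to end of file) are handled per the spec.
    """
    boxes = []
    offset = 0
    while offset + 8 <= len(data):
        size, = struct.unpack(">I", data[offset:offset + 4])
        btype = data[offset + 4:offset + 8]
        if size == 1:
            if offset + 16 > len(data):
                break
            size, = struct.unpack(">Q", data[offset + 8:offset + 16])
        elif size == 0:
            size = len(data) - offset
        if size < 8:
            break  # a box cannot be smaller than its own header
        boxes.append((btype, size))
        offset += size
    return boxes


def analyze_mp4(data, threshold=FILLER_THRESHOLD):
    """Return a dict describing structural anomalies in an MP4 byte string."""
    boxes = parse_boxes(data)
    result = {
        "boxes": boxes,
        "has_ftyp": bool(boxes) and boxes[0][0] == b"ftyp",
        # Real box types are four printable ASCII characters (e.g. b"moov").
        "unprintable_box_type": any(
            not all(0x20 <= c < 0x7F for c in t) for t, _ in boxes
        ),
    }
    header_len = boxes[0][1] if boxes else 0
    body = data[header_len:]
    if body:
        value, count = Counter(body).most_common(1)[0]
        result["dominant_byte"] = value
        result["dominant_ratio"] = count / len(body)
    else:
        result["dominant_byte"] = None
        result["dominant_ratio"] = 0.0
    result["suspicious"] = (
        result["dominant_ratio"] >= threshold or result["unprintable_box_type"]
    )
    return result


def make_box(btype, payload):
    """Build a minimal MP4 box: 32-bit big-endian size, 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + btype + payload


# Constructed sample inputs (not captured files).
FTYP = make_box(b"ftyp", b"isom" + struct.pack(">I", 512) + b"isomiso2mp41")

# Looks like an ordinary container: ftyp, a small moov, an mdat with varied bytes.
BENIGN_SAMPLE = FTYP + make_box(b"moov", bytes(range(64))) \
    + make_box(b"mdat", bytes(range(256)) * 4)

# Mimics the anomaly the article describes: valid header, then 0x0C filler only.
FILLER_SAMPLE = FTYP + b"\x0c" * 4096


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("filler", FILLER_SAMPLE)):
        r = analyze_mp4(sample)
        print(f"{name}: ftyp={r['has_ftyp']} dominant=0x{(r['dominant_byte'] or 0):02x} "
              f"ratio={r['dominant_ratio']:.2f} suspicious={r['suspicious']}")
```

The repeated-byte heuristic is deliberately coarse: a genuinely padded or zero-filled stream can trip it, so it belongs in a triage pipeline (for example, on content fetched by an Office document at open time) rather than as a blocking rule on its own. The check that catches the described file regardless of the filler value is the box walk, because a body of one repeated byte cannot yield a printable box type.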

Next, the newly downloaded 4.63 MB file is placed in the system’s temporary folder and executed. The file mimics the Java Updater application and appears to originate from China. Inside it, the malicious code, only 22.5 KB in size, tries to connect to a C&C server that uses dynamic DNS services to change its IP address continually.

Identified by Bitdefender as “Gen:Variant.Graftor.15447”, the malware, once it has infected a system, starts a backdoor that listens for commands from its command and control server in China.

“This is clearly a targeted attack – it may aim at US military staff involved in Iranian military operations,” Bogdan Botezatu, a researcher at Bitdefender, explained in a blog post. “The malware has not been delivered by mass spam and has not shown up in ‘honeypots,’ or e-mail addresses used by the antivirus industry to attract and catch malware.”

“The payload is also an advanced persistent threat – extremely difficult to detect once inside the network. Although it’s more than a week old, the backdoor still has poor detection, with [as of Monday] only 7 of 42 antivirus solutions able to detect it,” Botezatu added.

As usual, Bitdefender encourages users to maintain an updated antivirus solution and to keep critical applications up to date by installing security fixes as soon as they become available.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
