Just yesterday, SecurityWeek reported on a recent incident where senior military and government officials were duped into “friending” someone on Facebook who was pretending to be U.S. Admiral James Stavridis, NATO’s Supreme Allied Commander in Europe. That fake profile was believed to have been set up by Chinese hackers interested in gathering email addresses and other information from military and government officials. Facebook took the fake account down as soon as it was discovered.
While that reconnaissance effort through Facebook may not have led to an attack, on Monday, researchers from Bitdefender shared details of an attack that appears to be targeting U.S. government and military staff.
According to Bitdefender, cybercriminals that appear to be located in China are using rising political tensions over Iran’s suspected nuclear weapons program as a way to sneak malware on to systems belonging to U.S. military staff.
The attack in question comes in the form of a browser exploitation spread through a Microsoft Word (.doc) document attached to an email message. The document, titled “Iran’s Oil and Nuclear Situation.doc”, contains a Shockwave Flash applet that attempts to load a video file named “test.mp4” from a web server.
But this MP4 file isn’t your typical video file, Bitdefender says. “It has been crafted to include a valid header so it can legitimately identify itself as MP4, but the rest of the file is filled with 0x0C values. When the file loads and the Flash Player tries to render the MP4, it triggers an exploit in the Adobe Flash plugin (CVE-2012-0754), that ultimately drops an executable file embedded in the initial .doc.”
During the attack, that seemingly innocent MP4 file triggering the exploit is streamed over the web, enabling a system to be exploited before an antivirus engine would normally scan a file. Additionally, the malware embedded inside the .doc file (us.exe) has multiple layers of obfuscation to dodge detection, Bitdefender says.
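Bitdefender’s description of test.mp4 (a valid MP4 header with the rest of the file filled with 0x0C bytes) is the kind of structural anomaly a web proxy or on-access scanner can check for before Flash Player ever tries to render the stream. The following Python is an added example written for this article, not code from Bitdefender or SecurityWeek: it walks the MP4 box structure and flags a buffer whose header is valid but whose remainder is dominated by a single byte value. Both sample files are constructed inline, and the 95% filler threshold is an assumed tuning value rather than anything from the report.

```python
import struct
from collections import Counter

# ISO BMFF (MP4) box header: 32-bit big-endian size followed by a 4-byte type.
BOX_HEADER = struct.Struct(">I4s")


def build_box(box_type: bytes, payload: bytes) -> bytes:
    """Assemble one MP4 box (used only to construct the sample inputs below)."""
    return BOX_HEADER.pack(8 + len(payload), box_type) + payload


FTYP = build_box(b"ftyp", b"isom" + b"\x00\x00\x02\x00" + b"isom" + b"mp41")

# Constructed sample 1: a valid 'ftyp' header followed by nothing but 0x0C bytes,
# mimicking the shape Bitdefender describes for test.mp4.
CRAFTED_SAMPLE = FTYP + b"\x0c" * 4096

# Constructed sample 2: the same header, then a minimal 'moov' box and an 'mdat'
# box whose payload has a flat byte distribution, as real media data does.
BENIGN_SAMPLE = FTYP + build_box(b"moov", b"") + build_box(b"mdat", bytes(range(256)) * 16)


def parse_boxes(data: bytes):
    """Walk top-level boxes, yielding (type, offset, size, truncated).

    A box whose declared size runs past the end of the buffer is reported as
    truncated and ends the walk. A filler-only file fails here right after the
    header, because its "next box" size and type are read from the filler bytes.
    """
    offset = 0
    while offset + 8 <= len(data):
        size, box_type = BOX_HEADER.unpack_from(data, offset)
        header_len = 8
        if size == 1:
            # 64-bit 'largesize' follows the 8-byte header
            if offset + 16 > len(data):
                yield box_type, offset, None, True
                return
            size = struct.unpack_from(">Q", data, offset + 8)[0]
            header_len = 16
        elif size == 0:
            # A zero size means the box extends to the end of the file
            size = len(data) - offset
        if size < header_len or offset + size > len(data):
            yield box_type, offset, size, True
            return
        yield box_type, offset, size, False
        offset += size


def analyze_mp4(data: bytes, filler_threshold: float = 0.95) -> dict:
    """Return structural indicators for an MP4 buffer.

    'suspicious' is set when the buffer carries a valid 'ftyp' header but the
    remainder is dominated (>= filler_threshold) by a single byte value.
    """
    boxes = list(parse_boxes(data))
    valid_header = bool(boxes) and boxes[0][0] == b"ftyp" and not boxes[0][3]
    complete_types = {t for t, _, _, trunc in boxes if not trunc}
    has_media = b"moov" in complete_types and b"mdat" in complete_types
    truncated = any(trunc for _, _, _, trunc in boxes)

    # Byte histogram of everything after the 'ftyp' box
    body = data[boxes[0][2]:] if valid_header else data
    if body:
        filler_byte, count = Counter(body).most_common(1)[0]
        filler_ratio = count / len(body)
    else:
        filler_byte, filler_ratio = None, 0.0

    return {
        "valid_header": valid_header,
        "has_media": has_media,
        "truncated": truncated,
        "filler_byte": filler_byte,
        "filler_ratio": round(filler_ratio, 4),
        "suspicious": valid_header and filler_ratio >= filler_threshold,
    }


if __name__ == "__main__":
    for name, sample in (("crafted", CRAFTED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze_mp4(sample))
```

The filler ratio is the decisive indicator here; `has_media` and `truncated` are reported separately rather than folded into the verdict, since legitimate fragmented MP4s can lack a top-level `moov`/`mdat` pair. In practice the check is most useful combined with delivery context, such as an Office document fetching an .mp4 from the web.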
Next, the newly downloaded 4.63 MB file is placed in a system’s temporary folder and executed. The file mimics the Java Updater application and appears to originate from China. Inside the file, the malicious code of only 22.5 KB tries to connect to a C & C server that uses dynamic DNS services to permanently change its IP address.
Identified by Bitdefender as “Gen:Variant.Graftor.15447”, once the malware has infected a system, a backdoor starts listening for commands from its command and control server in China.
“This is clearly a targeted attack – it may aim at US military staff involved in Iranian military operations,” Bogdan Botezatu, a researcher at Bitdefender, explained in a blog post. “The malware has not been delivered by mass spam and has not shown up in “honeypots,” or e-mail addresses used by the antivirus industry to attract and catch malware.”
“The payload is also an advanced persistent threat – extremely difficult to detect once inside the network. Although it’s more than a week old, the backdoor still has poor detection, with [as of Monday] only 7 of 42 antivirus solutions able to detect it,” Botezatu added.
As usual, Bitdefender encourages users to maintain an updated antivirus solution and keep critical applications up to date by installing security fixes as soon as they become available.
