Just yesterday, SecurityWeek reported on a recent incident where senior military and government officials were duped into “friending” someone on Facebook who was pretending to be U.S. Admiral James Stavridis, NATO’s Supreme Allied Commander in Europe. That fake profile was believed to be set up by Chinese hackers interested in gathering email addresses and other information from military and government officials. Facebook took the fake account down as soon as it was discovered.
While that reconnaissance effort through Facebook may not have led to an attack, on Monday, researchers from Bitdefender shared details of an attack that appears to be targeting U.S. government and military staff.
According to Bitdefender, cybercriminals that appear to be located in China are using rising political tensions over Iran’s suspected nuclear weapons program as a way to sneak malware on to systems belonging to U.S. military staff.
The attack in question comes in the form of a browser exploitation spread through a Microsoft Word (.doc) document attached to an email message. The document, titled “Iran’s Oil and Nuclear Situation.doc”, contains a Shockwave Flash applet that attempts to load a video file named “test.mp4” from a web server.
But this MP4 file isn’t your typical video file, Bitdefender says. “It has been crafted to include a valid header so it can legitimately identify itself as MP4, but the rest of the file is filled with 0x0C values. When the file loads and the Flash Player tries to render the MP4, it triggers an exploit in the Adobe Flash plugin (CVE-2012-0754), that ultimately drops an executable file embedded in the initial .doc.”
During the attack, that seemingly innocent MP4 file triggering the exploit is streamed over the web, enabling a system to be exploited before an antivirus engine would normally scan a file. Additionally, the malware embedded inside the .doc file (us.exe) has multiple layers of obfuscation to dodge detection, Bitdefender says.
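As an added illustration (not code from SecurityWeek or Bitdefender), the following Python heuristic checks an MP4 for the pattern described above: a valid `ftyp` header that is not followed by the `moov`/`mdat` boxes a real video carries, but by a long run of a single byte value. The two sample files are constructed inline, and the 90% filler ratio and 64-byte minimum are assumed thresholds, not values from the report.

```python
import struct
from collections import Counter

def build_box(btype, payload):
    """Serialise one ISO BMFF box: 32-bit big-endian size, 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + btype + payload

def parse_boxes(data):
    """Walk top-level boxes; stop at the first thing that is not a plausible box.
    Returns (boxes, offset where parsing stopped)."""
    boxes, offset = [], 0
    while offset + 8 <= len(data):
        size = struct.unpack(">I", data[offset:offset + 4])[0]
        btype = data[offset + 4:offset + 8]
        if size == 0:            # box runs to end of file
            size = len(data) - offset
        elif size == 1:          # 64-bit "largesize" follows the type field
            if offset + 16 > len(data):
                break
            size = struct.unpack(">Q", data[offset + 8:offset + 16])[0]
        if size < 8 or offset + size > len(data) or not all(32 <= b < 127 for b in btype):
            break
        boxes.append((btype, offset, size))
        offset += size
    return boxes, offset

def analyze_mp4(data, min_filler_ratio=0.9, min_filler_len=64):
    """Flag a file whose only parseable box is ftyp and whose tail is near-constant filler."""
    boxes, parsed_end = parse_boxes(data)
    valid_header = bool(boxes) and boxes[0][0] == b"ftyp"
    has_media = any(t in (b"moov", b"mdat") for t, _, _ in boxes)
    remainder = data[parsed_end:]
    filler_byte, filler_ratio = None, 0.0
    if remainder:
        filler_byte, count = Counter(remainder).most_common(1)[0]
        filler_ratio = count / len(remainder)
    suspicious = (valid_header and not has_media
                  and len(remainder) >= min_filler_len
                  and filler_ratio >= min_filler_ratio)
    return {"valid_header": valid_header, "has_media": has_media,
            "filler_byte": filler_byte, "filler_ratio": round(filler_ratio, 3),
            "suspicious": suspicious}

# Constructed samples (not real files): a decoy with a genuine ftyp box followed by
# 0x0C filler, and a minimal well-formed file that also carries moov and mdat boxes.
FTYP = build_box(b"ftyp", b"isom" + struct.pack(">I", 0) + b"isommp41")
CRAFTED = FTYP + b"\x0c" * 4096
BENIGN = FTYP + build_box(b"moov", bytes(range(64))) + build_box(b"mdat", bytes(range(256)) * 4)

if __name__ == "__main__":
    for name, sample in (("crafted", CRAFTED), ("benign", BENIGN)):
        print(name, analyze_mp4(sample))
```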
Next, the newly downloaded 4.63 MB file is placed in a system’s temporary folder and executed. The file mimics the Java Updater application and appears to originate from China. Inside the file, the malicious code of only 22.5 KB tries to connect to a C&C server that uses dynamic DNS services to permanently change its IP address.
Identified by Bitdefender as “Gen:Variant.Graftor.15447”, once the malware has infected a system, a backdoor starts listening for commands from its command and control server in China.
“This is clearly a targeted attack – it may aim at US military staff involved in Iranian military operations,” Bogdan Botezatu, a researcher at Bitdefender, explained in a blog post. “The malware has not been delivered by mass spam and has not shown up in “honeypots,” or e-mail addresses used by the antivirus industry to attract and catch malware.”
“The payload is also an advanced persistent threat – extremely difficult to detect once inside the network. Although it’s more than a week old, the backdoor still has poor detection, with [as of Monday] only 7 of 42 antivirus solutions able to detect it,” Botezatu added.
As usual, Bitdefender encourages users to maintain an updated antivirus solution and keep critical applications up to date by installing security fixes as soon as they become available.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.