Trend Micro – targeted attack against Europe-Asia government agencies

Trend Micro uncovered targeted attack against European and Asian government agencies to steal login credentials from IE and Microsoft Outlook products.

A new targeted attack has been uncovered by Trend Micro security experts, the hackers hit European government agencies trying to steal login credentials from Internet Explorer (IE) and Microsoft Outlook.

The attackers trying to exploit a vulnerability in Microsoft Office, the hackers through a spear phishing attack trying to trick the victims with email claiming to be from the Chinese Ministry of National Defense. Trend Micro researchers revealed that the email appeared to have been sent from a Gmail account and did not use a Chinese name.

The hackers spread via email a a malicious attachment which exploits a vulnerability (CVE-2012-0158) in Microsoft Office (all versions of Office 2003 to Office 2010 were affected). The vulnerability is dated, it was patched more than a year ago, the hackers exploiting it are able to drop a backdoor onto the victim’s PC to steal login credentials for websites and email accounts from Internet Explorer and Microsoft Outlook. The attachment is detected as TROJ_DROPPER.IK and the backdoor itself as BKDR_HGDER.IK.

“The vulnerability used in this attack is one that is commonly used by targeted attacks. High-profile campaigns like Safe and Taidoor have made use of this vulnerability; if anything it’s a commonly targeted flaw in sophisticated campaigns.“

To hide its presence the backdoor also opens a legitimate “dummy” document, the target will not note any suspicious activity on its machine.  The stolen information is uploaded to two IP addresses located in Hong Kong.

The offensive seems to be politically motivated, the victims of the targeted attack were mainly individuals belonging to European and Asian governments.

“This particular attack was aimed primarily at both personnel belonging to Europe and Asia governments. The message was sent to 16 officials representing European countries alone. The topic of the email – and the attached document – would be of interest to these targets. In addition, the information stolen and where it was stolen from – is very consistent with targeted attacks aimed at large organizations that use corporate mainstays like Internet Explorer and Outlook.” said Jonathan Leopando (Trend Micro Technical Communications).

Every time it is mentioned a targeted attack or it is uncovered a cyber espionage campaign security experts use to blame Chinese state-sponsored hackers, this time the Trend Micro security expert remarked that also Chinese media organizations were targeted and that backdoor has been detected in the wild more frequently in China and Taiwan.

Trend Micro confirmed that its products are able to detect the malicious code used for the targeted attack and the C&C servers have been blocked.

Pierluigi Paganini

(Security Affairs – Targeted attack, cyber espionage, Trend Micro)