Trend Micro – targeted attack against Europe-Asia government agencies

Trend Micro uncovered targeted attack against European and Asian government agencies to steal login credentials from IE and Microsoft Outlook products.

A new targeted attack has been uncovered by Trend Micro security experts, the hackers hit European government agencies trying to steal login credentials from Internet Explorer (IE) and Microsoft Outlook.

The attackers trying to exploit a vulnerability in Microsoft Office, the hackers through a spear phishing attack trying to trick the victims with email claiming to be from the Chinese Ministry of National Defense. Trend Micro researchers revealed that the email appeared to have been sent from a Gmail account and did not use a Chinese name.

The hackers spread via email a a malicious attachment which exploits a vulnerability (CVE-2012-0158) in Microsoft Office (all versions of Office 2003 to Office 2010 were affected). The vulnerability is dated, it was patched more than a year ago, the hackers exploiting it are able to drop a backdoor onto the victim’s PC to steal login credentials for websites and email accounts from Internet Explorer and Microsoft Outlook. The attachment is detected as TROJ_DROPPER.IK and the backdoor itself as BKDR_HGDER.IK.

“The vulnerability used in this attack is one that is commonly used by targeted attacks. High-profile campaigns like Safe and Taidoor have made use of this vulnerability; if anything it’s a commonly targeted flaw in sophisticated campaigns.“

To hide its presence the backdoor also opens a legitimate “dummy” document, the target will not note any suspicious activity on its machine. The stolen information is uploaded to two IP addresses located in Hong Kong.

The offensive seems to be politically motivated, the victims of the targeted attack were mainly individuals belonging to European and Asian governments.

“This particular attack was aimed primarily at both personnel belonging to Europe and Asia governments. The message was sent to 16 officials representing European countries alone. The topic of the email – and the attached document – would be of interest to these targets. In addition, the information stolen and where it was stolen from – is very consistent with targeted attacks aimed at large organizations that use corporate mainstays like Internet Explorer and Outlook.” said Jonathan Leopando (Trend Micro Technical Communications).

Every time it is mentioned a targeted attack or it is uncovered a cyber espionage campaign security experts use to blame Chinese state-sponsored hackers, this time the Trend Micro security expert remarked that also Chinese media organizations were targeted and that backdoor has been detected in the wild more frequently in China and Taiwan.

Trend Micro confirmed that its products are able to detect the malicious code used for the targeted attack and the C&C servers have been blocked.

Pierluigi Paganini

(Security Affairs – Targeted attack, cyber espionage, Trend Micro)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.