English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Military Hardware and Menís Health

Ben Godwood
Kaspersky Lab Expert
Posted March 29, 12:40  GMT
Tags: Targeted Attacks, Spearphishing
0.4
 

Over the last few months we have seen a series of very similar targeted attacks being blocked in our Linux Mail Security Product. In each case the documents used were RTF and the exploit was CVE-2012-0158 (MSCOMCTL.OCX RCE Vulnerability).

The attacks seem to be from the same group and most appear to be sent from Australia or Republic of Korea. The sender IP addresses vary but many are sent via mail.mailftast.com. This domain is registered in China:

REGISTRANT CONTACT INFO
liu runxin
No.1,Nanjing Road
Shanghai
Shanghai
200001
CN
Phone:         +86.2164415698
Email Address: lishd2011@163.com

The documents are in three categories:

  1. The first group of documents are related to articles on the Menís Health website. These are some example filenames:
    EAT FOR BETTER SEX.doc
    How to last longer in bed.doc
    6 Awkward Sex Moments, Defused.doc
    9 ways to have better,hotter,and more memorable sex.doc
    10 Ways to Get More Sex.doc
  2. The second group are military related:
    Stealth Frigate.doc
    The BrahMos Missile.doc
    How DRDO failed India's military.doc
  3. The third set have Cyrillic filenames:
    приоритеты сотрудничества.doc
    Список участников рабочей группы(0603-2013).doc
    Список кадров.doc
    Приглашение МИОМ ТЕЙКОВО 2013.doc

Most weeks we will see one topic from categories 1 and 2 and several using Cyrillic filenames. The exploit, shellcode and malware used tend to be the same. The only real different is the decoy documents displayed when the exploit runs.

Here are two examples from last week:



Stealth Frigate.doc



EAT FOR BETTER SEX.doc

The metadata for the decoy documents is the same and it looks like it hasnít be updated for a while.

The title translates as ďThe financial result for the first 9 months of 2012Ē and the company name relates to a Russian submarine manufacturer.

When the exploit runs it creates and executes a file called wordupgrade.exe. This executable drops a DLL called usrsvpla.dll into the system32 directory and modifies the WmdmPmSN (Portable Media Serial Number Service) registry key to load the DLL into svchost.exe.

Both wordupgrade.exe and usrsvpla.dll contain the PDB path:

The malware installed by these documents is a variant of Enfal/Lurid. We are detecting wordupgrade.exe as Trojan-Dropper.Win32.Datcaen.d and usrsvpla.dll as Trojan.Win32.Zapchast.affv. Our colleagues from Trend have previously described this malware in their papers.

http://blog.trendmicro.com/trendlabs-security-intelligence/modified-enfal-variants-compromised-874-systems/

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf

The samples seen last week contact a C&C server at yui.bcguard.com. This domain has the same registration details a mailftast.com above.

Below are the IP addresses of these domains:

yui.bcguard.com - 208.115.124.90 (China)
mail.mailftast.com - 142.234.156.3 (US)

There are several other domains registered to ďliu runxinĒ:

timmf.com
bcbtheory.com
bellbuttons.com
atmdzxgs.com
coffeeibus.com
cymdbd.com

Conclusion

The malware used in these attacks is not very advanced or new (Enfal variants have been seen as far back as 2006). However, the attacks are very regular, so it is probably safest not to open attachments related to these topics.


3 comments

Oldest first
Threaded view
 

Galoget Latorre

2013 Mar 31, 09:18
1
 

Interesting

Hi Ben,

This is one more prove that the problem is not the sophistication level of a malware, and shows the real problem, people that doesn't know about basic security policies.

Thanks!

Galoget

Reply    

ahmrashed

2013 Mar 31, 15:09
0
 

help

Trojan.Win32.Starter.yy

how can remove this please help me

Reply    

Galoget Latorre

2013 Apr 08, 12:55
0
 

Re: help

Hi ahmrashed, there are a lot of guides on the Internet in order to remove that threat (including tools), here is one of them: http://www.spyware-solutions.net/trojan/trojan-win32-starter-yy-removal-guide

Hope this helps and Good luck!

Reply    
If you would like to comment on this article you must first
login


Bookmark and Share
Share

Analysis

Blog