The attackers' goal is to drop a version of the PlugX RAT onto the target host
Over the past months, we've heard of numerous cyberattacks aimed at Tibetan users, particularly activists. Sophos experts have identified another attack, which employs a few clever techniques to evade detection by security solutions.
The attacks begin with an email that carries an RTF document. When the victim opens the document, they are presented with a statement of the Tibetan Youth Congress on World Human Rights Day.
However, in the background, the cleverly crafted document exploits a vulnerability in Microsoft Office in order to drop three files: Nv.exe, NvSmartMax.dll and NvSmartMax.dll.url.
While the Nv.exe file – which is immediately executed after it’s dropped – might appear to be malicious, in reality, it’s a legitimate NVIDIA Smart Maximise Helper application, signed with a valid NVIDIA digital certificate.
Because the executable that runs first is clean and carries a valid signature, the chances that the malicious component goes unnoticed by antivirus software increase.
Nv.exe might be a legitimate app, but the NvSmartMax.dll file is not. The cybercriminals know that when Nv.exe is executed, it immediately loads NvSmartMax.dll by name, and that Windows searches the directory the executable was started from before it looks anywhere else.
By placing a malicious version of NvSmartMax.dll in the same folder as Nv.exe, the attacker ensures that the crafted file is loaded instead of the legitimate one. The technique is known as DLL side-loading: a trusted, signed program is made to carry untrusted code.
NvSmartMax.dll is actually a version of the notorious PlugX Remote Access Trojan (RAT), which has often been used in anti-Tibet campaigns.
However, experts explain that NvSmartMax.dll is only a loader for the main component of the attack, NvSmartMax.dll.url. Despite its extension, that file is not an Internet shortcut; NvSmartMax.dll reads it and loads its contents directly into memory.
To ensure that the malware is executed each time the computer is started, Nv.exe is registered as a Windows service named SxS (HKLM\SYSTEM\CurrentControlSet\Services\SxS). Since the signed host binary is what the service starts, the malicious DLL rides along at every boot.
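The two traits described above, a signed host executable started by a service and an unsigned (or differently signed) DLL sitting in the same folder as that host, plus the odd `.dll.url` payload container, can be hunted for on a Windows machine with the script below. This is an added example written for this article, not code from Sophos' analysis; it assumes PowerShell 5.1 or later running with administrative rights, and the service name `SxS` is the only indicator taken from the article itself. Everything else is generic to the side-loading pattern rather than specific to this campaign.

```powershell
# Hunt for the DLL side-loading + service persistence pattern described above.
# Added example, not from the original analysis. Assumes PowerShell 5.1+, admin rights.
$ErrorActionPreference = 'SilentlyContinue'

# 1. The persistence key named in the article (service "SxS"). Its mere presence is suspicious:
#    a legitimate NVIDIA helper is not normally installed as a service under that name.
$sxs = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SxS'
if ($sxs) {
    Write-Warning ("Service 'SxS' exists; ImagePath = {0}" -f $sxs.ImagePath)
}

# Turn a service ImagePath ("C:\x\nv.exe" -k foo, \SystemRoot\..., system32\...) into a file path.
function Get-ServiceBinaryPath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^(?i)system32\\', "$env:SystemRoot\system32\"
    if ($p -match '^"([^"]+)"') { return $Matches[1] }          # quoted path, arguments follow
    if ($p -match '^(?i)(.*?\.exe)') { return $Matches[1] }     # unquoted path up to .exe
    return $p.Trim()
}

# For a signed host executable, report every DLL beside it that is not signed by the same
# publisher, and any "*.dll.url" file (the loader's payload container in this campaign).
function Test-SideLoadCandidate {
    param([string]$ExePath)
    $exeSig = Get-AuthenticodeSignature -FilePath $ExePath
    if ($exeSig.Status -ne 'Valid') { return }                  # only trusted hosts are interesting
    $signer = $exeSig.SignerCertificate.Subject
    $dir    = Split-Path -Parent $ExePath

    foreach ($dll in Get-ChildItem -Path $dir -Filter '*.dll' -File) {
        $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
        $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '' }
        if ($dllSig.Status -ne 'Valid' -or $dllSigner -ne $signer) {
            [pscustomobject]@{
                Host       = $ExePath
                HostSigner = $signer
                File       = $dll.FullName
                Status     = $dllSig.Status
                FileSigner = $dllSigner
            }
        }
    }
    foreach ($url in Get-ChildItem -Path $dir -Filter '*.dll.url' -File) {
        [pscustomobject]@{
            Host       = $ExePath
            HostSigner = $signer
            File       = $url.FullName
            Status     = 'dll.url beside signed host'
            FileSigner = ''
        }
    }
}

# 2. Walk every installed service and apply the check to its binary.
Get-CimInstance -ClassName Win32_Service |
    ForEach-Object {
        $exe = Get-ServiceBinaryPath -ImagePath $_.PathName
        if ($exe -and (Test-Path -LiteralPath $exe)) { Test-SideLoadCandidate -ExePath $exe }
    } |
    Sort-Object Status, Host |
    Format-Table -AutoSize
```

Expect noise: plenty of legitimate software ships unsigned DLLs next to a signed executable, so triage hits by where the host lives (a vendor binary under a user profile, temp directory or other user-writable path is far more interesting than one under Program Files) and by whether the DLL's signer differs from the host's rather than merely being absent. A `.dll.url` beside a signed executable has no legitimate reason to exist and should be examined first. On hosts with Sysmon, the same pattern shows up live as an Event ID 7 (image loaded) where a signed image loads an unsigned DLL from its own directory.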
It's worth noting that the vulnerability exploited by the RTF document in this case, CVE-2012-0158 (a flaw in the MSCOMCTL ActiveX control, fixed in bulletin MS12-027), was patched by Microsoft in April 2012; the attackers are counting on the fact that many users fail to apply operating system and application updates.
A complete technical presentation of the attack is available on Sophos’ blog.