The attackers rely on the interest generated by Iran's oil and nuclear situation

Mar 14, 2012 11:15 GMT

Security experts have come across what may be a Chinese attempt to spy on members of the US military, exploiting the tension between Iran and the US over the former's oil supplies and nuclear program.

Bitdefender researchers came across a series of carefully crafted spam emails that push an apparently harmless Word document entitled “Iran’s Oil and Nuclear Situation.doc”. The researchers believe the campaign targets US military personnel because the malware it delivers has not been seen in mass spam.

When the document is opened, a Shockwave Flash object embedded in the file tries to load a malicious MP4 video from a remote server. The video triggers a Flash Player vulnerability that Adobe patched in February 2012, and the exploit then drops an executable that is itself embedded in the document.

Because the MP4 file that triggers the exploit is streamed from the Internet rather than stored in the attachment, an antivirus scanning the document may never see the malicious element. The executable hidden inside the document is also heavily obfuscated to avoid detection.
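The attack chain described above leaves static traces in the document even when the MP4 trigger is fetched remotely: a Flash (SWF) object has a recognisable header, the remote video must be named somewhere, and the dropped executable is a PE file. The following triage script, an added example rather than Bitdefender's tooling or the real sample, scans raw document bytes for those three indicators. It assumes the embedded objects are stored contiguously (OLE2 streams split across sectors can defeat a raw scan) and, since the article says the executable is obfuscated, treats the MZ/PE check as a bonus rather than a requirement; the sample document bytes and the hosting URL are constructed for the demo.

```python
"""Static triage for a Word document carrying an embedded Flash object
that loads a remote MP4 and drops an embedded executable.

Added example, not code from the article or from Bitdefender. The sample
document returned by build_sample_document() is constructed for the demo.
"""
import re
import struct

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib-compressed, LZMA-compressed SWF
MP4_URL_RE = re.compile(rb"https?://[\x21-\x7e]+?\.mp4", re.IGNORECASE)


def find_swf_objects(data):
    """Return (offset, signature, version, declared_length) for each plausible SWF header."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            i = data.find(magic, start)
            if i < 0:
                break
            start = i + 1
            if i + 8 > len(data):
                continue
            version = data[i + 3]                       # one-byte SWF version
            length = struct.unpack_from("<I", data, i + 4)[0]  # little-endian total length
            # Reject random text hits: real headers have a small version and a sane length.
            if 1 <= version <= 50 and 8 <= length <= 64 * 1024 * 1024:
                hits.append((i, magic.decode(), version, length))
    return hits


def find_mp4_urls(data):
    """Return every http(s) URL ending in .mp4 found in the raw bytes."""
    return [m.group(0).decode("ascii", "replace") for m in MP4_URL_RE.finditer(data)]


def find_pe_files(data):
    """Return offsets of 'MZ' headers whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits = []
    start = 0
    while True:
        i = data.find(b"MZ", start)
        if i < 0:
            break
        start = i + 1
        if i + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, i + 0x3C)[0]
        pe_off = i + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\0\0":
            hits.append(i)
    return hits


def triage(data):
    """Combine the indicators: SWF plus remote MP4, or an embedded PE, is suspicious."""
    swf = find_swf_objects(data)
    urls = find_mp4_urls(data)
    pes = find_pe_files(data)
    verdict = "suspicious" if (swf and urls) or pes else "clean"
    return {"swf": swf, "mp4_urls": urls, "pe_offsets": pes, "verdict": verdict}


def build_sample_document():
    """Constructed stand-in for the malicious .doc: OLE2 magic and padding,
    a zlib-compressed SWF header, a hypothetical MP4 URL, and an MZ/PE stub."""
    filler = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 16
    url = b"http://example.invalid/path/video.mp4"  # hypothetical hosting URL
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", pe, 0x3C, 0x40)         # e_lfanew -> PE header right after the DOS header
    pe += b"PE\0\0" + b"\x00" * 20
    return filler + swf + b"\x00" * 8 + url + b"\x00" * 8 + bytes(pe)


if __name__ == "__main__":
    for key, value in triage(build_sample_document()).items():
        print(f"{key}: {value}")
```

Run it against a real attachment with `triage(open(path, "rb").read())`. A hit on the SWF header alone is not proof of malice (legitimate documents can embed Flash), which is why the verdict requires the remote MP4 reference as well, or a fully formed PE header.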

Once executed, the payload, which Bitdefender detects as Gen:Variant.Graftor.15447, tries to contact a command and control (C&C) server located in China, from which it receives further instructions.

The campaign has the hallmarks of an advanced persistent threat (APT): once the payload establishes itself in a network, it is not easy to remove.

This isn’t the first campaign that appears to originate from China, but recent attempts have improved considerably, and the clever mechanisms they use give them a high rate of success.

One thing worth noting is that most of these malicious operations rely on vulnerabilities in widely used applications. In this case the exploited hole was patched only weeks earlier, but there are still successful campaigns that leverage weaknesses vendors fixed years ago.

This is why Internet users are always advised to apply the security updates provided by vendors as soon as they become available.