APT attackers spoof email sent by malware researcher
Posted on 16.04.2012
Pro-Tibetan activists and organizations currently seem to be one of the most targeted groups when it comes to emails with malicious attachments, and the people behind the attacks are constantly devising new and different schemes aimed at infecting the targeted machines.

An interesting example of such a malicious email has recently been spotted by FireEye researcher Alex Lanstein, who is currently monitoring these spam campaigns.

Interested in analyzing these emails and sharing his findings with the public, Lanstein sent an email to a number of actively targeted individuals whose email addresses he had thanks to VirusTotal, asking them if they would be willing to be mentioned in a blog entry about these types of attacks.

But one of the individuals on the BCC list to which he sent the email was already compromised, and the attackers lost little time in copying and pasting the text into a new email, spoofing Lanstein's email address, attaching a malicious PDF file and sending the spoofed email to other potential victims.

According to Trend Micro researcher Ivan Macalintal, the attachment - Next Generation Threats.pdf - exploits a vulnerability to drop malicious JavaScript, which in turn drops a RAT that connects to an IP address located in China.

It then sends user account names and passwords, a list of drives and files, and IM IDs and passwords to the server at that same address, and also opens a decoy PDF file containing a screenshot of FireEye's official website in order to mask the real nature of the attachment.

Once again, there are a few hints that the people behind the attack are Chinese. The email text was recreated in an official character set of the People's Republic of China, and a few Chinese characters can be found in the footer of the decoy PDF file.
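As an added defensive example (not code from Help Net Security, FireEye or Trend Micro), the following Python script triages a raw .eml for the three signs the article describes: a header From: that does not match the envelope sender, a body declared in a PRC character set, and a PDF attachment carrying script actions. The sample message it builds, the `.example` addresses and the list of charsets to surface are constructed for the example; the PDF keys it scans for are standard PDF action dictionary names.

```python
"""Added triage example: flag a raw .eml for spoofed sender, PRC character set
and PDF attachments with active content. Heuristic code written for this
article, not the researchers' or the vendors' own tooling."""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Standard PDF dictionary keys that introduce script or launch actions.
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")

# Charsets worth surfacing as a hint; gb2312 is an official PRC encoding.
# The exact set is an assumption made for this example.
CHARSETS_OF_INTEREST = {"gb2312", "gbk", "gb18030"}


def pdf_active_keys(data: bytes) -> list[str]:
    """Return the action keys present in raw PDF bytes (static scan, no rendering)."""
    return [key.decode() for key in PDF_ACTIVE_KEYS if key in data]


def envelope_mismatch(msg) -> bool:
    """True when the From: domain differs from the Return-Path domain.
    Without a Return-Path the check cannot decide and returns False."""
    _, header_from = parseaddr(str(msg.get("From", "")))
    _, envelope_from = parseaddr(str(msg.get("Return-Path", "")))
    if not header_from or not envelope_from:
        return False
    header_domain = header_from.rsplit("@", 1)[-1].lower()
    envelope_domain = envelope_from.rsplit("@", 1)[-1].lower()
    return header_domain != envelope_domain


def declared_charsets(msg) -> set[str]:
    """Collect every charset declared on any MIME part of the message."""
    found = set()
    for part in msg.walk():
        charset = part.get_content_charset()
        if charset:
            found.add(charset.lower())
    return found


def triage(raw: bytes) -> dict:
    """Parse a raw message and report the three indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    pdf_attachments = {}
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            payload = part.get_payload(decode=True)
            pdf_attachments[part.get_filename()] = pdf_active_keys(payload)
    return {
        "envelope_mismatch": envelope_mismatch(msg),
        "charset_hints": sorted(declared_charsets(msg) & CHARSETS_OF_INTEREST),
        "pdf_attachments": pdf_attachments,
    }


def build_sample() -> bytes:
    """Construct a stand-in for the lure (constructed sample, not the real email)."""
    msg = EmailMessage()
    msg["From"] = "researcher@vendor.example"          # spoofed header sender
    msg["Return-Path"] = "<relay@attacker.example>"    # actual envelope sender
    msg["To"] = "target@activist.example"
    msg["Subject"] = "Next Generation Threats"
    msg.set_content("Would you be willing to be mentioned in a blog entry?",
                    charset="gb2312")
    # Minimal PDF skeleton whose catalog fires a JavaScript action on open.
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
           b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
           b"%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="Next Generation Threats.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The charset and envelope checks are weak signals on their own, which matches the article's own word "hints"; a legitimate mailing list or forwarder also produces a Return-Path mismatch. The PDF scan is purely static and only looks for action dictionaries in the raw bytes, so objects hidden in compressed object streams would need a real PDF parser to surface.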

COPYRIGHT 1998-2014 BY HELP NET SECURITY.