Posted on behalf of Dan Bleaken, Malware Data Analyst, Symantec Hosted Services
Targeted attacks are arguably the most damaging type of internet threat. They take place via email, and are designed to target a specific individual or organisation. The aim is to extract sensitive or valuable information, which could then be used to gain competitive advantage, blackmail, harm reputation, gather intelligence, spy, steal secrets/designs/ideas, and so on. MessageLabs Intelligence experts are skilled at differentiating targeted attacks from other (bulk-mailed or spammed) malicious emails that are blocked by MessageLabs Skeptic anti-malware technology.
The approach attackers often use is to include legitimate details in the email while urging recipients to open a malicious attachment, so that their PC or network is compromised in some way. After all, this is the ultimate goal of the attacker. Two thirds of attacks are directed at the very highest seniorities in business and in government, since these people have access to the most valuable and/or sensitive data.
An effective way for attackers to capture the recipient’s attention is to give the emails an official, business or political theme, or to relate them to interesting or newsworthy events. MessageLabs Intelligence first saw a FIFA World Cup related attack at the end of March 2010, and reported it in this blog post: http://www.symantec.com/connect/blogs/targeted-attack-uses-fifa-world-cup-2010-hook. Other than the FIFA World Cup, we have seen targeted attacks relating to a great variety of newsworthy events, including the recent Iceland volcano: http://www.symantec.com/connect/blogs/icelandic-volcanic-eruption-used-targeted-attacks.
In March 2009 we saw a record number of attacks in a single month, during the G20 summit, when many attackers saw an opportunity to use the event to grab the attention of recipients. When President Obama was inaugurated, and when North Korea performed missile tests, we also saw bursts of similarly themed attacks. We also see more mundane themes, relating to topics such as pensions, and little-known corporate meetings or political conferences. However, it is important to note that those items may be of great interest to the recipient.
With the World Cup approaching rapidly and with attackers aware that the event is a global hot topic, the tournament is increasingly being used to lure potential victims. In addition to the FIFA World Cup attack we intercepted and reported in March, we have seen three others more recently, the details of which are described below.
The first attack:
This attack was targeted at a small number of users within a large, globally well-known US-based manufacturing business at 1522 GMT on 18/05/2010.
The attack was sent from a free web-based email service. Webmail services such as these are often favoured in targeted attacks, as discussed in Tony Millington’s blog at the end of March (http://www.symantec.com/connect/blogs/why-some-webmail-services-may-be-favored-targeted-attacks) and in the March MessageLabs Intelligence report (http://www.messagelabs.com/mlireport/MLI_2010_03_Mar_FINAL-EN.pdf). Using webmail adds legitimacy to attacks and often makes it more difficult to trace the location of the sender, depending on which webmail service is used.
The crucial part is the line ‘Enclosed is the full match schedule of South Africa 2010 World Cup, in which American matches are highlighted’. This is known as the ‘hook’ or ‘call to action’ which the attackers add to tempt the recipient into opening the attached file named ‘2010_FIFA_WORLD_CUP.zip’, which contains an Excel document named ‘2010_FIFA_WORLD_CUP.xls’.
It is relatively uncommon to see targeted attacks using Excel documents. Normally we see PDF or Word documents or straight exe files. For the targeted attacks intercepted since the start of April, the attached file types used break down as follows:
It’s also relatively uncommon to see malicious documents contained in a zip archive.
Upon opening the Excel file, Excel opens, quickly closes and reopens, displaying the World Cup spreadsheet with all the current groups, the teams playing in them and when they are playing, allowing the owner to add in the results as the World Cup happens. During this time, a file named temp.temp, which is actually an executable, is dropped in c:\documents & settings\<username>\Local Settings\
When the executable runs it makes an initial connection to a well-known search engine. After that it makes connections to an IP address in Indonesia. This is a ‘backdoor’, or a method of bypassing normal authentication, which constantly connects to the hacker’s machine to tell it that a computer is accessible. From this point on, the hacker has access to the victim’s computer. This enables the attacker to stealthily access data on the victim’s PC, and/or access other systems on that network. Note the reversed roles in this scenario: the ‘server’ (infected machine) attempts to contact the ‘client’ (attacker), rather than the other way round.
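As an added example (not code from the original post or from MessageLabs), here is a small Python detector that runs over constructed endpoint telemetry modelled on the behaviour just described: an Office process writing a file whose content starts with the PE ‘MZ’ header, that file being launched, and the launched process connecting outbound. Event field names, paths and IP addresses are assumptions.

```python
import re

# Constructed sample telemetry modelled on the behaviour described above:
# Excel writes temp.temp (a PE file despite its name) into Local Settings,
# the dropped file runs, checks connectivity, then beacons out.
# Field names, paths and addresses are assumptions, not a real product schema.
SAMPLE_EVENTS = [
    {"t": 1, "kind": "process_start", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE"},
    {"t": 2, "kind": "file_write", "pid": 100, "magic": "MZ",
     "path": r"C:\Documents and Settings\alice\Local Settings\temp.temp"},
    {"t": 3, "kind": "process_start", "pid": 200, "ppid": 100,
     "image": r"C:\Documents and Settings\alice\Local Settings\temp.temp"},
    {"t": 4, "kind": "net_connect", "pid": 200, "dst": "198.51.100.5", "port": 80},
    {"t": 5, "kind": "net_connect", "pid": 200, "dst": "203.0.113.10", "port": 80},
    # Benign: Excel saving a real spreadsheet (OLE2 header, not MZ).
    {"t": 6, "kind": "file_write", "pid": 100, "magic": "\xd0\xcf",
     "path": r"C:\Documents and Settings\alice\My Documents\2010_FIFA_WORLD_CUP.xls"},
]

OFFICE_IMAGES = re.compile(r"\\(EXCEL|WINWORD|POWERPNT)\.EXE$", re.IGNORECASE)


def find_office_drop_and_beacon(events):
    """Correlate: Office writes a PE -> that PE executes -> it connects out."""
    office_pids = set()   # pids of Office applications seen starting
    dropped = set()       # lower-cased paths of PE files written by Office
    spawned = {}          # pid -> path, for processes started from a dropped PE
    findings = []         # (finding_name, detail) tuples in event order
    for ev in sorted(events, key=lambda e: e["t"]):
        kind = ev["kind"]
        if kind == "process_start" and OFFICE_IMAGES.search(ev["image"]):
            office_pids.add(ev["pid"])
        elif kind == "process_start" and ev["image"].lower() in dropped:
            spawned[ev["pid"]] = ev["image"]
            findings.append(("dropped_pe_executed", ev["image"]))
        elif kind == "file_write" and ev["pid"] in office_pids and ev.get("magic") == "MZ":
            dropped.add(ev["path"].lower())
            findings.append(("office_wrote_pe", ev["path"]))
        elif kind == "net_connect" and ev["pid"] in spawned:
            findings.append(("dropped_pe_beacon",
                             f'{spawned[ev["pid"]]} -> {ev["dst"]}:{ev["port"]}'))
    return findings


if __name__ == "__main__":
    for name, detail in find_office_drop_and_beacon(SAMPLE_EVENTS):
        print(f"{name}: {detail}")
```

Both outbound connections by the dropped process are reported, which matches the connectivity check followed by the real beacon described above; the benign spreadsheet save is ignored because its header is not ‘MZ’.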
The second attack intercepted is similar, encouraging recipients to open an attached, malicious, World Cup match schedule. It was targeted at two users, one in a high profile inter-governmental organisation, and one in a globally-recognised charitable organisation.
Again, this attack creates a backdoor to the victim’s machine, enabling the attacker to stealthily help themselves to data on the victim’s PC.
The final attack:
In this email, the attacker simply cut and pasted text from a legitimate site set up by the Niall Mellon Township Trust, a charity dedicated to building homes for the poor of South Africa’s townships (http://www.worldcupprediction.com, safe to visit, shown below). The site contains all the details needed to enter a prediction league which they have set up to raise money for the charity.
<Legitimate World Cup Prediction website>
The attacker downloaded a document from that site (circled above) that contains details of all the tournament matches and allows predictions of game results to be filled in, updating group tables and fixtures (http://www.worldcupprediction.com/uploads/1/3/6/8/1368061/wc-entrysheet-worldcup2010.xls, safe to open, shown below).
Next, the attacker added malicious content to that Excel document, attached it to the email, and mailed it to the targeted recipients. This is very similar to the approach taken in my previous blog http://www.symantec.com/connect/blogs/targeted-attack-uses-fifa-world-cup-2010-hook, where the attacker altered a document downloaded from a legitimate Safari company.
Interestingly, the two users targeted in this attack were exactly the same two users that were targeted just six days earlier, in the ‘World Cup 2010 Schedule’ example above. This is a fine example of how some recipients are attacked repeatedly. MessageLabs Intelligence frequently sees certain users in certain organisations attacked again and again, month after month, either by one gang or by multiple gangs. The attackers clearly have these particular users in their sights, and they are determined to get their attack through to them and access their sensitive or valuable data.
MessageLabs Intelligence blocked the attacks not using signature-based detection (useless on such carefully crafted, fresh attacks), but using its Skeptic anti-malware technology to identify suspicious/malicious characteristics of the email and the Excel attachment. We also pay special attention to users or organisations that we know to be repeatedly targeted. At the time of the attacks above, just 10-20 percent of other security vendors would have blocked them.
Detecting targeted attacks (arguably one of the most damaging threats to businesses/organisations) is among MessageLabs Intelligence’s specialties. For more information about targeted attacks, take a look at the whitepaper, ‘Targeted Trojans take aim’ http://tinyurl.com/2duvl87.