Federal Friday - 3.28.14 - History Repeats in Current Phishing Campaigns

Blog Post created by jschim Employee on Mar 26, 2014

Happy Friday, federal friends! Spring has sprung! While some of us had a touch of winter this week, we avoided the big hit and it looks like nothing but sunshine on the horizon, which means summah is around the corner! Speaking of summer, who's going to Vegas for Black Hat, B-Sides and DEF CON? Drop me a line here if you are!


Attackers, being the solid humans they are, have decided to pile on the recent tragedy of Malaysia Airlines Flight MH370. In the wake of the disappearance, FireEye published a blog report on two spear-phishing attacks targeting government institutions and think tanks. The first targeted a government in the Asia-Pacific region with a .doc attachment that silently executed code in the background and dropped a variant of the Poison Ivy remote access trojan onto the victim's machine. The document appeared to contain information about the flight, and given the flood of misinformation coming from every direction, this nasty little attachment was bound to be clicked, especially since it was sent just two days after MH370 went missing. The decoy document itself was actually blank, which suggests the campaign was pushed out in a hurry to capitalize on the chaos immediately after the disappearance. FireEye reports that they have seen this tactic before, from the same group, which they track as Admin@338.


In a second, related attack a few days later, Admin@338 targeted a major U.S.-based think tank. The tactics here were a little more sophisticated: the attachment was made to look like a CNN video clip about the incident, and the executable was given a Flash icon to disguise it. The name and icon are the only disguise, though; the file is still a Windows executable, and it behaves like one the moment someone double-clicks it. The malware still delivered Poison Ivy, but this version behaved slightly differently from the earlier one by relying on a feature available only from Windows 7 onward. The silver lining? If you are still running XP machines, a reboot will mitigate this version of the malware, because the feature it depends on isn't there. FireEye noted that although this effort was more involved than a blank .doc, it still seemed rushed: even a full six days after MH370 went missing, and with some aspects of the campaign changed, the end result was sloppy.


That being said, just because these spear-phishing campaigns were rushed and not overly sophisticated doesn't mean they won't affect your organization.


Another threat materialized within the last week: Microsoft disclosed a zero-day vulnerability in Microsoft Word that is being exploited in the wild. The attack uses a complex chain of exploits, but the kicker comes from Outlook: as Microsoft noted earlier this week, simply previewing a malicious email can compromise your computer when Word is the email viewer in Outlook (which it is by default in recent versions). This is a big issue because, while the attacks seen so far are aimed at Word 2010, the same vulnerability lies in wait in Word 2003, 2007, 2013 and 2013 RT (for tablets running ARM processors). The exploit is delivered via a specially crafted RTF file, and it works whether Word opens the file directly or renders it in the Outlook preview pane. The vulnerability was unknown until these attacks began, and the exploit was discovered in much the same way as a campaign launched last year. On top of all that, the vulnerability also affects Office for Mac, so both Windows and OS X users are in range. Until a patch ships, Microsoft's advisory offers a Fix it that disables opening RTF content in Word, and reading email in plain text removes the preview-pane vector; both are worth applying now.
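The common thread in the MH370 "video clip" lure above and in the RTF zero-day is that the attachment's name and icon lie about what the bytes actually are. The following is an added example (mine, not code from the original post, from FireEye or from Microsoft) of an attachment triage check that ignores name and icon and classifies each attachment by its leading bytes, flagging executables, RTF content and name/content mismatches. The messages and attachment bytes it processes are constructed stand-ins (a PE stub, an RTF header, an OLE header), not real samples, and the filenames, subject lines and example.invalid addresses are made up.

```python
"""Attachment triage by magic bytes instead of by filename or icon.

Added example: the sample messages below are constructed, not real lures.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Leading bytes of the container formats discussed in the post (PE executable,
# RTF, legacy OLE .doc) plus the video/Flash formats a "CNN clip" lure would claim.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                                 # .docx and archives
    (b"FLV\x01", "flv"),
    (b"FWS", "swf"), (b"CWS", "swf"), (b"ZWS", "swf"),
]

# What each claimed extension should contain if the name is honest.
EXPECTED = {
    ".exe": {"pe-executable"}, ".scr": {"pe-executable"},
    ".doc": {"ole-compound", "rtf"},   # Word also opens RTF that is saved as .doc
    ".docx": {"zip"},
    ".rtf": {"rtf"},
    ".flv": {"flv"}, ".swf": {"swf"},
}


def sniff(data: bytes) -> Optional[str]:
    """Identify an attachment by its leading bytes, ignoring name and icon."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons (if any) this attachment deserves a block or a look."""
    findings = []
    kind = sniff(data)
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if kind == "pe-executable":
        # A PE is a PE whatever icon or name it carries (the "video clip" lure).
        findings.append(f"{filename}: PE executable content")
    if kind == "rtf":
        # While the Word RTF zero-day is unpatched, RTF is an exploit vector on its own.
        findings.append(f"{filename}: RTF content")
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append(f"{filename}: claims {ext} but content is {kind or 'unknown'}")
    # Double extensions ("clip.flv.exe") are a classic disguise for executables.
    parts = name.split(".")
    if len(parts) > 2 and parts[-1] in ("exe", "scr", "com", "pif"):
        findings.append(f"{filename}: double extension hiding executable")
    return findings


def triage_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 822 message and triage every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        findings.extend(triage_attachment(fname, payload))
    return findings


def build_samples() -> dict[str, bytes]:
    """Constructed messages mimicking the two lures; attachment bytes are stubs."""
    samples = {}

    m = EmailMessage()  # "CNN video clip" that is really an executable
    m["From"], m["To"] = "news@example.invalid", "analyst@example.invalid"
    m["Subject"] = "CNN: MH370 video clip"
    m.set_content("See the attached clip.")
    # The Flash icon would live in the PE resources; the bytes still start with MZ.
    m.add_attachment(b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200,
                     maintype="application", subtype="octet-stream",
                     filename="MH370_CNN_clip.flv.exe")
    samples["video_lure"] = m.as_bytes()

    m = EmailMessage()  # RTF content carrying a .doc name
    m["From"], m["To"] = "info@example.invalid", "analyst@example.invalid"
    m["Subject"] = "MH370 flight information"
    m.set_content("Details attached.")
    m.add_attachment(b"{\\rtf1\\ansi\\deff0 " + b"\\par " * 50 + b"}",
                     maintype="application", subtype="msword",
                     filename="MH370_details.doc")
    samples["rtf_lure"] = m.as_bytes()

    m = EmailMessage()  # honest legacy .doc; should produce no findings
    m["From"], m["To"] = "colleague@example.invalid", "analyst@example.invalid"
    m["Subject"] = "Agenda"
    m.set_content("Agenda attached.")
    m.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504,
                     maintype="application", subtype="msword", filename="agenda.doc")
    samples["benign_doc"] = m.as_bytes()
    return samples


if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(label, triage_message(raw) or ["clean"])
```

The check deliberately says nothing about icons or MIME types: both are attacker-controlled, while the first bytes of the payload are what Windows and Word actually act on. In a mail gateway you would quarantine on the PE and RTF findings outright and route the mismatches to a reviewer.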


Stay ever-vigilant folks, the hits just keep on coming.



Speaking of hits, remember this one?


[animated movie GIF]