Researchers say members of the North Atlantic Treaty Organization were targeted during the holidays by a unique document-based attack that evades discovery by lying dormant when it detects a security researcher’s test environment.
Characteristics of this attack, according to researchers at Cisco Talos, also include a complex workflow process that includes distinct “nested” objects embedded within each other. “The analyzed document is a RTF document with a succession of embedded objects,” wrote David Maynor, Paul Rascagneres, Alex McDonnell and Matthew Molyett, each of whom contributed to the report.
Cisco Talos believes the objective behind the attacks is to perform reconnaissance on NATO members, and at the same time avoid detection by sandbox systems.
This nested framework begins with an RTF document called “NATO Secretary meeting.doc” that includes an OLE object, also known as Object Linking and Embedding, used for linking to additional documents or objects. In the case of this OLE, contains a Adobe Flash object, according to Cisco Talos.
The use of OLE embedding to deliver malicious files is becoming more common. Last year, Microsoft warned of an uptick in reported cases where malware authors were using malicious documents that misuse the legitimate Office object linking and embedding capabilities in Word documents in order trick users into enabling and downloading malicious content.
“The purpose of the Adobe Flash (object) is to extract a binary blob embedded in itself via ActionScript execution,” researchers wrote. In turn, the ActionScript contains the URL of the command-and-control servers and also utilizes HTTP connections to send system profile information (OS version and Adobe Flash version) to the command and control server.
“This information can be used by the attacker as a decision point regarding the interest in the victim. If the infected system looks like a sandbox or a virtual machine, the operator could ignore the request and the ActionScript is finished,” the researchers wrote.
Next, if the system is deemed desirable and not suspected of being a security researcher’s test environment, the malicious activity continues with the function “expLoaded()” (or exploit loaded) executed.
That triggers the decryption of a nested SWF Adobe Flash object. Here the ActionScript is utilized to unpack and decrypt the SWF file and at the same time query via HTTP to retrieve the payload, Cisco said.
“The Adobe Flash requests a payload and an Adobe Flash exploit which is loaded and executed on the fly. This approach is extremely clever, from the attacker point of view, the exploit is not embedded in the document making it more difficult to detect for some security devices than the standard Word (document) Trojan,” researchers wrote.
Lastly, a second malicious Adobe Flash file is decyrpted and executed via the flash.display.Loader() API, according researchers. However, details on the actual payload are scant. Cisco Talos will only say: “The malicious payload has recently been replaced to return a substantial amount of junk data to inhibit investigation.”
Researchers said that during their analysis they believe the cyber criminals were aware security researchers were investigating their infrastructure and decided to booby-trap the infrastructure to create research roadblocks by generating the junk data.
“These are the characteristics of reasonably advanced attackers who have designed an efficient minimalist framework that was able to adapt purposes on the fly,” Cisco Talos researchers wrote.
Researchers believe that NATO members were targeted based on the file name of the document which is “NATO Secretary meeting.doc”.
(Correction: This story removed all previous descriptions of this attack method as being related to macro-based malware.)