Phishing Campaign Using Military, Illicit Attachments

Look out for email attachments offering better sex tips and news about newly developed Chinese stealth frigates, because they are loaded with malware, according to a Securelist report written by Kaspersky Lab expert, Ben Godwood.

The malware is fairly old and not particularly advanced, but a lot of it has been trying to pass through the Kaspersky security network lately and on a very regular basis. Godwood advises that you just don’t open attached documents with titles like: “EAT FOR BETTER SEX.doc,” “How to last longer in bed.doc,” “6 Awkward Sex Moments, Defused.doc,” “9 ways to have better, hotter, and more memorable sex.doc,” and “10 Ways to Get More Sex.doc.”

You’ll also want to avoid these potentially fascinating attachments: “Stealth Frigate.doc,” “The BrahMos Missile.doc,” and “How DRDO failed India’s military.doc.”

There is also a third category of malicious documents with roughly the same subjects, but written in Cyrillic characters: “приоритеты сотрудничества.doc,” “Список участников рабочей группы(0603-2013).doc,” and “Список кадров.doc Приглашение МИОМ ТЕЙКОВО 2013.doc”

If a user happens to open one of these attachments, he or she will be presented with a decoy document that actually contains what it claims to contain. Godwood posted two of them with his report: one was about a new stealth frigate for the Chinese military, and the other had to do with the relationship between a healthy diet and “better sex.”

The malware samples hiding inside these attachments are Enfal variants, which researchers from TrendMicro wrote about in their Lurid targeted attacks analysis in September 2011. Back then, Enfal’s progenitors were trying to snare government ministries and agencies, military and defense contractors, nuclear and energy sectors, space and aviation, and the Tibetan community. The countries in which the most machines were compromised were Vietnam, Russia, India, China, and Bangladesh.

Godwood said that this second wave of phishing emails appears to be coming from Australia and the Republic of Korea via “mail.mailftast.com.” That domain’s IP address is fairly dynamic, according to Godwood, but the domain is registered to a Liu Runxin in Shanghai, China.

“When the exploit runs it creates and executes a file called ‘wordupgrade.exe,’” writes Godwood. “This executable drops a DLL called ‘usrsvpla.dll’ into the system32 directory and modifies the ‘WmdmPmSN’ (Portable Media Serial Number Service) registry key to load the DLL into svchost.exe.”

Kaspersky is detecting the “wordupgrade.exe” file as “Trojan-Dropper.Win32.Datcaen.d” and the “usrsvpla.dll” file as “Trojan.Win32.Zapchast.affv.”

The most recent samples picked up by Godwood phone home to a command and control server at “yui.bcguard.com,” which has the same registration details as the mail domain above. However, the C&C domain’s IP address is a Chinese one, while the mail domain’s IP is in the U.S. Other domains registered to Liu Runxin include “timmf.com,” “bcbtheory.com,” “bellbuttons.com,” “atmdzxgs.com,” “coffeeibus.com,” and “cymdbd.com.”
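For defenders who want to sweep their own telemetry for the indicators named above, here is an added example (not code from Godwood's report or from Kaspersky) that triages DNS, file and registry events against them. The event schema, the sample events and the registry path layout are assumptions made for the illustration; the domains, file names and service name come from the article.

```python
from pathlib import PureWindowsPath

# Indicators quoted in the article. HIGH = named mail/C&C hosts and dropped files;
# LOW = domains linked only by a shared registrant (pivot leads, weaker evidence).
HIGH_DOMAINS = {"mail.mailftast.com", "yui.bcguard.com"}
LOW_DOMAINS = {"timmf.com", "bcbtheory.com", "bellbuttons.com",
               "atmdzxgs.com", "coffeeibus.com", "cymdbd.com"}
DROPPED = {"wordupgrade.exe", "usrsvpla.dll"}
SERVICE = "wmdmpmsn"  # service whose registry key the dropper modifies

def match_domain(host, indicators):
    """True if host equals an indicator or is a subdomain of one (label-aligned)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)

def triage(event):
    """Return (severity, reason) for one event dict, or None if nothing matches."""
    kind, value = event["type"], event["value"]
    if kind == "dns":
        if match_domain(value, HIGH_DOMAINS):
            return ("high", "mail/C&C host from the report")
        if match_domain(value, LOW_DOMAINS):
            return ("low", "domain sharing the registrant")
    elif kind == "file":
        name = PureWindowsPath(value).name.lower()
        if name in DROPPED:
            return ("high", "dropped file name: " + name)
    elif kind == "registry":
        if SERVICE in value.lower().split("\\"):
            data = event.get("data", "").lower()
            if PureWindowsPath(data).name in DROPPED:
                return ("high", "WmdmPmSN service points at dropped DLL")
            return ("review", "WmdmPmSN service key written")
    return None

# Constructed sample events (hypothetical schema and paths), not real telemetry.
SAMPLE = [
    {"type": "dns", "value": "YUI.bcguard.com."},
    {"type": "dns", "value": "notbellbuttons.com"},  # look-alike, must not match
    {"type": "dns", "value": "cdn.bellbuttons.com"},
    {"type": "file", "value": r"C:\Users\a\AppData\Local\Temp\WordUpgrade.exe"},
    {"type": "registry",  # assumed svchost-style service layout
     "value": r"HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Parameters\ServiceDll",
     "data": r"%SystemRoot%\system32\usrsvpla.dll"},
]

def run(events=SAMPLE):
    """Triage every event and return (index, severity, reason) for each hit."""
    return [(i, *hit) for i, e in enumerate(events) if (hit := triage(e))]

if __name__ == "__main__":
    for row in run():
        print(row)
```

Hits on the registrant-linked domains are graded lower because the article ties them to the campaign only through shared registration details.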
