Researchers at anti-malware company F-Secure say they have found the actual infected Excel file that was used in the attack on RSA earlier this year, eventually forcing the company to replace millions of its SecurID tokens. The Outlook email message containing the malicious file apparently was uploaded to Virustotal in March and the researchers dug it out this week.
If the message and attachment that F-Secure researcher Timo Hirvonen found is indeed the same one used in the RSA attack–and the file name and description do fit what RSA has said publicly–then neither the attack nor the message’s social engineering tactics appear to very sophisticated. The subject line of the email is “2011 Recruitment Plan” and the Excel attachment had the same name. The email appeared to come from the address “webmaster [at] beyond dot com”, a job recruitment site.
The email itself contains just one line of text, which in the grand tradition of phishers everywhere, is in fourth-grade English:
“I forward this file to you for review. Please open and view it.” That’s the entire contents of the message. Once the victim double-clicked on the Excel file, it opened a spreadsheet with no real contents other than the malicious Flash object that then exploited a Flash vulnerability. The exploit then plants the Poison Ivy backdoor on the machine and the attack is over.
“After this, Poison Ivy connects back to it’s server at good.mincesur.com. The domain mincesur.com has been used in similar espionage attacks over an extended period of time. Once the connection is made, the attacker has
full remote access to the infected workstation. Even worse, it has full
access to network drives that the user can access. Apparently the
attackers were able to leverage this vector further until they gained
access to the critical SecurID data they were looking for,” F-Secure Chief Research Officer Mikko Hypponen wrote in a blog post.
A Virustotal employee said on Twitter Friday morning that the same file, albeit with a different name, was submitted to the malware-checking service by a separate user, as well.
The details of the RSA attack and the message used to execute it show how difficult it can be to prevent intrusions, even when they involve relatively simplistic tactics. RSA officials have said that the message was sent to four of its employees and it was in fact caught by the company’s spam filters. However, one of the targeted employees pulled the email from the spam folder, opened it and opened the attachment. That’s just simple human error, which was then combined with a Flash zero-day vulnerability to compromise RSA and its SecurID product.
“The
attack email does not look too complicated. In fact, it’s very simple.
However, the exploit inside Excel was a zero-day at the time and RSA
could not have protected against it by patching their systems,” Hypponen wrote. “The email wasn’t advanced. The backdoor they
dropped wasn’t advanced. But the exploit was advanced. And the ultimate
target of the attacker was advanced. If somebody hacks a security vendor just to gain
access to their customers systems, we’d say the attack is advanced, even
if some of the interim steps weren’t very complicated.”