“Not a day passes by without hearing of someone hit by a targeted attack,” said Rapid7 researcher Claudio Guarnieri, in a blog post. “Recently, the growth of amount and scale of targeted attacks has come to the point where they are starting to look more like opportunistic carpet bombings rather than ninja strikes. It's common to observe attacks pulled off successfully without any particular sophistication in place, including [these].”
He noted that it’s also difficult to attribute the attacks to any state-sponsored unit, because there's a generic lack of strong evidence in such incidents, but “frankly also because almost anybody could operate such campaigns and be reasonably successful,” he said. “The only differentiation between actors at this point exclusively relies on identifying the motivations and the context.”
Motivation in KeyBoy’s case seems to be credential theft, indicating typical criminal activity. Both attacks operate in the same way, installing a backdoor that does several things, including stealing credentials from Internet Explorer and Mozilla Firefox, installing a keylogger for intercepting credentials on Google Chrome, and operating in an interactive mode to allow the attacker to perform additional investigation on the compromised system and exfiltrate data.
The Southeast Asian attack is spread via spam containing a malicious Word document, written in Vietnamese, which appears to be reviewing and discussing best practices for teaching and researching scientific topics.
“We have no knowledge on the identity of the target, but we can assume he might be part of the Vietnamese academic community,” said Guarnieri. “The document is named to Nguyen Anh Tuan, which is presented as author of this crafted text.”
The document leverages vulnerabilities patched by MS12-060; when it is opened with a vulnerable version of Microsoft Word, the exploit initiates the infection routine.
Rapid7 also identified another document exploiting CVE-2012-0158, this time targeting Indian individuals. The bait in that case is related to the state of telecommunication infrastructure in the district of Calcutta in India, discussing the coverage of GSM networks and availability and stability of broadband connections.
“Also for this intrusion we can't know the identity of the target, but our hypothesis is either someone in the telecommunications industry or a representative of the local government,” said Guarnieri. “In this case, this crafted document pretends to be authored by someone called Amir Kumar Gupta.”
The attacks are not widespread, and Rapid7 urges that, “as in any other targeted attack case, we should not create alarmism for threats that are likely irrelevant for the majority of organizations.” Guarnieri noted that “just because these attacks are conceptually targeted, it doesn't necessarily mean that they should have a higher priority than any other threat on your security program. Our suggestion remains the same: identify your core assets, recognize the most impactful threats to such assets and inform and protect yourself accordingly.”
The simplest way to identify an infection on a given Windows system is to look for the existence of the file C:\WINDOWS\system32\CREDRIVER.dll, or of a service called MdAdum.
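The host check described above, as an added example that is not part of the Rapid7 post: a PowerShell script that looks for the two KeyBoy indicators named in the article (the CREDRIVER.dll file under system32 and a service called MdAdum) on the local Windows machine and reports what it finds. The only indicators it uses are the two from the article; the file hash and service details it records are assumptions about what a responder would want to preserve, not values taken from the page.

```powershell
# Added example (not from the Rapid7 post): check one Windows host for the two
# KeyBoy indicators named in the article. Run from an elevated PowerShell prompt.
$IndicatorFile    = Join-Path $env:SystemRoot 'system32\CREDRIVER.dll'
$IndicatorService = 'MdAdum'

$findings = @()

# Indicator 1: the dropped DLL. Record size and SHA-256 so the evidence can be
# compared across hosts (hash value is whatever is on disk, nothing is assumed).
if (Test-Path -LiteralPath $IndicatorFile) {
    $item = Get-Item -LiteralPath $IndicatorFile
    $hash = (Get-FileHash -LiteralPath $IndicatorFile -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Indicator = 'File'
        Value     = $IndicatorFile
        Detail    = "size=$($item.Length) sha256=$hash lastwrite=$($item.LastWriteTimeUtc.ToString('u'))"
    }
}

# Indicator 2: the service. The article does not say whether MdAdum is the
# internal name or the display name, so match on either.
$svc = Get-CimInstance -ClassName Win32_Service `
    -Filter "Name = '$IndicatorService' OR DisplayName = '$IndicatorService'" `
    -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{
        Indicator = 'Service'
        Value     = $svc.Name
        Detail    = "state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No KeyBoy indicators found on $env:COMPUTERNAME"
} else {
    Write-Warning "KeyBoy indicators found on $env:COMPUTERNAME - isolate the host and preserve evidence before remediating"
    $findings | Format-Table -AutoSize
}
```

Because the service query goes through CIM, the same script can be pointed at other machines with `Get-CimInstance -ComputerName` (and the file check swapped for an administrative share path) to sweep a fleet; a hit is a reason to image the host and collect the binary, not just to delete the file, since the backdoor's interactive mode means the attacker may have already pulled data from it.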