The email contains a malicious attachment, which exploits a known and patched vulnerability (CVE-2012-0158) in Microsoft Office (all versions from Office 2003 to Office 2010 were affected). Though the flaw was patched more than a year ago, apparently updates are still not being made.
In fact, the vulnerability used in this attack is one that is commonly used by targeted attacks. High-profile campaigns like Safe and Taidoor have made use of this vulnerability, and “if anything it’s a commonly targeted flaw in sophisticated campaigns,” TrendLabs researchers noted in a blog.
The exploit is used to drop a backdoor onto the system, which steals login credentials for websites and email accounts from Internet Explorer and Microsoft Outlook. It also opens a legitimate dummy document, to make the target believe that nothing malicious happened.
The email appears to have been sent from a Gmail account and did not use a Chinese name, but Trend Micro uncovered that stolen information is uploaded to two IP addresses, both of which are located in Hong Kong.
“This particular attack was aimed primarily at both personnel belonging to Europe and Asia governments,” TrendLabs researchers said. “The message was sent to 16 officials representing European countries alone. The topic of the email – and the attached document – would be of interest to these targets. In addition, the information stolen and where it was stolen from – is very consistent with targeted attacks aimed at large organizations that use corporate mainstays like Internet Explorer and Outlook.”
Interestingly, Chinese media organizations were also targeted by this attack. The backdoor itself has also been detected in the wild and has been most frequently seen in China and Taiwan, with a more limited presence in other Asian countries.
Trend Micro recently found that targeted and advanced persistent threat (APT) attacks – certainly those against government agencies and large corporations – are almost entirely dependent upon spear-phishing emails. While it may not be surprising that spear-phishing is the opening gambit of an APT attack, it is perhaps more surprising that the infection vector is so predominantly (94%) a malicious attachment rather than a drive-by lure. (These figures may well be different for mass mail scams rather than targeted attacks.) In all, a full 91% of attacks start with a socially engineered email.