
Chinese malware takes advantage of Iran nuclear tension

Cybercriminals from China appear to be exploiting the rising political tension over Iran's suspected covert nuclear weapons program to sneak malware onto computers, a computer security firm reported this week.
 
BitDefender said the latest targeted attack uses a browser plugin exploit delivered through a Word (.doc) document attached to spam e-mail.
 
"The English-language document - titled 'Iran's Oil and Nuclear Situation.doc' - bets on user curiosity over political tension between the West and Iran," it said in a blog post.
 
"This is clearly a targeted attack – it may aim at US military staff involved in Iranian military operations. The malware has not been delivered by mass spam and has not shown up in 'honeypots,' or e-mail addresses used by the antivirus industry to attract and catch malware," it added.
 
It also said the malware comes from China and connects to command-and-control servers that host many other Chinese websites.
 
"We have seen multiple attacks on the US government coming from China – from the notorious Operation Aurora to the massive phishing of US and Taiwanese officials," it said.
 
BitDefender said the document in the mail contains a Shockwave Flash applet that tries to load a video file (.mp4) from an IP address.
 
The video was crafted to include a valid header so it can legitimately identify itself as MP4, but the rest of the file is filled with 0x0C values.
 
"When the file loads and the Flash Player tries to render the MP4, it triggers an exploit in the Adobe Flash plugin (CVE-2012-0754), which ultimately drops an executable file embedded in the initial .doc," it said.
 
It said this means the PC will already be exploited by the time an antivirus would normally scan the file.
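As an added illustration of the lure described above (this is example code written for this page, not BitDefender's analysis or any product's detection logic), the following Python heuristic walks the MP4 box structure, confirms that the file opens with a valid header, and then checks whether the rest of the file is dominated by a single filler byte. The box walker, the sample files and the 0.9 ratio threshold are all constructed assumptions for the example.

```python
import struct
from collections import Counter

def parse_boxes(data):
    """Walk top-level ISO BMFF (MP4) boxes; return [(type, size)] and the offset where parsing stopped."""
    boxes, off = [], 0
    while off + 8 <= len(data):
        size = struct.unpack(">I", data[off:off + 4])[0]
        btype = data[off + 4:off + 8]
        if size == 1 and off + 16 <= len(data):     # 64-bit 'largesize' form
            size = struct.unpack(">Q", data[off + 8:off + 16])[0]
        elif size == 0:                              # box runs to end of file
            size = len(data) - off
        if size < 8 or not btype.isalnum() or off + size > len(data):
            break                                    # malformed box: stop, the rest is unparsed
        boxes.append((btype, size))
        off += size
    return boxes, off

def assess_mp4(data, threshold=0.9):
    """Flag a file that parses as MP4 at the front but is mostly one filler byte after its header.
    The 0.9 threshold is an assumption chosen for this example, not a published detection rule."""
    boxes, parsed_end = parse_boxes(data)
    valid_header = bool(boxes) and boxes[0][0] == b"ftyp"
    body = data[boxes[0][1]:] if valid_header else data
    filler_byte, count = Counter(body).most_common(1)[0] if body else (None, 0)
    ratio = count / len(body) if body else 0.0
    return {
        "valid_header": valid_header,
        "unparsed_bytes": len(data) - parsed_end,   # bytes the box walker could not make sense of
        "filler_byte": filler_byte,
        "filler_ratio": ratio,
        "suspicious": valid_header and ratio >= threshold,
    }

def _mp4_with_body(body):
    """Build a minimal valid 'ftyp' box (major brand isom) followed by an arbitrary body."""
    ftyp_body = b"isom" + struct.pack(">I", 0x200) + b"isom"
    return struct.pack(">I", 8 + len(ftyp_body)) + b"ftyp" + ftyp_body + body

# Constructed samples (not real captures): a lure padded with 0x0C after a valid header, and a
# benign-looking file whose body is a well-formed 'mdat' box containing varied bytes.
SAMPLE_LURE = _mp4_with_body(b"\x0c" * 4096)
SAMPLE_BENIGN = _mp4_with_body(struct.pack(">I", 8 + 1024) + b"mdat" + bytes(range(256)) * 4)

if __name__ == "__main__":
    for name, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, assess_mp4(blob))
```

A file that passes a header-only type check yet reports a high filler ratio and a large unparsed tail is worth holding for inspection, since a plain magic-bytes check would wave it through.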
 
Also, the malicious file delivered inside the .doc file (us.exe) has multiple layers of obfuscation to dodge detection.
 
BitDefender said the dropped file, which is 4.63 MB in size, is stored in the temporary folder and executed.
 
It mimics the Java Updater application and appears to originate from China.
 
The malicious code inside the file tries to connect to a command-and-control (C&C) server that uses dynamic DNS services to keep changing its IP address, BitDefender said.
 
"After it infects the computer, the backdoor (identified by Bitdefender as Gen:Variant.Graftor.15447) starts listening for commands from its master," it said.
 
BitDefender also said the payload is an advanced persistent threat, extremely difficult to detect once inside the network.
 
"Although it’s more than a week old, the backdoor still has poor detection, with only 7 of 42 antivirus solutions able to detect it," it noted.
 
It said application exploitation may not be the newest means of delivering malware to end-users, but it is among the most effective.
 
"Browser plugin exploitation, although it requires hundreds of hours of research, has become idiot-proof by widespread availability of exploit packs that can be purchased by any script kiddie for the price of a week’s allowance," it said.
 
It suggested users protect their PCs and the data on them by implementing safety measures.
 
These include making sure their antivirus solution is updated, and installing a software firewall to fight exploits.
 
"Also, keep your critical applications up to date by installing security fixes as soon as they become available," it said. — TJD, GMA News