Experts at SophosLabs are recommending that businesses and organisations check that they are keeping up-to-date with their security patches, in the light of a malware attack that was seen today – targeting a defence contractor.
The attack is similar in nature to one which SophosLabs intercepted a couple of years ago, where a malicious PDF file claiming to be about the Trident D-5 missile, launched from nuclear submarines, was sent to a military contractor.
The latest attack was sent to the contractor – whose name is not being made public by Sophos – embedded inside a file called Details.Doc, attached to the following email:
It is so nice to contact you!
We write to inform you that we are some question for your.
View attached document for the detail.
Looking forward to hearing from you soon!
Many thanks and best regards!
The email pretends to be from a YAHOO.COM.TW address but the headers show that emails did not come from YAHOO.
The IP is actually from a personal computer:
Received: from travwhanpc (61-220-44-2xx.HINET-IP.hinet.net [184.108.40.206xx])
The email’s attachment – titled Details.doc – exploits the CVE-2012-0158 vulnerability.
Unusually, the file really is an OLE2 format DOC file, despite the majority of files exhibiting this vulnerability being RTF files.
The boobytrapped file tries to drop and execute executable code (in the form of an .EXE file) which will install the ‘PittyTiger’ backdoor onto the victim’s Windows PC.
SophosLabs have seen large number of files exploiting the CVE-2012-0158 vulnerability being emailed to companies in a diverse number of sectors – not just those in defence.
The Microsoft security patch, MS12-027, has been available for 3 months now and there are really no excuses for not having applied it.
Gas mask image from Shutterstock.