Poisoned DOC file used in targeted malware attack against military contractor


Experts at SophosLabs are recommending that businesses and organisations check that they are keeping up-to-date with their security patches, in the light of a malware attack that was seen today - targeting a defence contractor.

The attack is similar in nature to one which SophosLabs intercepted a couple of years ago, where a malicious PDF file claiming to be about the Trident D-5 missile, launched from nuclear submarines, was sent to a military contractor.

The latest attack was sent to the contractor - whose name is not being made public by Sophos - embedded inside a file called Details.Doc, attached to the following email:

Targeted email attack

Dear Sir,

It is so nice to contact you!

We write to inform you that we are some question for your.
View attached document for the detail.
Looking forward to hearing from you soon!

Many thanks and best regards!


The email pretends to be from a YAHOO.COM.TW address but the headers show that the email did not come from YAHOO.

Part of the email's header

The IP is actually from a personal computer:

Received: from travwhanpc (61-220-44-2xx.HINET-IP.hinet.net [])
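The header check described above can be automated at the mail gateway. The following is an added example, not code from Sophos or the original article: it compares the From domain with the host recorded by the receiving MX and flags the traits visible in the quoted Received line. The MX name `mx.contractor.example`, the sender local part, the date and the provider suffix list are assumptions made for illustration.

```python
import email
import re
from email.utils import parseaddr

# Leading "from <HELO> (<rDNS> [<ip>])" clause of a Received header.
RECEIVED_FROM = re.compile(r"^from\s+(\S+)\s+\((\S*)\s*\[[^\]]*\]\)", re.I)
# rDNS that embeds the IP as dashed octets; \w tolerates redaction ("2xx").
DASHED_IP = re.compile(r"^\d{1,3}-\d{1,3}-\d{1,3}-\w{1,3}\.")
# Assumption: suffixes the claimed provider's outbound relays resolve under.
PROVIDER_SUFFIXES = {"yahoo.com.tw": ("yahoo.com", "yahoo.com.tw")}

# Constructed message: only the first Received line comes from the article.
SAMPLE = (
    "Received: from travwhanpc (61-220-44-2xx.HINET-IP.hinet.net [])\n"
    "\tby mx.contractor.example with SMTP; Mon, 1 Jan 2001 00:00:00 +0000\n"
    "From: sender@yahoo.com.tw\n"
    "\n"
    "View attached document for the detail.\n"
)

def boundary_hop(msg, mx_name):
    """(helo, rdns) from the Received header stamped by our own MX."""
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())
        m = RECEIVED_FROM.match(flat)
        if m and f" by {mx_name} " in flat.lower():
            return m.group(1).lower(), m.group(2).lower()
    return None

def triage(raw, mx_name, providers=PROVIDER_SUFFIXES):
    """Return reasons the delivery path contradicts the From address."""
    msg = email.message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = boundary_hop(msg, mx_name.lower())
    if hop is None:
        return ["no Received header from the boundary MX"]
    helo, rdns = hop
    findings = []
    expected = providers.get(domain, ())
    if expected and not any(rdns == s or rdns.endswith("." + s) for s in expected):
        findings.append(f"From claims {domain}; connecting host is {rdns}")
    if "." not in helo:
        findings.append(f"HELO {helo!r} is a bare machine name")
    if DASHED_IP.match(rdns):
        findings.append("rDNS embeds the client IP (subscriber-style name)")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE, "mx.contractor.example")))
```

Only the Received header written by your own MX is trustworthy, since earlier ones can be forged by the sender. Treat the findings as triage hints; SPF and DKIM results, where the gateway records them, are stronger evidence.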

The email's attachment - titled Details.doc - exploits the CVE-2012-0158 vulnerability.

Unusually, the file really is an OLE2 format DOC file, despite the majority of files exhibiting this vulnerability being RTF files.

The boobytrapped file tries to drop and execute executable code (in the form of an .EXE file) which will install the 'PittyTiger' backdoor onto the victim's Windows PC.

Malicious code hex dump

SophosLabs has released detection for the DOC file as Troj/DocDrop-AF and the EXE as Troj/BckDrPT-AA.

SophosLabs has seen a large number of files exploiting the CVE-2012-0158 vulnerability being emailed to companies in a diverse range of sectors - not just those in defence.

The Microsoft security patch, MS12-027, has been available for 3 months now and there are really no excuses for not having applied it.



5 Responses to Poisoned DOC file used in targeted malware attack against military contractor

  1. Greg Carttar · 1162 days ago

    And a Defense contractor is dumb enough to fall for this???????

  2. Richard Steven Hack · 1162 days ago

    Given the pathetic nature of the email, anyone in a military contractor who is dumb enough to open that document deserves what they get... :-)

  3. colcool007 · 1160 days ago

    Too many of the contractors are more savvy with how much blast their kit will absorb than IT security. And when IT security raises its head, too many of them are ostrich followers...

  4. Barbless · 1159 days ago

    I'm curious to know if turning on macro protection in Office helps prevent this kind of thing from activating? (Same question for whatever it was that was in the spreadsheet that kicked off the RSA attack.)

  5. Andy · 1159 days ago

    Hi Barbless,

    That is actually one good question. Technically, I don't think this particular case has nothing to do with Macro Protection Enable. Although in many other cases you may find Enabling that option is a sane idea. I do it personally every time.

    Sophos has already included how to protect yourself from such kind of threats.


About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.