Security Update

Email-based Phishing Attack Detected on Check Point Customers' Networks


Summary

On Friday May 10, 2013 a phishing email attack employing then-unknown malware was detected by Check Point’s Threat Emulation Software Blade on several organizations’ networks. At detection, attack information was automatically uploaded to the Check Point ThreatCloud, which then propagated AV signatures to all Check Point customers that have current AV update subscriptions.

The malicious emails have titles such as “Merchant Statement”, and include attachments with names such as “Statement ID 4657-345-347-0332.doc”. When opened, the attachment infects the targeted machine with several malicious executables, resulting in the machine being placed under control of a remote "botnet" command and control center.


Details

This attack is a variation on a similar one that was conducted last year, and takes advantage of a vulnerability in Microsoft's Windows Common Controls as described in CVE-2012-0158. Because the variant has a different cryptographic hash from the original, and AV signatures identify known malware by hash, no anti-virus tool had detected it up to that point in time. In contrast, the Threat Emulation Software Blade runs files in a virtual machine/operating system and determines whether the file exhibits behavior that differs from what is normally expected for that type of file. This allows new exploits to be detected as soon as they are encountered.

The attack can successfully infect both Windows 7 and Windows XP platforms. Additional variants are in the wild, as evidenced by at least one additional variant being detected within 48 hours of the first. That variant uses a similar subject line and attacks the same vulnerability described in CVE-2012-0158. Some of these emails purport to have been sent from financial institutions such as Citibank and Bank of America.


Analysis

Analysis by the Check Point Malware Research team revealed that the attack infects and propagates as follows:

  1. When the attachment is opened, the user is presented a message that says: “Error 327 – Content could not be rendered in your version of Office”
  2. Behind the scenes, the malware
    1. Installs a bot agent
    2. Opens network ports and the Windows firewall for ongoing communication with both bot command and other infected peers
    3. Steals user credentials used to access websites
    4. Propagates itself by sending emails with the infected attachment to other victims
    5. Runs silently, awaiting further instructions from the bot C&C

Analysis by the Threat Emulation Software Blade revealed a long list of interactions between the malware executables and the infected machine’s operating system. For instance, the following processes were spawned or accessed by the malware:

C:\Program Files\Windows Mail\WinMail.exe
C:\Users\admin\AppData\Local\Temp\paw.exe
C:\Users\admin\AppData\Roaming\Uceso\uppu.exe

These system files were changed:

C:\Users\admin\AppData\LocalLow\ofukd.ism
C:\Users\admin\AppData\Local\Temp\paw.exe
C:\Users\admin\AppData\Local\Temp\paw.exe
C:\Users\admin\AppData\Roaming\Uceso\uppu.exe
C:\Users\admin\AppData\Roaming\Uceso\uppu.exe
C:\Users\admin\AppData\Roaming\Uceso\uppu.exe

The following Windows Registry keys were modified:

HKCU\Software\Microsoft\Keyvb\15fg6gj5
HKCU\Software\Microsoft\Keyvb\19bc8hhb
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}
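The file and Run-key indicators listed above can be turned into a simple persistence audit. The script below is an added example, not part of this advisory or the Threat Emulation report: it flags HKCU Run values whose names match the advisory's indicators, whose commands reference the dropped files, or (a heuristic assumed here, not stated in the advisory) that launch from a user-writable AppData directory. The sample Run entries and their commands are constructed for illustration.

```python
import re

# Indicators taken from the advisory above (Run value names and dropped-file paths).
RUN_VALUE_IOCS = {"internat.exe", "{9439A768-4AC5-AD41-A646-4BEFAC9368F2}"}
FILE_IOCS = {
    r"\AppData\Local\Temp\paw.exe",
    r"\AppData\Roaming\Uceso\uppu.exe",
    r"\AppData\LocalLow\ofukd.ism",
}
# Heuristic (an assumption, not from the advisory): autostart entries that launch
# from a per-user profile directory deserve review regardless of the value name.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local|LocalLow)\\", re.IGNORECASE)


def check_run_entry(name, command):
    """Return the reasons an HKCU ...\\Run value looks suspicious (empty list if none)."""
    reasons = []
    if name in RUN_VALUE_IOCS:
        reasons.append("run value name matches advisory indicator")
    for ioc in FILE_IOCS:
        if ioc.lower() in command.lower():
            reasons.append("command references advisory file path")
            break
    if USER_WRITABLE.search(command):
        reasons.append("launches from user-writable AppData directory")
    return reasons


def scan_run_entries(entries):
    """entries: dict of Run value name -> command line. Returns {name: reasons} for hits."""
    return {n: r for n, c in entries.items() if (r := check_run_entry(n, c))}


# Constructed sample of HKCU Run values (not real host data); commands are assumed.
SAMPLE_RUN = {
    "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
    "internat.exe": r"C:\Users\admin\AppData\Roaming\Uceso\uppu.exe",
    "{9439A768-4AC5-AD41-A646-4BEFAC9368F2}": r"C:\Users\admin\AppData\Local\Temp\paw.exe",
}

if __name__ == "__main__":
    for name, reasons in scan_run_entries(SAMPLE_RUN).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a Windows host the same dict can be populated by enumerating HKCU\Software\Microsoft\Windows\CurrentVersion\Run with winreg.EnumValue.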

For more detailed information about how this infection interacts with a targeted machine, you can download the full Threat Emulation Malware report here.

Recommendations

Check Point recommends the following:

  • Educate or remind your users that they should never open any attachments received in email originating from external senders
  • Ensure that the Microsoft Update described in MS12-027 has been deployed to all endpoint machines in your network
  • Ensure that your Check Point Update Services subscription is current and that the latest signatures have been deployed