Email-based Phishing Attack Detected on Check Point Customers' Networks
On Friday May 10, 2013 a phishing email attack employing then-unknown malware was detected by Check Point’s Threat Emulation Software Blade on several organizations’ networks. At detection, attack information was automatically uploaded to the Check Point ThreatCloud, which then propagated AV signatures to all Check Point customers that have current AV update subscriptions. The malicious emails have titles such as “Merchant Statement”, and include attachments with names such as “Statement ID 4657-345-347-0332.doc”. When opened, the attachment infects the targeted machine with several malicious executables, resulting in the machine being placed under control of a remote "botnet" command and control center.
This attack is a variation of a similar one conducted last year, and takes advantage of a vulnerability in Microsoft's Windows Common Controls described in CVE-2012-0158. Because the variant has a different cryptographic “hash” than the original, no anti-virus tool had detected it up to that point, since AV signatures identify known malware by its hash. In contrast, the Threat Emulation Software Blade opens files in a virtual machine/operating system and determines whether the file exhibits behavior different from what is normally expected for that type of file. This allows new exploits to be detected as soon as they are encountered. The attack can successfully infect both Windows 7 and Windows XP platforms. Additional variants are in the wild: at least one more was detected within 48 hours of the first, using a similar subject line and attacking the same vulnerability described in CVE-2012-0158. Some of these emails purport to have been sent from financial institutions such as Citibank and Bank of America.
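The contrast the paragraph draws, a hash signature that misses a repacked variant while a behavioral verdict still catches it, is shown in the following added Python example. It is not Check Point code and does not model the Threat Emulation Blade's internals: the two byte strings, the event trace, the scoring threshold and the function names (`hash_signature_match`, `behaviour_verdict`) are all constructed for the illustration, with the event paths borrowed from the indicator lists in this advisory.

```python
import hashlib

# Constructed stand-in for a malicious attachment. The bytes are arbitrary
# filler, not the real "Statement ID ... .doc" sample.
ORIGINAL_SAMPLE = b"\xd0\xcf\x11\xe0" + b"constructed exploit document body " * 4
# A repacked variant: identical behaviour, one byte of padding changed.
VARIANT_SAMPLE = ORIGINAL_SAMPLE[:-1] + b"#"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A hash-based signature database only knows the samples it has already seen.
SIGNATURE_DB = {sha256_hex(ORIGINAL_SAMPLE)}


def hash_signature_match(data: bytes) -> bool:
    """Classic AV check: flag the file only if its hash is already known."""
    return sha256_hex(data) in SIGNATURE_DB


# Constructed sandbox trace of what happens when the document is opened.
# Both samples produce the same trace because the change was in padding,
# not in logic. Events are (kind, detail) pairs modelled on the categories
# in the advisory: processes, file writes, registry changes.
OBSERVED_EVENTS = [
    ("process", r"C:\Program Files\Windows Mail\WinMail.exe"),
    ("file_write", r"C:\Users\admin\AppData\Local\Temp\paw.exe"),
    ("process", r"C:\Users\admin\AppData\Local\Temp\paw.exe"),
    ("file_write", r"C:\Users\admin\AppData\Roaming\Uceso\uppu.exe"),
    ("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe"),
]


def behaviour_verdict(events):
    """Score sandbox events; a document that drops executables and sets an
    autorun key is not behaving like a document. Returns (verdict, reasons)."""
    reasons = []
    for kind, detail in events:
        d = detail.lower()
        if kind == "file_write" and d.endswith(".exe") and "\\appdata\\" in d:
            reasons.append(f"dropped executable: {detail}")
        elif kind == "process" and "\\appdata\\" in d:
            reasons.append(f"executed from user profile: {detail}")
        elif kind == "registry_set" and "\\currentversion\\run\\" in d:
            reasons.append(f"autorun persistence: {detail}")
    # Require two independent indicator classes (constructed threshold) so a
    # single dropped file, as a benign installer might produce, is not enough.
    classes = {r.split(":")[0] for r in reasons}
    verdict = "malicious" if len(classes) >= 2 else "clean"
    return verdict, reasons


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL_SAMPLE), ("variant", VARIANT_SAMPLE)):
        print(f"{label}: hash match = {hash_signature_match(sample)}, "
              f"behaviour = {behaviour_verdict(OBSERVED_EVENTS)[0]}")
```

Run as a script, the original sample is caught by both checks while the variant is caught only by the behavioral one: a one-byte change defeats the hash lookup but leaves the dropper-plus-autorun pattern untouched.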
Analysis by the Check Point Malware Research team revealed that the attack infects and propagates as follows:
Analysis by the Threat Emulation Software Blade revealed a long list of interactions between the malware executables and the infected machine’s operating system. For instance, the following processes were spawned or accessed by the malware:

C:\Program Files\Windows Mail\WinMail.exe
C:\Users\admin\AppData\Local\Temp\paw.exe
C:\Users\admin\AppData\Roaming\Uceso\uppu.exe

These system files were changed (paw.exe and uppu.exe each appear more than once in the report):

C:\Users\admin\AppData\LocalLow\ofukd.ism
C:\Users\admin\AppData\Local\Temp\paw.exe
C:\Users\admin\AppData\Roaming\Uceso\uppu.exe

The following Windows Registry keys were modified:

HKCU\Software\Microsoft\Keyvb\15fg6gj5
HKCU\Software\Microsoft\Keyvb\19bc8hhb
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}

For more detailed information about how this infection interacts with a targeted machine, you can download the full Threat Emulation Malware report here.

Recommendations

Check Point recommends the following:
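As an added example, not from the advisory or the Threat Emulation report, the following Python script turns the Run-key indicators listed in the analysis above into a triage check over the text that `reg query` prints on Windows. The sample output, the benign OneDrive entry, the heuristics (GUID-shaped value names, autorun targets under %TEMP% or in a non-Microsoft directory of AppData\Roaming) and the function names are all constructed; only the two Run value names and the two drop paths come from the advisory.

```python
import re

# Constructed stand-in for the output of
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# on an infected host. The OneDrive line is a benign decoy; the other two
# reuse the value names and drop paths listed in the advisory.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    internat.exe    REG_SZ    C:\Users\admin\AppData\Roaming\Uceso\uppu.exe
    {9439A768-4AC5-AD41-A646-4BEFAC9368F2}    REG_SZ    C:\Users\admin\AppData\Local\Temp\paw.exe
"""

# Value names taken from the advisory's list of modified Run keys.
KNOWN_RUN_VALUE_NAMES = {
    "internat.exe",
    "{9439A768-4AC5-AD41-A646-4BEFAC9368F2}",
}

# Heuristics (constructed for this example, not from the advisory).
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Roaming\<one directory>\<file>.exe where the directory is not Microsoft's own tree.
ROAMING_DROP = re.compile(r"\\AppData\\Roaming\\(?!Microsoft\\)[^\\]+\\[^\\]+\.exe", re.IGNORECASE)
# reg query prints value lines as: <indent>name<spaces>REG_TYPE<spaces>data
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(text):
    """Return (name, type, data) tuples for each value line of reg query output."""
    entries = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).strip()))
    return entries


def triage_run_entry(name, data):
    """Return the list of reasons an autorun entry is suspicious (empty if none)."""
    reasons = []
    if name in KNOWN_RUN_VALUE_NAMES:
        reasons.append("value name matches advisory IoC")
    if GUID_NAME.match(name):
        reasons.append("GUID-style value name")
    if TEMP_DIR.search(data):
        reasons.append("autorun target lives in %TEMP%")
    if ROAMING_DROP.search(data):
        reasons.append("autorun target in a non-Microsoft AppData\\Roaming directory")
    return reasons


def triage_run_entries(entries):
    """Keep only entries with at least one reason, preserving registry order."""
    findings = []
    for name, _type, data in entries:
        reasons = triage_run_entry(name, data)
        if reasons:
            findings.append({"name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{f['name']} -> {f['data']}")
        for r in f["reasons"]:
            print("   ", r)
```

On a live host the input would be the text printed by `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` for each user profile. The OneDrive line is there to show that a path under AppData alone is not a finding; the heuristics are deliberately narrower (Temp, or a non-Microsoft Roaming directory) so the two malicious entries are reported with their reasons while the benign one is not.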