
Email Spoofed from Japanese Government Agency Targets Japanese Companies

Created: 14 Apr 2008 22:16:03 GMT • Updated: 23 Jan 2014 18:41:19 GMT
Shunichi Imano
Today, April 14th, 2008, Symantec Security Response received reports from a number of our customers regarding a possible targeted spam attack against several Japanese companies.

The spam email associated with this attack is spoofed to appear to come from a Japanese government agency and entices the user to open the attached .zip file to check recent organizational changes. The attached .zip file contains two files: 0414.xls and 0414.exe. 0414.xls is a legitimate file containing a list of names, addresses, and personnel positions that may or may not really exist. There is no evidence to suggest that this file contains any exploit.

However, the other file, 0414.exe, is a variant of Backdoor.Darkmoon, which has keylogging capabilities. At the time of writing, we have seen several variants of Backdoor.Darkmoon associated with this spam attack. One variant saves stolen information in a file named msvidctl, sends it to the remote attacker, and awaits further commands from cyhk.3322.org. Another variant sends information in a file named taskame to hi222.3322.org and opens a back door to the same site.

Similar attacks have occurred many times in the past. We urge you to exercise extra caution and not to open attachments unless they are expected and come from a known and trusted source.
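The attachment layout described above (a decoy document and an executable with the same base name inside one .zip) can be checked for at a mail gateway. The following is an added example, not Symantec code; the extension lists and function names are assumptions, and the sample archive is constructed from harmless placeholder bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed extension lists for this example; tune them to local policy.
EXEC_EXT = {".exe", ".scr", ".com", ".pif"}
DOC_EXT = {".xls", ".doc", ".ppt", ".pdf"}


def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per executable member of a zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        doc_stems = {PurePosixPath(n).stem.lower() for n in names
                     if PurePosixPath(n).suffix.lower() in DOC_EXT}
        for name in names:
            path = PurePosixPath(name)
            try:
                with zf.open(name) as fh:
                    has_mz = fh.read(2) == b"MZ"  # DOS/PE header magic
            except RuntimeError:  # password-protected member, content unreadable
                has_mz = False
            by_ext = path.suffix.lower() in EXEC_EXT
            if by_ext or has_mz:
                findings.append({
                    "member": name,
                    "exec_extension": by_ext,
                    "mz_header": has_mz,
                    # Same base name as a document, as with 0414.xls / 0414.exe
                    "paired_with_document": path.stem.lower() in doc_stems,
                })
    return findings


def build_sample() -> bytes:
    """Constructed sample: placeholder bytes under the file names from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("0414.xls", b"placeholder spreadsheet bytes")
        zf.writestr("0414.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample()):
        print(finding)
```

The header check also catches an executable that has been renamed to a non-executable extension, which a filter based on file names alone would miss.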



Message Edited by SR Blog Moderator on 04-16-2008 01:14 PM