Posted on behalf of Jo Hurcombe, AV Operations Engineer, Symantec.cloud
Today, I identified a new targeted attack that, for the first time, makes reference to a discussion on the economic stakes in Libya's current crisis.
The email itself is very simple and is designed to appear as part of a discussion about the economic stakes in Libya's current crisis, with the sender claiming to agree with points raised in the attached document, as seen in the example given below.
Example of targeted email
The first example of this targeted attack was intercepted by Symantec.cloud on February 24, 2011 at 12:52 GMT. These attacks were targeted in nature and in total 27 individuals were targeted within six organizations. The emails were sent from four separate domains. All of the organizations targeted are involved in promoting human rights, supporting humanitarian aid or are think-tanks for foreign affairs and economic development.
In most cases, the email headers were spoofed to appear to come from the same domain as the recipient, a familiar social engineering technique used in so-called "spear phishing" attacks. This approach tries to trick the recipient into believing the email was sent by someone internal. Further analysis of the email headers suggests the originating IP address belongs to a computer based in Romania.
The attachment to the email appears to be an Office document file with a DOC extension, but it is actually an RTF-formatted document that contains an exploit for a known vulnerability (CVE-2010-3333: "RTF Stack Buffer Overflow Vulnerability"), which is an RTF parsing vulnerability. This exploit allows remote attackers to execute arbitrary code on the affected computer via crafted RTF data in the document.
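As an added defender-side example (not code from the original post or from Symantec), the following Python checks for the two tells described above: a From address on the recipients' own domain whose earliest Received hop lies outside the internal networks, and a `.doc` attachment whose bytes are actually RTF rather than an OLE2 Word file. The message, domains, addresses and attachment bytes are all constructed placeholders.

```python
import ipaddress
import re
from email.message import EmailMessage
from email.utils import parseaddr

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # genuine binary Word .doc (OLE2 compound file)
RTF_MAGIC = b"{\\rtf"                              # RTF text, which is what the lure's ".doc" really was
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPv4 literal inside a Received header


def attachment_findings(msg):
    """Report attachments whose .doc extension does not match their content bytes."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = (part.get_payload(decode=True) or b"").lstrip()
        if name.lower().endswith(".doc") and data.startswith(RTF_MAGIC):
            findings.append(f"{name}: .doc extension but RTF content")
        elif name.lower().endswith(".doc") and not data.startswith(OLE2_MAGIC):
            findings.append(f"{name}: .doc extension but not an OLE2 file")
    return findings


def spoofed_internal_sender(msg, internal_domain, internal_nets):
    """True when From claims the organisation's own domain but the earliest
    Received hop (bottom of the header stack) is outside the internal networks."""
    _, sender = parseaddr(msg.get("From", ""))
    if not sender.lower().endswith("@" + internal_domain.lower()):
        return False                      # does not pretend to be internal
    received = msg.get_all("Received") or []
    match = IP_RE.search(received[-1]) if received else None
    if match is None:
        return False                      # no usable origin hop to judge
    origin = ipaddress.ip_address(match.group(1))
    return not any(origin in ipaddress.ip_network(net) for net in internal_nets)


def build_sample():
    """Constructed message modelled on the lure described above. Domains and IPs
    are documentation placeholders; the RTF body is inert text, not exploit data."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"          # spoofed to look internal
    msg["To"] = "analyst@example.org"
    msg["Subject"] = "Re: economic stakes in Libya"
    # MTAs prepend Received headers, so the originating hop is listed last.
    msg["Received"] = "from mx.example.org ([192.0.2.10]) by mail.example.org"
    msg["Received"] = "from unknown ([203.0.113.77]) by mx.example.org"
    msg.set_content("I agree with the points raised in the attached document.")
    msg.add_attachment(b"{\\rtf1\\ansi placeholder}", maintype="application",
                       subtype="msword", filename="Libya.doc")
    return msg


if __name__ == "__main__":
    sample = build_sample()
    print(attachment_findings(sample))
    print(spoofed_internal_sender(sample, "example.org", ["192.0.2.0/24"]))
```

On the constructed sample both checks fire; a genuine internal message whose origin hop sits in the listed internal ranges returns False from the sender check.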