Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Symantec Protection for Trojan.FakeSafe

Created: 17 May 2013 11:30:57 GMT • Updated: 23 Jan 2014 18:07:16 GMT • Translations available: 日本語
Symantec Security Response's picture
+1 1 Vote
Login to vote

Today, Trend Micro published a report about a targeted attack campaign they’re calling SafeNet (the campaign’s name is unrelated to the security company of the same name). The group behind this campaign is utilizing spear phishing emails with malicious attachments. These attachments are document files that exploit vulnerabilities in Microsoft Word. Some of the documents we’ve observed exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).

If exploitation is successful, the malicious documents drop the following files:

  • smcs.exe
  • SafeExt.dll
  • SafeCredential.DAT

SafeExt.dll contains most of the threat’s functionality while SafeCredential.DAT contains configuration information.

Our telemetry indicates that this is spread across the globe throughout multiple countries:


Symantec products detect the spear phishing word documents as Trojan.Mdropper and Trojan.Dropper, and the dropped files as Trojan.Fakesafe.

As we’re still seeing CVE-2012-0518 used in targeted attacks, users should ensure that software applications are up to date, and avoid clicking on suspicious links and opening suspicious email attachments.

To best protect against targeted attacks, we advise users to use the latest Symantec technologies and incorporate layered defenses.