Contributor: Roberto Sponchioni
It’s well known that hot political topics make enticing lures for cyberattacks, so Symantec is constantly on the lookout for attacks that use this tactic. Recent monitoring of the global political landscape led us to observe a malicious campaign piggybacking on the coup d’état that occurred in Thailand three weeks ago (May 19, 2014) after months of turmoil in the country. We have seen the emergence of a limited, targeted spam campaign against government officials in Southeast Asia.
The malicious emails claim to be from a well-known media institution based in Myanmar and come in three variations where only the attached Word document’s name changes:
Figure 1. Malicious email example
The attached malicious .doc file (detected as Trojan.Mdropper or Bloodhound.Exploit.457) exploits an old vulnerability, the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). On successful exploitation, it drops a back door detected as Backdoor.Klabcon.
Analysis of the back door shows basic reconnaissance capabilities. Interestingly, the malware later downloads an additional file, which we have confirmed to be an updated version (1.1) of itself. This new version, detected as Backdoor.Klabcon.B, has more capabilities than the previous version (0.2). Backdoor.Klabcon.B’s capabilities include the following:
- Open a back door
- Collect CPU information and processor name
- Download files from a specified URL
- Collect drive information
- Enumerate services
- Collect memory usage information
- Get disk space information
- Download additional modules/plugins
- Run and stop additional downloaded malware
Following our analysis of the list of recipients found in the malicious emails, we can confirm that it contains numerous people of interest working for Southeast Asian embassies, including those of Thailand, Myanmar, Bangladesh, and Vietnam, among others. We believe that Klabcon is linked to an espionage campaign rather than a cybercrime campaign conducted purely for monetary gain.
Figure 2. Backdoor.Klabcon detection heatmap
This campaign shows all the signs of a classic multi-stage targeted attack. Looking at Backdoor.Klabcon.B’s capabilities, we believe that additional components may be used in this campaign. Symantec is continuing to monitor activity surrounding this targeted attack campaign.
Symantec advises users to be cautious when dealing with suspicious emails and to avoid clicking on suspicious links or opening suspicious attachments.
Symantec has the following antivirus, reputation, and heuristic detections in place to protect against this threat:
Symantec customers that use the Symantec.Cloud service are also protected against these threats.