Security Response

Thailand's Coup d’État Used in Targeted Attack

Created: 11 Jun 2014 08:16:05 GMT • Updated: 11 Jun 2014 13:57:56 GMT
Lionel Payet

Contributor: Roberto Sponchioni

It’s well known that hot political topics make enticing lures for cyberattacks and, as such, Symantec is constantly on the lookout for attacks using this tactic. Recent monitoring of the global political landscape led us to observe a malicious campaign piggybacking on the coup d’état that occurred in Thailand three weeks ago (May 19, 2014) after months of turmoil in the country. We have seen the emergence of a limited, targeted spam campaign against government officials in Southeast Asia.

The malicious emails claim to be from a well-known media institution based in Myanmar and come in three variations where only the attached Word document’s name changes:

  • The_Military_situation_in_Thailand.doc
  • Thai_Coup_Leader_Says_He_Has_Received_King.doc
  • Thai_Military_Focuses_on_Economy_Warns_Anti_Coup_Protesters.doc 

Figure 1. Malicious email example

The attached malicious .doc file (detected as Trojan.Mdropper or Bloodhound.Exploit.457) exploits an old Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), a flaw in MSCOMCTL.OCX that Microsoft patched in April 2012 (MS12-027); a system with that update applied is not compromised by opening the document. On successful exploitation, the document drops a back door detected as Backdoor.Klabcon.
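The attack chain described so far (a spear-phishing email impersonating a media organisation, carrying a Word attachment that abuses the MSCOMCTL ActiveX control) is the kind of thing a mail-gateway or SOC triage script can flag before anyone opens the file. The following is an added example, not code from the original post or from Symantec: it builds a constructed sample message shaped like the lure (the display name, addresses, domains and document bytes are all made up for illustration; the `IMPERSONATED_BRANDS` allowlist is a hypothetical placeholder for the real organisation the campaign impersonated, which the post does not name) and triages it on three signals: a filename from the list above, an OLE2 (legacy .doc) container, and the presence of the MSComctlLib ListView control CLSID {BDD1F04B-858B-11D1-B16A-00C0F0283628}, the control most public detection rules for CVE-2012-0158 key on. The CLSID check is a heuristic, not proof of exploitation.

```python
"""Triage a constructed lure email modelled on the Thailand-coup campaign (added example)."""
import email
import hashlib
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment names reported in the post.
LURE_NAMES = {
    "The_Military_situation_in_Thailand.doc",
    "Thai_Coup_Leader_Says_He_Has_Received_King.doc",
    "Thai_Military_Focuses_on_Economy_Warns_Anti_Coup_Protesters.doc",
}

# Compound File Binary (OLE2) signature used by legacy .doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# {BDD1F04B-858B-11D1-B16A-00C0F0283628} (MSComctlLib.ListViewCtrl, MSCOMCTL.OCX)
# in on-disk little-endian GUID layout; a common CVE-2012-0158 heuristic.
LISTVIEW_CLSID = bytes.fromhex("4bf0d1bd8b85d111b16a00c0f0283628")

# Hypothetical allowlist: brand name a lure might impersonate -> its legitimate domain.
# Assumption for illustration only; the post does not name the impersonated outlet.
IMPERSONATED_BRANDS = {"example news agency": "news.example.com"}


def build_sample_email(malicious: bool = True) -> bytes:
    """Construct a sample message (not a real capture) in the shape of the lure."""
    msg = EmailMessage()
    if malicious:
        # Display name claims the brand, but the mailbox is on an unrelated domain.
        msg["From"] = "Example News Agency <newsdesk.example@mail.example.org>"
        doc = OLE_MAGIC + b"\x00" * 504 + LISTVIEW_CLSID + b"\x00" * 64
        name = "The_Military_situation_in_Thailand.doc"
    else:
        msg["From"] = "Example News Agency <newsdesk@news.example.com>"
        doc = OLE_MAGIC + b"\x00" * 568  # OLE container with no ListView CLSID
        name = "weekly_briefing.doc"
    msg["To"] = "press.officer@embassy.example.gov"
    msg["Subject"] = "The Military situation in Thailand"
    msg.set_content("Please find attached the latest report.")
    msg.add_attachment(doc, maintype="application", subtype="msword", filename=name)
    return msg.as_bytes()


def sender_identity(from_header: str) -> tuple[str, str]:
    """Return (display name, sender domain) from a From: header."""
    name, addr = parseaddr(str(from_header))
    return name.strip(), addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, domain = sender_identity(msg["From"] or "")
    findings = []

    legit = IMPERSONATED_BRANDS.get(name.lower())
    if legit and domain != legit:
        findings.append("sender-domain-mismatch")

    attachments = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        flags = []
        if fname in LURE_NAMES:
            flags.append("known-lure-filename")
        if data.startswith(OLE_MAGIC):
            flags.append("ole2-container")
            if LISTVIEW_CLSID in data:
                flags.append("mscomctl-listview-clsid")  # CVE-2012-0158 heuristic
        attachments.append(
            {"name": fname, "sha256": hashlib.sha256(data).hexdigest(), "flags": flags}
        )

    strong = {"known-lure-filename", "mscomctl-listview-clsid"}
    hit = any(strong & set(a["flags"]) for a in attachments) or "sender-domain-mismatch" in findings
    return {
        "display_name": name,
        "sender_domain": domain,
        "findings": findings,
        "attachments": attachments,
        "verdict": "suspicious" if hit else "clean",
    }


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_email(True)), ("benign", build_sample_email(False))):
        print(label, triage(raw))
```

In production the filename and CLSID checks would be fed from threat-intelligence feeds rather than hard-coded, and the CLSID match should be confirmed by parsing the OLE directory (for example with oletools) rather than a raw byte search, which can match inside unrelated embedded objects.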

Analysis of the back door shows basic reconnaissance capabilities but, interestingly, the malware later downloads an additional file that we have confirmed to be an updated version (1.1) of itself. This new version, detected as Backdoor.Klabcon.B, has more capabilities than the previous version (0.2). Backdoor.Klabcon.B’s capabilities include the following:

  • Open a back door
  • Collect CPU information and processor name
  • Download files from a specified URL
  • Collect drive information
  • Enumerate services
  • Collect memory usage information
  • Get disk space information
  • Download additional modules/plugins
  • Run and stop additional downloaded malware

Following our analysis of the list of recipients found in the malicious emails, we can confirm that it contains numerous people of interest working for Southeast Asian embassies, including those of Thailand, Myanmar, Bangladesh, and Vietnam, among others. We believe that Klabcon is linked to an espionage campaign rather than to a cybercrime campaign run purely for monetary gain.

Figure 2. Backdoor.Klabcon detection heatmap

This campaign shows all the signs of a classic multi-staged targeted attack campaign. Looking at Backdoor.Klabcon.B’s capabilities, we believe that there may be additional components used in this campaign. Symantec is continuing to monitor activity surrounding this targeted attack campaign. 

Protection
Symantec advises users to be cautious when dealing with suspicious emails and to avoid clicking on suspicious links or opening suspicious attachments. 

Symantec has the following antivirus and heuristic detections in place to protect against this threat:

  • Trojan.Mdropper
  • Bloodhound.Exploit.457
  • Backdoor.Klabcon
  • Backdoor.Klabcon.B

Symantec customers that use the Symantec.Cloud service are also protected against these threats.