Targeted attacks occur when cybercriminals launch malware against a specific organisation, industry or government department. In recent years we’ve often seen these distributed in the form of booby-trapped Word documents or malformed Adobe PDF files.
Overnight we intercepted an attack against a firm working in the defence industry (which we will not name for obvious reasons). The emails carried a malicious PDF file claiming to be about the Trident D-5 missile, launched from nuclear submarines.
The emails we saw read as follows:
Subject: TRIDENT D-5 MISSILE TECHNICAL REPORT
Message body:
Dear all, Attached Trident D-5 Missile Explosive Propellant Hazards.
(Please note that this summary does not discuss the conventional explosive material inside the Trident W76 and W88 nuclear warheads, which is an additional hazard. This previously unpublished report was prepared in support of our environmental lawsuit against the Trident D-5 missile upgrade at Bangor, filed in federal court on June 11, 2009)
Attached file: TRIDENT D-5 MISSILE.zip
As is normal in such attacks, the malicious hackers forged the “from:” address, pretending that the email was a communication from an employee of another defence contractor. In this case they used the real name, email address and phone number of one of this contractor’s PR team – details which can be found easily on the web – to make the message appear more plausible.
Opening the ZIP attachment is, of course, a very bad idea. It contains a file called “TRIDENT D-5 MISSILE.PDF”, which has embedded JavaScript and SWF (Flash) content designed to exploit vulnerabilities and drop a malicious payload on the recipient’s computer. The payload appears to open a backdoor on the infected computer through which the attackers can remotely access sensitive information.
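If you want to triage an attachment like this yourself before it reaches a reader, the script below is an added example (it is not Sophos’s detection logic and not code from the original post). It inflates FlateDecode streams so actions hidden in compressed object streams become visible, undoes the `#xx` hex escapes that PDF names allow (so `/J#61vaScript` is seen as `/JavaScript`), then counts the markers a responder looks for: `/JavaScript`, `/JS`, `/OpenAction`, `/RichMedia`, `.swf` and friends. The PDF and ZIP it scans are constructed inline for the demonstration; they are not the file from the attack.

```python
import re
import zlib
import zipfile
from io import BytesIO

# PDF features that warrant a closer look in an unsolicited attachment.
# Presence alone is not proof of malice (forms legitimately use /AA and
# /JavaScript), but /OpenAction plus script or Flash content in a
# supposed "report" is a strong signal.
MARKERS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
           b"/EmbeddedFile", b"/RichMedia", b"/Flash", b".swf"]
ACTIVE = {"/JavaScript", "/JS", "/OpenAction", "/Launch",
          "/RichMedia", "/EmbeddedFile"}

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def unescape_names(data: bytes) -> bytes:
    """PDF names may hex-escape characters (/J#61vaScript == /JavaScript);
    attackers use this to dodge naive string matching."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def normalize(data: bytes) -> bytes:
    """Return a scanning view of the file: FlateDecode streams inflated in
    place (so objects hidden in compressed object streams become visible)
    and name escapes undone. Streams that are not zlib data are left as-is."""
    def inflate(m):
        try:
            body = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            return m.group(0)
        return b"stream\n" + body + b"\nendstream"
    return unescape_names(STREAM_RE.sub(inflate, data))


def triage_pdf(data: bytes) -> dict:
    """Count each marker in the normalized view. The lookahead stops a short
    name such as /JS from matching inside a longer one such as /JSX."""
    view = normalize(data)
    hits = {}
    for marker in MARKERS:
        pattern = re.escape(marker) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, view))
        if n:
            hits[marker.decode()] = n
    return hits


def is_suspicious(hits: dict) -> bool:
    """True when any active-content marker was found."""
    return any(k in ACTIVE for k in hits)


def triage_zip(zip_bytes: bytes) -> dict:
    """Triage every PDF member of a ZIP attachment without extracting to disk."""
    results = {}
    with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".pdf"):
                results[info.filename] = triage_pdf(zf.read(info))
    return results


# --- constructed sample (not the file from the attack) -------------------
# Object 7 (the JavaScript action) lives inside a compressed object stream
# and uses a hex-escaped name, so a plain `grep /JavaScript` sees nothing.
_OBJSTM = zlib.compress(
    b"7 0 << /S /J#61vaScript /JS (app.alert('constructed sample')) >>")
SAMPLE_PDF = b"".join([
    b"%PDF-1.6\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n",
    b"5 0 obj << /Subtype /RichMedia /RichMediaContent "
    b"<< /Assets [(payload.swf)] >> >> endobj\n",
    b"6 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\n"
    % len(_OBJSTM),
    b"stream\n", _OBJSTM, b"\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%EOF\n",
])


def build_sample_zip() -> bytes:
    """Wrap the sample PDF in a ZIP, mirroring how the attachment arrived."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.pdf", SAMPLE_PDF)
        zf.writestr("readme.txt", "constructed sample archive")
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in triage_zip(build_sample_zip()).items():
        verdict = "SUSPICIOUS" if is_suspicious(hits) else "no active content"
        print(name, verdict, hits)
```

Run it on a real attachment by passing the ZIP bytes to `triage_zip`; a hit on `/OpenAction` together with `/JavaScript` or `.swf` in a document that is supposed to be a plain report is reason enough to open it only in an isolated sandbox, if at all.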
There are two bits of good news. The first is that Sophos detects the attack as Troj/PDFJs-KY. :) The second is that unless you work at the targeted company (or one that works in a similar industry) you are unlikely to encounter this particular targeted email.
Of course, the same exploit could be used with a variety of other disguises and it is possible that your firm – whether it be big or small – may be in the gunsights for other targeted attacks.
So ensure that you keep your computers and servers up-to-date with appropriately configured security software, that you make a habit of rolling out security updates for commonly used applications such as your browser, Adobe Flash, your PDF reader and Microsoft Office products, and teach your staff to always be suspicious of unsolicited attachments and unexpected links.