10/31/2014, Author: Paul Rascagneres

Operation "TooHash": how targeted attacks work

Data stealing campaign with two RATs identified

The experts of G DATA’s SecurityLabs discovered a cyber-espionage campaign that perfectly exemplifies the way how targeted attacks work. The purpose of this campaign was to steal valuable documents from the targeted entity. We entitle this operation “TooHash”.

The attackers’ modus operandi is to carry out spear phishing using a malicious Microsoft Office document as an attachment. The attackers do not choose their targets indiscriminately, which we derive from the fact that they sent specially crafted CV documents, probably to human resources management employees. Naturally, the recipients are inclined to open such documents on a daily base.

The majority of discovered samples were submitted from Taiwan. As part of the documents are in Simplified Chinese which is used in the Chinese mainland and others in Traditional Chinese which is used in Hong Kong, Macao and Taiwan, these malicious documents might have been used against targets in the whole Greater China area.

The Malware used

The attached documents exploit a well-known and rather aged vulnerability (CVE-2012-0158) to drop a remote administration tool, or RAT for short, onto the targeted user’s computer. During the campaign, we identified two different pieces of malware. Both include common cyber-espionage components such as code execution, file listing, document exfiltration and more.

We discovered more than 75 command and control servers, all used to administrate infected machines. The servers were mainly located in Hong Kong and the USA. Furthermore, the administration panel’s language, used by the attackers to manage infected systems, was partly written in Chinese and partly in English.

The exploit used by the attackers is identified and blocked by G DATA’s Exploit Protection technology and G DATA’s security solutions detect the dropped binaries as Win32.Trojan.Cohhoc.A and Win32.Trojan.DirectsX.A respectively.

Information Stealing

Nowadays, trade secrets describe one of the major values of almost every company. Therefore, begrudged competitors may be tempted to steal valuable sensitive information for their purposes. The leak of sensitive documents can be a disaster for a company and lead to large financial losses. Furthermore, governmental entities use sensitive, private or classified documents. Intelligence agencies may be interested to obtain such documents.

-------------------

Find the whole analysis and case study in our English paper:
https://secure.gd/dl-en-toohash

 


Share this article

G DATA | Trust in German Sicherheit