We are receiving more reports about targeted attacks claiming to be from the Better Business Bureau. The spam always comes with an RTF attachment. Does this ring a bell? If you’re a frequent reader of ISC you might remember that I already posted an analysis of such an attack back in March – you can find it here: http://isc.sans.org/diary.html. BBB also posted an alert about this quite a while ago (http://www.bbb.org/alerts/article.asp).
Basically, the attackers use an application called Object Packager to embed an executable in an RTF document. The executable is typically a downloader which, when executed, downloads second-stage malware. The attackers keep changing both the downloader and the second-stage malware, together with the sites they are using. It is worth pointing out again that this attack does not exploit any Office vulnerability; instead it relies on social engineering (see the screenshots in the old diary).
While the attack itself is not very interesting, what is interesting is that the spam e-mails carrying this seem to be targeted. In fact, almost all reports we’ve received lately (and Sunbelt blogged about the same thing at http://sunbeltblog.blogspot.com/2007/05/seen-in-wild-extremely-dangerous-better.html) claimed that only a couple of users in attacked organizations received this and that they were almost always CEOs or CFOs.
So what can we do here? As you can see from my old diary, AV detection of embedded objects in RTF documents seems to be very weak. The detection of the downloader I extracted at that point in time was a bit better but this was still far away from perfect, especially when we’re talking about the last line of defense – the AV program on the desktop machine.
If possible, you can block RTF files on your e-mail gateways, but this might have a counterproductive effect as we’ve been encouraging users for years to use “more friendly” text formats such as RTF (and who would have thought that objects could be embedded this easily in them?).
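A narrower alternative to blocking every RTF file is to flag only those that carry an embedded Object Packager object holding an executable. The following is an added example, not code from the original diary: a heuristic Python check a gateway filter could run, where the function names, the extension list and the sample document are all constructed for illustration.

```python
import re

# Heuristic: the hex payload that follows the \objdata control word.
OBJDATA = re.compile(rb"\\objdata\b([^{}]*)")
RISKY_EXT = (b".exe", b".scr", b".pif", b".com", b".bat", b".cmd")

def decode_objdata(raw: bytes) -> bytes:
    """Hex-decode an \\objdata body, dropping whitespace and other non-hex bytes."""
    digits = re.sub(rb"[^0-9A-Fa-f]", b"", raw)
    return bytes.fromhex(digits[: len(digits) & ~1].decode("ascii"))

def ole1_class_name(blob: bytes):
    """OLE 1.0 object header: version (4 bytes), format id (4),
    class-name length (4, little-endian), then the NUL-terminated name."""
    if len(blob) < 12:
        return None
    n = int.from_bytes(blob[8:12], "little")
    if n == 0 or 12 + n > len(blob):
        return None
    return blob[12:12 + n].rstrip(b"\x00").decode("latin-1")

def scan_rtf(data: bytes) -> list:
    """Return one finding per embedded object, flagging packaged executables."""
    findings = []
    for m in OBJDATA.finditer(data):
        blob = decode_objdata(m.group(1))
        low = blob.lower()
        cls = ole1_class_name(blob)
        is_package = (cls or "").lower() == "package"
        # Assumption: packaged file names are stored as NUL-terminated strings.
        exe_name = any(ext + b"\x00" in low for ext in RISKY_EXT)
        pe_marker = b"MZ" in blob and b"PE\x00\x00" in blob
        findings.append({"class": cls, "is_package": is_package,
                         "block": is_package and (exe_name or pe_marker)})
    return findings

def constructed_sample() -> bytes:
    """Constructed test input: a Package header, a file name and PE markers only."""
    name = b"Package\x00"
    blob = (bytes.fromhex("0105000002000000") + len(name).to_bytes(4, "little")
            + name + b"\x00" * 8 + b"\x02\x00complaint.exe\x00MZ\x90\x00PE\x00\x00")
    hexed = blob.hex().encode()
    return (rb"{\rtf1 Complaint{\object\objemb{\*\objclass Package}"
            rb"{\*\objdata " + hexed[:40] + b"\r\n" + hexed[40:] + b"}}}")

if __name__ == "__main__":
    print(scan_rtf(constructed_sample()))
```

The check reads the class name from the decoded object header rather than trusting the `\objclass` text, and it is a heuristic: quarantine on a hit, but do not treat a clean result as proof the document is safe.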
As always, the best defense here is user education. Besides general awareness, it might be good to warn your users (especially the C*O levels) about this particular attack as it does rely purely on social engineering (the user has to confirm that he wants the executable opened).
May 25th 2007