Researchers: New backdoor malware 'KeyBoy' used in targeted attacks in Asia
Users from Vietnam, India, China, Taiwan and possibly other countries, were targeted as part of an attack campaign that uses Microsoft Word documents rigged with exploits in order to install a backdoor program that allows attackers to steal information, according to researchers from security firm Rapid7.
The targeted attacks used specifically crafted Word documents as bait in spear-phishing emails sent to the intended victims. These documents were rigged to exploit known vulnerabilities that affect unpatched installations of Microsoft Office.
One of the malicious documents found by Rapid7 researchers is written in Vietnamese and is about best practices for teaching and researching scientific topics. This suggests that the targets of attacks where this document was used are part of the Vietnamese academic community, Rapid7 researchers Claudio Guarnieri and Mark Schloesser said Friday in a blog post.
A second document written in English discusses the state of telecommunication infrastructure, including GSM network coverage and Internet broadband availability, in Calcutta, India. The Rapid7 researchers believe that this document was used to target people working in the telecommunications industry in India or local government representatives.
When opened, the two documents attempt to exploit remote code execution vulnerabilities in the Windows common controls component. Identified as CVE-2012-0158 and CVE-2012-1856, respectively, these vulnerabilities affect Microsoft Office 2003, 2007 and 2010, and were patched by Microsoft in 2012 as part of the MS12-027 and MS12-060 security bulletins.
Despite being relatively old, such vulnerabilities, especially CVE-2012-0158, are commonly exploited in targeted attacks. Two examples of recent targeted attacks where CVE-2012-0158 was used include the NetTraveler and HangOver cyberespionage campaigns.
The malicious documents install a backdoor program that Rapid7 researchers have dubbed KeyBoy, after a text string found in one of the samples. The malware registers a new Windows service called MdAdum that loads a malicious DLL (Dynamic Library Link) file called CREDRIVER.dll, the researchers said.
The KeyBoy malware steals credentials stored in Internet Explorer and Mozilla Firefox and installs a keylogger component that can steal credentials entered into Google Chrome. The backdoor program also allows the attackers to get detailed information about the compromised computers, browse their directories, and download or upload files from and to them, the Rapid7 researchers said.
In addition, the malware can be used to open a Windows command shell on the infected computers that can be used remotely to execute Windows commands, they said.
The backdoor samples collected by the Rapid7 researchers were compiled on April 1, suggesting that the attacks are reasonably recent. The domain names used for the command-and-control servers contacted by the malware were registered during April and May.
These attackers are definitely targeting users in several different countries, Guarnieri said Monday via email. Rapid7 found evidence that users in Taiwan, members of minority populations in China and possibly Western diplomats have also been targeted as part of this campaign, he said.
“The campaign is not particularly sophisticated, the exploits are well known and the malware is fairly simple,” Guarnieri said. “However as we have seen in recent years, sophistication is not necessary for attackers to be successful and meet their ends. In fact the large majority of targeted attacks from and within the Asian region are generally very basic in complexity.”
That said, the antivirus detection rates for the exploits and the backdoor malware are surprisingly low at the moment, he said. “For some reason this group didn’t receive particular attention (at least not publicly) so we expect detection to improve in the next days.”