Trend Micro says that Cybercriminals Exploit Mass Killing in China to Distribute Malware

Security experts of security firm Trend Micro reveal that cybercriminals are leveraging the recent incident in which many people were stabbed to death at a railway station in Kunming, China to distribute a piece of malware to infect computers.

The incident happened in the beginning of March 2014 and 33 people in total were apparently stabbed to death with many others were also injured.

Trend Micro has spotted malicious emails entitled: "Fw: Knife attack at Kunming railway station leaves 33 dead and more than 130 injured."

The emails describe the incident by citing many sources and ask recipients to open the attachments to know more.

There are total five files attached to the emails consisting four image files and one document. The image files are harmless but the document actually hides a Trojan which is designed to exploit an old Microsoft Office vulnerability (CVE-2012-0158) to drop a backdoor.

The threat, BKDR_GHOST.LRK which is better known as Gh0st RAT is designed to facilitate cybercriminals in taking control of infected machine and can also be used to capture information via keylogging, screen grabs and audio recording.

A closer observation on BKDR_GHOST.LRK reveals remarkable fact: when it communicates to its C&C server, the malware uses the string "LURKO". This string was associated with a malware variant that was used in GhostNet campaign which was an old cyber espionage operation conducted by Chinese actors against Tibetan institutions.

The configuration file also contains the marker "default" and is often used to find which campaign a malware belongs to. However, researchers of Trend Micro have encountered old samples bearing the same markers dating back to 2012.

Regular users can be victims of this attack in spite of its intended target. Email attacks often use "click-worthy" or interesting topics to convince users in clicking links or open attachments which could lead to various threats.

Users are advised to not to open any attachments and not to click on links coming with unsolicited emails. Trend Micro suggests that they should also visit reputed and trusted news sites to update themselves with latest news and events.

» SPAMfighter News - 3/25/2014