The ASEAN Defense Ministers' Meeting - Plus (ADMM-Plus) has recently been held with the 18 member countries of ASEAN, Australia, China, India, Japan, Republic of Korea, New Zealand, Russia, and the United States.
We have discovered a malicious Rich Text Format file (.rtf or .doc), which targets anyone interested in the ADMM-Plus proceedings.
The RTF file exploits the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158) to drop a clean MS Word document and open a back door. The clean MS Word document is shown below.
It contains many phone numbers, fax numbers, and email addresses of each country’s military-related personnel. I could not confirm whether the contact details are authentic or just fake, but some of the phone numbers can be found on official websites. The following email domains are listed in the document:
- mindef.gov.bn (Brunei)
- kemhan.go.id (Indonesia)
- mod.gov.my (Malaysia)
- dnd.gov.ph (Philippines)
- starnet.gov.sg (Singapore)
- mofa.gov.vn (Vietnam)
- defence.gov.au (Australia)
- defence.govt.nz (New Zealand)
- mod.go.jp (Japan)
- korea.kr (Korea)
- osd.mil (United States)
Unfortunately, I could not trace the document's origin. However, the same vulnerability has been observed by another researcher (Tibetan-Themed Malware Subverts a Legitimate Application). The back door is dropped as an iexplore.exe file in a temporary folder and a shortcut is created in the Startup folder to execute the back door when the user logs in to the compromised computer. The back door connects to the following domains:
- hipuc.vicp.cc
- hipcp.oicp.net
These domains lead to a IP server address in China (222.172.135.xxx).
Symantec detects this RTF file and the back door as Trojan.Dropper and Backdoor.Trojan respectively.