Internet Users Hit by New Backdoor Malware in India and Vietnam, Rapid7 Claims

A spate of attacks hitting users in India and Vietnam are infecting recipients with a backdoor Trojan made to grab mass amount of information from them, as per security firm Rapid7.

The attacks are employing a malicious Word document that abuses flaws in Microsoft's Office to infect systems with malware called KeyBoy, according to Rapid7 researchers.

The malicious attachments, in particular, exploit the vulnerabilities CVE-2012-0158 AND CVE-2012-1856 that were fixed by Microsoft in MS12-027 and MS12-60 bulletins, respectively. The first Word document is scribbled in Vietnamese language and talks about modifying and discussing top most practices for researching and teaching scientific subjects, claimed, Rapid7's Researcher Claudio Guarneri, as published by securityweek.com dated June 10, 2013.

The second document penned in English is associated to the telecom infrastructure in Kolkata, India, covering GSM (Global System for Mobile) networks and stability and availability of broadband.

The documents if opened will install KeyBoy, christened after a string available in the malware sample.

The malware enroll a fresh Windows service called MdAdum that loads a malicious DLL file known as CREDRIVER.dll, the researchers highlighted.

This KeyBoy malware embezzles details stored in IE (Internet Explorer) and Mozilla and installs a keylogger that can embezzle credentials entered into Chrome. The backdoor helps the crooks to receive detailed information regarding infected computers, and upload or download files from and to them, Rapid7 researchers claimed.

The malware also assists in opening a Windows command shell on the tainted machines, which can be remotely employed for executing Windows commands, they said.

The attackers involved in this campaign are striking users in many different countries. Rapid7 got facts suggesting that Internauts in China, Taiwan, and most likely diplomats based in Western countries have also been struck in this campaign.

Beware however, just because this campaign is theoretically targeted, it does not essentially mean that this campaign should have an enhanced priority than any other malicious threat on your system. Rapid7's suggestion remains unchanged: recognize your main assets, identify the most troubling threats to such resources and inform and shield yourself accordingly, Rapid7 concluded, as published by community.rapid7.com on June 7, 2013.

» SPAMfighter News - 6/21/2013