Matt Posted July 16, 2013

A TARGETED ATTACK launched against European government agencies has been uncovered by security company Trend Micro, which warned of its ability to steal login credentials from Internet Explorer (IE) and Microsoft Outlook.

The attack takes advantage of a vulnerability in Microsoft Office and was launched in the form of an email claiming to be from the Chinese Ministry of National Defense, although Trend Micro said it appeared to have been sent from a Gmail account and did not use a Chinese name.

The email contained a malicious Microsoft Word attachment that exploits vulnerability CVE-2012-0158 in all versions of Microsoft Office 2003 to Microsoft Office 2010, despite having been patched by Microsoft over a year ago.

"The exploit is used to drop a backdoor onto the system, which steals login credentials for websites and email accounts from Internet Explorer and Microsoft Outlook," Trend Micro's Jonathan Leopando said in a blog post on Monday.

"It also opens a legitimate 'dummy' document, to make the target believe that nothing malicious happened.

"Any stolen information is then uploaded to two IP addresses, both of which are located in Hong Kong."

The security firm said that the attack was aimed at personnel working for both European and Asian governments, and was sent to at least 16 officials representing European countries.

The attackers made it more likely that the document would be opened by the targets by ensuring the topic of the email would be of interest to them.

"In addition, the information stolen and where it was stolen from - is very consistent with targeted attacks aimed at large organizations that use corporate mainstays like Internet Explorer and Outlook," Trend Micro added.

Though the email claims to be from the Chinese Ministry of National Defense, it was found that Chinese media organisations were also targeted in the attack, so it is unclear where the attack actually came from.

Trend Micro said that its products already detect all aspects of this threat, with the message and C&C servers being blocked, and the malicious attachment detected as TROJ_DROPPER.IK and the backdoor itself as BKDR_HGDER.IK.

Source: TheInquirer.net