Christmas 2012 - Malicious Word document circulating in targeted attacks
Trend Labs warns of a malicious Word document circulating in targeted attacks
QUOTE: Once again cybercriminals take advantage of the Holidays in what seems like a targeted attack against businesses and government organizations. We spotted samples that bore the filename, PROPOSED CHRISTMAS PARTY 2012.doc. Trend Micro detects this as TROJ_ARTIEF.RTN. When executed, this malware drops a file (temp.doc) that acts as a decoy to trick recipients into thinking this is a legitimate document. In the document file we spotted, it looks like a supposed invitation to a certain government office’s upcoming Christmas party. Moreover, TROJ_ARTIEF.RTN takes advantage of (MS12-027) Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258) to drop a backdoor which we detect as BKDR_GAMFRIC.A. This backdoor also checks what web browser is used, and creates a hidden process in order to inject its malicious code. We speculate that this attack uses an email message as a delivery mechanism in order to penetrate the network of the targeted entity.