New backdoor 'KeyBoy' malware hits Asia with targeted attacks
ID: IRCNE2013061872
Date: 2013-06-11
According to "computerworld", users from Vietnam, India, China, Taiwan and possibly other countries, were targeted as part of an attack campaign that uses Microsoft Word documents rigged with exploits in order to install a backdoor program that allows attackers to steal information, according to researchers from security firm Rapid7.
The targeted attacks used specifically crafted Word documents as bait in spear-phishing emails sent to the intended victims. These documents were rigged to exploit known vulnerabilities that affect unpatched installations of Microsoft Office.
When opened, the two documents attempt to exploit remote code execution vulnerabilities in the Windows common controls component. Identified as CVE-2012-0158 and CVE-2012-1856, respectively, these vulnerabilities affect Microsoft Office 2003, 2007 and 2010, and were patched by Microsoft in 2012 as part of the MS12-027 and MS12-060 security bulletins.
The malicious documents install a backdoor program that Rapid7 researchers have dubbed KeyBoy, after a text string found in one of the samples. The malware registers a new Windows service called MdAdum that loads a malicious DLL (Dynamic Library Link) file called CREDRIVER.dll, the researchers said.
The KeyBoy malware steals credentials stored in Internet Explorer and Mozilla Firefox and installs a keylogger component that can steal credentials entered into Google Chrome. The backdoor program also allows the attackers to get detailed information about the compromised computers, browse their directories, and download or upload files from and to them, the Rapid7 researchers said.
In addition, the malware can be used to open a Windows command shell on the infected computers that can be used remotely to execute Windows commands, they said.
- 2