Messaging app LINE used as a decoy for targeted attack

Targeted attacks, also known as advanced persistent threats (APTs), intensified over the past year alongside newly identified techniques, according to Trend Micro's latest Targeted Attack Trends 2014 Annual Report. In the latest news, the popular mobile messaging application LINE was used as bait to lure targets in a targeted attack that hit the Taiwan government.
Intended targets received a spear-phishing email that uses LINE as its subject and carries a .ZIP file attachment named add_line.zip. The email purports to come from the secretary of a political figure and asks recipients (in a Taiwan government office) to join a specific LINE group and to provide some information for profiling purposes. The .ZIP file contains an executable file (add_zip.exe), which Trend Micro detects as BKDR_MOCELPA.ZTCD-A.
Further investigation revealed that this targeted attack is suspected to be connected to Taidoor because it uses the same encryption to hide its network traffic. Taidoor is a campaign that employs malicious .DOC files that show a legitimate document but execute the malware payload in the background. One particular sample exploited CVE-2012-0158, a vulnerability in Windows Common Controls. It targeted US defense contractors as well as Japanese companies. Last year alone saw two Taidoor-related zero-day exploit attacks targeting CVE-2014-1761, which hit government agencies and an educational institution in Taiwan.
This reinforces the need for enterprises and large organizations to adapt more than ever to the risks posed by targeted attacks.
