Security researchers from Trend Micro have found that the cybercriminals that target pro-Tibet activists and non-governmental organizations (NGOs) have changed their tactics. They are impersonating an expert from security firm FireEye to spread a malicious Trojan.
The email that carries the piece of malware looks legitimate at first glance. It bears the FireEye logo, the researcher’s signature, email address and even phone number.
Apparently originating from a legitimate FireEye email address, the message basically asks the recipient for approval to publish a blog post regarding some cyberattacks in which his/her name is mentioned.
The request is allegedly made after the user submitted a number of “targeted malicious attachments” to Virus Total.
“I would love to write a blog entry at my corporate site about a few attacks and mention you by name. Keep in mind that I already have this information, but I would like your permission in addition, as it might not have been an IT person who uploaded the file, not specifically you,” part of the email reads.
In reality, the email address is spoofed, the real sender address being one that is used in other malicious campaigns.
The attachment that comes with the message is a PDF file that hides a malevolent element identified by Trend Micro as TROJ_PIDIEF.KFR. In order to avoid detection by antivirus software, the PDF is password-protected.
The backdoor connects to a server located in China to which it sends information such as instant messaging IDs and passwords, a list of all drives and files, and other account credentials.
The experts are still analyzing the piece of malware that fuels these attacks. In the meantime, make sure to avoid opening shady-looking attachments, even if the emails that carry them purport to come from reputable security firms.
Update. Initially we’ve missed the original report that came from the FireEye expert whose name was used in the malicious emails.
Senior System Engineer at FireEye, Alex Lanstein, sent out the legitimate email to Tibetan activists who were targeted by pieces of malware. Apparently, one of the recipients’ email accounts was compromised and that’s how the cybercriminals came up with the idea of sending out phony notifications on his behalf.
Also, it seems that in some variants of the malicious email, the PDF attachments are not password-protected.
Alex Lanstein’s detailed blog post is available here.