Malware From China Uses Iran Nuclear Tension to Target Military Staff

Three distinct technologies work together to craft the perfect firebomb on PCs

Cyber criminals from China are seizing on rising political tension over Iran’s suspected covert nuclear weapons program to sneak malware onto computers, possibly in the hope of infecting US military staff.

The latest targeted attack comes in the form of a browser exploitation spread through a Word (.doc) document bundled with spam mail. The English-language document – titled “Iran’s Oil and Nuclear Situation.doc” – bets on user curiosity over political tension between the West and Iran.

The document contains a Shockwave Flash applet that tries to load a video file (.mp4) from hxxp://208.1xx.23x.76/test.mp4. This MP4 file isn’t your regular YouTube video. It has been crafted to include a valid header so it can legitimately identify itself as MP4, but the rest of the file is filled with 0x0C values. When the file loads and the Flash Player tries to render the MP4, it triggers an exploit in the Adobe Flash plugin (CVE-2012-0754) that ultimately drops an executable file embedded in the initial .doc.
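A defender-side heuristic for the MP4 pattern described above, written as an added example for this post (it is not Bitdefender’s code or any product’s detection logic): it walks the top-level MP4 box structure, requires the leading ftyp header, and flags a file whose remainder is dominated by a single fill byte such as 0x0C or whose box structure breaks right after the header. The sample files are constructed inline; the 90% fill threshold is an assumption.

```python
import struct
from collections import Counter

# Constructed sample: a well-formed 'ftyp' box (so the file identifies
# itself as MP4) followed by nothing but 0x0C bytes, as the post describes.
FTYP = struct.pack(">I", 20) + b"ftyp" + b"isom" + struct.pack(">I", 0x200) + b"isom"
SUSPECT_MP4 = FTYP + b"\x0c" * 4096

# Constructed benign-looking sample: ftyp, then 'moov' and 'mdat' boxes
# whose bodies are varied bytes and whose sizes match the data present.
MOOV = struct.pack(">I", 8 + 64) + b"moov" + bytes(range(64))
MDAT = struct.pack(">I", 8 + 128) + b"mdat" + bytes((i * 37) % 256 for i in range(128))
BENIGN_MP4 = FTYP + MOOV + MDAT

def parse_boxes(data):
    """Walk top-level ISO-BMFF boxes, yielding (type, offset, size, well_formed)."""
    off = 0
    while off + 8 <= len(data):
        size = struct.unpack(">I", data[off:off + 4])[0]
        btype = data[off + 4:off + 8]
        if size == 1:                      # 64-bit 'largesize' follows the type
            if off + 16 > len(data):
                break
            size = struct.unpack(">Q", data[off + 8:off + 16])[0]
        elif size == 0:                    # box extends to end of file
            size = len(data) - off
        if size < 8 or off + size > len(data):
            yield (btype, off, size, False)  # size field does not fit the file
            return
        yield (btype, off, size, True)
        off += size

def assess_mp4(data, fill_threshold=0.9):
    """Return a list of findings for a file that claims to be MP4 (empty = nothing odd)."""
    findings = []
    boxes = list(parse_boxes(data))
    if not boxes or boxes[0][0] != b"ftyp":
        return ["no leading ftyp box"]
    if any(not ok for (_, _, _, ok) in boxes):
        findings.append("malformed box structure after header")
    body = data[boxes[0][1] + boxes[0][2]:]   # everything after the ftyp box
    if body:
        byte, count = Counter(body).most_common(1)[0]
        if count / len(body) >= fill_threshold:
            findings.append(f"body is {count / len(body):.0%} 0x{byte:02x} fill")
    return findings
```

Run over a downloaded or proxied MP4 before it reaches the plugin, a non-empty result is a reason to block or quarantine the file for closer inspection.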

The operation is covert: the MP4 file triggering the exploit is streamed from the web, which means the PC will be exploited by the time an antivirus would generally scan a file. Further, the malicious file delivered inside the doc file (us.exe) has multiple layers of obfuscation to dodge detection.

This dropped file is stored in the temporary folder and executed. It is a 4.63 MB file that mimics the Java Updater application and appears to originate from China. Inside the file, the malicious code of only 22.5 KB tries to connect to a C&C server that uses dynamic DNS services to keep changing its IP address.

After it infects the computer, the backdoor (identified by Bitdefender as Gen:Variant.Graftor.15447) starts listening for commands from its master.

This is clearly a targeted attack – it may aim at US military staff involved in Iranian military operations. The malware has not been delivered by mass spam and has not shown up in “honeypots”, or e-mail addresses used by the antivirus industry to attract and catch malware.

It also comes from China and connects to C&C servers hosting many other Chinese websites. We have seen multiple attacks on the US government coming from China – from the notorious Operation Aurora to the massive phishing of US and Taiwanese officials.

The payload is also an advanced persistent threat – extremely difficult to detect once inside the network. Although it’s more than a week old, the backdoor still has poor detection, with only 7 of 42 antivirus solutions able to detect it.

Application exploitation may not be the newest means of delivering malware to end users. But it is among the most effective. Browser plugin exploitation, although it requires hundreds of hours of research, has been made idiot-proof by the widespread availability of exploit packs that can be purchased by any script kiddie for the price of a week’s allowance.

To protect your PC and the data on it, implement a couple of safety measures. Make sure you install an antivirus solution and keep it updated. A software firewall will also play an important role in fighting exploits, as software firewalls can scan files as they get streamed from the web to the vulnerable application. Also, keep your critical applications up to date by installing security fixes as soon as they become available.

About the author
Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.