Targeted attacks on arms manufacturers continue
Explodes when opened: in the background, the professionally designed PDF document installs a backdoor on the victim's computer
Source: F-Secure
Mikko Hypponen from F-Secure reports that professional hackers are continuing their targeted attacks on arms manufacturers. Last week, the researcher discovered a specially crafted PDF file that impressively demonstrates how the perpetrators carry out these targeted attacks. The cyber-criminals send professionally designed emails advertising an American Institute of Aeronautics and Astronautics (AIAA) conference to the employees of specific arms manufacturers. The document reportedly appears authentic and invites recipients to submit papers for the forthcoming conference, classified as "secret", by 30 July.
Hypponen says that if the unsuspecting recipient opens the document, the specially crafted file exploits a known JavaScript hole in Adobe Reader to inject a backdoor called lsmm.exe into the victim's computer. The malware then attempts to establish a connection to two IP addresses, 59.7.56.50 and 59.19.181.130, in order to open a backdoor into the victim's corporate network for the attackers. There, the intruders can potentially infect further computers and can, at worst, steal highly sensitive corporate secrets such as weapon construction plans.
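A defender-side illustration of the chain described above (a backdoor file named lsmm.exe, then outbound connections to the two addresses), as an added example that is not from F-Secure or the original article: it correlates the two indicators per host. The event format, host names, timestamps and the 10-minute window are assumptions constructed for the example.

```python
import csv
import ipaddress
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

# Indicators named in the article.
C2_ADDRS = {ipaddress.ip_address("59.7.56.50"), ipaddress.ip_address("59.19.181.130")}
BACKDOOR_NAME = "lsmm.exe"
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample events (hypothetical format): time,host,kind,detail
SAMPLE_LOG = """\
2011-07-11T09:14:02,WS-ENG-07,proc,C:\\Users\\jdoe\\AppData\\Local\\Temp\\LSMM.EXE
2011-07-11T09:14:40,WS-ENG-07,conn,59.7.56.50:443
2011-07-11T09:20:11,WS-HR-02,conn,159.7.56.50:80
2011-07-11T10:02:55,WS-OPS-03,conn,59.19.181.130:8080
2011-07-11T10:30:00,WS-QA-01,proc,C:\\Tools\\lsmm.exe.bak
"""

def hunt(log_text):
    """Return {host: verdict}; 'correlated' = backdoor process, then C2 contact."""
    proc_seen, verdicts = {}, {}
    rows = sorted((r for r in csv.reader(log_text.splitlines()) if len(r) == 4),
                  key=lambda r: r[0])  # ISO timestamps sort chronologically
    for ts, host, kind, detail in rows:
        when = datetime.fromisoformat(ts)
        # Compare the file name only, case-insensitively (Windows semantics).
        if kind == "proc" and basename(detail).lower() == BACKDOOR_NAME:
            proc_seen[host] = when
            verdicts.setdefault(host, "process-only")
        elif kind == "conn":
            try:
                # Parse the address so 159.7.56.50 cannot match as a substring.
                addr = ipaddress.ip_address(detail.rsplit(":", 1)[0])
            except ValueError:
                continue  # malformed destination field, skip the row
            if addr not in C2_ADDRS:
                continue
            started = proc_seen.get(host)
            if started is not None and when - started <= WINDOW:
                verdicts[host] = "correlated"
            else:
                verdicts.setdefault(host, "network-only")
    return verdicts

if __name__ == "__main__":
    for host, verdict in hunt(SAMPLE_LOG).items():
        print(host, verdict)
```

A "network-only" host still warrants triage, since the file name is trivial for an attacker to change while the destination addresses are the stronger indicator.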
In March 2011, unknown attackers used a similar "spear phishing" attack to infiltrate systems at RSA and steal secret information relating to the SecurID two-factor authentication system. However, in that case they used an Excel file with an embedded Flash file that exploited a vulnerability in the Flash Player that was, at the time, unpatched. The criminals subsequently used the harvested data to break into the systems of US arms manufacturer Lockheed Martin.
(ehe)