Tibetan-Themed Malware Subverts a Legitimate Application

Analysis by: Hiroshi Shinotsuka

Recent malware campaigns that used Tibet-related issues as bait have been well documented and it should come as no surprise that we have seen another Tibetan-themed attack using a malicious Word document. The emails involved in the attack are in English and were sent to a clothing company in the United States.

While they appear to come from Tibet-related organizations, the email headers revealed that they were sent from a mail server in Russia.

Recently, we discovered a file that differs to other malware in that it uses a well-known graphics card manufacturer’s legitimately signed program as an attack vector.

After opening the attached document file, a vulnerability—CVE-2012-0158—is exploited and three files NvSmart.exe, NvSmartMax.dll, and boot.ldr are dropped upon successful exploitation. Of those three files, NvSmart.exe is a digitally signed program.

When I started my analysis, I thought that there was a possibility that the file NvSmart.exe was malware signed by a stolen signature. However, as I continued to analyze the file, I discovered that the file was actually legitimate.

Normally, when NvSmart.exe runs, it loads NvSmartMax.dll, which is from an external library. However, in this case, it loads a fake NvSmartMax.dll file, which in turn executes boot.ldr file, which contains the malicious code. NvSmart.exe is then added to the registry so that it runs every time the computer starts.

In the past, we have seen malware that overwrites a legitimate DLL file with a fake DLL file and automatically loads it when the computer starts. As the legitimate file is overwritten and becomes a completely different file, the user may notice that something is wrong. In this instance, a new file is created and a new registry entry is also added, so the user is tricked into thinking that it is a new file. When the computer starts, the Run registry subkey that is loaded is a program that is signed by a valid digital signature of a well-known graphics card manufacturer. However, the fake NvSmartMax.dll and boot.ldr files are not registered as services or added to the registry so most users may not notice that malicious code is executed when the computer starts. Malware writers are always looking for new ways to delay the discovery of their creations.

Symantec products detect NvSmartMax.dll and boot.ldr as Backdoor.Trojan. These files record keystrokes, send information about the compromised computer to the remote attacker, and also enable the computer to be controlled remotely.

The method to load malicious files through a legitimate file is not restricted to the file NvSmart.exe. We expect this tactic will be used for other legitimate files in future attacks.

Symantec will continue to monitor for new threats and methods that malware author’s devise, such as those detailed in this blog. We also recommend that users refrain from executing any programs that are suspicious and that you also keep your system and antivirus software up-to-date.