Symantec Protection for Trojan.FakeSafe

Today, Trend Micro published a report about a targeted attack campaign they’re calling SafeNet (the campaign’s name is unrelated to the security company of the same name). The group behind this campaign is utilizing spear phishing emails with malicious attachments. These attachments are document files that exploit vulnerabilities in Microsoft Word. Some of the documents we’ve observed exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).

If exploitation is successful, the malicious documents drop the following files:

  • smcs.exe
  • SafeExt.dll
  • SafeExt.org
  • SafeCredential.DAT

SafeExt.dll contains most of the threat’s functionality while SafeCredential.DAT contains configuration information.

Our telemetry indicates that this threat is spread across multiple countries around the globe:

[Figure 1]

Symantec products detect the spear phishing Word documents as Trojan.Mdropper and Trojan.Dropper, and the dropped files as Trojan.Fakesafe.

As we’re still seeing CVE-2012-0158 used in targeted attacks, users should ensure that software applications are up to date, and avoid clicking on suspicious links and opening suspicious email attachments.

To best protect against targeted attacks, we advise users to use the latest Symantec technologies and incorporate layered defenses.