Targeted attacks are a daily occurrence and attackers are fast to employ the latest news stories in their social engineering themes. In a recent targeted attack, delivering a payload of Backdoor.Korplug and caught by our Symantec.cloud services, we observed an attacker taking advantage of a recently published article by the Washington Post in relation to chemical attacks in Syria. The attacker took the full text of the article and used it in their own malicious document in an effort to dupe victims into believing the document was legitimate.
Figure 1. Part of malicious document containing the stolen text
The attack follows the standard Backdoor.Korplug modus operandi, which we have previously blogged about, of delivering an attached malicious .doc file containing a vulnerability, Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551 - Bloodhound.Exploit.497), to the target through email.
Figure 2. Example of targeted email using chemical attack in Syria theme
Symantec will continue to monitor for new and similar threats, such as those detailed in this blog. We also recommend that users refrain from opening any suspicious emails and, as always, we advise customers to use the latest Symantec technologies and incorporate the latest Symantec Consumer and Enterprise solutions to best protect against attacks of this kind.