Malicious RTF Document in Targeted Email Exploit

Discussion in 'malware problems & news' started by Rmus, Jun 10, 2009.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This was a targeted exploit against organizations, where users receive email attachments daily. The email asks the user to verify a wire transfer, which is the attached .rtf document.

    Upon opening the attachment, an error message appears:

    rtf.gif

    The text and icon are an Object Package:

    rtf-pkg.gif

    The label is the message that displays in the document.
    The Content is the embedded .scr file.

    rtf-2.gif

    If the user clicks to open the content, an embedded executable (.scr) file attempts to run.
    Any White List software will easily catch this:


    rtf-1.gif

    Being a Package Object explains the use of Packager.exe to launch the executable file.
    And the exploit fails.

    rtf-3.gif


    REFERENCE

    Targeted e-mail attacks asking to verify wire transfer details
    http://isc.sans.org/diary.html?storyid=6511



    ----
    rich
     
    Last edited: Jun 10, 2009
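Added example, not part of the original post: a defender-side triage check for the pattern described above, an RTF whose embedded OLE object has class Package and carries a file name with an executable extension such as .scr. The sample document, its label and file paths are constructed, the Package stream layout used to build it is an approximation, and the string scan is a heuristic rather than a full OLE parser.

```python
import re

# Extensions Windows runs directly; .scr is the one seen in this thread.
RISKY_EXT = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk")

OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\]+)")
OBJDATA_RE = re.compile(rb"\\objdata\b([^{}\\]*)")
# Printable ASCII runs ending in NUL, the way the Package stream stores label and paths.
CSTRING_RE = re.compile(rb"[\x20-\x7e]{4,259}(?=\x00)")


def scan_rtf(data: bytes) -> list:
    """Return, per embedded Package object, the sorted risky file names found in it."""
    findings = []
    # \object starts each embedded object; the lookahead skips \objemb, \objdata, etc.
    for chunk in re.split(rb"\\object(?![a-z])", data)[1:]:
        cls = OBJCLASS_RE.search(chunk)
        blob = OBJDATA_RE.search(chunk)
        if not cls or not blob or cls.group(1).strip().lower() != b"package":
            continue
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", blob.group(1))  # hex may contain whitespace
        raw = bytes.fromhex(digits[: len(digits) // 2 * 2].decode("ascii"))
        names = {m.decode("ascii") for m in CSTRING_RE.findall(raw)}
        findings.append(sorted(n for n in names if n.lower().endswith(RISKY_EXT)))
    return findings


def constructed_sample() -> bytes:
    """Constructed document: a Package object wrapping a harmless 4-byte payload."""
    def lpstr(s: bytes) -> bytes:  # length-prefixed, NUL-terminated string
        return (len(s) + 1).to_bytes(4, "little") + s + b"\x00"
    path = b"C:\\tmp\\details.scr"  # constructed path, not taken from the thread
    native = (b"\x02\x00" + b"Wire Transfer Error\x00" + path + b"\x00"
              + b"\x00\x00\x03\x00" + lpstr(path) + (4).to_bytes(4, "little") + b"TEST")
    ole1 = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + lpstr(b"Package") + bytes(8)
            + len(native).to_bytes(4, "little") + native)
    return (b"{\\rtf1 {\\object\\objemb{\\*\\objclass Package}\\objw1\\objh1"
            b"{\\*\\objdata " + ole1.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    for i, risky in enumerate(scan_rtf(constructed_sample()), 1):
        print(f"Package object {i}: risky embedded names = {risky}")
```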
  2. benton4

    benton4 Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    158
    Location:
    Oregon
    Thanks for the info.
     