Malicious RTF Document in Targeted Email Exploit

Discussion in 'malware problems & news' started by Rmus, Jun 10, 2009.

Thread Status:
Not open for further replies.
  1. Rmus

    This was a targeted exploit against organizations, where users receive email attachments daily. The email asks the user to verify a wire transfer, which is the attached .rtf document.

    Upon opening the attachment, an error message appears:

    [Image: rtf.gif]

    The text and icon are an Object Package:

    [Image: rtf-pkg.gif]

    The label is the message that displays in the document.
    The Content is the embedded .scr file.

    [Image: rtf-2.gif]

    If the user clicks to open the content, an embedded executable (.scr) file attempts to run.
    Any White List software will easily catch this:


    [Image: rtf-1.gif]

    Being a Package Object explains the use of Packager.exe to launch the executable file.
    And the exploit fails.

    [Image: rtf-3.gif]


    REFERENCE

    Targeted e-mail attacks asking to verify wire transfer details
    http://isc.sans.org/diary.html?storyid=6511



    ----
    rich
     
    Last edited: Jun 10, 2009
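
A defensive check for the structure described in the post above, as an added example that is not part of the original post: it finds embedded OLE Package objects in an RTF file and reports each one's label and original content path, flagging executable extensions such as .scr. The Package layout it assumes (a 2-byte header followed by a NUL-terminated label and path), the extension list, the function names and the sample document are assumptions constructed for illustration.

```python
import re
import struct

EXEC_EXT = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd")
OBJDATA = re.compile(rb"\\objdata\s+([0-9A-Fa-f\s]+)")  # plain hex payloads only

def _lpstr(buf, pos):
    """Read an OLE1 length-prefixed ANSI string; return (text, next_pos)."""
    (n,) = struct.unpack_from("<I", buf, pos)
    return buf[pos + 4:pos + 4 + n].rstrip(b"\0").decode("latin-1"), pos + 4 + n

def _cstr(buf, pos):
    """Read a NUL-terminated ANSI string; return (text, next_pos)."""
    end = buf.index(b"\0", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def scan_rtf(rtf):
    """Return one finding per embedded OLE1 'Package' object in RTF bytes."""
    findings = []
    for m in OBJDATA.finditer(rtf):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        blob = bytes.fromhex(hexdata[:len(hexdata) // 2 * 2].decode("ascii"))
        try:
            _version, fmt = struct.unpack_from("<II", blob, 0)
            cls, pos = _lpstr(blob, 8)
            _topic, pos = _lpstr(blob, pos)
            _item, pos = _lpstr(blob, pos)
            if fmt != 2 or cls.lower() != "package":   # 2 = embedded object
                continue
            pos += 4 + 2            # skip native data size and Package header
            label, pos = _cstr(blob, pos)   # text shown in the document
            path, pos = _cstr(blob, pos)    # original path of the content
        except (struct.error, ValueError):
            continue                # truncated or malformed object
        findings.append({"label": label, "path": path,
                         "executable": path.lower().endswith(EXEC_EXT)})
    return findings

def sample_rtf(path=b"C:\\sample\\demo.scr"):
    """Constructed, harmless sample: a Package whose content is b'demo'."""
    lp = lambda s: struct.pack("<I", len(s) + 1) + s + b"\0" if s else b"\0" * 4
    native = (b"\x02\x00" + b"Constructed label\0" + path + b"\0"
              + struct.pack("<HHI", 0, 3, len(path) + 1) + path + b"\0"
              + struct.pack("<I", 4) + b"demo")
    ole1 = (struct.pack("<II", 0x501, 2) + lp(b"Package") + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)
    return (b"{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
            + ole1.hex().encode("ascii") + b"}}}")
```

Calling `scan_rtf(sample_rtf())` returns a single finding with `executable` set to `True`; a mail gateway or triage script could quarantine any attachment that produces one.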
  2. benton4

    Thanks for the info.
     