“Over the last few months we have seen a series of very similar targeted attacks being blocked in our Linux Mail Security Product,” said Kaspersky Lab expert Ben Godwood in a blog post. “In each case the documents used were RTF and the exploit was CVE-2012-0158 (MSCOMCTL.OCX RCE Vulnerability).”
Three groups of documents are being employed as lures: the first is a set of sexual health-related articles from Men's Health magazine; the second relates to frigates and other military topics; and the third is written in the Cyrillic alphabet.
When the exploit runs, it creates and executes a file called wordupgrade.exe, which in turn drops a DLL file, and the rest of the infection plays out from there.
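The dropper behaviour just described is the kind of thing host telemetry can catch even when the lure document itself is not recognised. The following is an added example (not code from Kaspersky, Trend Micro or the article) that runs two detection rules over process-creation events: one for the dropper name the article gives, wordupgrade.exe, and a broader one for an Office application spawning an executable from a user-writable temp directory. The pipe-delimited log format, the parent process being WINWORD.EXE, and the Temp path are all assumptions; the sample events are constructed.

```python
"""Process-creation detection for the RTF -> wordupgrade.exe chain (added example).

Rule 1 (known_dropper_name):   a process named wordupgrade.exe appears (name from the article).
Rule 2 (office_spawns_temp_exe): an Office application spawns an executable that lives in a
                                 user-writable temp directory (a generalisation of the same
                                 behaviour; the article does not state the drop path).
"""
from dataclasses import dataclass
from typing import List

# Hypothetical log format, one event per line:
#   timestamp|host|parent_image|child_image|child_path
# These events are constructed for the example, not real telemetry.
SAMPLE_EVENTS = r"""
2012-06-01T09:14:02|ws-17|C:\Program Files\Microsoft Office\Office12\WINWORD.EXE|wordupgrade.exe|C:\Users\alice\AppData\Local\Temp\wordupgrade.exe
2012-06-01T09:20:11|ws-03|C:\Windows\explorer.exe|notepad.exe|C:\Windows\System32\notepad.exe
2012-06-01T10:02:45|ws-22|C:\Program Files\Microsoft Office\Office12\WINWORD.EXE|splwow64.exe|C:\Windows\splwow64.exe
2012-06-01T10:05:09|ws-22|C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE|WINWORD.EXE|C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
"""


@dataclass
class Event:
    ts: str
    host: str
    parent_image: str
    child_image: str
    child_path: str


@dataclass
class Finding:
    rule: str
    host: str
    ts: str
    detail: str


OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
KNOWN_DROPPER_NAMES = {"wordupgrade.exe"}  # from the article
# Path fragments that mark user-writable temp locations (assumed, lower-case).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\tmp\\")


def basename(path: str) -> str:
    """Last path component, lower-cased; tolerates either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(log: str) -> List[Event]:
    """Parse the pipe-delimited format; malformed or blank lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 5:
            continue
        events.append(Event(*fields))
    return events


def detect(events: List[Event]) -> List[Finding]:
    """Apply both rules to every event and return the findings in log order."""
    findings = []
    for ev in events:
        child = basename(ev.child_path) or ev.child_image.lower()
        parent = basename(ev.parent_image)
        detail = f"{ev.parent_image} -> {ev.child_path}"
        if child in KNOWN_DROPPER_NAMES:
            findings.append(Finding("known_dropper_name", ev.host, ev.ts, detail))
        # Office itself legitimately spawns helpers such as splwow64.exe from the Windows
        # directory, so the path check is what keeps this rule from firing on every print job.
        if parent in OFFICE_PROCESSES and any(m in ev.child_path.lower() for m in TEMP_MARKERS):
            findings.append(Finding("office_spawns_temp_exe", ev.host, ev.ts, detail))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.rule}] {f.host} {f.ts}: {f.detail}")
```

Run as a script it prints two findings for host ws-17, both from the first event; the explorer, splwow64 and Outlook-to-Word events stay silent. Rule 2 is the one worth keeping after this particular campaign is over, since the dropper name will change before the behaviour does.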
The malware installed by these documents is a variant of Enfal/LURID. Last fall, Trend Micro found modified versions of the Enfal malware, which the security vendor said infected more than 800 systems in 33 countries worldwide. Enfal variants are known to communicate to specific servers that give potential attackers access and even full control of infected systems.
“Enfal was the malware used in the LURID targeted attacks, which we documented last September 2011,” Trend Micro said. “The malware was also linked to attacks going back to 2006 and possibly even 2002.”
So, the malware used in the new attacks is not very advanced or new. However, “the attacks are very regular, so it is probably safest not to open attachments related to these topics,” Godwood warned.