According to Trend Micro's latest Targeted Attack Trends 2014 Annual Report, targeted attacks, otherwise known as advanced persistent threats (APTs), have intensified over the past year alongside newly identified techniques. In the latest news, the popular mobile messaging application LINE was used as bait to lure targets in a targeted attack that hit the Taiwan government.
LINE has a global reach of more than 490 million registered users, and certain government officials are said to be among those who use it for communication in the office.
What was the attack cycle?
Intended targets received a spear-phishing email that uses LINE as its subject and carries a .ZIP file attachment with the filename add_line.zip. The email message purports to come from the secretary of a political figure, supposedly asking recipients (in a Taiwan government office) to join a specific LINE group and to provide some information for profiling purposes. The .ZIP file contains an executable, add_zip.exe, which Trend Micro detects as BKDR_MOCELPA.ZTCD-A.
Further investigation revealed that this targeted attack is suspected to be connected to Taidoor because it uses the same encryption to hide its network traffic. Taidoor is a campaign that employs malicious .DOC files which display a legitimate document while executing the malware payload in the background. One particular sample exploited CVE-2012-0158, a vulnerability in Windows Common Controls. It targeted US defense contractors as well as Japanese companies. Last year alone saw two Taidoor-related zero-day exploit attacks targeting CVE-2014-1761, which hit government agencies and an educational institution in Taiwan.
Defending your network
This reinforces the need for enterprises and large organizations to adapt more than ever to the risks posed by targeted attacks. Aside from endpoint solutions that leverage behavior monitoring to detect this type of threat, organizations can go beyond the endpoint and specifically address targeted attacks with a custom defense strategy that follows a 'detect-analyze-respond' life cycle in order to mitigate and break the attack cycle. In addition to a custom defense strategy, enterprises are advised to build their threat intelligence and create an incident response team. Through these efforts, IT administrators can determine the indicators of compromise (IoCs) and use them as a basis when monitoring the network for suspicious activity, thus preventing attacks from reaching the data exfiltration stage.
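The lure described above is a .ZIP attachment carrying an executable, and the defensive advice is to turn such observations into checks that run before the file reaches a user. The following Python script is an added example, not code from Trend Micro or the original blog post: it inspects a ZIP mail attachment at a gateway, flags members with executable extensions, and goes one step beyond the incident by also flagging any member whose content starts with the Windows PE/DOS "MZ" header even if its extension looks like a document. The sample archive it builds (a dummy add_zip.exe consisting of an MZ header and placeholder bytes, a text file, and a constructed profile_form.doc) is entirely constructed for the demonstration and is not the real malware; the extension list and nesting limit are assumptions chosen for the example.

```python
from __future__ import annotations

import io
import os
import zipfile
from dataclasses import dataclass

# Extensions a mail gateway should not let through inside an archive.
# This list is an assumption for the example, not a vendor setting.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".dll"}
MZ_MAGIC = b"MZ"   # first two bytes of every Windows PE/DOS executable
MAX_NESTING = 3    # stop descending into archives-in-archives past this depth


@dataclass
class Finding:
    archive_name: str
    member_name: str
    reason: str


def inspect_zip_attachment(filename: str, data: bytes, depth: int = 0) -> list[Finding]:
    """Return one Finding per suspicious member of a ZIP attachment.

    Only the first two bytes of each member are read for the header check, so a
    deliberately inflated member does not have to be fully decompressed.
    """
    findings: list[Finding] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding(filename, "", "attachment named .zip is not a valid ZIP archive")]

    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            member = info.filename
            ext = os.path.splitext(member)[1].lower()
            with archive.open(info) as fh:
                head = fh.read(2)

            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(Finding(filename, member, f"executable extension {ext}"))
            elif head == MZ_MAGIC:
                # A PE file renamed to look like a document or image.
                findings.append(Finding(filename, member, "MZ header behind non-executable extension"))

            # Recurse into nested archives, a common way to hide the payload one layer deeper.
            if ext == ".zip" and depth < MAX_NESTING:
                with archive.open(info) as fh:
                    inner = fh.read()
                findings.extend(inspect_zip_attachment(f"{filename}/{member}", inner, depth + 1))
    return findings


def should_quarantine(filename: str, data: bytes) -> bool:
    """Gateway decision: hold any .zip attachment that produced at least one finding."""
    if not filename.lower().endswith(".zip"):
        return False
    return bool(inspect_zip_attachment(filename, data))


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the lure archive. The 'add_zip.exe' member is just an
    MZ header followed by placeholder bytes, not a program, and 'profile_form.doc' is
    a constructed renamed-executable case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("add_zip.exe", MZ_MAGIC + b"\x00" * 62 + b"constructed placeholder, not a program")
        zf.writestr("invite.txt", "Please join our LINE group and fill in the attached form.")
        zf.writestr("profile_form.doc", MZ_MAGIC + b"\x00" * 30 + b"constructed placeholder")
    return buf.getvalue()


def build_benign_attachment() -> bytes:
    """Constructed archive with only document-like members, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("agenda.txt", "Meeting agenda")
        zf.writestr("minutes.csv", "item,owner\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("add_line.zip", build_sample_attachment()), ("notes.zip", build_benign_attachment())]:
        verdict = "QUARANTINE" if should_quarantine(name, blob) else "allow"
        print(f"{name}: {verdict}")
        for f in inspect_zip_attachment(name, blob):
            print(f"  {f.member_name!r}: {f.reason}")
```

Running the script quarantines the constructed add_line.zip on two findings (the .exe extension and the MZ header behind a .doc name) and lets notes.zip through. In production the findings would be written to the mail log as IoCs so the monitoring team can search for the same attachment name or sender across other mailboxes.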
More information can be found in the Trend Micro blogpost.