Last Updated: 2009-01-12 15:29:09 UTC
by Lenny Zeltser (Version: 6)
We received a report of a Swedish company that was just subjected to a targeted attack. The company's high-ranking executives received an email message with an attached executable file named "Likviditetsrapport december prel.xls .exe". (This translates to "Liquidity report December prel.xls .exe".) The file's real extension is .exe; the ".xls " part of the name and the file's icon, which looked like that of an Excel document, are there to make it pass for a spreadsheet.
The targeted company has approximately 6,000 users; however, no one besides the executives received the message. The message was very well written in Swedish and had a polished feel to it.
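The attachment name above is a classic disguise: a decoy document extension, a run of spaces to push the real extension out of view, and an executable extension at the very end. Below is an added example of a mail-gateway or triage check for names of that shape; it is not code from the diary or from any product. The extension lists are assumptions (a starting point, not a complete catalogue), and the check goes slightly beyond the case in the report by normalizing every Unicode space variant before looking for padding and by flagging the U+202E right-to-left override trick, which the diary does not mention.

```python
# Added example (not from the ISC diary): heuristics for spotting an attachment
# name that disguises an executable as a document, as in the report's
# "Likviditetsrapport december prel.xls .exe". The extension lists below are
# assumptions (a starting point, not a complete catalogue).
from __future__ import annotations

import unicodedata

# Extensions Windows treats as directly executable when double-clicked (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl", "msi"}
# Document/image extensions commonly used as the decoy (assumed list).
DECOY_EXTS = {"xls", "xlsx", "doc", "docx", "pdf", "ppt", "pptx", "rtf",
              "txt", "jpg", "png"}
RLO = "\u202e"  # right-to-left override: reverses how the rest of the name renders


def _normalize_spaces(name: str) -> str:
    """Map every Unicode space separator (NBSP, ideographic space, ...) to a plain space."""
    return "".join(" " if unicodedata.category(ch) == "Zs" else ch for ch in name)


def attachment_name_findings(name: str) -> list[str]:
    """Return the reasons an attachment name looks like a disguised executable.

    An empty list means nothing suspicious was found in the name itself;
    the icon and the file content still need their own checks.
    """
    findings: list[str] = []
    if RLO in name:
        findings.append("right-to-left override (U+202E) in name")

    parts = _normalize_spaces(name).split(".")
    if len(parts) < 2:
        return findings  # no extension at all

    true_ext = parts[-1].strip().lower()
    if true_ext not in EXECUTABLE_EXTS:
        return findings  # the real extension is not executable

    findings.append(f"executable extension .{true_ext}")
    # Walk the inner pieces: "prel.xls .exe" splits into ["... prel", "xls ", "exe"].
    for piece in parts[1:-1]:
        token = piece.strip().lower()
        if token in DECOY_EXTS:
            findings.append(f"decoy document extension .{token} before .{true_ext}")
            if piece != piece.rstrip():
                findings.append("whitespace padding between decoy and real extension")
    return findings


def is_disguised_executable(name: str) -> bool:
    """True when the real extension is executable AND at least one disguise indicator is present."""
    findings = attachment_name_findings(name)
    has_exec = any(f.startswith("executable extension") for f in findings)
    return has_exec and len(findings) > 1


if __name__ == "__main__":
    for sample in ("Likviditetsrapport december prel.xls .exe",
                   "Likviditetsrapport december prel.xls",
                   "setup.exe",
                   "invoice" + RLO + "fdp.exe"):
        print(f"{sample!r}: {attachment_name_findings(sample)}")
```

A plain "setup.exe" only produces the executable-extension finding, so `is_disguised_executable` stays False for it; the policy decision of whether to block bare executables at all is separate from spotting the disguise. Note that the check looks at the name only: a file named "report.xls" that is really a PE needs a content check (magic bytes) that this example does not perform.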
If the executable was launched on the victim's system, it would connect to an IP address on TCP port 3460 using a hostname hosted at the dynamic DNS provider no-ip.org. (See the ThreatExpert report.)
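Because the attacker used a dynamic DNS hostname rather than a fixed address, the DNS lookup is the durable indicator: the IP behind a no-ip.org name can change at will, but the victim still has to resolve the name before connecting. The following added example (not code from the diary or from any product) correlates DNS answers for dynamic-DNS hostnames with the TCP connections that follow them, which is how a beacon to a no-ip.org name on TCP port 3460 would surface in DNS and firewall logs. The log format, the hostnames and the 10.x / 203.0.113.x addresses are constructed for the example; the zone list is an assumed starting point, not a complete catalogue of dynamic-DNS providers.

```python
# Added example (not from the ISC diary): correlate DNS answers for dynamic-DNS
# names with the TCP connections that follow them. Log format, hostnames and
# addresses are constructed; DYNDNS_ZONES is an assumed starter list.
import re
from typing import Dict, List, Tuple

DYNDNS_ZONES = {"no-ip.org", "no-ip.com", "no-ip.biz", "no-ip.info",
                "dyndns.org", "hopto.org", "zapto.org", "ddns.net"}
# Ports where outbound traffic is expected; anything else is flagged as uncommon.
COMMON_PORTS = {25, 53, 80, 110, 143, 443, 993, 995}

_KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample log, one event per line: "<timestamp> <kind> key=value ...".
SAMPLE_LOG = """\
2009-01-12T10:15:03Z dns src=10.1.2.3 qname=www.example.com answer=192.0.2.10
2009-01-12T10:15:03Z conn src=10.1.2.3 dst=192.0.2.10 dport=80 proto=tcp
2009-01-12T10:15:41Z dns src=10.1.2.3 qname=finance-update.no-ip.org answer=203.0.113.45
2009-01-12T10:15:42Z conn src=10.1.2.3 dst=203.0.113.45 dport=3460 proto=tcp
2009-01-12T10:16:00Z dns src=10.1.2.7 qname=myhome.dyndns.org answer=203.0.113.9
2009-01-12T10:16:01Z conn src=10.1.2.7 dst=203.0.113.9 dport=443 proto=tcp
""".splitlines()


def parse_event(line: str) -> Dict[str, str]:
    """Split "<ts> <kind> k=v k=v ..." into a dict; ts and kind are added as keys."""
    ts, kind, rest = line.split(" ", 2)
    ev = dict(_KV.findall(rest))
    ev["ts"], ev["kind"] = ts, kind
    return ev


def is_dyndns(host: str) -> bool:
    """True if host is a dynamic-DNS zone or a name inside one (suffix match on labels)."""
    h = host.lower().rstrip(".")
    return any(h == z or h.endswith("." + z) for z in DYNDNS_ZONES)


def find_beacons(lines: List[str]) -> List[dict]:
    """Return connections whose destination was obtained by resolving a dynamic-DNS name.

    Each hit records the hostname, the destination port and whether that port
    is outside COMMON_PORTS (a beacon on 3460 scores higher than one on 443).
    """
    resolved: Dict[Tuple[str, str], str] = {}  # (client, answered IP) -> hostname
    hits: List[dict] = []
    for line in lines:
        ev = parse_event(line)
        if ev["kind"] == "dns":
            qname, answer = ev.get("qname", ""), ev.get("answer")
            if answer and is_dyndns(qname):
                resolved[(ev["src"], answer)] = qname
        elif ev["kind"] == "conn" and ev.get("proto") == "tcp":
            key = (ev["src"], ev["dst"])
            if key in resolved:
                port = int(ev["dport"])
                hits.append({"ts": ev["ts"], "src": ev["src"], "host": resolved[key],
                             "dst": ev["dst"], "dport": port,
                             "uncommon_port": port not in COMMON_PORTS})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Run on the constructed log, the example returns two hits: 10.1.2.3 talking to finance-update.no-ip.org on 3460 (uncommon port) and 10.1.2.7 talking to myhome.dyndns.org on 443. The second may be an employee's home connection, which is why the example reports both and lets the port flag drive the priority rather than silently dropping the 443 case. Matching on (client, answered IP) rather than on the IP alone keeps one client's stale answer from being attributed to another; the approach cannot see an implant that hardcodes its address, for which a port- or payload-based rule is needed instead.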
According to the VirusTotal scan, only two vendors consider the file malicious, tagging it as a dropper.
Update 1: Steven Adair identified the executable as a variant of the Poison Ivy trojan that acts as a backdoor and lets the attacker fully control the infected system. For additional information, see the F-Secure write-up and page 28 of this whitepaper. This trojan uses the default mutex "
Update 2: I initially reported that the emails were in the form of bounced messages. This is not the case. The targeted emails were forged to look as though they came from one company executive to another. Due to validity checks, they bounced and, apparently, did not arrive at their destination.
Update 3: Thanks to Patrik Runald from F-Secure for correcting the error in the translation of the attachment's filename. (I updated the filename above accordingly.)
Security Consulting - Savvis, Inc.
Lenny teaches a SANS course on analyzing malware.