Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Safe - Tools, Tactics and Techniques SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Safe - Tools, Tactics and Techniques

Trend Micro published a report last week on a spear-phishing emails campaign that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).

This paper identified specific targets:

  • Government ministries
  • Technology companies
  • Media outlets
  • Academic research institutions
  • Nongovernmental organizations

According to the report, "While we have yet to determine the campaign’s total number of victims, it appears that nearly 12,000 unique IP addresses spread over more than 100 countries were connected to two sets of command-and-control (C&C) infrastructures related to Safe.[1]" Another fact of interest is the author of the malware is probably a professional software developer that reused legitimate source code from an Internet services company. Based on the information collected, they found "One key indicator that can be used to detect this network communication is the user-agent, Fantasia."[1] Additional information is available in the report.

If you have collected some malware matching this description, we would be interested to get some samples. You can submit them via our contact form.



Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


512 Posts
ISC Handler
May 20th 2013

Sign Up for Free or Log In to start participating in the conversation!