
Specialists at AlienVault have found a Trojan that spreads via MS Office files and installs itself on systems affected by MS09-027, a critical vulnerability in Microsoft Office. The vulnerability dates from 2009 but is still being exploited. According to AlienVault, the malicious files were sent by the same group that had previously been seen attacking Tibetan non-governmental organizations.

The researchers say this is one of the rare occasions on which they have actually seen a Trojan targeting the Mac embedded in Office files; such cases occur only rarely. The program works fully only if it runs as an administrator; otherwise its functionality is limited.

In this case, the DOC file is sent in a message under the guise of “Tibetans all over the world” (see the text of the message). After the file is opened, the shellcode writes the malicious components to the /tmp/ directory (a bash script, a clean DOC file, and a binary) and then executes the bash script (/tmp/launch-hs):

fstat(0x2, 0xBFFF4CD0, 0x200)
fstat(0x24, 0xBFFF4CD0, 0x200)
lseek(0x24, 0x6600, 0x0)   # file offset inside the doc
write(0x26, "#!/bin/sh\n/tmp/launch-hse &\nopen /tmp/file.doc &\n\n\0", 0x32)
...
close(0x28)
vfork()
execve(0x28, 0xBFFF4B80, 0x0)

The C&C server of the first of the two Trojans is at the following address:

2012.slyip.net: 173.255.160.234
173.255.160.128 – 173.255.160.255
Black Oak Computers Inc – New York – 75 Broad Street
New York, NY, US

The second Trojan, whose internal name is MacControl, creates the file /Users/{User}/Library/LaunchAgents/com.Apple.FolderActionxsl.pslist so that it is launched again when the system is rebooted.
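As an added illustration from the defender's side (not part of the original report or of AlienVault's tooling), the following Python script flags the persistence pattern described above: a user-level LaunchAgent whose label mimics Apple's namespace, whose program lives in a temporary directory, and which runs at load. The embedded plist, its label and its program path are constructed for the example.

```python
import plistlib
from pathlib import Path

# Constructed sample of a user LaunchAgent plist (hypothetical content):
# the label claims an Apple-owned namespace and the program sits in /tmp.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.FolderActionxsl</string>
  <key>ProgramArguments</key><array><string>/tmp/launch-hse</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# World-writable / scratch locations a legitimate agent has no reason to run from.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def launch_agent_findings(plist_bytes: bytes, source: str = "~/Library/LaunchAgents") -> list:
    """Return heuristic findings for one LaunchAgent plist (empty list = nothing odd)."""
    d = plistlib.loads(plist_bytes)
    findings = []
    label = str(d.get("Label", ""))
    args = d.get("ProgramArguments") or []
    program = str(d.get("Program") or (args[0] if args else ""))
    # Apple's own agents live under /System/Library/LaunchAgents, not in user dirs.
    if label.lower().startswith("com.apple.") and not source.startswith("/System/Library/"):
        findings.append(f"label '{label}' claims the Apple namespace outside /System/Library")
    if program.startswith(SUSPICIOUS_DIRS):
        findings.append(f"program '{program}' runs from a temporary directory")
    if d.get("RunAtLoad") is True:
        findings.append("RunAtLoad is set: starts at every login/reboot")
    return findings


def scan_launch_agents(directory: Path) -> dict:
    """Scan every .plist in a LaunchAgents directory; returns {path: findings}."""
    results = {}
    for p in sorted(directory.glob("*.plist")):
        try:
            f = launch_agent_findings(p.read_bytes(), str(p))
        except Exception as exc:  # unparseable files are worth a look too
            f = [f"could not parse: {exc}"]
        if f:
            results[str(p)] = f
    return results


if __name__ == "__main__":
    for finding in launch_agent_findings(SAMPLE_PLIST):
        print("FINDING:", finding)
    for path, fs in scan_launch_agents(Path.home() / "Library" / "LaunchAgents").items():
        print(path, fs)
```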

It sends some information about the victim to a remote server (the user name, host name and system version), then waits for commands from that server, working as a classic RAT.

In this case, the command server is located at the address 114.249.207.194 in China:

114.240.0.0 – 114.255.255.255
China Unicom Beijing Province network
China Unicom

None of these malicious programs is detected by current anti-virus products (zero visibility).