‘KeyBoy’ Malware Used in Targeted Attacks in Asia

A spate of attacks targeting users in Vietnam and India are infecting users with a backdoor designed to steal massive amounts of information.

According to researchers with Rapid7, the targeted attacks are using a malicious Microsoft Word document that exploits vulnerabilities in Microsoft Office to compromise computers with malware known as KeyBoy.

Specifically, the malicious attachments exploit CVE-2012-0158 and CVE-2012-1856, which were both patched by Microsoft in the MS12-027 and MS12-60 bulletins, respectively. The first document is written in Vietnamese, and is about “reviewing and discussing best practices for teaching and researching scientific topics,” Rapid7 researcher Claudio Guarnieri explained in a blog post.

The second document is written in English, and is related to the telecommunications infrastructure in Calcutta, India, including the coverage of GSM networks and availability and stability of broadband connections. Other attacks related to the campaign appear to have targeted at Taiwan, certain ethnic groups in China and various Western diplomats located abroad.

“We don’t know how many people have been infected in this attack,” Guarnieri toldSecurityWeek via email, explaining the company has only been able to identify some attacks as part of a campaign that is “long-running and very prolific.”

“From what we can tell, the victims seem to be diversified: academics, telecommunication corporations, diplomats and politicians,” he added.

Once opened, the documents install KeyBoy, so-named after a string present in one of the malware samples. KeyBoy works by registering a new Windows service known as MdAdum. At that point, the dropper launches the service with the DLL located at C:\WINDOWS\system32\CREDRIVER.dll and deletes itself.

According to Rapid7, the malware steals credentials from the local storage of Internet Explorer and Mozilla Firefox, and installs a keylogger for stealing data from Google Chrome.  The malware also enables the attackers to poke through the compromised computers in other ways and exfiltrate data.

“Recently the growth of amount and scale of targeted attacks has come to the point were they are starting to look more like opportunistic carpet bombings rather than ninja strikes,” Guarnieri blogged. “It’s common to observe attacks pulled off successfully without any particular sophistication in place, including the incidents described in this post.”

“Beware though, just because these attacks are conceptually targeted, it doesn’t necessarily mean that they should have a higher priority than any other threat on your security program,” the researcher added. “Our suggestion remains the same: identify your core assets, recognize the most impactful threats to such assets and inform and protect yourself accordingly.”

A more detailed analysis of the malware can be found here.

Comments are closed.