Targeted attack against Tibetan activists abuses Nvidia file to load malware

The attack uses an Nvidia tool vulnerable to DLL preloading, Sophos researchers say

Security researchers from antivirus vendor Sophos have uncovered a Tibet-themed attack campaign that abuses a legitimate and digitally signed Nvidia file to load malware on computers.

The attack delivers a RTF (Rich Text Format) document via email that's rigged with an exploit for a Microsoft Office vulnerability patched in April 2012. The document masquerades as a statement from the Tibetan Youth Congress.

If opened on a system that doesn't have the corresponding Microsoft Office patch, the exploit drops and executes a self-extracting WinRAR archive that deploys three files called Nv.exe, NvSmartMax.dll and NvSmartMax.dll.url. Nv.exe is subsequently executed.

The interesting thing about Nv.exe is that it's actually a clean and digitally signed application from graphics chip maker Nvidia called the "Nvidia Smart Maximise Helper Tools."

The version of Nv.exe dropped by this exploit is vulnerable to an attack called DLL preloading -- also known as DLL sideloading, DLL hijacking, or binary planting.

DLL preloading vulnerabilities occur when an application is programmed to load a specifically named DLL file, but the developer didn't specify the full path to the file in the code or the directory from where it should be loaded. In such cases Windows will automatically search for the DLL in different directories in a certain order, starting with the application's working directory.

In this case, Nv.exe is programmed to load NvSmartMax.dll, which the attackers have replaced with a malicious one. When the legitimate Nv.exe is executed, it will automatically load the malicious NvSmartMax.dll located in the same directory as itself.

The rogue NvSmartMax.dll is programmed to further load NvSmartMax.dll.url, which is a copy of a known remote access tool (RAT) called PlugX. "The attack is designed to compromise the target computer and provide the attacker with remote access," said Gabor Szappanos, principal malware researcher at Sophos, in a blog post published Wednesday.

The use of the legitimate and clean Nv.exe as a pre-loader for the malware is intended to make it harder for users and possibly some security software to detect the compromise.

The first lesson to learn from this attack is to keep software up to date, Szappanos said. The fact that a Microsoft Office vulnerability patched in April 2012 is still being used in attacks as of Jan. 2013 is a clear indication that many users are not taking the first basic steps towards security, he said.

"The second lesson is mainly for application developers," Szappanos said. "Even if you are not developing security applications, you must consider the risks that your software introduces to your customers' networks."

"In this attack, Nvidia's software was abused but it could just as easily have been any of a thousand other developers," he said, pointing out that Microsoft has published advice on how to avoid DLL search path issues that could lead to DLL preloading.

This is not the first time that DLL preloading issues have been exploited by malware. The Stuxnet cybersabotage malware was programmed to drop a copy of itself as a specifically named DLL file in directories containing industrial engineering projects created with the Siemens Step 7 software.

Older versions of the Step 7 software automatically loaded this DLL when opening the infected projects, which allowed the malware to spread to other machines due to project project sharing.

On Tuesday, security researchers from Symantec reported about a malware attack that targeted users in Japan and exploited a DLL preloading vulnerability in Ichitaro, the second-most popular word processor software in Japan after Microsoft Word.

Join the newsletter!

Or
Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags security

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Mobile

Exec

Budget

Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?