New backdoor malware 'KeyBoy' used in targeted attacks in Asia, researchers say

The malware steals credentials and allows attackers to execute commands on infected computers, researchers from Rapid7 said

Users from Vietnam, India, China, Taiwan and possibly other countries, were targeted as part of an attack campaign that uses Microsoft Word documents rigged with exploits in order to install a backdoor program that allows attackers to steal information, according to researchers from security firm Rapid7.

The targeted attacks used specifically crafted Word documents as bait in spear-phishing emails sent to the intended victims. These documents were rigged to exploit known vulnerabilities that affect unpatched installations of Microsoft Office.

One of the malicious documents found by Rapid7 researchers is written in Vietnamese and is about best practices for teaching and researching scientific topics. This suggests that the targets of attacks where this document was used are part of the Vietnamese academic community, Rapid7 researchers Claudio Guarnieri and Mark Schloesser said Friday in a blog post.

A second document written in English discusses the state of telecommunication infrastructure, including GSM network coverage and Internet broadband availability, in Calcutta, India. The Rapid7 researchers believe that this document was used to target people working in the telecommunications industry in India or local government representatives.

When opened, the two documents attempt to exploit remote code execution vulnerabilities in the Windows common controls component. Identified as CVE-2012-0158 and CVE-2012-1856, respectively, these vulnerabilities affect Microsoft Office 2003, 2007 and 2010, and were patched by Microsoft in 2012 as part of the MS12-027 and MS12-060 security bulletins.

Despite being relatively old, such vulnerabilities, especially CVE-2012-0158, are commonly exploited in targeted attacks. Two examples of recent targeted attacks where CVE-2012-0158 was used include the NetTraveler and HangOver cyberespionage campaigns.

The malicious documents install a backdoor program that Rapid7 researchers have dubbed KeyBoy, after a text string found in one of the samples. The malware registers a new Windows service called MdAdum that loads a malicious DLL (Dynamic Library Link) file called CREDRIVER.dll, the researchers said.

The KeyBoy malware steals credentials stored in Internet Explorer and Mozilla Firefox and installs a keylogger component that can steal credentials entered into Google Chrome. The backdoor program also allows the attackers to get detailed information about the compromised computers, browse their directories, and download or upload files from and to them, the Rapid7 researchers said.

In addition, the malware can be used to open a Windows command shell on the infected computers that can be used remotely to execute Windows commands, they said.

The backdoor samples collected by the Rapid7 researchers were compiled on April 1, suggesting that the attacks are reasonably recent. The domain names used for the command-and-control servers contacted by the malware were registered during April and May.

These attackers are definitely targeting users in several different countries, Guarnieri said Monday via email. Rapid7 found evidence that users in Taiwan, members of minority populations in China and possibly Western diplomats have also been targeted as part of this campaign, he said.

"The campaign is not particularly sophisticated, the exploits are well known and the malware is fairly simple," Guarnieri said. "However as we have seen in recent years, sophistication is not necessary for attackers to be successful and meet their ends. In fact the large majority of targeted attacks from and within the Asian region are generally very basic in complexity."

That said, the antivirus detection rates for the exploits and the backdoor malware are surprisingly low at the moment, he said. "For some reason this group didn't receive particular attention (at least not publicly) so we expect detection to improve in the next days."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securitymalwarespywareonline safetyintrusionExploits / vulnerabilitiesRapid7

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?