ESET recently blogged about a targeted cyber/espionage attack that appears to be originating from India. Multiple security vendors have been tracking this campaign. The attack appears to be no more than four years old and very broad in scope. Based on our telemetry (Figure 1), it appears that attackers are focusing on targets located in Pakistan, specifically government agencies.
Figure 1. Telemetry data focused on South Asia
The identified infection vector of this campaign is spear phishing emails with malicious files attached. We’ve observed malicious documents exploiting the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).
Once exploited, the documents will drop malware that is used to steal information from the targets and send it back to the attackers’ servers.
Symantec products detect the spear phishing Word documents as Trojan.Mdropper and the dropped files as Downloader and Infostealer.
Users should ensure that software applications are up to date, and avoid clicking on suspicious links and opening suspicious email attachments.
To best protect against targeted attacks, we advise users to use the latest Symantec technologies and incorporate layered defenses.