Last Updated: 2007-05-25 22:54:35 UTC ~ "We are receiving more reports about targeted attacks claiming to be from the Better Business Bureau. The spam always comes with an RTF attachment. Does this ring a bell? If you’re a frequent reader of ISC you might remember that I already posted an analysis of such an attack back in March – you can find it here: http://isc.sans.org/...ml?storyid=2528 . BBB also posted an alert about this quite a while ago ( http://www.bbb.org/a...icle.asp?ID=747 ).
Basically the attackers use an application called Object Packager to embed an executable in a RTF document. The executable is typically a downloader which, when executed, downloads a second stage malware. The attackers keep changing both the downloader and second stage malware, together with sites they are using. It is worth pointing again that this attack does not exploit any Office vulnerability; instead it relies on social engineering (see the screenshots in the old diary).
While the attack itself is not very interesting, what is interesting is that the spam e-mails carrying this seem to be targeted. In fact, almost all reports we’ve received lately (and Sunbelt blogged about the same thing at http://sunbeltblog.b...ous-better.html ) claimed that only a couple of users in attacked organizations received this and that they were almost always CEOs or CFOs..."
Edited by apluswebmaster, 26 May 2007 - 06:05 AM.