Spying via XLS files

We see targeted attacks and espionage with trojans regularily. Here's a typical case.A malicious Excel XLS file (md5: 3c740451ef1ea89e9f943e3760b37d3b) was emailed to a target - apparently to just one person.When opened, this is what the XLS looked like:However, in reality the malicious file had already exploited Excel and taken over the computer by the time you saw this. The exploit code creates two new DLL files to the SYSTEM32 folder ("apimgr.dll" and "netserv.dll") and executes them.These DLL files are backdoors that try to communicate back to the attackers, using these sites:feng.pc-officer.comihe1979.3322.orgRight now, host ihe1979.3322.org does not resolve at all, and feng.pc-officer.com resolves to a placeholder IP (which is 63.64.63.64). The attackers can temporarily make the hostname resolve to the real IP address and then turn it back, to hide their tracks.The domain name pc-officer.com is a weird one. It has been registered already in 2006, and it has been used in targeted attacks before. See this ISC blog entry from September 2007. Here the attack was done via a DOC files, instead of XLS. And the reporting server was ding.pc-officer.com, not feng.pc-officer.com.If you haven't read about Ghostnet yet, now would be a good time.PS. We (continue reading...)