ESET Reveals Targeted Data Stealing Attacks in Pakistan Using Fake PDF and Document Attachments

Next story

ESET, a global pioneer in proactive protection for 25-years, has uncovered and analyzed a targeted campaign that tries to steal sensitive information from different organizations, particularly in Pakistan (with limited spread around the world). During the course of ESET investigations, several leads were discovered that indicate the threat has its origin in India and has been going on for at least two years.
This targeted attack used a code signing certificate issued to a seemingly legitimate company to sign malicious binaries and improve their potential to spread. The company was based in New Delhi, India and the certificate was issued in 2011. The malware spread through documents attached to emails.


“We have identified several different documents that followed different themes likely to be enticing to the recipients. One of these is the Indian armed forces. We do not have precise information as to which individuals or organizations were really specifically targeted by these files, but based on our investigations, it is our assumption that people and institutions in Pakistan were targeted,” said Jean-Ian Boutin, ESET Malware Researcher.

For instance, one of the fake PDF files was delivered through a self-extracting archive called “pakistandefencetoindiantopmiltrysecreat.exe”, and ESET telemetry data shows that Pakistan is heavily affected by this campaign with 79 percent of detections being in that country.

Detection Distribution
The first infection vector was utilizing a widely used and abused vulnerability known as CVE-2012-0158. This vulnerability can be exploited by specially crafted Microsoft® Office documents and allows arbitrary code execution. The documents were delivered by email, and the malicious code was executed without the attacked computer user even knowing as soon as the document was opened. The other infection vector was via Windows executable files appearing to be Word or PDF documents – again distributed via email. In both cases, to evade suspicion by the victim, fake documents are shown to the user on execution.
The malware was stealing sensitive data from infected PCs and sending them to the attackers’ servers. It was using various types of data-stealing techniques, among them a key-logger, taking screenshots and uploading documents to attackers’ computer. Interestingly, the information stolen from an infected computer was uploaded to the attacker’s server unencrypted.

“The decision not to use encryption is puzzling considering that adding basic encryption would be easy and provide additional stealth to the operation,” adds Jean-Ian Boutin.


Full technical analysis is available on WeLiveSecurity.com - ESET’s news platform with the latest information and analysis on cyber threats and useful security tips.
Detection Names
This is a multi-part and multi-vector threat, below are ESET threat names related to this case:

Win32/Agent.NLD worm
Win32/Spy.Agent.NZD Trojan
Win32/Spy.Agent.OBF Trojan
Win32/Spy.Agent.OBV Trojan
Win32/Spy.KeyLogger.NZL Trojan
Win32/Spy.KeyLogger.NZN Trojan
Win32/Spy.VB.NOF Trojan
Win32/Spy.VB.NRP Trojan
Win32/TrojanDownloader.Agent.RNT Trojan
Win32/TrojanDownloader.Agent.RNV Trojan
Win32/TrojanDownloader.Agent.RNW Trojan
Win32/VB.NTC Trojan
Win32/VB.NVM Trojan
Win32/VB.NWB Trojan
Win32/VB.QPK Trojan
Win32/VB.QTV Trojan
Win32/VB.QTY Trojan
Win32/Spy.Agent.NVL Trojan
Win32/Spy.Agent.OAZ trojan


About ESET

ESET®, the pioneer of proactive protection and the maker of the award-winning NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 25 years, the Company has led the industry in proactive threat detection. By obtaining the 75th VB100 award in September 2012, ESET NOD32® Antivirus holds the world record for the number of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. ESET holds a number of accolades from AV-Comparatives, Virus Bulletin, AV-TEST and other independent testing organizations. ESET NOD32® Antivirus, ESET Smart Security®, ESET® Endpoint Solutions, ESET® Mobile Security and ESET® Cyber Security (solution for Mac) are trusted by millions of global users and are among the most recommended security solutions in the world. The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Sao Paulo (Brazil) and Prague (Czech Republic). ESET® has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries.