by Debbie Cohen-Abravanel
Filed under Industry News and tagged Cyber crime, Malware, News, spear phishing.
According to a report by Help Net Security, researchers at Trend Micro have published a new white paper that takes a chilling look at “Safe”: a global cyber malware campaign that is attacking up to 71 new victims a day, including media outlets, tech companies, government and NGOs, and academic institutions.
Emerging back in October 2012, the Safe campaign uses two sets of command-and-control (C&C) infrastructures. So far, it has spread malware to over 100 countries and harvested nearly 12,000 unique IPs – mostly in Mongolia, India, the U.S., China, Pakistan and the Philippines.
Victims of the campaign receive a spear phishing email with a harmless-looking document that, once opened, exploits a vulnerability (CVE-2012-0158) in older versions of MS-Word. From there, additional malicious files are downloaded and attempt to steal passwords from Internet Explorer and Firefox, as well as any stored Remote Desktop Protocol (RDP) credentials.
The story of how Trend Micro researchers made their discovery is also noteworthy. Apparently, one of Safe’s campaign servers was mistakenly set up to allow anyone to view its directory contents. As a result, researchers were able to identify victims of the campaign and isolate the PHP source code used to create the malware. This is very similar to the mistake made by the attackers behind the “Red October” operation.
However, Trend Micro researchers weren’t able to identify the cybercriminal behind the campaign – whom they believe to be a professional software engineer based in China – because of VPNs and proxy tools.