Targeted attack against Tibetan activists abuses Nvidia file to load malware
The attack uses an Nvidia tool vulnerable to DLL preloading, Sophos researchers say
Security researchers from antivirus vendor Sophos have uncovered a Tibet-themed attack campaign that abuses a legitimate and digitally signed Nvidia file to load malware on computers.
The attack delivers a RTF (Rich Text Format) document via email that's rigged with an exploit for a Microsoft Office vulnerability patched in April 2012. The document masquerades as a statement from the Tibetan Youth Congress.
If opened on a system that doesn't have the corresponding Microsoft Office patch, the exploit drops and executes a self-extracting WinRAR archive that deploys three files called Nv.exe, NvSmartMax.dll and NvSmartMax.dll.url. Nv.exe is subsequently executed.
The interesting thing about Nv.exe is that it's actually a clean and digitally signed application from graphics chip maker Nvidia called the "Nvidia Smart Maximise Helper Tools."
The version of Nv.exe dropped by this exploit is vulnerable to an attack called DLL preloading -- also known as DLL sideloading, DLL hijacking, or binary planting.
DLL preloading vulnerabilities occur when an application is programmed to load a specifically named DLL file, but the developer didn't specify the full path to the file in the code or the directory from where it should be loaded. In such cases Windows will automatically search for the DLL in different directories in a certain order, starting with the application's working directory.
In this case, Nv.exe is programmed to load NvSmartMax.dll, which the attackers have replaced with a malicious one. When the legitimate Nv.exe is executed, it will automatically load the malicious NvSmartMax.dll located in the same directory as itself.
The rogue NvSmartMax.dll is programmed to further load NvSmartMax.dll.url, which is a copy of a known remote access tool (RAT) called PlugX. "The attack is designed to compromise the target computer and provide the attacker with remote access," said Gabor Szappanos, principal malware researcher at Sophos, in a blog post published Wednesday.
The use of the legitimate and clean Nv.exe as a pre-loader for the malware is intended to make it harder for users and possibly some security software to detect the compromise.
The first lesson to learn from this attack is to keep software up to date, Szappanos said. The fact that a Microsoft Office vulnerability patched in April 2012 is still being used in attacks as of Jan. 2013 is a clear indication that many users are not taking the first basic steps towards security, he said.
"The second lesson is mainly for application developers," Szappanos said. "Even if you are not developing security applications, you must consider the risks that your software introduces to your customers' networks."
"In this attack, Nvidia's software was abused but it could just as easily have been any of a thousand other developers," he said, pointing out that Microsoft has published advice on how to avoid DLL search path issues that could lead to DLL preloading.
This is not the first time that DLL preloading issues have been exploited by malware. The Stuxnet cybersabotage malware was programmed to drop a copy of itself as a specifically named DLL file in directories containing industrial engineering projects created with the Siemens Step 7 software.
Older versions of the Step 7 software automatically loaded this DLL when opening the infected projects, which allowed the malware to spread to other machines due to project project sharing.
On Tuesday, security researchers from Symantec reported about a malware attack that targeted users in Japan and exploited a DLL preloading vulnerability in Ichitaro, the second-most popular word processor software in Japan after Microsoft Word.