Kaspersky Lab researchers recently came across a series of targeted attacks being sent via a domain registered in Shanghai.
The document titles either refer to articles from Men's Health magazine, cover military issues, or have Cyrillic file names. Open them, and you'll be shown a text document that covers the information promised in the title, while malware is installed in the background.
"When the exploit runs it creates and executes a file called wordupgrade.exe," writes Kaspersky Lab's Ben Godwood. "This executable drops a DLL called usrsvpla.dll into the system32 directory and modifies the WmdmPmSN (Portable Media Serial Number Service) registry key to load the DLL into svchost.exe. ... The malware installed by these documents is a variant of Enfal/Lurid. We are detecting wordupgrade.exe as Trojan-Dropper.Win32.Datcaen.d and usrsvpla.dll as Trojan.Win32.Zapchast.affv."
Godwood notes that the malware itself isn't particularly new -- as Trend Micro notes, the Enfal malware dates back to 2006 -- but he advises caution when viewing attachments related to any of the above topics.
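The persistence mechanism Godwood describes (a service DLL swapped in so svchost.exe loads it) leaves a checkable trace in the service's registry configuration. The PowerShell below is an added defender-side audit, not code from Kaspersky's write-up; it assumes the usual svchost-hosted service layout where the DLL path sits in the `ServiceDll` value under the service's `Parameters` key, and it treats `MsPMSNSv.dll` as the expected stock DLL name for WmdmPmSN, which you should confirm against a known-good host of the same Windows build.

```powershell
# Added audit script (not from the article): inspect the WmdmPmSN service for the
# ServiceDll tampering described in the Kaspersky report.
$serviceName = 'WmdmPmSN'
# Assumption: svchost-hosted services keep their DLL path at <service>\Parameters\ServiceDll.
$paramsKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName\Parameters"
# Assumption: stock DLL name for this service; verify against a clean baseline host.
$expectedDll = 'MsPMSNSv.dll'
# DLL name reported in the article for the Enfal/Lurid dropper.
$knownBadDll = 'usrsvpla.dll'

$result = [ordered]@{ Service = $serviceName; ServiceDll = $null; Finding = 'OK' }

if (-not (Test-Path -Path $paramsKey)) {
    # Key absent: the service may not exist on this build, or has been removed.
    $result.Finding = 'Parameters key missing; confirm whether this build ships WmdmPmSN'
    [pscustomobject]$result
    return
}

$props = Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue
$dll   = $props.ServiceDll
$result.ServiceDll = $dll

if (-not $dll) {
    $result.Finding = 'No ServiceDll value present'
} else {
    $dllName = [System.IO.Path]::GetFileName($dll)
    if ($dllName -ieq $knownBadDll) {
        $result.Finding = 'MATCH: ServiceDll name matches the DLL reported for Enfal/Lurid'
    } elseif ($dllName -ine $expectedDll) {
        $result.Finding = 'Unexpected ServiceDll name; compare against a clean baseline'
    }

    # A swapped-in DLL is normally unsigned, so record the on-disk signature state too.
    $expanded = [System.Environment]::ExpandEnvironmentVariables($dll)
    if (Test-Path -Path $expanded) {
        $sig = Get-AuthenticodeSignature -FilePath $expanded
        $result['SignatureStatus'] = $sig.Status
        $result['Signer']          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    } else {
        $result['SignatureStatus'] = 'FileNotFound'
    }
}

[pscustomobject]$result
```

Run it elevated on the host under review; a finding other than `OK` with a non-`Valid` signature status is the combination worth escalating, and the same check generalises to any other svchost-hosted service by changing `$serviceName` and `$expectedDll`.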