Targeted attack against Tibetan activists abuses Nvidia file to load malware

The attack uses an Nvidia tool vulnerable to DLL preloading, Sophos researchers say

Security researchers from antivirus vendor Sophos have uncovered a Tibet-themed attack campaign that abuses a legitimate and digitally signed Nvidia file to load malware on computers.

The attack delivers a RTF (Rich Text Format) document via email that's rigged with an exploit for a Microsoft Office vulnerability patched in April 2012. The document masquerades as a statement from the Tibetan Youth Congress.

If opened on a system that doesn't have the corresponding Microsoft Office patch, the exploit drops and executes a self-extracting WinRAR archive that deploys three files called Nv.exe, NvSmartMax.dll and NvSmartMax.dll.url. Nv.exe is subsequently executed.

The interesting thing about Nv.exe is that it's actually a clean and digitally signed application from graphics chip maker Nvidia called the "Nvidia Smart Maximise Helper Tools."

The version of Nv.exe dropped by this exploit is vulnerable to an attack called DLL preloading -- also known as DLL sideloading, DLL hijacking, or binary planting.

DLL preloading vulnerabilities occur when an application is programmed to load a specifically named DLL file, but the developer didn't specify the full path to the file in the code or the directory from where it should be loaded. In such cases Windows will automatically search for the DLL in different directories in a certain order, starting with the application's working directory.

In this case, Nv.exe is programmed to load NvSmartMax.dll, which the attackers have replaced with a malicious one. When the legitimate Nv.exe is executed, it will automatically load the malicious NvSmartMax.dll located in the same directory as itself.

The rogue NvSmartMax.dll is programmed to further load NvSmartMax.dll.url, which is a copy of a known remote access tool (RAT) called PlugX. "The attack is designed to compromise the target computer and provide the attacker with remote access," said Gabor Szappanos, principal malware researcher at Sophos, in a blog post published Wednesday.

The use of the legitimate and clean Nv.exe as a pre-loader for the malware is intended to make it harder for users and possibly some security software to detect the compromise.

The first lesson to learn from this attack is to keep software up to date, Szappanos said. The fact that a Microsoft Office vulnerability patched in April 2012 is still being used in attacks as of Jan. 2013 is a clear indication that many users are not taking the first basic steps towards security, he said.

"The second lesson is mainly for application developers," Szappanos said. "Even if you are not developing security applications, you must consider the risks that your software introduces to your customers' networks."

"In this attack, Nvidia's software was abused but it could just as easily have been any of a thousand other developers," he said, pointing out that Microsoft has published advice on how to avoid DLL search path issues that could lead to DLL preloading.

This is not the first time that DLL preloading issues have been exploited by malware. The Stuxnet cybersabotage malware was programmed to drop a copy of itself as a specifically named DLL file in directories containing industrial engineering projects created with the Siemens Step 7 software.

Older versions of the Step 7 software automatically loaded this DLL when opening the infected projects, which allowed the malware to spread to other machines due to project project sharing.

On Tuesday, security researchers from Symantec reported about a malware attack that targeted users in Japan and exploited a DLL preloading vulnerability in Ichitaro, the second-most popular word processor software in Japan after Microsoft Word.

Tags: security

Oracle identifies products affected by Heartbleed, but work remains on fixes

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Business Continuity Management Solutions

Automate business-continuity and disaster-recovery planning and enable crisis management in one solution.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.