Targeted attack against Tibetan activists abuses Nvidia file to load malware

The attack uses an Nvidia tool vulnerable to DLL preloading, Sophos researchers say

Security researchers from antivirus vendor Sophos have uncovered a Tibet-themed attack campaign that abuses a legitimate and digitally signed Nvidia file to load malware on computers.

The attack delivers a RTF (Rich Text Format) document via email that's rigged with an exploit for a Microsoft Office vulnerability patched in April 2012. The document masquerades as a statement from the Tibetan Youth Congress.

If opened on a system that doesn't have the corresponding Microsoft Office patch, the exploit drops and executes a self-extracting WinRAR archive that deploys three files called Nv.exe, NvSmartMax.dll and NvSmartMax.dll.url. Nv.exe is subsequently executed.

The interesting thing about Nv.exe is that it's actually a clean and digitally signed application from graphics chip maker Nvidia called the "Nvidia Smart Maximise Helper Tools."

The version of Nv.exe dropped by this exploit is vulnerable to an attack called DLL preloading -- also known as DLL sideloading, DLL hijacking, or binary planting.

DLL preloading vulnerabilities occur when an application is programmed to load a specifically named DLL file, but the developer didn't specify the full path to the file in the code or the directory from where it should be loaded. In such cases Windows will automatically search for the DLL in different directories in a certain order, starting with the application's working directory.

In this case, Nv.exe is programmed to load NvSmartMax.dll, which the attackers have replaced with a malicious one. When the legitimate Nv.exe is executed, it will automatically load the malicious NvSmartMax.dll located in the same directory as itself.

The rogue NvSmartMax.dll is programmed to further load NvSmartMax.dll.url, which is a copy of a known remote access tool (RAT) called PlugX. "The attack is designed to compromise the target computer and provide the attacker with remote access," said Gabor Szappanos, principal malware researcher at Sophos, in a blog post published Wednesday.

The use of the legitimate and clean Nv.exe as a pre-loader for the malware is intended to make it harder for users and possibly some security software to detect the compromise.

The first lesson to learn from this attack is to keep software up to date, Szappanos said. The fact that a Microsoft Office vulnerability patched in April 2012 is still being used in attacks as of Jan. 2013 is a clear indication that many users are not taking the first basic steps towards security, he said.

"The second lesson is mainly for application developers," Szappanos said. "Even if you are not developing security applications, you must consider the risks that your software introduces to your customers' networks."

"In this attack, Nvidia's software was abused but it could just as easily have been any of a thousand other developers," he said, pointing out that Microsoft has published advice on how to avoid DLL search path issues that could lead to DLL preloading.

This is not the first time that DLL preloading issues have been exploited by malware. The Stuxnet cybersabotage malware was programmed to drop a copy of itself as a specifically named DLL file in directories containing industrial engineering projects created with the Siemens Step 7 software.

Older versions of the Step 7 software automatically loaded this DLL when opening the infected projects, which allowed the malware to spread to other machines due to project project sharing.

On Tuesday, security researchers from Symantec reported about a malware attack that targeted users in Japan and exploited a DLL preloading vulnerability in Ichitaro, the second-most popular word processor software in Japan after Microsoft Word.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about MicrosoftNvidiaSiemensSmartSophosSymantecWinRAR

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts