Japan leakage analysis emails with malicious XLS attachments

Japan’s seemingly unending series of misfortunes has so far generated a vast variety of online scams. The latest one includes spam emails containing Excel attachments rigged with Flash exploits.

The subject line states: “Japan Nuclear Radiation Leakage and Vulnerability Analysis”, and the email is supposedly sent by the Office of Nuclear Security and Incident Response with the U.S. Nuclear Regulatory Commission.

Given that lots of people are worried about the effects that the Fukushima reactor meltdown might have on their own lives, it does seem like a good lure for inexperienced Internet users.

A similar email contains an Excel file with an embedded Flash object that tries to exploit a known vulnerability. Once the file is opened, the users might be tipped off by the fact that the spreadsheet is empty. But, by then it is too late – the Flash object started its run.

It starts with a a heap-spray containing shellcode that loads and passes execution to a second shellcode embedded in the Excel file. “The second shellcode is responsible for decrypting and executing an EXE file (also embedded in the Excel file),” explain F-Secure researchers. “In the meantime, the Flash object constructs and loads a second Flash object in runtime. This second Flash object is the main exploit in this malware and it exploits CVE-2011-0609 to execute the shellcode in the heap.”

They think that the exploit was delivered in such a way in order to avoid being spotted. “As it is loaded in memory, no physical file is available for scanning by an antivirus engine,” they say. The embedded EXE file is detected as a Trojan.

The vulnerability misused in this attack has been recently patched by Adobe, so users are advised to update their Flash Player.