Spam about the Jasmine Revolution leads to malware

By the end of 2010, the total number of Chinese Internet users had reached 457 million. Even if scammers and malware authors concentrated exclusively on that segment of the Internet-using public, they would still have an extremely large pool of potential targets.

It is no wonder, then, that security firms have lately been uncovering and reporting malicious campaigns aimed at Chinese users. Android Trojans have often first surfaced on unofficial Chinese third-party app markets, and a bootkit targeting Chinese users was recently discovered by Kaspersky Lab.

And now a new spam campaign is taking advantage of Chinese users’ interest in the “Jasmine Revolution” – the protest movement in China inspired by the recent Tunisian Revolution – to drop a backdoor Trojan onto their computers.

Trend Micro researcher Yuki Chen analyzed the .rtf file attached to this spam email, and revealed how the attack works.

The file is titled “My thoughts on the jasmine flower” and is written in Chinese. It has been crafted to exploit an old stack-based buffer overflow vulnerability in Microsoft Word’s handling of RTF content.

The flaw lets the attacker execute arbitrary code on the targeted machine and deliver the payload, a backdoor Trojan that is dropped into the temp folder. When the victim opens the attachment, the exploit runs and the document still displays a text about the “Jasmine Revolution”, so to the victim it looks like an ordinary .rtf file and nothing appears out of the ordinary.
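As an added example, not code from the article or from the Trend Micro analysis: a small Python triage script of the kind an analyst would run over a suspicious .rtf attachment before opening it in Word. It does not detect the specific vulnerability, which the article does not identify; it flags the structural signs that a “plain” RTF letter is carrying something else: control words that embed binary objects or trigger automatic updates, long runs of hex-encoded binary data, control word parameters far outside the 16-bit range the RTF specification defines, and unbalanced groups. The two sample documents at the bottom are constructed for this example and are not the real attachment.

```python
import re
from dataclasses import dataclass

# Token pattern for RTF control words: a backslash, letters, optional signed
# numeric parameter (e.g. \rtf1, \fs24, \objdata). Control symbols such as
# \* or \'41 contain no letters and are deliberately not matched here.
CONTROL_WORD = re.compile(r"\\([A-Za-z]+)(-?\d+)?")

# Control words that introduce embedded binary objects, pictures or automatic
# field updates. In a file that claims to be a short essay they deserve a
# closer look; their presence alone is not proof of malice.
SUSPICIOUS_WORDS = {
    "object", "objemb", "objautlink", "objdata", "objupdate",
    "pict", "bin", "dde", "ddeauto",
}

# The RTF specification defines control word parameters as signed 16-bit
# integers; far larger values are an anomaly worth reporting.
MAX_PARAM = 32767


@dataclass
class RtfReport:
    is_rtf: bool
    control_words: dict    # control word -> number of occurrences
    findings: list         # human-readable anomalies; empty if nothing stood out


def triage_rtf(data: bytes, hex_run_threshold: int = 64) -> RtfReport:
    """Tokenise an RTF file and report structural anomalies.

    hex_run_threshold is the number of consecutive hex byte pairs ("4d5a...")
    above which a run is reported as embedded binary data.
    """
    # RTF is 7-bit ASCII by design; latin-1 decodes any byte without error.
    text = data.decode("latin-1")
    findings = []

    is_rtf = text.lstrip().startswith("{\\rtf")
    if not is_rtf:
        findings.append("no {\\rtf header at start of file")

    # Count control words and check their numeric parameters.
    counts = {}
    bad_params = set()
    for m in CONTROL_WORD.finditer(text):
        word, param = m.group(1), m.group(2)
        counts[word] = counts.get(word, 0) + 1
        if param is not None and abs(int(param)) > MAX_PARAM:
            bad_params.add((word, param))
    for word, param in sorted(bad_params):
        findings.append(f"control word \\{word} has out-of-range parameter {param}")
    for word in sorted(counts):
        if word in SUSPICIOUS_WORDS:
            findings.append(f"embedded-object/automation control word \\{word} x{counts[word]}")

    # Long runs of hex digits are how RTF carries embedded binary (\objdata,
    # \pict); report each run's decoded size in bytes.
    hex_run = re.compile(r"(?:[0-9A-Fa-f]{2}\s*){%d,}" % hex_run_threshold)
    for m in hex_run.finditer(text):
        nbytes = len(re.sub(r"\s", "", m.group(0))) // 2
        findings.append(f"hex data run of {nbytes} bytes at offset {m.start()}")

    # Unbalanced groups suggest a truncated or deliberately malformed file.
    # Escaped braces (\{ and \}) are literal text, so drop them before counting.
    unescaped = text.replace("\\{", "").replace("\\}", "")
    if unescaped.count("{") != unescaped.count("}"):
        findings.append("unbalanced RTF groups ({ vs })")

    return RtfReport(is_rtf=is_rtf, control_words=counts, findings=findings)


# Constructed sample inputs for this example (not the campaign's attachment).
BENIGN_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}"
    b"\\f0\\fs24 My thoughts on the jasmine flower.\\par}"
)
SUSPICIOUS_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\object\\objemb{\\*\\objdata 0105000002000000"
    + b"41" * 200
    + b"}}\\fs2147483647 Decoy text about the Jasmine Revolution.\\par}"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        report = triage_rtf(blob)
        print(f"{name}: is_rtf={report.is_rtf}, {len(report.findings)} finding(s)")
        for f in report.findings:
            print("  -", f)
```

Run it on a saved attachment with `triage_rtf(open(path, "rb").read())`. The constructed benign letter produces no findings; the constructed second file is flagged five times (an embedded object, its `\objdata` payload of 208 hex-encoded bytes, and an absurd `\fs` parameter). Anything with findings belongs in a sandbox or an RTF-aware parser, not in Word on an analyst's workstation.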

