RTF exploit hiding in bin Laden death-themed email

Osama bin Laden’s death is sure to be milked for all it’s worth by online spammers and scammers, and the latest instance of this also seems to be the latest incarnation of a slew of politically/economically themed malicious emails sent to targets working for the U.S. government.

The email holds “FW: Courier who led U.S. to Osama bin Laden’s hideout identified” in the subject line, and urges the recipient to download and open the attached Laden’s Death.doc file:

The file is, of course, crafted in such a way as to attempt to take advantage of a RTF Stack Buffer Overflow Vulnerability. If it succeeds, it exploits shellcode and drops a file named server.exe and executes it.

According to F-Secure, the dropped file drops another file in the system, and attempts to hijack the DHCP service by modifying the registry. Then, it tries to connect to a C&C server located at ucparlnet.com.

The payload is actually a rather versatile piece of malware that can steal and send data to remote servers, download further malware on the system and can act as a trojan proxy server.

According to a number of examples collected at the contagio malware dump, similar emails containing rigged .doc files delivering the same payload have been targeting U.S. government workers for a while now, tempting them with subject lines such as “Fwd: China-U.S. Trade Issues” and “FW: U.S. economy slips to 4th in WEF’s competitiveness rankings.”