“I forward this file to you for review. Please open and view it,” reads, in its entirety, the email that is thought to have been the means of deploying the backdoor that resulted in the massive RSA breach in March.
Using a few of the details that had been shared about it – namely that the email carried an attachment called 2011 Recruitment plan.xls and had “2011 Recruitment Plan” in the subject line – F-Secure researcher Timo Hirvonen searched for months through the malware database that VirusTotal shares with security companies, in the hope that someone had uploaded the attached file for scanning.
As it turns out, both the email and the attachment had been uploaded. Here is how it looks (screenshot):
With a “From” address spoofed to look as though it came from the webmaster of the recruiting website Beyond.com, it was sent to one EMC employee and CC’d to three others on the 3rd of March.
The attached Excel spreadsheet contained a Flash object that was executed by Excel and took advantage of a vulnerability to install the Poison Ivy backdoor on the victim’s computer.
The backdoor then contacted a server from which the attacker was able to remotely access the workstation and other network drives, and from there the rest of the network.
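As an added illustration, not taken from the article or from F-Secure's analysis, here is a defender-side heuristic that scans an attachment for the header of an embedded Flash (SWF) object, the vehicle the spreadsheet carried. The sample bytes are constructed, and the version cap and the assumption that the SWF stream is stored contiguously inside the OLE2 file are mine.

```python
# Added example (not from the article): heuristic scan of a file for embedded
# Adobe Flash (SWF) objects. An .xls is an OLE2 compound file; the SWF bytes
# sit inside one of its streams, so a raw byte scan finds the SWF header when
# that stream happens to be stored contiguously (assumption for this demo).
import struct
import sys
from typing import Dict, List

SWF_MAGICS = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
MAX_SWF_VERSION = 40  # assumption: higher version bytes are treated as noise


def find_embedded_swf(data: bytes) -> List[Dict[str, object]]:
    """Return one hit per plausible SWF header found in `data`.

    SWF header layout: 3-byte magic, 1-byte version, 4-byte little-endian
    uncompressed length (covers the whole SWF, header included).
    """
    hits = []
    for magic, compression in SWF_MAGICS.items():
        pos = data.find(magic)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                # Plausibility checks cut false positives from random bytes:
                # a sane version byte and a length that at least covers the header.
                if 1 <= version <= MAX_SWF_VERSION and length >= 8:
                    hits.append({"offset": pos, "compression": compression,
                                 "version": version, "length": length})
            pos = data.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: OLE2 magic followed by padding to the first sector, then
# a fake CWS header (version 10, declared length 4096) standing in for a Flash
# object embedded in a spreadsheet. No real malware bytes are used.
SAMPLE_XLS = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
              + b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c"
              + b"\x00" * 64)


if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XLS
    for hit in find_embedded_swf(blob):
        print(f"SWF ({hit['compression']}) v{hit['version']} at offset "
              f"{hit['offset']}, declared length {hit['length']} bytes")
```

A hit is only a signal to quarantine the attachment for fuller analysis; legitimate documents can embed Flash too, and a fragmented OLE stream can hide the header from this simple scan.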
“The attack email does not look too complicated,” points out F-Secure. “In fact, it’s very simple. However, the exploit inside Excel was a zero-day at the time and RSA could not have protected against it by patching their systems.”
According to Computerworld, RSA was contacted but has not confirmed that the email found is one of the two that wreaked such havoc on the company.