
12 May, 2015

Trend Micro reveals cybercriminals using LINE to target Taiwan government

Source: Trend Micro.

According to Trend Micro's Targeted Attack Trends 2014 report, targeted attacks, otherwise known as advanced persistent threats (APTs), have intensified over the past year alongside newly identified techniques. The company found that the mobile messaging application LINE was used as bait to lure targets in a targeted attack that hit the Taiwan government.

Korean messaging app LINE has a global reach of more than 560 million registered users as of October 2014 according to Statista, and, according to a January 2015 blog post by Metaps, LINE reaches about 75% of the population in Taiwan.

Intended targets received a spear-phishing email that uses LINE as its subject and carries a .ZIP attachment named add_line.zip. The email purports to come from the secretary of a political figure and asks recipients in a Taiwan government office to join a specific LINE group and to provide some information for profiling purposes. Once a user opens the .ZIP file, an executable, add_zip.exe, is launched. Trend Micro detects this as BKDR_MOCELPA.ZTCD-A.
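The lure described above relies on an executable hidden inside a .ZIP email attachment. The following is an added example, not code from Trend Micro or the original article, of a mail-gateway style check that inspects a ZIP attachment and flags members that are executable by extension or by their PE ("MZ") header, so a renamed binary is still caught. The sample archive is constructed in memory with a harmless fake PE stub, not the real BKDR_MOCELPA.ZTCD-A sample.

```python
import io
import zipfile

# Magic bytes of a Windows PE executable; the extension is not trusted,
# because a lure may rename the payload to look like a document.
PE_MAGIC = b"MZ"
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def inspect_zip_attachment(data: bytes) -> list:
    """Return a list of (member_name, reason) for members that look executable.

    A member is flagged when its name ends with an executable suffix or when
    its first two bytes are the PE 'MZ' magic (catches renamed binaries).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                reasons.append("executable extension")
            with zf.open(info) as member:
                head = member.read(2)          # only the header is needed
            if head == PE_MAGIC:
                reasons.append("PE (MZ) header")
            if reasons:
                findings.append((info.filename, ", ".join(reasons)))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a benign text file, a fake PE stub named
    like the lure on the page (add_zip.exe), and the same stub renamed to .pdf."""
    fake_pe = b"MZ" + b"\x00" * 62            # constructed stub, not a real binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Please join the LINE group.")
        zf.writestr("add_zip.exe", fake_pe)
        zf.writestr("invite.pdf", fake_pe)    # renamed executable
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip_attachment(build_sample_zip()):
        print(f"FLAG {name}: {reason}")
```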

Further investigation revealed that this targeted attack is likely related to the Taidoor campaign, which employs malicious .DOC files that display a legitimate document while executing the malware payload in the background. The LINE malware uses the same encryption to hide its network traffic.

One Taidoor sample exploited CVE-2012-0158, a vulnerability in Windows Common Controls. It targeted US defense contractors as well as Japanese companies. Last year there were two Taidoor-related zero-day exploit attacks targeting CVE-2014-1761, which hit government agencies and an educational institution in Taiwan. The LINE-themed attack may have a similar scope.

The news reinforces the need for enterprises and large organisations to adapt more than ever to the risks posed by targeted attacks, Trend Micro said. Aside from endpoint solutions that use behaviour monitoring to detect this type of threat, organisations can go beyond endpoint solutions and address targeted attacks specifically with a custom defense strategy that follows a 'detect-analyse-respond' life cycle in order to mitigate and break the attack cycle. Enterprises are also advised to build their threat intelligence and create an incident response team. Through these efforts, IT administrators can determine indicators of compromise (IoCs) and use them as a basis when monitoring the network for suspicious activity, preventing attacks from reaching the data exfiltration stage.

Need more details?

A Trend Micro blog post describes the exploit
