Targeted attack against Tibetan activists abuses Nvidia file to load malware

The attack uses an Nvidia tool vulnerable to DLL preloading, Sophos researchers say

Security researchers from antivirus vendor Sophos have uncovered a Tibet-themed attack campaign that abuses a legitimate and digitally signed Nvidia file to load malware on computers.

The attack delivers a RTF (Rich Text Format) document via email that's rigged with an exploit for a Microsoft Office vulnerability patched in April 2012. The document masquerades as a statement from the Tibetan Youth Congress.

If opened on a system that doesn't have the corresponding Microsoft Office patch, the exploit drops and executes a self-extracting WinRAR archive that deploys three files called Nv.exe, NvSmartMax.dll and NvSmartMax.dll.url. Nv.exe is subsequently executed.

The interesting thing about Nv.exe is that it's actually a clean and digitally signed application from graphics chip maker Nvidia called the "Nvidia Smart Maximise Helper Tools."

The version of Nv.exe dropped by this exploit is vulnerable to an attack called DLL preloading -- also known as DLL sideloading, DLL hijacking, or binary planting.

DLL preloading vulnerabilities occur when an application is programmed to load a specifically named DLL file, but the developer didn't specify the full path to the file in the code or the directory from where it should be loaded. In such cases Windows will automatically search for the DLL in different directories in a certain order, starting with the application's working directory.

In this case, Nv.exe is programmed to load NvSmartMax.dll, which the attackers have replaced with a malicious one. When the legitimate Nv.exe is executed, it will automatically load the malicious NvSmartMax.dll located in the same directory as itself.

The rogue NvSmartMax.dll is programmed to further load NvSmartMax.dll.url, which is a copy of a known remote access tool (RAT) called PlugX. "The attack is designed to compromise the target computer and provide the attacker with remote access," said Gabor Szappanos, principal malware researcher at Sophos, in a blog post published Wednesday.

The use of the legitimate and clean Nv.exe as a pre-loader for the malware is intended to make it harder for users and possibly some security software to detect the compromise.

The first lesson to learn from this attack is to keep software up to date, Szappanos said. The fact that a Microsoft Office vulnerability patched in April 2012 is still being used in attacks as of Jan. 2013 is a clear indication that many users are not taking the first basic steps towards security, he said.

"The second lesson is mainly for application developers," Szappanos said. "Even if you are not developing security applications, you must consider the risks that your software introduces to your customers' networks."

"In this attack, Nvidia's software was abused but it could just as easily have been any of a thousand other developers," he said, pointing out that Microsoft has published advice on how to avoid DLL search path issues that could lead to DLL preloading.

This is not the first time that DLL preloading issues have been exploited by malware. The Stuxnet cybersabotage malware was programmed to drop a copy of itself as a specifically named DLL file in directories containing industrial engineering projects created with the Siemens Step 7 software.

Older versions of the Step 7 software automatically loaded this DLL when opening the infected projects, which allowed the malware to spread to other machines due to project project sharing.

On Tuesday, security researchers from Symantec reported about a malware attack that targeted users in Japan and exploited a DLL preloading vulnerability in Ichitaro, the second-most popular word processor software in Japan after Microsoft Word.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Bitdefender 2019

Bitdefender solutions stop attacks before they even begin! Get cybersecurity that 500 MILLION users already have and trust.

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?