Finnish security company F-Secure found the file that was used to hack RSA. The attackers planted a backdoor and eventually gained access to SecurID information, which let them go back to their original targets and break into them successfully. As early as April it was known that the attack was launched with a targeted email to EMC employees (EMC owns RSA), and that the email carried an attachment called “2011 Recruitment plan.xls”. The targets included, for example, IT administrators with special network privileges. The attachment used a zero-day exploit for a vulnerability in Adobe Flash to drop another malicious file, a backdoor, onto the recipient’s desktop computer.
Timo Hirvonen, an analyst at F-Secure Labs, was convinced that he could find this file. He wrote a data analysis tool that scanned samples for Flash objects, since he knew that the XLS file in question used a Flash object to take over the system. The new tool located several relevant samples. One of them, however, was not an Excel file but an Outlook message file (MSG). When Timo opened it, he knew he was onto something: the message file turned out to be the original email sent to RSA on the 3rd of March, complete with the attachment “2011 Recruitment plan.xls”.
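The scanner below is an added illustration of the kind of triage described above, not F-Secure's tool: it searches arbitrary bytes (an .xls or .msg sample) for embedded SWF headers (the FWS/CWS/ZWS magic values) and applies plausibility checks on the version and length fields to cut false positives. The sample byte strings are constructed here for the demonstration.

```python
import struct
from typing import Dict, List

# SWF file signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA.
# In every variant the first 8 bytes (magic, version, uncompressed length)
# are stored uncompressed, so they can be found with a plain byte search.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_embedded_swf(data: bytes) -> List[Dict]:
    """Return a record for every plausible SWF header found in `data`.

    A header is 3 bytes of magic, 1 byte of Flash version and a 4-byte
    little-endian uncompressed length. Version and length are sanity-checked
    so that random occurrences of the three letters are not reported.
    """
    hits: List[Dict] = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                (length,) = struct.unpack_from("<I", data, pos + 4)
                # Flash versions 1..40 existed; length must exceed the header
                # and stay below an arbitrary 64 MiB ceiling (assumed limits).
                if 1 <= version <= 40 and 8 < length <= 64 * 1024 * 1024:
                    hits.append({"offset": pos, "magic": magic.decode(),
                                 "version": version, "declared_length": length})
            pos = data.find(magic, pos + 1)
    return hits


# Constructed samples (not real malware): an OLE2 header as found in .xls files,
# filler, then a CWS header for Flash version 10 claiming 4096 bytes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_XLS_WITH_SWF = (OLE_MAGIC + b"\x00" * 24
                       + b"CWS" + bytes([10]) + struct.pack("<I", 4096)
                       + b"\x78\x9c" + b"\x00" * 16)
SAMPLE_XLS_CLEAN = OLE_MAGIC + b"\x00" * 40
# "FWS" followed by version 0xFF is implausible and must be ignored.
SAMPLE_FALSE_POSITIVE = b"abcFWS\xff" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("with_swf", SAMPLE_XLS_WITH_SWF),
                       ("clean", SAMPLE_XLS_CLEAN),
                       ("false_pos", SAMPLE_FALSE_POSITIVE)):
        print(name, find_embedded_swf(blob))
```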
Five months later, F-Secure finally had the file. It turned out that somebody (most likely an EMC/RSA employee) had uploaded the email and its attachment to the VirusTotal online scanning service on the 19th of March.
The attackers spoofed the e-mail to make it appear to come from a “web master” at Beyond.com, a job-seeking and recruiting site. It had the subject “2011 Recruitment plan” and one line of content:
“I forward this file to you for review. Please open and view it”.
The message was sent to one EMC employee and cc’d to three others.
F-Secure produced a brief video showing what happened when the recipient clicked on the attachment. An Excel spreadsheet opened, completely blank except for an “X” in the first cell. That “X” was the only visible sign of the Flash exploit embedded in the spreadsheet. Excel executes the Flash object, which then uses the CVE-2011-0609 vulnerability to execute code and drop a Poison Ivy backdoor onto the system. The exploit code then closes Excel, and the infection is complete.
After this, Poison Ivy connects back to its server at good.mincesur.com, giving the attackers remote access to the infected computer at EMC. The domain mincesur.com has been used in similar espionage attacks over an extended period of time. From that foothold, the attackers were able to reach the systems and data they were ultimately after.