Skip to content

2014 Press Release

Trend Micro Warns of New Targeted Attacks Affecting Government Agencies

Cybercriminals tamper file names luring unsuspecting recipients to download malicious attachments

Taipei, June 19, 2014 – Think twice before downloading and opening file attachments. Global leader in cloud security, Trend Micro Incorporated (TYO: 4704; TSE: 4704), monitored a new campaign that specifically targeted government and administrative agencies in Taiwan. The campaign, named “PLEAD", used spear-phishing emails that contain “Right to Left Override" (RTLO)-disguised attachments and exploited a vulnerability in Windows to ensnare targets, luring unsuspecting email recipients to open and download malicious file attachments, leading to the execution of a backdoor which gathers system and network information from infected computers.

The RTLO technique made use of the RTLO Unicode character that was created to support languages written from right to left, which enabled computers to exchange information regardless of the language used. Through the RTLO technique, threat actors were able to disguise malicious files as relatively harmless documents.

In the following case, an email which purported to be reference materials for a technical consultant conference was sent to a recipient in a particular ministry in Taiwan. When the attachment was unpacked, the recipient saw two files: a PowerPoint and a Microsoft Word document.

Figure 1: Unpacked attachment showed RTLO trick at work with the “.SCR" screen saver file

The RTLO technique was applied to the first file. By adding the Unicode command for RTLO before the “P" in “PPT", the appearance of the complete file name resembled a PowerPoint document, when in actual fact, was a screen saver file. To add to the believability of the email, the cybercriminal included an additional “.DOC" Microsoft Word file as a decoy document. In addition, the disguised “.SCR" screen saver file dropped a PowerPoint file, which made victims believe that they opened a legitimate document, further preventing raising any alarm bells.

Figure 2: The. “.SCR" drops this .PPT file as decoy

As a final payload of this attack campaign, a backdoor would be deposited into the victim’s computer and would begin decrypting its code before injecting themselves into another process. Following installation, the backdoor would acquire information such as User Name, Computer Name, Host Name and Current Malware Process ID from the target’s computer, which would then enable the threat actor to keep track of its specific targets. When a successful connection with remote servers was established, the backdoor would execute the following commands that were typical of reconnaissance activities:

  • Checking installed software or proxy setting
  • Listing drives
  • Getting the files
  • Deleting the files
  • Remote shelling

Government Institutions Tops the List in Target Attacks

“Employees of government institutions need to be extra cautious when accessing documents from unknown senders. According to Trend Micro’s TrendLabs 1Q2014 Security Roundup report, 76 percent of targeted attacks were aimed at the government sector," comments Macky Cruz, Security Focus Lead, Trend Micro Inc.

“In addition, the TrendLabs Targeted Attack Trends 2H 2013 report also revealed that the most typical point of entry to penetrate target networks were emails, and threat actors typically sent spear-phishing emails with contextually relevant subjects to specific people within different functions in a target organization," adds Cruz.

Do Not Undermine Old Vulnerabilities

Apart from spear-phishing emails, threat actors continued to exploit old vulnerabilities in various software and systems. For example, Trend Micro detected a rising number of exploits that used the CVE-2012-0158 vulnerability in targeted attacks. While this vulnerability had long been patched by MS12-027 in 2012, the vulnerability continued to exist in Windows common controls and allowed attackers to execute malicious code.

Targeted attacks are becoming more rampant, to the extent that even “traditional" cybercriminals are now using similar tactics in their attacks. Trend Micro has published a new whitepaper titled “Cybercriminals Use What Works: Targeted Attack Methodologies for Cybercrime" to shed more light on reasons why cybercriminals adopt certain targeted attack methodologies.

Trend Micro is conducting an in-depth research on the PLEAD campaign and will be providing technical details about the breadth of this campaign. For latest updates on the PLEAD campaign, follow:

About Trend Micro

Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Built on 25 years of experience, our solutions for consumers, businesses and governments provide layered data security to protect information on mobile devices, endpoints, gateways, servers and the cloud. Trend Micro enables the smart protection of information, with innovative security technology that is simple to deploy and manage, and fits an evolving ecosystem. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection Network™ infrastructure, and are supported by over 1,200 threat experts around the globe. For more information, visit

Connect with us on