F-Secure Analyzes Malicious Excel Spreadsheet That Penetrated RSA's Network

After EMC's RSA Security disclosed earlier this year that unknown attackers had breached its systems via an e-mail with a malicious attachment, security researchers wondered what the file had contained and how exactly it had breached the security company.

Researchers at F-Secure think they may have finally found the attacking file.

Timo Hirvonen, an anti-malware analyst at F-Secure, had been searching for the file in the company's "collections of tens of millions of malware samples" ever since RSA admitted it had been breached, Mikko Hypponen, chief research officer of F-Secure, wrote on the "News from the Lab" blog Aug. 26. Hirvonen found on Aug. 22 what he believes is the original e-mail that had been sent to RSA Security employees and the actual Excel spreadsheet that had been attached.

The email Hirvonen found was sent to at several emc.com addresses on March 3, according to F-Secure's blog post. On March 19, shortly after RSA announced the compromise, someone, presumably an EMC employee, uploaded the email and attachment to VirusTotal for analysis. A free service, VirusTotal scans suspicious messages with tools from over 40 top security companies and posts results of the scan. The vendors also get access to all the files uploaded to the service, which is how Hirvonen found the file.

"I forward this file to you for review. Please open and view it," the e-mail said.

The e-mail message had been spoofed to look like it had come from a generic Webmaster address at recruiting Website Beyond.com, and had a subject line "2011 Recruitment plan." It had been sent to one EMC employee and cc:ed to three others, possibly in the human resources department, Hirvnonen found. He realized he was on the right track because RSA had revealed the filename in the spring.

An Excel spreadsheet titled "2011 Recruitment plan.xls" was attached to an e-mail that was "crafted well enough to trick one of the employees to retrieve it from their Junk mail folder," Uri Rivner, RSA's head of new technologies, said in an April 1 blog post.

When Hirvonen opened the attachment, he found a blank spreadsheet with a single checkbox, an embedded Flash object. Just opening up the spreadsheet caused Excel to execute the Flash code, which then exploited Adobe's vulnerability to drop a Poison Ivy backdoor to the system. The file was closed automatically, but it was too late as the computer was compromised. This matched the description of what RSA had already revealed.

Since the Flash code targeted a zero-day, RSA could not have protected against it by keeping systems patched.

Hirvonen observed how Poison Ivy connected to a remote server, allowing the attacker full access to the infected workstation and all the user-accessible network drives. Attackers were able to move around the network until they found the critical data they were looking for.

RSA claimed in March that attack had been an advanced persistent threat. As details emerged that the initial attack had been launched by a malicious attachment sent by e-mail, observers wondered whether or not that could be considered an APT.

Hypponen said even though the email looked "very simple" and the backdoor wasn't "advanced," since the Flash exploit was advanced, the overall attack was "advanced, even if some of the interim steps weren't very complicated," Hypponen said.

That may be up for debate now that the details of the exploit are public.

"The 0-Day used in the RSA pwn is so lame & NOT sophisticated at all! Shame on you criminals for the bad exploit quality. And shame on you RSA for being pwned via a lame and not so sophisticated exploited ! [sic]," Chaouki Bekrar, founder and head of research at security firm VUPEN, posted on Twitter.