Security Advisor

New Spear-Phishing Campaign Infects 12,000 Worldwide

Security firm Trend Micro came out with a warning this week of a sophisticated cybercrime ring that has already targeted and infected over 12,000 unique IP addresses worldwide with malware.

The new targeted campaign, called "SafeNet," has been using an already-patched Office vulnerability (fixed in April's security update) in the attacks as the distribution method, and is finding success due to those lax on patching. Trend Micro also believes those responsible are located in Asia.

"While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China," said researchers at Trend Micro in a blog post. "However, the relationship between the malware developers and the campaign operators themselves remains unclear."

Even though Trend Micro has been vague about the intent of the operation, it is believed SafeNet's ultimate goal is to steal sensitive data.

While the number may seem high for those infected, Trend Micro said that only about an average of 71 IP addresses actually communicate with the cyber ring's command and control (C&C) servers on a daily basis.

According to a white paper going into an in-depth look at the operation, the campaign has been targeting government entities, research institutions, media organizations and technology corporations.

Unlike the typical, vague spear-phishing e-mail scams, the group has been sending personally specific-crafted e-mails to recipients with a malicious link embedded. One example given by Trend Micro was an e-mail to an anonymous media outlet that provided a fake link to a taped NBC interview with the Dalai Lama. And if the link is opened (and your Office isn't up-to-date), malware is then silently loaded on your system.

During its investigation, Trend Micro was able to identify a list of IPs infected through the two C&C servers being used in the operation, both believed to be located in China. According to the security firm's numbers, India was by far the most-targeted region, with 4,305 IP addresses attacked. The U.S. came in second with 709.

Because targets have been identified as high-profile organizations and groups (and not individual users), Trend Micro suggests the most important prevention steps should include both making sure a comprehensive plan to secure sensitive data is in place and informing employees on the important of being vigilant for potential attacks.

"Security-related policies and procedures combined with education and training programs are essential components of defense," said the white paper. "Traditional training methods can be fortified by simulations and exercises using real spear-phishing attempts sent to test employees. Employees trained to expect targeted attacks are better positioned to report potential threats and constitute an important source of threat intelligence."

About the Author

Chris Paoli is the site producer for and


  • Microsoft Starting To Roll Out New Excel Connected Data Types

    Microsoft on Thursday announced some Excel and Power BI enhancements that add "connected data types" on top of the standard strings and numbers options.

  • Windows 10 Users Getting New Process for Finding Optional Driver Updates

    Accessing Windows 10 drivers classified as "optional updates" will be more of a manual seek-and-install type of experience, starting on Nov. 5, 2020, Microsoft explained in a Wednesday announcement.

  • Microsoft Changes Privacy Platform Name to SmartNoise

    Microsoft Research has changed the name of its "differential privacy" platform from "WhiteNoise" to "SmartNoise," according to a Wednesday announcement.

  • Why Restarting a Failed SCVMM Job Might Be a Bad Idea

    Occasionally, restarting a failed System Center Virtual Machine Manager job can leave your virtualization infrastructure in an unknown state. Here's how to avoid that.

comments powered by Disqus