The Safe campaign was first seen in October 2012.
Victims and Targets:
The Safe campaign was able to compromise government ministries, technology companies, media outlets, academic research institutions, and nongovernmental organizations. Furthermore, it was discovered that the average number of actual victims remained at 71 per day, with few if any changes from day to day.
The Safe campaign attackers used spear-phishing emails with malicious attachments. Attackers used several malicious documents that all exploited a Microsoft Office® vulnerability (i.e., CVE-2012-0158). If opened with a version of Microsoft Word® that is not up-to-date, a malicious payload is silently installed on the user’s computer.
In addition, one of the C&C servers used in the Safe campaign was set up in such a way that the contents of the directories were viewable to anyone who accessed them.
Possible Indicators of Compromise
Below is a list of the components of the Safe campaign.
Network traffic identifiers:
* More information on the Safe campaign can be seen in the Trend Micro research paper, “Safe: A Targeted Threat.”