Permit me to start with a truism: In the world of computer forensics, you never really know anything for sure. With that as a given, the case of the new Flash zero-day exploit keeps getting curiouser and curiouser, and "China" keeps popping up.
Yesterday Adobe confirmed the critical Flash zero-day bug. This previously unknown security hole was discovered as an embedded Flash .swf file object inside a Word document sent via email. In her Contagio Malware Dump blog, researcher Mila Parkour gives extensive details about the .swf file and the infected .doc file that's making the rounds.
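The delivery mechanism described above (a Flash .swf object embedded inside a Word .doc) leaves a recognisable trace in the attachment's raw bytes: every SWF file begins with a three-byte signature (FWS for uncompressed, CWS for zlib-compressed, ZWS for LZMA-compressed), a one-byte version, and a four-byte little-endian uncompressed length. The following scanner is an added example written for this article, not code from Adobe, from Contagio, or from the original post; it carves candidate SWF headers out of an arbitrary binary blob such as a .doc, sanity-checks the header fields, and for CWS objects confirms that the zlib payload actually inflates to the declared length. The sample document it scans is constructed inline and is not the real malicious attachment.

```python
import struct
import zlib

# SWF signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Flash Player versions seen in the wild were in the single or low double
# digits; anything far beyond that is treated as a false positive.
MAX_PLAUSIBLE_VERSION = 50


def find_embedded_swf(data: bytes) -> list[dict]:
    """Return every plausible SWF header found anywhere in `data`.

    The scan is done on raw bytes rather than by parsing the OLE compound
    file, so an object stored in an unexpected stream is still found."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while (idx := data.find(magic, start)) != -1:
            start = idx + 1
            header = data[idx:idx + 8]
            if len(header) < 8:
                continue
            version = header[3]
            declared_len = struct.unpack("<I", header[4:8])[0]
            # The declared length covers the whole uncompressed file including
            # the 8-byte header, so it can never be smaller than 8.
            if declared_len < 8 or version == 0 or version > MAX_PLAUSIBLE_VERSION:
                continue
            hit = {
                "offset": idx,
                "signature": magic.decode(),
                "version": version,
                "uncompressed_length": declared_len,
                "payload_verified": None,
            }
            if magic == b"CWS":
                hit["payload_verified"] = verify_cws_payload(data, idx, declared_len)
            hits.append(hit)
    return hits


def verify_cws_payload(data: bytes, offset: int, declared_len: int) -> bool:
    """Inflate the zlib stream that follows a CWS header and check that the
    header plus inflated body matches the declared uncompressed length.
    A decompressobj is used so trailing bytes after the stream are tolerated."""
    try:
        d = zlib.decompressobj()
        body = d.decompress(data[offset + 8:])
    except zlib.error:
        return False
    return d.eof and (8 + len(body)) == declared_len


def build_constructed_sample() -> bytes:
    """Build a constructed stand-in for a .doc carrying an embedded SWF.

    The body is a minimal valid SWF: a zero-size RECT (one byte), a frame
    rate, a frame count, and an End tag. It is wrapped in filler that also
    contains a decoy 'CWS' string with a zero version byte, which the
    scanner must reject."""
    body = b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"
    uncompressed_len = 8 + len(body)
    swf = b"CWS" + bytes([10]) + struct.pack("<I", uncompressed_len) + zlib.compress(body)
    decoy = b"CWS" + b"\x00" + b"\x10\x00\x00\x00"  # version 0: not a real header
    filler = b"\xd0\xcf\x11\xe0" + b"Disentangling Industrial Policy and Competition Policy" * 3
    return filler + decoy + filler + swf + filler


if __name__ == "__main__":
    for hit in find_embedded_swf(build_constructed_sample()):
        print(hit)
```

On a real attachment the document would be read with `open(path, "rb").read()`; a hit with `payload_verified` equal to True is strong evidence of an embedded Flash object and is a reasonable trigger for quarantining the file, since a legal newsletter article has no business carrying one.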
This is no fractured-English, "all your base are belong to us" attack. It's a very sophisticated, targeted message with a compelling -- and potentially disastrous -- attachment.
The email message with an infected attachment that Mila describes appears to come from a Hotmail account. It was sent on April 8. The subject of the message is "Disentangling Industrial Policy and Competition Policy in China." The body of the message says, in part:
...the current issue of the ABA Antitrust Section's Antitrust Source may be of interest. It contains interviews of the heads of the sections devoted to AML enforcement within MOFCOM, NDRC and SAIC. In addition, it contains a worthwhile article on "Disentangling Industrial Policy and Competition Policy in China"...
There's an attachment to the message, a Word 2003-2007 .doc file called, you guessed it, "Disentangling Industrial Policy and Competition Policy in China.doc."
It's first-class bait. The American Bar Association (ABA) has an Antitrust Source newsletter. The current issue of that newsletter contains four articles from a symposium on Chinese competition law, one of which is called "Disentangling Industrial Policy and Competition Policy in China." If you have an interest in Chinese law and happen to understand ABA jargon, you may even be able to translate the body of the message: AML is China's new Anti-Monopoly Law; MOFCOM is China's Ministry of Commerce; NDRC is China's National Development and Reform Commission; and SAIC is the State Administration for Industry and Commerce.
It's fair to say that the message was designed to catch the eye of English-speaking attorneys with an interest in Chinese competition law. It's spear phishing with a very sharp spear. As Parkour says, "The recipients of this message included people whose names you can find in Wikipedia and assistants of former high-ranked politicians who are now working at global consulting companies."