Virus experts at Sophos made a surprising discovery in their analysis of a targeted cyber attack. A specially crafted RTF document was taking advantage of a vulnerability in Word to execute a tool from NVIDIA's graphics card drivers on the victims' computers. The executable file, called nv.exe, is digitally signed – and is, in fact, the original file with no changes.

The reason for this method became clear once the NvSmartMax.dll library, which was placed on the victims' computers together with the .exe file, was analysed: that library was home to the actual malicious code, which set up a permanent backdoor. The malicious functions in the library were executed by the nv.exe file signed by NVIDIA.

The attackers exploited the fact that, when an executable loads a library, Windows searches the executable's own folder before the system folders. nv.exe therefore tries to call functions from its legitimate DLL but instead finds, and loads, the malicious look-alike sitting beside it. The attackers may have been using the signed binary as a detour in order to help their malicious code slip past any anti-virus software that might be installed.
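The check a defender would want after reading this is a way to spot the same layout elsewhere: a signed executable whose imported DLL has a same-named file sitting in the executable's own folder. The following script is an added example and not Sophos's or NVIDIA's code; it reads the import directory of every .exe in a folder with a small pure-Python PE parser and reports imports that also exist as files beside the executable. The file names nv.exe and NvSmartMax.dll come from the article; the PE image it builds is a constructed, non-runnable stub used only so the check runs offline. Verifying that the flagged DLL lacks the vendor's Authenticode signature would be the natural next step, but that needs Windows APIs and is left out here.

```python
"""Spot DLL side-loading candidates: an executable whose imported DLL has a
same-named file in the executable's own folder, the place the loader checks first."""
import os
import struct
import tempfile


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA %#x not in any section" % rva)


def imported_dlls(data):
    """Return the DLL names in a PE file's import directory (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    magic, = struct.unpack_from("<H", data, opt_off)
    dd_off = opt_off + (96 if magic == 0x10B else 112)  # data directories
    import_rva, = struct.unpack_from("<I", data, dd_off + 8)  # entry 1: imports
    sections = []
    for i in range(nsections):
        s = opt_off + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    names = []
    if import_rva == 0:
        return names
    off = _rva_to_offset(import_rva, sections)
    while data[off:off + 20] != b"\0" * 20:  # descriptors end with an all-zero entry
        name_rva, = struct.unpack_from("<I", data, off + 12)
        noff = _rva_to_offset(name_rva, sections)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii", "replace"))
        off += 20
    return names


def sideload_candidates(folder):
    """For each .exe in folder, list imported DLLs that also exist beside it."""
    present = {f.lower() for f in os.listdir(folder)}
    hits = []
    for f in sorted(os.listdir(folder)):
        if not f.lower().endswith(".exe"):
            continue
        with open(os.path.join(folder, f), "rb") as fh:
            data = fh.read()
        hits += [(f, dll) for dll in imported_dlls(data) if dll.lower() in present]
    return hits


def build_demo_pe(dll_names):
    """Constructed minimal PE32 image (not a real or runnable binary): one
    section holding an import directory that names the given DLLs."""
    sec_rva, sec_raw = 0x1000, 0x200
    names_start = 20 * (len(dll_names) + 1)  # descriptors + terminator
    strings, name_rvas = bytearray(), []
    for n in dll_names:
        name_rvas.append(sec_rva + names_start + len(strings))
        strings += n.encode() + b"\0"
    body = bytearray()
    for rva in name_rvas:  # IMAGE_IMPORT_DESCRIPTOR: only the Name field matters here
        body += struct.pack("<IIIII", 0, 0, 0, rva, 0)
    body += b"\0" * 20 + strings
    body += b"\0" * (-len(body) % 0x200)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 104, sec_rva, names_start)  # import directory entry
    section = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva,
                          len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    hdr = bytearray(sec_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    hdr[0x84:0x98] = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    hdr[0x98:0x178] = opt
    hdr[0x178:0x1A0] = section
    return bytes(hdr + body)


def demo():
    """Constructed folder mirroring the described layout: nv.exe importing
    NvSmartMax.dll with a same-named file placed beside it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "nv.exe"), "wb") as fh:
            fh.write(build_demo_pe(["KERNEL32.dll", "NvSmartMax.dll"]))
        with open(os.path.join(d, "NvSmartMax.dll"), "wb") as fh:
            fh.write(b"placeholder, not a real DLL")
        return sideload_candidates(d)


if __name__ == "__main__":
    print(demo())
```

Run against a real folder with `sideload_candidates(path)`; every hit is only a candidate, since many legitimate installers ship their own DLLs beside the executable, so the signature status of the DLL relative to the executable decides whether it is an evil twin.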

The prepared Word document consists of a statement from the Tibetan Youth Congress, a non-governmental organisation that works for Tibetan independence, which suggests that this cyber-attack was once again targeting pro-Tibet groups.

(sno)