{"cve": [{"lastseen": "2018-11-08T12:04:22", "bulletinFamily": "NVD", "description": "The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2, and Visual Basic 6.0 Runtime allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption, aka \"MSCOMCTL.OCX RCE Vulnerability.\"", "modified": "2018-11-07T06:29:00", "published": "2012-08-14T21:55:01", "id": "CVE-2012-1856", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1856", "title": "CVE-2012-1856", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:45", "bulletinFamily": "software", "description": "\r\n\r\nVUPEN Security Research - Microsoft Windows Common Controls MSCOMCTL.OCX\r\nUse-after-free (CVE-2012-1856 / MS12-060)\r\n\r\nWebsite : http://www.vupen.com/english/research.php\r\n\r\nTwitter : http://twitter.com/vupen\r\n\r\n\r\nI. BACKGROUND\r\n---------------------\r\n\r\nMicrosoft Windows is a series of software operating systems and graphical\r\nuser interfaces produced by Microsoft. Windows had approximately 90% of\r\nthe market share of the client operating systems. (Wikipedia)\r\n\r\n\r\nII. 
DESCRIPTION\r\n---------------------\r\n\r\nVUPEN Vulnerability Research Team discovered a critical vulnerability\r\nin Microsoft products.\r\n\r\nThe vulnerability is caused by a use-after-free error in the "TabStrip"\r\nControl within the "MSCOMCTL.OCX" component, which could allow remote\r\nattackers to execute arbitrary code via a specially crafted web page or\r\nmalicious Office document.\r\n\r\nCVSS Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)\r\n\r\n\r\nIII. AFFECTED PRODUCTS\r\n---------------------------\r\n\r\nMicrosoft Office 2010 Service Pack 1\r\nMicrosoft Office 2007 Service Pack 3\r\nMicrosoft Office 2007 Service Pack 2\r\nMicrosoft Office 2003 Web Components Service Pack 3\r\nMicrosoft Office 2003 Service Pack 3\r\nMicrosoft Office XP Service Pack 3\r\nMicrosoft SQL Server 2008 R2\r\nMicrosoft SQL Server 2008\r\nMicrosoft SQL Server 2005\r\nMicrosoft SQL Server 2000\r\nMicrosoft Commerce Server 2009 R2\r\nMicrosoft Commerce Server 2009\r\nMicrosoft Commerce Server 2007 Service Pack 2\r\nMicrosoft Commerce Server 2002 Service Pack 4\r\nMicrosoft Host Integration Server 2004 Service Pack 1\r\nMicrosoft Visual FoxPro 8.0 Service Pack 1\r\nMicrosoft Visual FoxPro 9.0 Service Pack 2\r\nMicrosoft Visual Basic 6.0 Runtime\r\n\r\n\r\nIV. Binary Analysis & Exploits/PoCs\r\n---------------------------------------\r\n\r\nIn-depth technical analysis of the vulnerability and a fully functional\r\nexploit including ASLR/DEP bypass are available through the VUPEN BAE\r\n(Binary Analysis & Exploits) portal:\r\n\r\nhttp://www.vupen.com/english/services/ba-index.php\r\n\r\nVUPEN Binary Analysis & Exploits Service provides private exploits and\r\nin-depth technical analysis of the most significant public vulnerabilities\r\nbased on disassembly, reverse engineering, protocol analysis, and code\r\naudit.\r\n\r\nThe service allows governments and major corporations to evaluate risks, and\r\nprotect infrastructures and assets against new threats. 
The service also\r\nallows security vendors (IPS, IDS, AntiVirus) to supplement their internal\r\nresearch efforts and quickly develop both vulnerability-based and\r\nexploit-based signatures to proactively protect their customers from attacks\r\nand emerging threats.\r\n\r\n\r\nV. VUPEN Threat Protection Program\r\n-----------------------------------\r\n\r\nGovernments and major corporations which are members of the VUPEN Threat\r\nProtection Program (TPP) have been proactively alerted about the\r\nvulnerability\r\nwhen it was discovered by VUPEN in advance of its public disclosure, and\r\nhave received a detailed attack detection guidance to protect national and\r\ncritical infrastructures against potential 0-day attacks exploiting this\r\nvulnerability:\r\n\r\nhttp://www.vupen.com/english/services/tpp-index.php\r\n\r\n\r\nVI. SOLUTION\r\n----------------\r\n\r\nApply MS12-060 security updates.\r\n\r\n\r\nVII. CREDIT\r\n--------------\r\n\r\nThis vulnerability was discovered by Nicolas Joly of VUPEN Security\r\n\r\n\r\nVIII. ABOUT VUPEN Security\r\n---------------------------\r\n\r\nVUPEN is the leading provider of advanced vulnerability research for\r\ndefensive and offensive cyber security. VUPEN solutions enable corporations\r\nand governments to measure and manage risks, eliminate vulnerabilities\r\nbefore they can be exploited, and protect critical infrastructures and\r\nassets against known and unknown vulnerabilities.\r\n\r\nVUPEN has been recognized as "Company of the Year 2011 in the Vulnerability\r\nResearch Market" by Frost & Sullivan.\r\n\r\nVUPEN solutions include:\r\n\r\n* VUPEN Binary Analysis & Exploits Service (BAE) :\r\nhttp://www.vupen.com/english/services/ba-index.php\r\n\r\n* VUPEN Threat Protection Program (TPP) :\r\nhttp://www.vupen.com/english/services/tpp-index.php\r\n\r\n\r\nIX. REFERENCES\r\n----------------------\r\n\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms12-060\r\nhttp://www.vupen.com\r\n\r\n\r\nX. 
DISCLOSURE TIMELINE\r\n-----------------------------\r\n\r\n2010-09-06 - Vulnerability Discovered by VUPEN and shared with customers\r\n2012-08-14 - Public disclosure\r\n", "modified": "2012-09-18T00:00:00", "published": "2012-09-18T00:00:00", "id": "SECURITYVULNS:DOC:28554", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28554", "title": "VUPEN - Microsoft Windows Common Controls MSCOMCTL.OCX Use-after-free (CVE-2012-1856 / MS12-060)", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2018-03-12T10:28:23", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Windows Common Controls is prone to a remote code-execution vulnerability. An attacker can exploit this issue by enticing an unsuspecting user to view a malicious webpage. Successful exploits will allow the attacker to execute arbitrary code within the context of the application (typically Internet Explorer) that uses the ActiveX control.\n\n### Technologies Affected\n\n * Microsoft BizTalk Server 2002 SP1 \n * Microsoft Commerce Server 2002 SP4 \n * Microsoft Commerce Server 2007 SP2 \n * Microsoft Commerce Server 2009 \n * Microsoft Commerce Server 2009 R2 \n * Microsoft Host Integration Server 2004 SP1 \n * Microsoft Office 2003 SP3 \n * Microsoft Office 2003 Web Components SP3 \n * Microsoft Office 2007 SP2 \n * Microsoft Office 2007 SP3 \n * Microsoft Office 2010 (32-bit edition) SP1 \n * Microsoft SQL Server 2000 Analysis Services SP4 \n * Microsoft SQL Server 2000 SP4 \n * Microsoft SQL Server 2005 Express Edition with Advanced Serv SP1 \n * Microsoft SQL Server 2005 Express Edition with Advanced Serv SP2 \n * Microsoft SQL Server 2005 Express Edition with Advanced Serv SP3 \n * Microsoft SQL Server 2005 Express Edition with Advanced Serv SP4 \n * Microsoft SQL Server 2005 Itanium Edition SP4 \n * Microsoft SQL Server 2005 SP4 \n * Microsoft SQL Server 2005 x64 
Edition SP4 \n * Microsoft SQL Server 2008 32bit R2 \n * Microsoft SQL Server 2008 32bit SP2 \n * Microsoft SQL Server 2008 32bit SP3 \n * Microsoft SQL Server 2008 R2 \n * Microsoft SQL Server 2008 R2 SP1 \n * Microsoft SQL Server 2008 itanium R2 \n * Microsoft SQL Server 2008 itanium SP2 \n * Microsoft SQL Server 2008 itanium SP3 \n * Microsoft SQL Server 2008 x64 R2 \n * Microsoft SQL Server 2008 x64 SP2 \n * Microsoft SQL Server 2008 x64 SP3 \n * Microsoft Visual Basic 6.0 Runtime \n * Microsoft Visual FoxPro 8.0 SP1 \n * Microsoft Visual FoxPro 9.0 SP2 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nNever accept files from untrusted or unknown sources, because they may be malicious in nature. Avoid opening email attachments from unknown or questionable sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nAttackers could exploit this vulnerability by enticing a user to visit a malicious website. Do not follow links provided by sources of questionable integrity.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisable support for script code and active content within a client browser to reduce the chances of a successful exploit. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nThe vendor released an advisory and updates. 
Please see the references for details.\n", "modified": "2012-08-14T00:00:00", "published": "2012-08-14T00:00:00", "id": "SMNTC-54948", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/54948", "type": "symantec", "title": "Microsoft Windows Common Controls ActiveX Control CVE-2012-1856 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-02T21:10:47", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-060.", "modified": "2017-04-10T00:00:00", "published": "2012-08-15T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=901211", "id": "OPENVAS:901211", "title": "Microsoft Windows Common Controls Remote Code Execution Vulnerability (2720573)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms12-060.nasl 5912 2017-04-10 09:01:51Z teissa $\n#\n# Microsoft Windows Common Controls Remote Code Execution Vulnerability (2720573)\n#\n# Authors:\n# Veerendra G G <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow an attacker to execute arbitrary code\n within the context of the application.\n Impact Level: System/Application\";\ntag_affected = \"Microsoft Visual Basic 6.0\n Microsoft Commerce Server 2009\n Microsoft SQL Server 2000 Service Pack 4\n Microsoft SQL Server 2005 Service Pack 4\n Microsoft SQL Server 2008 Service Pack 2\n Microsoft SQL Server 2008 Service Pack 3\n Microsoft Visual FoxPro 8.0 Service Pack 1\n Microsoft Visual FoxPro 9.0 Service Pack 2\n Microsoft Commerce Server 2002 Service Pack 4\n Microsoft Commerce Server 2007 Service Pack 2\n Microsoft Office 2003 Service Pack 3 and prior\n Microsoft Office 2007 Service Pack 3 and prior\n Microsoft Office 2010 Service Pack 1 and prior\n Microsoft Host Integration Server 2004 Service Pack 1\n Microsoft SQL Server 2000 Analysis Services Service Pack 4\n Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 4\";\ntag_insight = \"The flaw is due to an error within the TabStrip ActiveX control\n in MSCOMCTL.OCX file and can be exploited to execute arbitrary code.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms12-060\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS12-060.\";\n\nif(description)\n{\n script_id(901211);\n script_version(\"$Revision: 5912 $\");\n script_bugtraq_id(54948);\n script_cve_id(\"CVE-2012-1856\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n 
script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-10 11:01:51 +0200 (Mon, 10 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-15 09:05:46 +0530 (Wed, 15 Aug 2012)\");\n script_name(\"Microsoft Windows Common Controls Remote Code Execution Vulnerability (2720573)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/50247\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms12-060\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variables Initialization\nkey = \"\";\nver = \"\";\nkeys = \"\";\nitem = \"\";\npath = \"\";\nsysPath = \"\";\ndllVer = NULL;\nsysVer = NULL;\nexeVer = NULL;\n\n## Check for Windows OS\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(!sysPath){\n exit(0);\n}\n\n## Get Version from Mscomctl.Ocx file\nsysVer = fetch_file_version(sysPath, file_name:\"system32\\Mscomctl.Ocx\");\nif(sysVer)\n{\n ## Check for Microsoft Office 2003 (11.x), 2007 (12.x) and 2010 (14.x)\n ## (a character class such as [11|12|14] would also match 10.x, so match the major version explicitly)\n if(get_kb_item(\"MS/Office/Ver\") =~ \"^1[124]\\.\")\n {\n if(version_is_less(version:sysVer, 
test_version:\"6.1.98.34\"))\n {\n security_message(0);\n exit(0);\n }\n }\n\n ## TODO: Need to update once we get proper info\n ## Patch is not getting applied on 2005\n ## Check for SQL Server 2005 and 2008\n #foreach ver (make_list(\"2005\", \"10\"))\n #{\n # key = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n # \"\\Uninstall\\Microsoft SQL Server \" + ver;\n # if(registry_key_exists(key:key))\n # {\n # if(version_is_less(version:sysVer, test_version:\"6.1.98.34\"))\n # {\n # security_message(0);\n # exit(0);\n # }\n # }\n #}\n\n ## Check for Visual Basic 6.0\n key = \"SOFTWARE\\Microsoft\\Visual Basic\\6.0\";\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.34\"))\n {\n security_message(0);\n exit(0);\n }\n }\n\n ## Check for Visual FoxPro 8.0 and 9.0\n foreach ver (make_list(\"8.0\", \"9.0\"))\n {\n key = \"SOFTWARE\\Microsoft\\VisualFoxPro\\\" + ver;\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.34\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n\n## Check for Microsoft SQL Server 2000 Analysis Services\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL \" +\n \"Server 2000 Analysis Services\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n dllVer = fetch_file_version(sysPath:path, file_name:\"bin\\msmdctr80.dll\");\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"8.0.2304.0\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n## Check for Microsoft SQL Server 2000\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL \" +\n \"Server 2000\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n exeVer = fetch_file_version(sysPath:path, file_name:\"Binn\\sqlservr.exe\");\n if(exeVer)\n {\n ## Check for GDR and QFE versions\n if(version_is_less(version:exeVer, 
test_version:\"2000.80.2066.0\") ||\n version_in_range(version:exeVer, test_version:\"2000.80.2300.0\", test_version2:\"2000.80.2304.0\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n\n## Check for Microsoft Integration Server 2004\nkey = \"SOFTWARE\\Microsoft\\Host Integration Server\\6.0\";\nif(registry_key_exists(key:key))\n{\n prdName = registry_get_sz(key:key, item:\"ProductName\");\n if(\"Microsoft Host Integration Server 2004\" >< prdName)\n {\n dllVer = fetch_file_version(sysPath, file_name:\"system32\\comctl32.Ocx\");\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"6.0.98.34\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n\n## Check for Microsoft Commerce Server 2002, 2007 or 2009\nkeys = make_list(\"SOFTWARE\\Microsoft\\Commerce Server\",\n \"SOFTWARE\\Microsoft\\Commerce Server 2007\",\n \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\"+\n \"\\Microsoft Commerce Server 2009\");\n\nforeach key (keys)\n{\n if(registry_key_exists(key:key))\n {\n ## Get Version from mscomctl.ocx file\n dllVer = fetch_file_version(sysPath, file_name:\"system32\\mscomctl.ocx\");\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"6.1.98.34\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-23T15:17:39", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS12-060.", "modified": "2018-11-22T00:00:00", "published": "2012-08-15T00:00:00", "id": "OPENVAS:1361412562310901211", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310901211", "title": "Microsoft Windows Common Controls Remote Code Execution Vulnerability (2720573)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms12-060.nasl 12485 
2018-11-22 11:39:45Z cfischer $\n#\n# Microsoft Windows Common Controls Remote Code Execution Vulnerability (2720573)\n#\n# Authors:\n# Veerendra G G <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.901211\");\n script_version(\"$Revision: 12485 $\");\n script_bugtraq_id(54948);\n script_cve_id(\"CVE-2012-1856\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-22 12:39:45 +0100 (Thu, 22 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-15 09:05:46 +0530 (Wed, 15 Aug 2012)\");\n script_name(\"Microsoft Windows Common Controls Remote Code Execution Vulnerability (2720573)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/50247\");\n script_xref(name:\"URL\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms12-060\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n 
script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an attacker to execute arbitrary code\n within the context of the application.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Visual Basic 6.0\n\n Microsoft Commerce Server 2009\n\n Microsoft SQL Server 2000 Service Pack 4\n\n Microsoft SQL Server 2005 Service Pack 4\n\n Microsoft SQL Server 2008 Service Pack 2\n\n Microsoft SQL Server 2008 Service Pack 3\n\n Microsoft Visual FoxPro 8.0 Service Pack 1\n\n Microsoft Visual FoxPro 9.0 Service Pack 2\n\n Microsoft Commerce Server 2002 Service Pack 4\n\n Microsoft Commerce Server 2007 Service Pack 2\n\n Microsoft Office 2003 Service Pack 3 and prior\n\n Microsoft Office 2007 Service Pack 3 and prior\n\n Microsoft Office 2010 Service Pack 1 and prior\n\n Microsoft Host Integration Server 2004 Service Pack 1\n\n Microsoft SQL Server 2000 Analysis Services Service Pack 4\n\n Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 4\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error within the TabStrip ActiveX control\n in MSCOMCTL.OCX file and can be exploited to execute arbitrary code.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and install the listed hotfixes or download and\n install the hotfixes from the referenced advisory.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS12-060.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath){\n exit(0);\n}\n\nofficeVer = get_kb_item(\"MS/Office/Ver\");\n\nsysVer = 
fetch_file_version(sysPath:sysPath, file_name:\"system32\\Mscomctl.Ocx\");\nif(sysVer)\n{\n if(officeVer && officeVer =~ \"^1[124]\\.\")\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.34\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n\n key = \"SOFTWARE\\Microsoft\\Visual Basic\\6.0\";\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.34\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n\n foreach ver (make_list(\"8.0\", \"9.0\"))\n {\n key = \"SOFTWARE\\Microsoft\\VisualFoxPro\\\" + ver;\n if(registry_key_exists(key:key))\n {\n if(version_is_less(version:sysVer, test_version:\"6.1.98.34\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL Server 2000 Analysis Services\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n dllVer = fetch_file_version(sysPath:path, file_name:\"bin\\msmdctr80.dll\");\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"8.0.2304.0\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL Server 2000\";\nif(registry_key_exists(key:key))\n{\n path = registry_get_sz(key:key, item:\"InstallLocation\");\n exeVer = fetch_file_version(sysPath:path, file_name:\"Binn\\sqlservr.exe\");\n if(exeVer)\n {\n if(version_is_less(version:exeVer, test_version:\"2000.80.2066.0\") ||\n version_in_range(version:exeVer, test_version:\"2000.80.2300.0\", test_version2:\"2000.80.2304.0\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\n\nkey = 
\"SOFTWARE\\Microsoft\\Host Integration Server\\6.0\";\nif(registry_key_exists(key:key))\n{\n prdName = registry_get_sz(key:key, item:\"ProductName\");\n if(\"Microsoft Host Integration Server 2004\" >< prdName)\n {\n dllVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\comctl32.Ocx\");\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"6.0.98.34\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n\nkeys = make_list(\"SOFTWARE\\Microsoft\\Commerce Server\",\n \"SOFTWARE\\Microsoft\\Commerce Server 2007\",\n \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\"+\n \"\\Microsoft Commerce Server 2009\");\n\nforeach key (keys)\n{\n if(registry_key_exists(key:key))\n {\n dllVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\mscomctl.ocx\");\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"6.1.98.34\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:55:02", "bulletinFamily": "exploit", "description": "Bugtraq ID:54948\r\nCVE ID:CVE-2012-1856\r\n\r\nMicrosoft Windows\u662f\u4e00\u6b3e\u6d41\u884c\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\nMicrosoft Windows\u591a\u4e2a\u4ea7\u54c1\u4f7f\u7528\u7684MSCOMCTL.OCX\u4e2d\u7684\u901a\u7528\u63a7\u4ef6TabStrip ActiveX\u63a7\u4ef6\u5b58\u5728\u6f0f\u6d1e\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u6784\u5efa\u7279\u5236\u7684\u6587\u6863\u6216WEB\u9875\u9762\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u7834\u574f\u5185\u5b58\uff0c\u53ef\u4ee5\u5e94\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\u6b64\u6f0f\u6d1e\u5df2\u7ecf\u5728\u7f51\u7edc\u4e0a\u79ef\u6781\u5229\u7528\u3002\n0\nMicrosoft Commerce Server 2002\r\n Microsoft Commerce Server 
2007\r\n Microsoft Commerce Server 2009\r\n Microsoft Host Integration Server 2004\r\n Microsoft Office 2003 Professional Edition\r\n Microsoft Office 2003 Small Business Edition\r\n Microsoft Office 2003 Standard Edition\r\n Microsoft Office 2003 Student and Teacher Edition\r\n Microsoft Office 2003 Web Components\r\n Microsoft Office 2007\r\n Microsoft Office 2010\r\n Microsoft SQL Server 2000\r\n Microsoft SQL Server 2000 Analysis Services\r\n Microsoft SQL Server 2005\r\n Microsoft SQL Server 2005 Compact Edition 3.x\r\n Microsoft SQL Server 2005 Express Edition\r\n Microsoft SQL Server 2008\r\n Microsoft Visual Basic 6.x\r\n Microsoft Visual FoxPro 8.x\r\n Microsoft Visual FoxPro 9.x\nVendor solution\r\n\r\nUsers can refer to the following vendor security bulletin for patch information:\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms12-060", "modified": "2012-08-18T00:00:00", "published": "2012-08-18T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60330", "id": "SSV:60330", "type": "seebug", "title": "Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:17:26", "bulletinFamily": "scanner", "description": "There is an unspecified remote code execution vulnerability in Windows common controls, which is included in several Microsoft products. 
An attacker could exploit this by tricking a user into viewing a maliciously crafted web page, resulting in arbitrary code execution.", "modified": "2018-11-15T00:00:00", "id": "SMB_NT_MS12-060.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=61535", "published": "2012-08-15T00:00:00", "title": "MS12-060: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61535);\n script_version(\"1.25\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2012-1856\");\n script_bugtraq_id(54948);\n script_xref(name:\"MSFT\", value:\"MS12-060\");\n script_xref(name:\"MSKB\", value:\"983811\");\n script_xref(name:\"MSKB\", value:\"983812\");\n script_xref(name:\"MSKB\", value:\"983813\");\n script_xref(name:\"MSKB\", value:\"2597986\");\n script_xref(name:\"MSKB\", value:\"2687441\");\n script_xref(name:\"MSKB\", value:\"2726929\");\n script_xref(name:\"MSKB\", value:\"2708437\");\n script_xref(name:\"MSKB\", value:\"2708940\");\n script_xref(name:\"MSKB\", value:\"2708941\");\n script_xref(name:\"MSKB\", value:\"2711207\");\n script_xref(name:\"MSKB\", value:\"2716389\");\n script_xref(name:\"MSKB\", value:\"2716390\");\n script_xref(name:\"MSKB\", value:\"2716392\");\n script_xref(name:\"MSKB\", value:\"2716393\");\n\n script_name(english:\"MS12-060: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)\");\n script_summary(english:\"Checks for kill bit\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote Windows host has a code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"There is an unspecified remote code execution vulnerability in Windows\ncommon controls, which is included in several Microsoft products. 
An\nattacker could exploit this by tricking a user into viewing a\nmaliciously crafted web page, resulting in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/524144/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-060\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Microsoft Office 2003,\n2007, and 2010, Office 2003 Web Components, Microsoft SQL Server 2000,\nMicrosoft SQL Analysis Services 2000, Microsoft Commerce Server 2002,\n2007, and 2009, Microsoft Host Integration Server 2004, Microsoft\nVisual Fox Pro 8.0 and 9.0, and Visual Basic 6.0 Runtime.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sql_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:commerce_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:host_integration_server\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:microsoft:visual_foxpro\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_basic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_web_components\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"mssql_version.nasl\", \"commerce_server_installed.nasl\", \"foxpro_installed.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_activex_func.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS12-060';\nkbs = make_list(\n '983811',\n '983812',\n '983813',\n '2597986',\n '2687441',\n '2726929',\n '2708437',\n '2708940',\n '2708941',\n '2711207',\n '2716389',\n '2716390',\n '2716392',\n '2716393'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Uninstall/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, 'activex_init');\n\nclsids = make_list(\n '{1EFB6596-857C-11D1-B16A-00C0F0283628}',# MSComCtl.ocx (TabStrip)\n '{24B224E0-9545-4A2F-ABD5-86AA8A849385}',# MSComCtl.ocx (TabStrip2)\n '{9ED94440-E5E8-101B-B9B5-444553540000}' # Comctl32.ocx (TabStrip)\n);\n\nactivex_report = NULL;\ncomctl132_vuln = FALSE;\nmscomctl_vuln = FALSE;\nvuln = FALSE;\n\nforeach clsid (clsids)\n{\n # Make sure the control is installed\n file = 
activex_get_filename(clsid:clsid);\n if (isnull(file) || !file) continue;\n\n # Get its version\n version = activex_get_fileversion(clsid:clsid);\n if (!version) version = 'unknown';\n\n if (\n activex_get_killbit(clsid:clsid) == 0 &&\n (\n (version =~ \"^6\\.0\\.\" &&\n ver_compare(ver:version, fix:'6.0.98.34') < 0) ||\n (version =~ \"^6\\.1\\.\" &&\n ver_compare(ver:version, fix:'6.1.98.34') < 0)\n )\n )\n {\n vuln = TRUE;\n if (clsid == '{9ED94440-E5E8-101B-B9B5-444553540000}')\n comctl132_vuln = TRUE;\n else mscomctl_vuln = TRUE;\n\n if(!isnull(activex_report)) activex_report += '\\n';\n activex_report +=\n '\\n Class identifier : ' + clsid +\n '\\n Filename : ' + file +\n '\\n Installed version : ' + version;\n }\n}\n\nactivex_end();\n\nanalysis_svcs_installed = !isnull(get_kb_item('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/Microsoft SQL Server 2000 Analysis Services/DisplayName'));\nsql_ver_list = get_kb_list(\"mssql/installs/*/SQLVersion\");\nanalysispath = NULL;\nvfp8_installed = !isnull(get_kb_item('SMB/VFP8.0/path'));\nvfp9_installed = !isnull(get_kb_item('SMB/VFP9.0/path'));\n\ncommerce_edition = get_kb_item('SMB/commerce_server/productname');\nvb6_installed = FALSE;\noffice_version = hotfix_check_office_version();\nowc2003_installed = FALSE;\nhis2004_installed = FALSE;\n\nforeach name (get_kb_list('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName'))\n{\n if (name == 'Microsoft Office 2003 Web Components')\n owc2003_installed = TRUE;\n if (name == 'Microsoft Host Integration Server 2004')\n his2004_installed = TRUE;\n\n # break early if possible\n if(owc2003_installed == TRUE && his2004_installed == TRUE)\n break;\n}\n\nif (vuln || analysis_svcs_installed)\n{\n registry_init();\n hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n # If the ActiveX stuff looks unpatched, try to determine which KBs are missing\n if (vuln)\n {\n if 
(!isnull(get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\VisualStudio\\6.0\\Setup\\Microsoft Visual Basic\\ProductDir\")))\n vb6_installed = TRUE;\n }\n\n # determine if 32 or 64-bit office is installed. this value is reportedly whenever office 2010 is installed, even if outlook is not installed\n if (office_version['14.0'])\n office_bitness = get_registry_value(handle:hklm, item:\"Software\\Microsoft\\Office\\14.0\\Outlook\\Bitness\");\n\n # get the SQL Server 200 Analysis Services path if it looks like it's installed\n if (analysis_svcs_installed)\n {\n analysispath = get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft SQL Server 2000 Analysis Services\\InstallLocation\");\n\n if (analysispath)\n analysispath += \"\\bin\";\n }\n\n RegCloseKey(handle:hklm);\n close_registry();\n}\n\nprod_info = NULL;\n\nif (vuln)\n{\n activex_report = 'The following vulnerable controls do not have the kill bit set :\\n' + activex_report;\n prod_info = NULL;\n\n if ((office_version['11.0'] || owc2003_installed) && mscomctl_vuln)\n {\n # KB923618 is Office 2003 SP3. 
KB2726929 will fail to install unless it's present, though it\n # doesn't make it clear that the failure is due to a lack of SP3\n prod_info +=\n '\\n' +\n '\\n Product : Office 2003 / Office 2003 Web components' +\n '\\n Missing Update : KB2726929 (prerequisite: KB923618)';\n hotfix_add_report(bulletin:bulletin, kb:'2726929');\n }\n if (office_version['12.0'] && mscomctl_vuln)\n {\n prod_info +=\n '\\n' +\n '\\n Product : Office 2007' +\n '\\n Missing Update : KB2687441';\n hotfix_add_report(bulletin:bulletin, kb:'2687441');\n }\n if (office_version['14.0'] && office_bitness != 'x64' && mscomctl_vuln)\n {\n prod_info +=\n '\\n' +\n '\\n Product : Office 2010' +\n '\\n Missing Update : KB2597986';\n hotfix_add_report(bulletin:bulletin, kb:'2597986');\n }\n if (vfp8_installed)\n {\n prod_info +=\n '\\n' +\n '\\n Product : Visual FoxPro 8.0' +\n '\\n Missing Update : KB2708940';\n hotfix_add_report(bulletin:bulletin, kb:'2708940');\n }\n if (vfp9_installed)\n {\n prod_info +=\n '\\n' +\n '\\n Product : Visual FoxPro 9.0' +\n '\\n Missing Update : KB2708941';\n hotfix_add_report(bulletin:bulletin, kb:'2708941');\n }\n if (vb6_installed)\n {\n # KB290887 is VB 6.0 Runtime SP6\n prod_info +=\n '\\n' +\n '\\n Product : Visual Basic 6.0 Runtime' +\n '\\n Missing Update : KB2708437 (prerequisite: KB290887)';\n hotfix_add_report(bulletin:bulletin, kb:'2708437');\n }\n if (his2004_installed && comctl132_vuln)\n {\n prod_info +=\n '\\n' +\n '\\n Product : Host Integration Server 2004' +\n '\\n Missing Update : KB2711207';\n hotfix_add_report(bulletin:bulletin, kb:'2711207');\n }\n\n if ('2009 R2' >< commerce_edition && mscomctl_vuln)\n {\n prod_info +=\n '\\n' +\n '\\n Product : Commerce Server 2009 R2' +\n '\\n Missing Update : KB2716393';\n hotfix_add_report(bulletin:bulletin, kb:'2716393');\n }\n else if ('2009' >< commerce_edition && mscomctl_vuln)\n {\n prod_info +=\n '\\n' +\n '\\n Product : Commerce Server 2009' +\n '\\n Missing Update : KB2716392';\n 
hotfix_add_report(bulletin:bulletin, kb:'2716392');\n }\n if ('2007' >< commerce_edition && mscomctl_vuln)\n {\n prod_info +=\n '\\n' +\n '\\n Product : Commerce Server 2007' +\n '\\n Missing Update : KB2716390';\n hotfix_add_report(bulletin:bulletin, kb:'2716390');\n }\n if ('2002' >< commerce_edition && mscomctl_vuln)\n {\n prod_info +=\n '\\n' +\n '\\n Product : Commerce Server 2002' +\n '\\n Missing Update : KB2716389';\n hotfix_add_report(bulletin:bulletin, kb:'2716389');\n }\n}\n\n# the only other things to check are sql server 2000 and sql server 2000 analysis services.\n# if neither are installed and the activex stuff is not vulnerable, there's no need to do any further testing\nif (!vuln && isnull(analysispath) && isnull(sql_ver_list))\n exit(0, 'The host is not affected.');\n\nif (!is_accessible_share())\n audit(AUDIT_FN_FAIL, 'is_accessible_share()');\n\n# SQL Server 2000 Analysis Services\nif (\n analysispath &&\n hotfix_is_vulnerable(path:analysispath, file:\"Msmdadin.dll\", version:\"8.0.0.2304\", min_version:\"8.0.0.0\", bulletin:bulletin, kb:\"983813\")\n)\n{\n vuln = TRUE;\n\n if (!isnull(activex_report))\n {\n prod_info +=\n '\\n' +\n '\\n Product : SQL Server 2000 Analysis Services' +\n '\\n Missing Update : KB983813';\n }\n}\n\nforeach item (keys(sql_ver_list))\n{\n item -= 'mssql/installs/';\n item -= '/SQLVersion';\n sqlpath = item;\n\n share = hotfix_path2share(path:sqlpath);\n if (!is_accessible_share(share:share)) continue;\n\n # GDR\n if (hotfix_is_vulnerable(path:sqlpath, file:\"Sqlservr.exe\", version:\"2000.80.2066.0\", min_version:\"2000.80.2000.0\", bulletin:bulletin, kb:\"983812\"))\n {\n vuln = TRUE;\n\n if (!isnull(activex_report))\n {\n prod_info +=\n '\\n' +\n '\\n Product : SQL Server 2000' +\n '\\n Missing Update : KB983812';\n }\n }\n # QFE\n else if(hotfix_is_vulnerable(path:sqlpath, file:\"Sqlservr.exe\", version:\"2000.80.2305.0\", min_version:\"2000.80.2100.0\", bulletin:bulletin, kb:\"983811\"))\n {\n vuln = TRUE;\n\n if 
(!isnull(activex_report))\n {\n prod_info +=\n '\\n' +\n '\\n Product : SQL Server 2000' +\n '\\n Missing Update : KB983811';\n }\n }\n}\n\nif (vuln)\n{\n if (isnull(prod_info)) exit(0, \"None of the Microsoft KBs applies even though at least one of the controls is in use, possibly from a third-party application.\");\n\n if (!isnull(activex_report))\n {\n activex_report +=\n '\\n\\nNessus determined these controls are being used by the following applications :' +\n prod_info;\n\n if (hotfix_get_report())\n hotfix_add_report('\\n' + activex_report, bulletin:bulletin);\n else\n hotfix_add_report(activex_report, bulletin:bulletin);\n }\n\n set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:56:23", "bulletinFamily": "info", "description": "Details have come to light about a new remote access Trojan called uWarrior that arrives embedded in a rigged .RTF document.\n\nResearchers with Palo Alto Networks\u2019 research division, Unit 42, described the malware and how it appears to have emanated from an \u201cunknown actor of Italian origin,\u201d in [a blog post on Monday](<http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-rat-uwarrior/>). Researchers warn that even though the RAT appears to \u201cborrow components from several off-the-shelf tools,\u201d the malware is \u201cfully featured\u201d and when it comes to exploitation, \u201cthe combination of methods and affected code is both new and complex.\u201d\n\nThe malware includes two old remote exploit code execution bugs, CVE-2012-1856 and CVE-2015-1770. 
The former, which affected the Microsoft Windows Common Controls MSCOMCTL.OCX back in 2012, is apparently back and using a novel return-oriented programming (ROP) chain to bypass ASLR, Palo Alto claims.\n\nAccording to the quartet of researchers who wrote an analysis of the malware, Brandon Levene, Robert Falcone, Tomer Bar and Tom Keigher, the weaponized .RTF document contains multiple OLE objects that can be used to carry out exploitation.\n\nFollowing exploitation, the researchers claim a payload is downloaded to the system, executed, and then uWarrior is copied to another location on the system, logging its activities all the while to a local file. From there the malware communicates with a command and control server via a compressed, encrypted, raw TCP socket and binary message protocol.\n\nAs the researchers acknowledge in their writeup, the uWarrior RAT appears to borrow bits and pieces from another RAT called ctOS, which bills itself as having \u201cmore features than any other RAT on the market.\u201d Both RATs \u201ccontain similar configuration structures,\u201d several functions, code and even Italian language strings, which is why researchers deduce it may have originated in Italy.\n\n\u201cThese Italian strings are part of PDB paths and are prevalent throughout .net manifest data. 
This lends additional strength to the linkage between ctOS and uWarrior, as the former\u2019s control panel demos are also in Italian,\u201d the researchers write.\n\nA debugging symbol path found in the sample the researchers looked at included \u201cUtilityWarrior.pdb,\u201d which is why they believe the malware\u2019s author refers to the RAT as uWarrior.\n\nResearchers with Fortinet also spotted the RAT making the rounds and have a slightly different take, suggesting the RAT\u2019s author may have created the malware for another hacker and that they may have a loose connection to the AlienSpy RAT.\n\nWhile AlienSpy has been taken offline, many of the campaigns that previously utilized the RAT have [moved onto Jsocket](<https://threatpost.com/alienspy-rat-resurfaces-as-jsocket/114385>), another commercial subscription-based RAT.\n\nStill, Roland Dela Paz, a researcher with the firm, [wrote Monday](<http://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unknown-vulnerability-part-2-rats-hackers-and-rihanna>) that he\u2019s seen several AlienSpy RATs using the same IP address that uWarrior points to as a C&C server.\n\nPaz goes full-on sleuth and traces a handful of leads, eventually arriving at the idea that uWarrior may have been coded by an Italian boy, Edoardo a.k.a. Dodosky, for an amateur Nigerian hacker they refer to as \u201cPawan.\u201d Like Palo Alto, Fortinet researchers note that uWarrior was seemingly compiled in Visual Basic, likely in Italian. 
Paz believes that \u201cPawan,\u201d who previously expressed interest in hiring a RAT developer on a forum, has used several other commercial RATs, in addition to uWarrior and AlienSpy, in the past, including some that are signed.\n", "modified": "2015-08-26T11:59:01", "published": "2015-08-26T07:59:01", "id": "THREATPOST:FE668EAEA23EF787EFD0CEF0670F38CC", "href": "https://threatpost.com/researchers-uncover-new-italian-rat-uwarrior/114414/", "type": "threatpost", "title": "Researchers Outline New Italian RAT uWarrior", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:05", "bulletinFamily": "info", "description": "An espionage campaign featuring precise targeting of victims and malware that allows the attackers one-on-one interaction with compromised systems has been uncovered. Government agencies, manufacturers, high tech companies and media organizations in South Korea and Japan have been the primary targets of the campaign called Icefog, which was reported today by researchers at Kaspersky Lab.\n\nThe China-based campaign is two years old and follows the pattern of similar APT-style attacks where victims are compromised via a malicious attachment in a spear-phishing email, or are lured to a compromised website and infected with malware.\n\n\n\nHowever, while other APT campaigns maintain a long-term persistence inside infected networks, Icefog seems to do just the opposite. The attackers, Kaspersky researchers said, know what they need from a victim and once they have it, the target is abandoned. They\u2019re also likely a small group of hired guns, akin to mercenaries, used to attack a particular group, steal data, and get out quickly.\n\n\u201cWe\u2019ve entered the era of a growing number of these smaller, agile groups hired on a per-project basis,\u201d said Kaspersky Lab researcher Kurt Baumgartner, speaking today at the Billington Cybersecurity Summit in Washington, D.C. 
\u201cThe operational improvements have arrived and these polished APT groups become much better at flying under the radar.\n\n\u201cFinding a pattern in all the noise is not easy. It\u2019s becoming harder and harder to identify the patterns and connect them with a group,\u201d Baumgartner said.\n\nTo date, Kaspersky Lab\u2019s Global Research and Analysis Team has observed six variants of Icefog and has been able to sinkhole 13 domains used in the attack, capturing snapshots of the malware used and logs detailing victims and interaction with command and control servers.\n\nWindows and Mac OS X versions of Icefog have also been observed, but it appears the OS X backdoor is merely a beta trial of the malware, largely found in online Chinese bulletin boards. Meanwhile, more than 200 unique Windows-based IP addresses have connected to a Kaspersky-controlled sinkhole, a fraction of the total infections researchers said.\n\n\u201cThere\u2019s a team of operators that are being very selective and going after exactly what they need,\u201d said Baumgartner, right. \u201cIt\u2019s classic APT behavior. They likely have previous knowledge of the networks and targets.\u201d\n\nThose targets include defense industry contractors such as Lig Nex1 and Selectron Industrial Company, shipbuilding companies DSME Tech, Hanjin Heavy Industries, telecom operators such as Korea Telecom and media companies such as Fuji TV.\n\nIcefog not only establishes a backdoor connection to the attacker-controlled command infrastructure, but it also drops a number of tools that allow the attackers to steal certain document types and pivot within an infected company looking for more computers to infect and additional resources to steal.\n\nThe campaign also relies on exploits for vulnerabilities that have been patched in Windows or Java to establish a foothold on an endpoint. 
Remote code execution bugs in Windows (CVE-2012-0158 and CVE-2012-1856) spread via malicious Word or Excel files are the most common means of initiating the Icefog attack. The infected attachments promise anything from an illicit image of a woman to a document written in Japanese titled: \u201cLittle enthusiasm for regional sovereignty reform.\u201d Users are also sent links to compromised sites hosting Java exploits (CVE-2013-0422 and CVE-2012-1723).\n\nSeparate spear phishing campaigns were also spotted using HLP files\u2014older versions of Winhelp files\u2014to infect targets. Winhelp was supported natively until Windows Vista was released.\n\n\u201cMost likely, the choice to abuse Winhelp indicates that the attackers have an idea of what version operating systems they are attacking,\u201d the Kaspersky report said.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/09/22105452/icefog.pdf>)\n\nAnother spear phishing effort used HWP document files to spread Icefog; HWP is a proprietary document format used in South Korea, in particular by the government.\n\nOnce a machine is compromised, the attackers individually analyze system information and files stored on the machine and if it passes muster, the backdoor and lateral movement tools are remotely sent to the machine, including password and hash-dumping tools for saved Internet Explorer and Outlook passwords. A compression program is also sent down to compress stolen data before it\u2019s sent to the command and control server. Beyond credentials, victims are losing Windows address book files (.WAB), as well as HWP, Excel and Word files.\n\nOf the six variants, the oldest in 2011 was used in an attack against Japan\u2019s House of Representatives and House of Councilors. 
Six AOL email addresses were used and commands were also fetched from these accounts.\n\nThe most commonly seen Icefog variant is called Type 1 and it has all the backdoor and lateral movement capabilities described earlier, as well as giving the attackers access to execute SQL commands on SQL Servers found on the network. It\u2019s here where the term Icefog was seen in a string used in the command and control server (the C&C software is named Dagger Three). The command and control script, meanwhile, provides a professional looking interface used to communicate and interact with compromised machines. It uses the native file system to store stolen data and temporary files.\n\n\u201cPerhaps the most interesting part is that the Type 1 C&C panel maintains a full history of the attacker\u2019s interaction with the victims,\u201d the report said. \u201cThis is kept as an encrypted logfile, in the \u2018logs\u2019 directory on the server. In addition to that, the server maintains full interaction logs and command execution results from each victim.\u201d\n\nAnother variant was used to enhance Type 1 infections with additional encryption obfuscating communication with command servers. It was not used against victims and disappeared once a machine was rebooted.\n\nSamples for two other variants have yet to be obtained, but Kaspersky was able to sinkhole three domains used with these attacks. These two variants had only view and update capabilities.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/09/07040656/ips_icefog.jpg>)\n\nThe most recent version, Icefog-NG, doesn\u2019t communicate with a central command server and instead of using a webserver, its command and control is a Windows desktop application that works as a standalone TCP server listening on port 5600.\n\nKaspersky said it first obtained an Icefog sample in June after an attack on Fuji TV. 
It was able to connect the dots back to the attack on the Japanese parliament two years ago.\n\n\u201cWe predict the number of small, focused APT-for-hire groups to grow, specializing in hit-and-run operations, a kind of \u2018cyber-mercenaries\u2019 of the modern world,\u201d the report said.\n", "modified": "2018-03-22T14:54:55", "published": "2013-09-25T16:30:30", "id": "THREATPOST:191B75DFBFEAFA9F2F649D66191A07C9", "href": "https://threatpost.com/icefog-espionage-campaign-is-hit-and-run-targeted-operation/102417/", "type": "threatpost", "title": "Icefog Targeted APT Attacks Hit South Korea, Japan", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:27", "bulletinFamily": "info", "description": "Tibetans, journalists and human rights workers in Hong Kong and Taiwan have been targeted in an APT campaign that makes use of Microsoft Rich Text File (RTF) documents to compromise computers. Researchers say it\u2019s a new strategy by attackers in an ongoing advanced persistent threat that dates back to 2009.\n\nAccording to Arbor Networks, the RTF document-based attack uses four known vulnerabilities (CVE-2012-0158, CVE-2012-1856, CVE-2015-1641 and CVE-2015-1770) in one attachment. This is the first time, researchers say, that attackers associated with this APT have packed four vulnerabilities inside a single RTF document.\n\nOnce compromised, the vulnerabilities are being used to deliver malware payloads such as Grabber, T9000, Kivars, PlugX, Gh0StRAT and Agent.XST, according to Arbor Networks, which published a report Monday of its [findings (PDF)](<https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/04/ASERT-Threat-Intelligence-Report-2016-03-The-Four-Element-Sword-Engagement.pdf>).\n\nArbor Networks said attackers are borrowing a best-of-breed mix of past technology used in previous and related APT attacks against similar journalist and human rights targets. 
\u201cWhat we have been able to do is update an ongoing APT and show how malware, techniques and spear phishing techniques have been refreshed for the present day,\u201d said Curt Wilson, senior threat intelligence analyst at Arbor Networks, in an interview with Threatpost.\n\nIn the week preceding the January 2016 Taiwanese general election, human rights lawyers and Tibetan activists received a phishing email purporting to come from a human rights organization. The email included the subject line \u201cUS Congress sanctions $6 million fund for Tibetans in Nepal and India.\u201d Attached was the four-pronged RTF file.\n\nAnyone who opened the email attachment had the Grabber (aka EvilGrab) malware injected into their computer system\u2019s ctfmon.exe process, Arbor Networks said. Grabber then triggered the download of a host of malicious software such as remote access Trojans, giving attackers access to the system and the ability to load additional malicious code.\n\nPayloads varied among Grabber, T9000, Kivars, PlugX, Gh0StRAT and Agent.XST, just as the phishing email subject lines varied. \u201c[BULK] TIBET, OUR BELOVED NATION AND WILL NEVER FORGET IT,\u201d read another subject line harboring an RTF file that ultimately infected systems with the Kivars Keylogger Payload.\n\nWilson said none of the payloads or exploits were new. He added, \u201cBeing able to draw a line from one APT to another is an extremely important step when it comes to fighting APTs and ideally \u2013 in this case \u2013 keeping those fighting for human rights out of jail.\u201d\n\nWilson said the espionage campaign against journalists, activists and human rights advocates appears to be connected to an even broader set of targets and operations. 
Also on Monday, The Citizen Lab, part of the Munk School of Global Affairs, [similarly published a report tracking](<https://citizenlab.org/2016/04/between-hong-kong-and-burma/>) advanced persistence threats targeting Hong Kong and Myanmar/Burman democracy activists.\n", "modified": "2016-04-19T01:45:15", "published": "2016-04-19T07:00:14", "id": "THREATPOST:DB438BDD32A19C608E74D09992D53881", "href": "https://threatpost.com/apt-targeting-tibetans-packs-four-vulnerabilities-in-one-compromise/117493/", "type": "threatpost", "title": "APT Threat Targets Tibetans, Journalists and Human Rights Workers", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:59", "bulletinFamily": "info", "description": "A new analysis of the Sofacy APT gang, a Russian-speaking group carrying out targeted attacks against military and government offices for close to a decade, shows a relentless wave of intrusions peaking this summer against victims in a number of NATO countries and the Ukraine.\n\nResearchers at Kaspersky Lab this morning [released their update on Sofacy](<https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/>), which is also known as APT28, Fancy Bear, Sednit and a handful of other monikers. The report demonstrates a barrage of zero-day vulnerabilities in Office, Java, Adobe and Windows at the group\u2019s disposal; the zero-days are being used against targets in attacks that remained active as of last month. 
The gang\u2019s malware implants were uncovered as well as its capabilities to quickly adapt to detection technologies and hit compromised machines with different backdoors so that in case one was found out, there would be fallbacks.\n\nSofacy\u2019s roots go back to around 2007, Kaspersky researchers said, with the name coming from an implant used in attacks four years ago that shared some similarities with the [Miniduke APT](<https://threatpost.com/miniduke-espionage-malware-hits-governments-europe-using-adobe-exploits-022713/77569/>) gang uncovered by Kaspersky Lab in 2013 executing espionage activity against governments in Europe.\n\nSofacy\u2019s rapid capability expansion began in 2013 when a number of new backdoors and malware tools were discovered, including CORESHELL, JHUHUGIT and AZZY among others.\n\nThis summer, the AZZY implant got a facelift and was used as recently as October along with a new USB-stealing malware designed to hit air-gapped machines.\n\nIn July, researchers at iSight Partners reported that Sofacy, or Tsar Team as iSight calls them, had dropped their [sixth zero day exploit in four months](<https://threatpost.com/office-java-patches-erase-latest-apt-28-zero-days/113825/>), two of which in Office and Java were patched during a span of a few days in July.\n\n\u201cUsually, when someone publishes research on a given cyber-espionage group, the group reacts: either it halts its activity or dramatically changes tactics and strategy. With Sofacy, this is not always the case. We have seen it launching attacks for several years now, and its activity has been reported by the security community multiple times,\u201d said Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab.\n\nFive of the six zero days, iSight said, were built in-house by APT 28, while the sixth, CVE-2015-5119, was a repurposed Flash 0day that was put into use 24 hours after it was uncovered after the Hacking Team breach. 
Given the underground value of unpatched and unreported vulnerabilities, this was highly unusual behavior, even for a state-sponsored cyberespionage team.\n\nKaspersky researchers said that it discovered the group was using a Flash and Java zero day to drop the JHUHUGIT malware implant, which became its most prevalent first-stage implant in subsequent attacks.\n\nThe updated AZZY Trojan, meanwhile, surfaced in August in attacks against higher profile victims, and including in one case, a defense contractor, Kaspersky researchers said. While the first sample was spotted on July 29 and signatures quickly added to security systems, Kaspersky researchers said that by Aug. 4, another sample was in the wild. What made the AZZY update stand out was that it was not delivered via a zero-day, instead it was delivered and installed by separate malware already on the system, a dropper called msdeltemp.dll that the attackers controlled via backdoors in order to send commands to infected machines.\n\n\u201cThis code modification marks an unusual departure from the typical AZZY backdoors, with its C&C communication functions moved to an external DLL file,\u201d Kaspersky researchers wrote in their report. 
\u201cIn the past, the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself, so this code modularization follows the same line of thinking.\u201d\n\nIn addition to traditional data-stealing capabilities, Sofacy also covets information stored on air-gapped machines and uses its USBSTEALER implant to drain these machines of valuable content.\n\nThis is behavior similar to that of the Equation group, one of the most sophisticated state-sponsored groups, which invested significant resources in developing more than 100 malware implants, each with their own purpose and used selectively against valuable targets.\n\n\u201cIn 2015 its activity increased significantly, deploying no less than five 0-days, making Sofacy one of the most prolific, agile and dynamic threat actors in the arena,\u201d Raiu said. \u201cWe have reasons to believe that these attacks will continue.\u201d\n", "modified": "2015-12-04T21:35:34", "published": "2015-12-04T07:05:37", "id": "THREATPOST:23B92BF326746339F6B36D64AEB2D5F6", "href": "https://threatpost.com/relentless-sofacy-apt-attacks-armed-with-zero-days-new-backdoors/115556/", "type": "threatpost", "title": "Sofacy APT28 Gang Using New Backdoors, Zero Days", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2017-01-08T18:01:15", "bulletinFamily": "info", "description": "[](<http://3.bp.blogspot.com/-u4tWthaiHas/UkWq-HnhGBI/AAAAAAAAXy0/QcH2jC5FGbA/s1600/Chinese+APT+Espionage+campaign,+dubbed+'Icefog'+targeted+Military+contractors+and+Governments.png>)\n\n**Kaspersky Lab** has identified another [Chinese APT campaign](<http://thehackernews.com/search/label/APT1>), dubbed \u2018**Icefog**\u2019, who targeted Governmental institutions, Military contractors, maritime / shipbuilding groups, telecom operators, industrial and high technology companies and mass media.\n\n \n\n\nThe Hacking group 
behind the attack, which carries out surgical [hit and run operations](<http://thehackernews.com/search/label/cyber%20espionage>), is an [advanced persistent threat](<http://thehackernews.com/search/label/Chinese%20Hackers>) (APT) group that used a backdoor dubbed Icefog that worked across Windows and [Mac OS X](<http://thehackernews.com/search/label/Mac%20OS>) to gain access to systems.\n\n\"_The Mac OS X backdoor currently remains largely undetected by security solutions and has managed to infect several hundred victims worldwide_,\" [the report](<http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf>) (PDF) said.\n\nThis China-based [campaign](<http://thehackernews.com/2013/02/mandiant-revealed-chinese-apt1-cyber.html>) is almost two years old and follows the pattern of similar APT-style attacks where victims are compromised via a malicious attachment in a [spear-phishing](<http://thehackernews.com/search/label/Spear%20Phishing>) email, or are lured to a compromised website and infected with [malware](<http://thehackernews.com/search/label/Malware>).\n\nThe attackers embed exploits for several known [vulnerabilities](<http://thehackernews.com/search/label/Vulnerability>) (CVE-2012-1856 and CVE-2012-0158) into Microsoft Word and Excel documents.\n\nOnce a computer has been compromised, the hackers upload [malicious tools](<http://thehackernews.com/search/label/hacking%20tool>) and backdoors. 
They look for email account credentials, sensitive documents and passwords to other systems.\n\n\"_We observed many victims in several other countries, including Taiwan, Hong Kong, China, USA, Australia, Canada, UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia_,\" the research team said.\n\nThere is no concrete evidence to confirm this was a nation-state sponsored operation, but based on where the stolen data were transferred, Kaspersky wrote that the attackers are assumed to be in China, South Korea and Japan.\n\nIn total, Kaspersky Lab observed more than 4,000 uniquely infected IPs and several hundred victims. They are now in contact with the targeted organizations as well as government entities in order to help them identify and eradicate the infections.\n", "modified": "2013-09-27T16:12:43", "published": "2013-09-27T05:05:00", "id": "THN:59AA6ADFEEB67D7E156CDF3579330697", "href": "http://thehackernews.com/2013/09/chinese-apt-espionage-campaign-dubbed.html", "type": "thn", "title": "Chinese APT Espionage campaign, dubbed 'Icefog' targeted Military contractors and Governments", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "talosblog": [{"lastseen": "2017-06-30T15:02:29", "bulletinFamily": "blog", "description": "<h3>Introduction</h3><div><br /></div>The streams of malicious emails Talos inspects every day usually consist of active spamming campaigns for various ransomware families, phishing campaigns and the common malware family suspects such as banking Trojans and bots. It is, however, often more interesting to analyze campaigns smaller in volume as they might contain more interesting malware. 
A few weeks ago I became interested in just such a campaign with a smaller number of circulating email messages. The first of these emails was submitted from the Middle East and purports to come from a Turkish trading company, which might further indicate the geographic area where the attacks were active. Analyzing malware is often like solving a puzzle: you have to do it piece by piece to reach the final image. In this case I spent more time analyzing the campaign than I initially planned. The campaign has many stages in its infection chain and all of them needed to be unraveled before the final payload was reached. Furthermore, each of the stages used a different development platform and was obfuscated in a different way. But let us start from the beginning.<br /><br /><h3>Stage 1 - email</h3><br />The email message contains two attachments. The first one is a Word document in the Office Open XML file format, while the second is a ZIP file, PurchaseOrders.zip, containing an executable file, PurchaseOrders.exe. This is a relatively unusual strategy for email campaigns, as it is much more common for malicious emails to contain a single attachment rather than two or more. It seems that the attackers wanted to be doubly sure that the recipient would open at least one of the attachments. <br /><br /><div><a href=\"https://4.bp.blogspot.com/-djgawCQ6erk/WSKxer3H_VI/AAAAAAAAACk/ZleVyzcOQ7on0C2m-Zb8azdsKKq76gzUgCLcB/s1600/image4.png\"><img border=\"0\" height=\"408\" src=\"https://4.bp.blogspot.com/-djgawCQ6erk/WSKxer3H_VI/AAAAAAAAACk/ZleVyzcOQ7on0C2m-Zb8azdsKKq76gzUgCLcB/s640/image4.png\" width=\"640\" /></a></div><div style=\"text-align: center;\">Email campaign</div><h3>Stage 2a - Word Document - CVE-2013-3906</h3><br />The Word document attachment, \u201cLetter of introduction.doc\u201d, contains an exploit for the CVE-2013-3906 TIFF image parsing vulnerability. 
The document contains multiple TabStrip (classid: {1EFB6596-857C-11D1-B16A-00C0F0283628}) ActiveX controls also used in CVE-2012-1856. <br /><br /><div><a href=\"https://3.bp.blogspot.com/-IM748RfThPw/WSKy7RBIrTI/AAAAAAAAAC0/LPRZounNzCs3rAI0S5i42VNZHpJmIqpHgCLcB/s1600/image8.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" height=\"416\" src=\"https://3.bp.blogspot.com/-IM748RfThPw/WSKy7RBIrTI/AAAAAAAAAC0/LPRZounNzCs3rAI0S5i42VNZHpJmIqpHgCLcB/s640/image8.png\" width=\"640\" /></a></div><div style=\"text-align: center;\">Embedded ActiveX controls used for heap spray</div><br />Embedded TabStrip ActiveX controls are used for heap spraying and the embedded TIFF file named image1.jpeg triggers the CVE-2013-3906 vulnerability. There are 40 embedded ActiveX controls and each is mapped in 2MB allocated memory space. In this case, exploitation takes time but the exploit eventually crashes the vulnerable versions of Word and starts the shellcode. The shellcode is immediately visible in the hex dump of the ActiveX OLE2 file and sprayed in the memory of the exploited Word process.<br /><br /><div><a href=\"https://4.bp.blogspot.com/-AaOwVaIA7I0/WSKzSEH08EI/AAAAAAAAAC4/t6rdCH54nPIyZiASdFe-di-8L3KlIokfQCLcB/s1600/image7.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" height=\"162\" src=\"https://4.bp.blogspot.com/-AaOwVaIA7I0/WSKzSEH08EI/AAAAAAAAAC4/t6rdCH54nPIyZiASdFe-di-8L3KlIokfQCLcB/s640/image7.png\" width=\"640\" /></a></div><div><br /></div><div style=\"text-align: center;\">Heap sprayed shellcode from ActiveXn.bin files</div><br /><h4>Shellcode - hook evasion</h4><div><br /></div>The shellcode itself is relatively simple and, give or take, 450 bytes long, excluding the URL used for downloading the payload. As is often the case, the APIs are found by parsing the Process Environment Block (PEB) and traversing the linked list of loaded modules as well as their respective exported functions. 
<br /><br />Notably, before calling the required APIs, the shellcode checks for the presence of inline hooks, often installed by endpoint security products, and jumps over the installed hook code in order to avoid being noticed within their behavior detection windows. <br /><br /><div><a href=\"https://3.bp.blogspot.com/-9ZM9p_6-KMQ/WSKzrNiiwyI/AAAAAAAAAC8/fWpV6ECZhCAiNf76IoOBblTaOHOemSJWwCLcB/s1600/image10.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" height=\"368\" src=\"https://3.bp.blogspot.com/-9ZM9p_6-KMQ/WSKzrNiiwyI/AAAAAAAAAC8/fWpV6ECZhCAiNf76IoOBblTaOHOemSJWwCLcB/s640/image10.png\" width=\"640\" /></a></div><div style=\"text-align: center;\">Evading security hooks</div><br />If the user was infected by the attached Word document, the shellcode would download and execute an executable from a legitimate, compromised server. The C2 server for the final payload is extracted from a configuration blob stored encrypted within the downloaded payload body.<br /><h3>Stage 2b - PurchaseOrders.exe</h3><div><br /></div>The executable downloaded by the shellcode is functionally identical to the executable attached to the email, so we eventually arrive at PurchaseOrders.exe, which gets executed whether the user opens the attached document or launches PurchaseOrders.exe directly. The executable has a PDF document icon, and the user can be forgiven for not recognizing it as an executable, considering that Windows by default hides the filename extensions of known file types. 
<br /><br /><div><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-RnFZHJTmgbc/WSK0mzVJFQI/AAAAAAAAADI/gqYvFEUGgkkDXnAxTR0mI-NdLTPlgdtVwCLcB/s1600/image3.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" height=\"200\" src=\"https://3.bp.blogspot.com/-RnFZHJTmgbc/WSK0mzVJFQI/AAAAAAAAADI/gqYvFEUGgkkDXnAxTR0mI-NdLTPlgdtVwCLcB/s200/image3.png\" width=\"151\" /></a></div></div><div><br /></div><div style=\"text-align: center;\">Icon file used by PurchaseOrders.exe.</div><div style=\"text-align: center;\"><br /></div>The executable itself is just over 1.4MB in size, which is rather large for attachments used in email campaigns. The file is a self-extracting CAB archive which contains three randomly named files.<br /><h3>Stage 3 - AutoIt Script</h3><div><br /></div>The first file is instantly recognisable as the legitimate AutoIt script interpreter. The second file is a Unicode file encoded as UTF-16 and is over 110MB in size, which at first is almost enough to discourage analysis. The actual script code starts deep within the file, which gives the attacker the ability to obfuscate the script code in a way that is not immediately visible to researchers.<br /><br />Talos has <a href=\"http://blog.talosintelligence.com/2015/08/malware-meets-sysadmin-automation-tools.html\">already written</a> about a similar delivery method in the past, and it seems that this campaign uses a similar generator of obfuscated AutoIt scripts. Thankfully, it was relatively simple to remove all the junk characters and reduce the size of the code to analyze to a much more manageable 41KB. 
<br /><br /><div><a href=\"https://1.bp.blogspot.com/-fjaHmuIZRLo/WSK06YDg4hI/AAAAAAAAADM/8livkCZpb2Ez-kZqlrls7N2Raux7YndbwCLcB/s1600/image11.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" height=\"232\" src=\"https://1.bp.blogspot.com/-fjaHmuIZRLo/WSK06YDg4hI/AAAAAAAAADM/8livkCZpb2Ez-kZqlrls7N2Raux7YndbwCLcB/s640/image11.png\" width=\"640\" /></a></div><br /><div style=\"text-align: center;\">AutoIt stage deobfuscated</div><br />The AutoIt script itself creates a directory in the user's profile folder and sets its attributes to system and hidden. It then either drops a copy of RegSvcs.exe, the .NET services installation tool, or copies the existing RegSvcs.exe, under the filename splwow64.exe to set up the next stage. RegSvcs.exe is used for injecting and launching a remote thread within its process space. The thread uses RC4 to decrypt the third file dropped by the original self-extracting CAB archive and reads it into the process space of RegSvcs.exe. This leads us to the next stage, an executable developed in C/C++. This stage only exists in its executable form in memory, while on disk it is an RC4-encrypted data blob.<br /><h3>Stage 4 - Zyklon injector</h3><div><br /></div>The stage injected into RegSvcs.exe is another unobfuscated injector of the final payload. The executable decompresses the payload from the resource section of the PE file, finds and launches the Windows Explorer executable, which is found in different folders depending on the Windows platform (32 or 64 bit), and launches a remote thread that loads and runs a .NET executable, which is the final payload of the campaign, in this case a sample of the Zyklon HTTP bot.<br /><br />Loading managed code into an unmanaged space is not an entirely simple process. 
Attempting to cheat the infection chain to launch the Zyklon bot from the command line was apparently anticipated by the campaign author who modified the Zyklon class Main function to display a text message for anybody trying to launch it this way.<br /><br />The original Zyklon code for the version 1.0.0.0 does not seem to contain this mechanism that ensures that the payload is run by a specific loader that does not call the Zyklon Class Main function but a different entry point.<br /><br /><div><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-k5kQ5SUp0AM/WSK1Lj3fLVI/AAAAAAAAADQ/MdzuJMsQ6EEuAjW0OJWLWNrZnWef1XhWgCLcB/s1600/image5.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" height=\"190\" src=\"https://4.bp.blogspot.com/-k5kQ5SUp0AM/WSK1Lj3fLVI/AAAAAAAAADQ/MdzuJMsQ6EEuAjW0OJWLWNrZnWef1XhWgCLcB/s320/image5.png\" width=\"320\" /></a></div></div><br /><div style=\"text-align: center;\">You are not supposed to run it this way</div><br />The payload is obfuscated using Crypto Obfuscator and an additional code generator. The code which uses xor operations to set a value of a variable used in a switch statement to direct the program flow is relatively easy to follow once the Crypto Obfuscator code transformations are removed, which can be done using a very useful .NET deobfuscation utility <a href=\"https://github.com/0xd4d/de4dot\">de4dot</a>. 
In fact, the Zyklon Builder, found on VirusTotal, uses the same dnlib library, also used by the de4dot and <a href=\"https://github.com/0xd4d/dnSpy\">dnSpy</a> analysis tools, to add the configuration file to the malicious .NET assembly, the base Zyklon bot embedded in its resource section.<br /><br />Once the obfuscator was removed, it did not take too long to realize that for the purpose of the analysis it was possible to manually modify the Zyklon class Main function to call the EntryPoint function, which contains the bot code, and debug Zyklon using the dnSpy debugger.<br /><br /><h3>C2 communication (encryption)</h3><br />Zyklon's \"official\" name is \"Zyklon H.T.T.P Bot\", which is visible in the paths to PDB files retained as a remnant of the compilation process. The bot is reasonably well written, with precautions for hiding the traffic from network-based detection engines, even from intercepting proxies, by encrypting all its communications. <br /><br /><div><a href=\"https://3.bp.blogspot.com/-Kb6xqTb4Scc/WSK2WjBhQrI/AAAAAAAAADc/kliasgO5ScccB-gA_7ooDgBctGtlGCfnACLcB/s1600/image2.jpg\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" height=\"355\" src=\"https://3.bp.blogspot.com/-Kb6xqTb4Scc/WSK2WjBhQrI/AAAAAAAAADc/kliasgO5ScccB-gA_7ooDgBctGtlGCfnACLcB/s640/image2.jpg\" width=\"640\" /></a></div><div style=\"text-align: center;\"><br /></div><div style=\"text-align: center;\">Establishing communication with a C2 server</div><br />The bot connects to one of the three possible C2 servers, starting from the first one specified in its configuration. The server sends a certificate, and the communication is first encrypted with RSA and then with 256-bit AES, with the initialization vector and the key generated by the server and sent back to the client after the client POSTs a request ending with the query gate.php?getkey=y. 
<br /><br />Looking at the DNS requests for one of the C2 servers that remained active throughout the campaign it is possible to see the time when the campaign was active.<br /><br /><div><a href=\"https://1.bp.blogspot.com/-9DgD-kLYnuk/WSK2pO5xbJI/AAAAAAAAADg/TQJYyqyOzIksgJke6CORNGigljIrnqKFQCLcB/s1600/image1.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" height=\"250\" src=\"https://1.bp.blogspot.com/-9DgD-kLYnuk/WSK2pO5xbJI/AAAAAAAAADg/TQJYyqyOzIksgJke6CORNGigljIrnqKFQCLcB/s640/image1.png\" width=\"640\" /></a></div><br /><div style=\"text-align: center;\">C2 DNS domain activity</div><br />The initial configuration for the bot is embedded within the resource section of the file, together with the list of user agent strings used by the bot when contacting the C2 server. The malicious .NET assembly also contains an encrypted blob that becomes its persistence module injector. Once decrypted and loaded in memory its function is to make sure that the bot is respawned from a remote thread if the main executable is terminated as a process.<br /><br />The client then sends a request containing the information about the infected system and receives a configuration string from C2, which sets the internal bot parameters. Several threads are also launched in order to download and execute required additional plugins.<br /><br />The main command loop sleeps for 60 seconds and sends a request for a command to the C2 server. The main purpose of the bot seems to be conducting DDoS attacks but there are other more or less standard commands available such as downloading and executing additional payloads from a user-specified URL or logging the user keystrokes and sending them back to the C2 server.<br /><br />Curiously, Zyklon may also attempt to enumerate the usual automatic startup locations in the Windows registry to find potential competitive files and submit them to VirusTotal for scanning. 
So-called cloud malware inspection is used to terminate processes based on the VirusTotal verdict. The bot also executes rudimentary heuristic checks for some of the known competing bot names and filename extensions and tries to remove them if found on the system. Competition is never welcomed by the bad guys.<br /><br /><h3>Zyklon website</h3><br />The website advertising Zyklon is hosted on a .onion domain which is also accessible from the clear net through a web-to-Tor proxy. The owners are advertising two different versions for sale, one that can connect to Tor-based C2 servers and the standard one without that capability. <br /><br />Perhaps the most interesting page of the Zyklon website is its Terms of Service, which the authors seem to believe may free them from potential prosecution. The user, aka the attacker, allegedly has sole legal responsibility for damage caused by it, at least according to the Zyklon creators:<br /><br /><code>YOU UNDERSTAND AND HEREBY ACKNOWLEDGE AND AGREE THAT YOU MAY NOT AND WARRANT THAT YOU WILL NOT:<br /><br />1. use the Zyklon H.T.T.P Remote Administration Software for any illegal purpose, or in violation of any laws, including, without limitation, laws governing intellectual property, data protection and privacy, and import or export control;<br /><br />2. remove, circumvent, disable, damage or otherwise interfere with security-related features of the Zyklon H.T.T.P Remote Administration Software, features that prevent or restrict use or copying of any content accessible through the Zyklon H.T.T.P Remote Administration Software, or features that enforce limitations on use of the Zyklon H.T.T.P Remote Administration Software;<br /><br />3. intentionally interfere with or damage operation of the Zyklon H.T.T.P Remote Administration Software or any user's enjoyment of them, by any means, including uploading or otherwise disseminating viruses, worms, or other malicious code;<br /><br />4. 
post, store, send, transmit, or disseminate any information or material which infringes any patents, trademarks, trade secrets, copyrights, or any other proprietary or intellectual property rights; or<br /><br />5. Install and/or use Zyklon H.T.T.P Remote Administration Software on any computer which you do not have explicit permission to do so on;<br /><br />6. distribute Zyklon H.T.T.P files over the Internet with the intent of infecting/harming machines of other people;</code><br /><br /><h3>Downloaded credential harvesting modules (email, browser, ftp)</h3><div><br /></div>The Zyklon creators also advertise a number of useful plugins for harvesting user credentials and stealing confidential information such as details of wallets of various cryptocurrencies like Bitcoin, LiteCoin and DodgeCoin. For a potential customer, the list of features must be quite impressive. However, not everything is as ideal as it seems at first. <br /><br />In the analyzed campaign, the Zyklon main executable downloaded only three plugins, as instructed by the C2 server, all of them with the purpose of stealing user credentials from the password caches of the most popular web browsers as well as email and ftp clients. 
<br /><br /><code>CI=False|KT=1|UAC=False|S5=False|ER=False|UPNP=False|RP=True|RW=False| AK=False|BK_CYCLE=|BK_RUN_ONCE=False|SOCKS_PORT=3128|SOCKS_AUTH=False| SOCKS_USERNAME=Nothing|SOCKS_PASSWORD=Nothing|KLI=1|KLM=500|EKL=True| WC=False|BA=MyBtc|LA=MyLtc|KLF=False|BR=True|FTR=True|EMR=True|SFR=False| GR=False|AU=False|UF=N/A|</code><br /><div style=\"text-align: center;\">Configuration command sent to Zyklon from the C2 server</div><br />The plugin download URL follows the format plugin/index.php?plugin=&lt;pluginname&gt;, with the possible plugins being<br /><br /><div style=\"text-align: left;\"><code>/plugin/index.php?plugin=browser<br />/plugin/index.php?plugin=email<br />/plugin/index.php?plugin=ftp!<br />/plugin/index.php?plugin=software<br />/plugin/index.php?plugin=games<br />/plugin/index.php?plugin=cuda<br />/plugin/index.php?plugin=minerd<br />/plugin/index.php?plugin=sgminer<br />/plugin/index.php?plugin=socks</code></div><div style=\"text-align: left;\">Available Zyklon plugins</div><br />Downloaded plugins are injected into a previously launched and hollowed legitimate process named \"%windir%\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe\" and are in fact just freeware command line tools written in C/C++, available from the website <a href=\"http://www.securityxploded.com/\">http://www.securityxploded.com</a>.<br /><br />It is likely that the Zyklon author realized it would take quite a long time to fully develop all the features within the main Zyklon bot and decided to include available free password dumping utilities just to make the RAT more competitive in what is quite a cutthroat underground market for remote administration tools.<br /><h3>Conclusion</h3><div><br /></div>Zyklon is quite a well-known botnet kit and it has been fairly active this year. 
In this smaller, possibly more targeted campaign we analyzed, it has shown that its users are employing a number of different technologies and obfuscation techniques to be more successful - from exploiting a vulnerability in Microsoft Word over Autoit scripts and .NET executables, all the way to freeware utilities used as plugins for harvesting credentials from browser cache, email and ftp clients. <br /><br /><div><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-MF4deQ-8EZE/WSK22muFq9I/AAAAAAAAADk/zc-44bk2Y5s2l5T8bR9y4IDYbaEpacJtgCLcB/s1600/image6.jpg\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" height=\"640\" src=\"https://2.bp.blogspot.com/-MF4deQ-8EZE/WSK22muFq9I/AAAAAAAAADk/zc-44bk2Y5s2l5T8bR9y4IDYbaEpacJtgCLcB/s640/image6.jpg\" width=\"546\" /></a></div></div><br /><div style=\"text-align: center;\">Zyklon campaign execution flow on an endpoint</div><br />Overall, this was a well executed campaign which used compromised hosts as C2 servers. 
Luckily, there are several weaknesses which can be exploited for detecting its footprint either by inspecting IOCs or tracking the network communications patterns and behavior on endpoints.<br /><h3> Coverage</h3><br /><div><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://1.bp.blogspot.com/-MfJcVepVAto/WSK3McQlMPI/AAAAAAAAADo/l4Kd23iH6VQqXoSVFYEtvqsVLwGzh6IqACLcB/s1600/image9.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" height=\"400\" src=\"https://1.bp.blogspot.com/-MfJcVepVAto/WSK3McQlMPI/AAAAAAAAADo/l4Kd23iH6VQqXoSVFYEtvqsVLwGzh6IqACLcB/s1600/image9.png\" /></a></div></div><br />Advanced Malware Protection (<a href=\"https://www.cisco.com/c/en/us/support/security/amp-firepower-software-license/tsd-products-support-series-home.html\">AMP</a>) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br /><a href=\"https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html\">CWS</a> or <a href=\"https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html\">WSA</a> web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br /><a href=\"https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html\">Email Security</a> can block malicious emails sent by threat actors as part of their campaign.<br /><br />Network Security appliances such as <a href=\"https://www.cisco.com/c/en/us/products/security/asa-next-generation-firewall-services/index.html\">NGFW</a>, <a href=\"https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html\">NGIPS</a>, and <a href=\"https://meraki.cisco.com/products/appliances\">Meraki MX</a> with Advanced Security can detect malicious activity associated with this threat.<br /><br /><a 
href=\"https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html\">AMP Threat Grid</a> helps identify malicious binaries and build protection into all Cisco Security products.<br /><br /><a href=\"https://umbrella.cisco.com/\">Umbrella</a> prevents DNS resolution of the domains associated with malicious activity.<br /><br /><a href=\"https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html\">Stealthwatch</a> detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.<br /><br /><h3>IOCs</h3>", "modified": "2017-05-30T11:17:29", "published": "2017-05-23T06:05:00", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/-tCyCvm52oE/modified-zyklon-and-plugins-from-india.html", "id": "TALOSBLOG:02B5913B29E7BC0C5F27126E1E64B3A8", "title": "Modified Zyklon and plugins from India", "type": "talosblog", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}