Sunday, August 10, 2014

Countering darknet tracking docs with Cryptam (and yara)

We've been keeping an eye on the big conferences going on this week (Black Hat, DEF CON and BSidesLV) and noticed an interesting presentation at this year's DEF CON: "Dropping Docs on Darknets: How People Got Caught".

We noticed that Adrian Crenshaw's (@irongeek_adc) demo document track.docx includes external images, which are used to track Tor users out-of-band through MS Office: Word fetches the image over the network when the document is opened.

Scanning inside the contents of an OpenXML .docx is a good use for Cryptam's Yara integration, so we wrote a quick Yara rule to detect external images used in the way shown in this presentation. It also catches some variants of the technique, such as a .docx embedded inside an OLE document or inside an RTF file.

rule openxml_remote_content
{
    meta:
        ref = ""
        author = "Malware Tracker @mwtracker"
        date = "Aug 10 2014"
        hash = "63ea878a48a7b0459f2e69c46f88f9ef"

    strings:
        $a = "" ascii nocase    // string value not preserved on this page
        $b = "TargetMode=\"External\"" ascii nocase

    condition:
        all of them
}

Cryptam results for the PoC, with the openxml_remote_content rule matching, are here.
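As an added example (our own illustration here, not the demo document or Cryptam code), the following Python does what the Yara rule approximates by string matching: it opens the .docx as a zip, parses every .rels part, and reports each relationship marked TargetMode="External" together with its type. The sample package, the tracker.example URL and the relationship IDs are constructed for the example.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample relationship part (not taken from track.docx). The image
# relationship with TargetMode="External" is what makes Word fetch the picture
# from the network when the document is opened.
SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
    'Target="styles.xml"/>'
    '<Relationship Id="rId2" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
    'Target="http://tracker.example/beacon.png" TargetMode="External"/>'
    '</Relationships>'
)


def build_sample_docx() -> bytes:
    """Minimal .docx-shaped zip carrying SAMPLE_RELS (constructed, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def find_external_relationships(docx_bytes: bytes) -> list:
    """Return (rels part, relationship type, target) for every relationship
    marked TargetMode="External" in any .rels part of the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # corrupt part: skip it rather than abort the whole scan
            for rel in root.iter():
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. "image", "hyperlink"
                hits.append((name, rel_type, rel.get("Target", "")))
    return hits


def external_images(docx_bytes: bytes) -> list:
    """Only the external image targets. Hyperlinks are External too but need a
    click; linked images are fetched on open, which is what makes them a beacon."""
    return [t for _, rel_type, t in find_external_relationships(docx_bytes) if rel_type == "image"]


if __name__ == "__main__":
    for part, rel_type, target in find_external_relationships(build_sample_docx()):
        print(f"{part}: {rel_type} -> {target}")
```

Note that the Yara rule fires on any TargetMode="External" relationship, so an ordinary hyperlink in a benign document will also match; filtering on the relationship type, as external_images does, separates the beacon case from the noise.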

Sunday, May 4, 2014

Cryptam Document Analysis + OpenXML embedded in RTF

Recently there have been a number of reports of RTF exploits using a new trick: embedding OpenXML exploits inside the RTF to build a single multi-exploit document that covers several recently patched vulnerabilities, with low AV detection. In particular, the file tweeted on March 29 by @botherder got our attention; it has also been covered by McAfee and Blue Coat.

MD5: af17892aa82b48282d956adeb5e70e65
Original filename: aircanada_eticket_820910108.doc
Cryptam report.
VirusTotal: 29/51

Superficially, the RTF component uses CVE-2010-3333, but inside it there is also an OpenXML (docx) file exploiting CVE-2012-1856 and an embedded TIFF exploiting CVE-2013-3906. AV detections that name only the most obvious and oldest of these, CVE-2010-3333, can be misleading: being patched against that one does not mean you are protected from this document.

RTF content with embedded OpenXML (zip header):

OpenXML embedded content and CVE-2012-1856 ActiveX files:

CVE-2012-1856 classID referenced in activeXNN.xml files:

RTF Start of CVE-2013-3906 Tiff referenced as a jpeg:

We quietly added support for OpenXML (docx etc.) embedded in RTF to Cryptam a couple of weeks ago, and are only now getting the word out. Our testing suggests that most of the embedded OpenXML files were assembled by hand, since their magic bytes tend to match a generic zip rather than a properly generated OpenXML package. Both the Cryptam web suite and the command line version now automatically extract and scan embedded OpenXML files. To cope with corrupt zip metadata, which the built-in zip support did not handle, we now call an external zip command.
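As an added example (our own illustration, not Cryptam's extraction code), the following Python decodes the hex \objdata blobs in an RTF, carves any zip found inside them even when other bytes follow the zip, lists the package members and flags activeX parts. The RTF, the zip contents and the "Office-generated packages put [Content_Types].xml first" heuristic are our constructions and assumptions for the example, not findings from the sample above.

```python
import io
import re
import struct
import zipfile

ZIP_LOCAL_HDR = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def build_inner_zip(first_member: str) -> bytes:
    """Constructed OpenXML-shaped zip. Office-generated packages start with
    [Content_Types].xml; putting another member first imitates a hand-built one."""
    members = {
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
        "word/activeX/activeX1.xml": "<ax:ocx/>",   # stand-in, no real control data
    }
    order = [first_member] + [m for m in members if m != first_member]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in order:
            z.writestr(name, members[name])
    return buf.getvalue()


def build_sample_rtf(inner_zip: bytes) -> str:
    """Constructed RTF: the zip sits inside an \\objdata hex blob behind a few
    bytes standing in for the OLE object header, hex-wrapped across lines."""
    blob = b"\x01\x05\x00\x00\x02\x00\x00\x00" + inner_zip + b"\x00" * 4
    hexstr = blob.hex()
    wrapped = "\n".join(hexstr[i:i + 64] for i in range(0, len(hexstr), 64))
    return "{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata\n" + wrapped + "\n}}}"


def carve_zip(data: bytes):
    """Slice out a zip surrounded by other bytes: from the first local file
    header to the end of the End Of Central Directory record (incl. comment)."""
    start = data.find(ZIP_LOCAL_HDR)
    eocd = data.rfind(ZIP_EOCD)
    if start < 0 or eocd < start:
        return None
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    return data[start:eocd + 22 + comment_len]


def analyze_rtf(rtf: str) -> list:
    """Decode every \\objdata blob, carve any embedded zip and summarise it."""
    results = []
    for m in OBJDATA_RE.finditer(rtf.encode("latin-1")):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]          # tolerate a truncated trailing nibble
        raw = bytes.fromhex(hexdata.decode("ascii"))
        zipped = carve_zip(raw)
        if zipped is None:
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(zipped)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue
        results.append({
            "zip_offset": raw.find(ZIP_LOCAL_HDR),
            "members": names,
            "activex_parts": [n for n in names if n.lower().startswith("word/activex/")],
            # Heuristic (assumption): real Office packages list [Content_Types].xml
            # or _rels/.rels first; hand-built zips usually do not.
            "looks_office_generated": names[0] in ("[Content_Types].xml", "_rels/.rels"),
        })
    return results


if __name__ == "__main__":
    for hit in analyze_rtf(build_sample_rtf(build_inner_zip("word/document.xml"))):
        print(hit)
```

Carving to the EOCD record rather than handing the whole blob to the zip library is what keeps trailing OLE bytes from breaking extraction; a corrupt central directory, as mentioned above, still needs a more forgiving unzipper.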

Use Cryptam free on our website.

Monday, April 14, 2014

CVE-2012-0158 in Mime HTML MSO format still baffles AV + MH370 Theme

When we started the research for this blog post we were exploring Malaysia Airlines Flight 370 (MH370) malware lures, using the following Yara rule to flag samples in Cryptam:

rule theme_MH370
{
    meta:
        author = ""
        version = "1.0"
        date = "2014-04-09"

    strings:
        $callsign1 = "MH370" ascii wide nocase fullword
        $callsign2 = "MAS370" ascii wide nocase fullword
        $desc1 = "Flight 370" ascii wide nocase fullword

    condition:
        any of them
}

In addition to APT1's use of the lure in Word document 5e8d64185737f835318489fda46f31a6, which drops an updated version of the Elise trojan, we were surprised to find that one of the recent MH370 lures is a MIME MSO document exploiting the MS Office Word vulnerability CVE-2012-0158, with a 0 detection rate on VirusTotal, dropping a Vidgrab/Evilgrab variant. FireEye covered a number of the MH370 campaigns in their March blog post, but we could not find any reference in other reporting to the MIME MSO document with MD5 0f765671a844190d74e985410fe31e8e, "Where is MH370.doc", which has 0/51 detection. We were among the first to report MIME MSO files being used to exploit CVE-2012-0158 in Word (Malware Tracker blog, August 30, 2013: CVE-2012-0158 exploit evades AV in Mime HTML format). At the end of this post we list four other March 2014 zero-detection file indicators from Cryptam samples, to help AV vendors improve detection of this threat.

Sample current as of this post on VirusTotal:

Cryptam result showing CVE-2012-0158 plus an executable obfuscated with a 256-byte XOR key:

The CVE-2012-0158 trigger is not obfuscated but uses a class ID BDD1F04B-858B-11D1-B16A-00C0F0283628 to activate the vulnerable MSCOMCTL ActiveX control:

This class ID is listed in MS12-027 as vulnerable to CVE-2012-0158:

Other zero-detection samples (MD5, filename, our comment, date, VirusTotal detections):

517782778e296fade32ce3fd2330afc8 "0319 Montsame.doc" (mwtracker comment: Mongolia) 2014-03-20 02:14:45 0/50

f721f3a22ad26105a8894ce967c02e32 "內政部公文.doc" (mwtracker comment: Taiwan) 2014-03-10 00:22:23 0/50

f851e312899d11abe39390cb6a21f982 "保釣信頭2012.doc" (mwtracker comment: Taiwan) 2014-03-07 07:05:26 0/50

82542d9913301396f6f1a676c9b93f58 "Iltgeh huudas_revised.doc" (mwtracker comment: Estonia) 2014-03-05 07:54:10 0/50

Some of the samples appear to drop a vidgrab/evilgrab variant and another not-yet-identified implant.

Sunday, April 13, 2014

Cryptam Malware Document Analyzer + imphash

The web and suite versions of the Cryptam document malware analysis system now calculate the imphash of embedded/dropped executables where possible and store it with the dropped file info for searching. The imphash is an executable similarity hash computed from the order of the Import Address Table. Cryptam is designed to statically extract xor/rol/ror/not obfuscated executables from malware documents such as RTF, MS Office or PDF files, and can automatically process the dropped files with Yara or an external sandbox.

This new feature lets you link dropped executables to current or past attack campaigns, and cross-reference older samples that were identified by Yara signatures but have since been modified to evade the unique static string matches common to many Yara rules.

Imphash searching is available to registered users under Advanced Search: drop_files like <your imphash>.

Searching for the example imphash c948ebda9bd9367f9fc50e01020766c8, dropped by RTF b2b8127bae5b61e258b17dc057338075 (24/51 on VirusTotal, April 11 2014), returns a number of dropped samples, some of which have been identified as the malware called "Safe", related to Lurid. This sample beacons to www[.]getapencil[.]com, visible in the executable's strings as extracted by Cryptam.

Scan a document for embedded executables with Cryptam at
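As an added example (our own illustration, not Cryptam's extraction or hashing code), the following Python shows the two steps described above in their simplest form: a known-plaintext search that recovers a single-byte XOR key from an executable hidden in a blob (NOT is the key 0xFF case; ROL/ROR and multi-byte keys are not covered), and the imphash normalisation applied to an import list. The carrier blob and the import lists are constructed; the normalisation rules follow the widely used pefile convention, which is an assumption rather than something the post states.

```python
import hashlib

DOS_STUB = b"This program cannot be run in DOS mode"


def build_sample_blob(key: int = 0x7A, prefix_len: int = 32) -> bytes:
    """Constructed carrier: filler bytes, then a fake PE header XORed with a
    single-byte key, as a document dropper might store it."""
    fake_pe = (b"MZ" + bytes(range(0x3E)) + DOS_STUB + b".\r\n$"
               + b"\x00" * 16 + b"PE\x00\x00" + bytes(range(64)))
    return b"\x00" * prefix_len + bytes(b ^ key for b in fake_pe) + b"\xAA" * 16


def find_xored_pe(data: bytes, window: int = 0x100):
    """Known-plaintext search: derive a candidate key from 'M', check that the
    next byte decodes to 'Z', then confirm with the DOS stub text inside the
    header window. Returns (offset, key) or None."""
    for off in range(len(data) - 1):
        key = data[off] ^ 0x4D
        if data[off + 1] ^ key != 0x5A:
            continue
        chunk = bytes(b ^ key for b in data[off:off + window])
        if DOS_STUB in chunk:
            return off, key
    return None


def recover_pe(data: bytes, off: int, key: int) -> bytes:
    """De-obfuscate from the located header to the end of the blob."""
    return bytes(b ^ key for b in data[off:])


def imphash(imports) -> str:
    """imports: [(dll, [function, ...]), ...] in import-table order.
    Assumed pefile convention: lowercase, strip .dll/.ocx/.sys, join
    'dll.func' entries with commas, MD5. Ordinal-only imports would need
    name resolution and are not handled here."""
    parts = []
    for dll, funcs in imports:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[:-len(ext)]
                break
        parts.extend(f"{name}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


if __name__ == "__main__":
    blob = build_sample_blob()
    off, key = find_xored_pe(blob)
    print(f"PE at offset {off}, key 0x{key:02x}, starts {recover_pe(blob, off, key)[:2]!r}")
    print(imphash([("KERNEL32.DLL", ["LoadLibraryA", "GetProcAddress"])]))
```

Because the hash depends on import order and not on the strings in the binary, a dropper recompiled with new string constants but the same import table keeps its imphash, which is why the search above can link it to earlier samples.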

Sunday, January 12, 2014

CVE-2013-5331 evaded AV by using obscure Flash compression ZWS

Update 2014-01-14: added Yara signature.

We recently came across what is likely the CVE-2013-5331 zero-day file (Adobe Flash embedded in an MS Office .doc) on VirusTotal (Biglietto Visita.doc, MD5 2192f9b0209b7e7aa6d32a075e53126d; 0 detections on 2013-11-11, 2/49 on 2013-12-23). The filename is Italian for "business card" and could be related to MFA targeting in Italy. The vulnerability was patched on 2013-12-10, so the exploit was in the wild for at least a full month.

It appears to be the only CVE-2013-5331 sample on VirusTotal we could find. It is also interesting that the Flash exploit payload carries the very unusual ZWS header, meaning the SWF body is LZMA-compressed (the Lempel-Ziv-Markov chain algorithm, also used by 7-Zip). The zlib-compressed CWS form is by far the most common, and we are not aware of Flash content creation tools that output ZWS. ZWS compression combined with embedding inside an MS Office document is very likely to evade most AV products.

From our Cryptam database, related files with similar metadata:
5da6a1d46641044b782d5c169ccb8fbf 2013-06-28 CVE-2012-5054 7/46 2013-07-07
8d70043395a2d0e87096c67e0d68f931 2013-06-28 CVE-2013-0633 6/46 2013-07-18

Yara rule for ZWS Flash embedded in MS Office:

rule doc_zws_flash
{
    meta:
        ref = "2192f9b0209b7e7aa6d32a075e53126d"
        author = ""
        date = "2014-01-11"

    strings:
        // 5A 57 53 is the "ZWS" SWF signature; the bytes before it are the
        // wrapper written around the embedded SWF in the control data
        $header = {66 55 66 55 ?? ?? ?? 00 5A 57 53}
        $control = "CONTROL ShockwaveFlash.ShockwaveFlash"

    condition:
        all of them
}
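As an added example (our own illustration, not Cryptam code or the sample's content), the following Python builds FWS, CWS and ZWS variants of a constructed SWF body, parses each back, and locates a ZWS SWF behind the "fUfU" wrapper the rule keys on. It assumes the four bytes after "fUfU" are the SWF length, as the rule's byte pattern suggests, and it rebuilds the .lzma header that ZWS omits so that the standard lzma module can decompress the body.

```python
import lzma
import struct
import zlib


def build_swf(body: bytes, compression: str, version: int = 10) -> bytes:
    """Constructed SWF around an arbitrary body. The 4-byte length field is the
    uncompressed size including the 8-byte header."""
    total = 8 + len(body)
    header = compression.encode("ascii") + bytes([version]) + struct.pack("<I", total)
    if compression == "FWS":
        return header + body
    if compression == "CWS":
        return header + zlib.compress(body)
    if compression == "ZWS":
        alone = lzma.compress(body, format=lzma.FORMAT_ALONE)
        props, payload = alone[:5], alone[13:]   # .lzma header minus its 8-byte size field
        return header + struct.pack("<I", len(payload)) + props + payload
    raise ValueError(f"unknown compression {compression!r}")


def parse_swf(data: bytes) -> dict:
    """Identify the signature and return the decompressed body."""
    if len(data) < 8:
        raise ValueError("too short for a SWF header")
    sig = data[:3].decode("ascii", "replace")
    version = data[3]
    total = struct.unpack_from("<I", data, 4)[0]
    if sig == "FWS":
        body = data[8:total]
    elif sig == "CWS":
        body = zlib.decompress(data[8:])
    elif sig == "ZWS":
        comp_len = struct.unpack_from("<I", data, 8)[0]
        props = data[12:17]
        payload = data[17:17 + comp_len]
        # Reassemble a .lzma stream: 5 property bytes, "size unknown" marker,
        # then the LZMA data, so the decoder relies on the end-of-stream marker.
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
        body = dec.decompress(props + b"\xff" * 8 + payload)
    else:
        raise ValueError("not a SWF header")
    return {"compression": sig, "version": version, "declared_length": total, "body": body}


def wrap_in_control(swf: bytes, padding: int = 16) -> bytes:
    """Constructed stand-in for the control data around an embedded SWF:
    filler, 'fUfU', 4-byte length, the SWF, trailing bytes (layout assumed)."""
    return b"\x00" * padding + b"fUfU" + struct.pack("<I", len(swf)) + swf + b"\x00" * 8


def find_embedded_flash(blob: bytes) -> list:
    """Locate and classify SWFs behind every 'fUfU' marker in the blob."""
    found = []
    pos = blob.find(b"fUfU")
    while pos >= 0:
        try:
            length = struct.unpack_from("<I", blob, pos + 4)[0]
            info = parse_swf(blob[pos + 8:pos + 8 + length])
            found.append({"offset": pos, "compression": info["compression"],
                          "version": info["version"], "body_len": len(info["body"])})
        except (ValueError, struct.error, zlib.error, lzma.LZMAError):
            pass  # not a parseable SWF at this marker
        pos = blob.find(b"fUfU", pos + 4)
    return found


if __name__ == "__main__":
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00\x40\x00"
    print(find_embedded_flash(wrap_in_control(build_swf(body, "ZWS"))))
```

A scanner that only recognises FWS and CWS never reaches the decompressed tags of a ZWS file, which is the gap the sample above exploits; handling all three signatures before applying content signatures closes it.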

Friday, August 30, 2013

CVE-2012-0158 exploit evades AV in Mime HTML format

Since the end of April 2013 we have seen APT1, the NetTraveler/Netshark/Surtr group and others use MIME MSO format files to deliver CVE-2012-0158 exploits in spear-phishing attacks. By packaging the exploit in a MIME document instead of an RTF or OLE Word document, the attackers appear to avoid detection by half or more of the AV products on VirusTotal.

The malicious file, although it is MIME and HTML content, is normally given a .doc or .rtf extension so that it is associated with Microsoft Office. The content looks like a MIME email or a single-file web archive:

Unlike the RTF version of the CVE-2012-0158 exploit, the MIME version has had very little exposure and still bypasses many AV products despite no obfuscation effort at all.

This CVE-2012-0158 Mime delivery method was previously reported in May 2013 by Antiy Labs [PDF].

Instead of referencing the vulnerable control by class name, as RTF exploits do, the MIME version uses class IDs such as BDD1F04B-858B-11D1-B16A-00C0F0283628 (the ListView ActiveX control, MS12-027 / CVE-2012-0158) alongside base64-encoded document content:

This format can also be used to deliver Shockwave Flash exploits within MS Office.

We have seen three identified groups, including APT1, use this exploit to deliver more than six different trojans.

Our Cryptam online scanner detects this threat as "MSO MSCOMCTL.OCX RCE CVE-2012-0158".
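As an added example (our own illustration, not Cryptam's detection logic), the following Python shows the parsing step behind a detection like the one above, for this post and for the MH370 MIME MSO sample discussed in the April 2014 post: walk the MIME parts, undo each part's transfer encoding, and look for the MS12-027 ListView class ID both as text (as it appears in HTML/XML) and in the 16-byte little-endian form used inside OLE control data. The MIME document, its boundary and the Content-Location are constructed for the example.

```python
import base64
import email
import re
import uuid

# The ListView control's class ID named in MS12-027 for CVE-2012-0158.
LISTVIEW_CLSID = "BDD1F04B-858B-11D1-B16A-00C0F0283628"


def build_sample_mso() -> bytes:
    """Constructed MIME/MSO document (not a real sample): an HTML part that
    references the control by class ID, and a base64 part whose binary content
    carries the same GUID in the little-endian form used inside OLE streams."""
    html = ('<html><body>'
            f'<object classid="clsid:{LISTVIEW_CLSID.lower()}"></object>'
            '</body></html>')
    ole_blob = b"\x00" * 24 + uuid.UUID(LISTVIEW_CLSID).bytes_le + b"\x00" * 24
    b64 = base64.encodebytes(ole_blob).decode("ascii")
    return (
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/related; boundary="----=_NextPart_000"\n'
        "\n"
        "------=_NextPart_000\n"
        'Content-Type: text/html; charset="us-ascii"\n'
        "Content-Transfer-Encoding: 7bit\n"
        "\n" + html + "\n"
        "------=_NextPart_000\n"
        "Content-Location: file:///C:/sample/ole.bin\n"
        "Content-Type: application/octet-stream\n"
        "Content-Transfer-Encoding: base64\n"
        "\n" + b64 +
        "------=_NextPart_000--\n"
    ).encode("ascii")


def clsid_patterns(clsid: str):
    """Text form (case-insensitive) and raw 16-byte form of a class ID."""
    text = re.compile(re.escape(clsid).encode("ascii"), re.IGNORECASE)
    binary = re.compile(re.escape(uuid.UUID(clsid).bytes_le))
    return text, binary


def scan_mso(data: bytes, clsid: str = LISTVIEW_CLSID) -> list:
    """Walk every MIME part, decode its transfer encoding, and report which
    parts reference the class ID and in which form."""
    text_re, bin_re = clsid_patterns(clsid)
    msg = email.message_from_bytes(data)
    hits = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # base64/QP undone here
        forms = []
        if text_re.search(payload):
            forms.append("text")
        if bin_re.search(payload):
            forms.append("binary")
        if forms:
            hits.append({
                "part": index,
                "content_type": part.get_content_type(),
                "encoding": (part.get("Content-Transfer-Encoding") or "none").lower(),
                "forms": forms,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_mso(build_sample_mso()):
        print(hit)
```

Matching only the text form would miss the control data once it is base64-encoded, and matching the raw file without decoding the transfer encoding would miss both; decoding first is what makes the unobfuscated class ID visible again.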


APT1 / "Operation Beebus" / WARP:
7c55a62b935171d1c0bb6d3a923e7436 Draft Agenda_PCC V3.doc

Wednesday, June 12, 2013

MS13-051 / CVE-2013-1331 Office zero day patched by Microsoft

Here is some of the information that is starting to come out on the zero day Microsoft patched on June 11, 2013.

MSFT advisory:


Sample on VT from March 4 2013 (credit Eromang):

And a quick note: while nobody submitted CVE-2013-1331 samples to Cryptam before the public release, we would have flagged the suspicious ScriptBridge reference in the sample above:

Update: @eromang has found samples of this exploit dating back to 2009; see his blog post.