Monday, April 14, 2014

CVE-2012-0158 in Mime HTML MSO format still baffles AV + MH370 Theme

When we started working on the research for this blog post we were exploring Malaysia Airlines Flight 370 (MH370) malware lures using Yara to flag samples in Cryptam with the following rule:

rule theme_MH370 {
    meta:
        author = "MalwareTracker.com"
        version = "1.0"
        date = "2014-04-09"
    strings:
        $callsign1 = "MH370" ascii wide nocase fullword
        $callsign2 = "MAS370" ascii wide nocase fullword
        $desc1 = "Flight 370" ascii wide nocase fullword
    condition:
        any of them
}




In addition to APT1 use of the lure in Word document 5e8d64185737f835318489fda46f31a6 dropping an updated version of Trojan Elise, we were surprised to see that one of the recent MH370 lures was a Mime MSO document exploiting MS Office Word vulnerability CVE-2012-0158 with 0 detection rate on VirusTotal dropping a variant of Vidgrab/Evilgrab. FireEye nicely covered a number of the MH370 campaigns in their March blog post.  However we could not find any references to the Mime MSO document MD5 0f765671a844190d74e985410fe31e8e "Where is MH370.doc" with 0/51 detection on VirusTotal.com in any other reporting. We were one of the first to previously report that Mime MSO files were being used to exploit CVE-2012-0158 in Word (August 30, 2013 Malware Tracker Blog CVE-2012-0158 exploit evades AV in Mime HTML format). At the end of this post we provide 4 other March 2014 0 detection file indicators from Cryptam samples to hopefully assist AV in improving detection rates for this threat.

 Sample current as of this post on VirusTotal


 Cryptam result showing CVE-2012-0158 plus a 256byte xored exe:




The CVE-2012-0158 trigger is not obfuscated but uses a class ID BDD1F04B-858B-11D1-B16A-00C0F0283628 to activate the vulnerable MSCOMCTL ActiveX control:

The class ID is disclosed in MS12-027 as vulnerable to CVE-2012-0158:



Other 0 detection samples:
517782778e296fade32ce3fd2330afc8 "0319 Montsame.doc" (mwtracker comment: Mongolia) 2014-03-20T02:14:45.000Z 0/50

f721f3a22ad26105a8894ce967c02e32 "內政部公文.doc" (mwtracker comment: Taiwan) 2014-03-10T00:22:23.000Z  0/50

f851e312899d11abe39390cb6a21f982 "保釣信頭2012.doc" (mwtracker comment: Taiwan) 2014-03-07 07:05:26 0/50

82542d9913301396f6f1a676c9b93f58 "Iltgeh huudas_revised.doc"  (mwtracker comment: Estonia) 2014-03-05 07:54:10 0/50



Some of the samples appear to drop a vidgrab/evilgrab variant and another not-yet-identified implant.


Sunday, April 13, 2014

Cryptam Malware Document Analizer + imphash

The web and suite versions of the Cryptam document malware analysis system now calculate the imphash of embedded/dropped executables when possible and store this value within the dropped file info for searching. The imphash is a executable similarity hash based on the Import Address Table order and is included in pefile.py. Cryptam is designed to statically extract the xor/rol/ror/not obfuscated executables from malware documents such as RTF, MS Office, or PDF files and can automatically process the dropped files with Yara or an external sandbox.



This new feature allows you to link dropper executables to current or past attack campaigns and to cross reference older samples which may have already been identified with Yara signatures but now have been modified to evade the unique static string matching common to many Yara signatures.

Imphash searching is available to registered users under Advanced Search - drop_files like <your imphash>.

















Searching the example imphash c948ebda9bd9367f9fc50e01020766c8 dropped by RTF b2b8127bae5b61e258b17dc057338075 (24 / 51 on Virustotal April 11 2014) shows a number of dropped samples some of which have been identified as the malware called "Safe" related to Lurid. This sample beacons to www[.]getapencil[.]com visible in the executables strings extracted by Cryptam.

Scan a document for embedded executables with Cryptam at https://www.malwaretracker.com/doc.php

Sunday, January 12, 2014

CVE-2013-5331 evaded AV by using obscure Flash compression ZWS

Update: 2013-01-14 added Yara signature.

We recently came across what is likely the CVE-2013-5331 zero day (Adobe Flash in MS Office .doc) file on virustotal.com (Biglietto Visita.doc, MD5: 2192f9b0209b7e7aa6d32a075e53126d, 0 detections on 2013-11-11, 2/49 on 2013-12-23). The filename is Italian for "visit card" and could be related to MFA targeting in Italy. This exploit was patched 2013-12-10, and was in the wild for at least a full month.



While it appears to be the only CVE-2013-5331 sample on Virustotal we could find, it's also interesting that the Flash exploit payload is a very unusual ZWS compression header (the compression algorithm uses LZMA as in Lempel–Ziv–Markov chain algorithm and which is also used in 7zip). Flash CWS headers for Gzip compression is the most commonly used, and we are not aware of Flash content creation tools outputting ZWS Flash. This compression method ZWS combined with embedding within MSOffice documents is very likely to evade most AV products.

From our Cryptam Database Related files with similar metadata:
5da6a1d46641044b782d5c169ccb8fbf 2013-06-28 CVE-2012-5054 7/46 2013-07-07
8d70043395a2d0e87096c67e0d68f931 2013-06-28 CVE-2013-0633 6/46 2013 07-18

Yara Rule for ZWS Flash embedded in MSOffice:
rule doc_zws_flash {
    meta:
    ref ="2192f9b0209b7e7aa6d32a075e53126d"
    author = "MalwareTracker.com"
    date = "2013-01-11"

    strings:
        $header = {66 55 66 55 ?? ?? ?? 00 5A 57 53}
        $control = "CONTROL ShockwaveFlash.ShockwaveFlash"
      
    condition:
        all of them
}

Friday, August 30, 2013

CVE-2012-0158 exploit evades AV in Mime HTML format

Since the end of April 2013 we've been seeing APT1, the NetTraveler/Netshark/Surtr group and others use Mime-MSO format files to deliver CVE-2012-0158 exploits to victims in spear phishing attacks.  By packaging the exploit within a Mime document instead of RTF or OLE Word document, the attackers appear to avoid detection by half or more of the AV products on VirusTotal.



The malicious file, while being mime and HTML content, is normally named with a with .doc or .rtf to associate it as a Microsoft office document. The content is similar to a mime email or single file web archive:




Unlike the RTF version of the CVE-2012-0158 exploit, the Mime version has received very little exposure and still bypasses many AV products despite the lack of obfuscation efforts.

This CVE-2012-0158 Mime delivery method was previously reported in May 2013 by Antiy Labs [PDF http://www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf].


Instead of calling vulnerable class names such as with RTF, class IDs such as BDD1F04B-858B-11D1-B16A-00C0F0283628 (ListView ActiveX MS12-027 CVE-2012-0158) are used along with base 64 encoded document content:

This format can also be used to deliver Shockwave Flash exploits within MS Office.

We've seen 3 identified groups, including APT1 using this exploit to deliver over 6 different trojans.

Our Cryptam online scanner detects this threat as "exploit.office MSO MSCOMCTL.OCX RCE CVE-2012-0158".

References:

APT1 / "Operation Beebus" / WARP:
7c55a62b935171d1c0bb6d3a923e7436 Draft Agenda_PCC V3.doc
b08fae5abbde4c329694c220ef6745d0

NetTraveler:
d04655b17aea031e0037892979c91bb4
64fcd0d90dc9eb18d9a700ee4a6cd8de
5079b547a35c3dae23ca3ced917b8f36

Netshark:
b82495293512bd83a9ecdc74537e7623
b1d70421c051509b3759519fe9231fac
59f14e75f0cedd71d9219eb1ff1a19ea

Surtr:
6ff9a5a80fabe8da9d57576a5f60a3c4
712baec89f77f9dc3d91955cbef2410e
f0ed27704bf90d38f10d1e195833fd4e
4e25355848ce2dd843a6ed74254a54f7

Wednesday, June 12, 2013

MS13-051 / CVE-2013-1331 Office zero day patched by Microsoft

Here's some info on the now-patched (as of June 11 2013) zero day that's starting to come out.

MSFT advisory: http://technet.microsoft.com/en-us/security/bulletin/ms13-051

Details: http://blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx

Sample on VT from March 4 2013 (credit Eromang): https://www.virustotal.com/en/file/f854f057c5b7e5e9f863d94d0c81c1f8a2f1eac34dae900da52f6cadf98d923a/analysis/


And also a quick note that while no one submitted any CVE-2013-1331 samples to Cryptam before the public release, we would have detected the suspicious ScriptBridge reference in the above sample:
https://www.malwaretracker.com/docsearch.php?hash=714876fdce62371da08c139377f23d76


Update: @eromang has found samples of this exploit dating back to 2009, check out his blog post.

Friday, June 7, 2013

Tomato Garden Campaign: Part 2 - An Old "New" Exploit

Following up to our previous post, our analysis has shown the exploit is patched with MS12-060, however, it is not CVE-2012-1856 which deals with MSCOMCTL.OCX TabStrip.

The exploit we found used in targeted spear phishing in-the-wild uses the Toolbar activeX control to create a stack overflow - not TabStrip, but this new exploit is mitigated with the MS12-060 patch, making it old. Most of the samples extract a 256 byte xored executable after 0x8000.

As the exploit is indirectly patched, we will release all the related identifiers in the hopes that commercial AV can increase their detection rates for this exploit. As the current top document exploit is CVE-2012-0158, this new exploit requires a later patch to fix, and has lower detection rates than CVE-2012-0158 and CVE-2012-1856 we expect it to become even more popular.




MD5s:
bee6ca093f0f2cdbd27969e9f4f1d9a0
28460cc1133af9a4b2ec8f962d5541cc
5e1f769ef6ce93a10bb59709042ce813
928bbd99330f540cd55874f2098be948
161c840748df9b49fda878394398425a
f5e8b5f370541dcc1562dce0ce703d3d
9eda92fe59ef15349795b2b6a350a481
a83d1d8330e69bdf5ebb994834f90375
370e2ebe5d72678affd39264a0d2fedd
1ad836efc8b64d242c97e0d4bf414e5e
a9c640ce3ddea0ed2fc8923212398a1d
c366fdf495a57f151b7ba0f3f8575699
4284624ae7db18678be38f4a2814d623
acb3eff692374deb9b808834bf02eb65
ad7c5b7c3e5cc79b7b3ff94f031c5fce
1300cbeaf1ade8866f3dc1f362fb63e9
d561f8de3a07669705b1158af8c339af
770a5a1683caa26caaa1531c2ed5e626
f989ac92a714b1b7c57a0fe51e0b5f43
6d84f7e0a2bc6de1cf9a647faa58d657
46b057317708d31874cd704e0d9b4ca9
bfc96694731f3cf39bcad6e0716c5746
1947d3ef9aaec927770fbaa17a6d1f8f
b137cd372af2988696e4adc753bd0765
fc6a07d3419e794ce76badfe683aee11
888502627009ac5be851d01107485327
c49e4904c9add5f8da5085033b1a4d73
56fc7ed9eabe68d5052deab15c62064f
8e0062ff9f405c872689a3876bac65cc
65b7b608ece82fa0e8d6e282ef375b69
d538a5dbbf53f6115e7582fb85cf0f33
b916950e2d51220915cd40c4878d7e25
d2a2ffc54ad7b591c7e0a62249ff8fe9
eeb892070bf677dda7e611d111442813
70286e6a77d827e77611980bd065f890
d4421591ba77976bd6e347527d129dd2
3e251b9bc0ea73d51ece10ddc491ad42
cd24e7ad8b856f40a0a368a2cc00ddc7
b6b9b0c4fbeba112ccccbef1c4781540
322584dd8fb5d636822f32896b0090a5
21582e08e01394381611465d254f88c9
6845288e2be0be1adbc3a3d4c6aaaa63

Office Document metadata seen in all samples:
Version 5.1
Code page: 949
Author: Tran Duy Linh
Template: Normal.dotm
Last Saved By: Tran Duy Linh
Revision Number: 2
Name of Creating Application: Microsoft Office Word
Total Editing Time: 04:00
Create Time/Date: Thu Nov 22 04:35:00 2012
Last Saved Time/Date: Thu Nov 22 04:39:00 2012
Number of Pages: 1
Number of Words: 5
Number of Characters: 34
Security: 0
Exploit related strings:
CONTROL MSComctlLib.Toolbar.2
Toolbar1, 0, 0, MSComctlLib, Toolbar


Yara rule for the dropper:
rule apt_actor_tran_duy_linh
{
       meta:
         info = "author"
       strings:
      $auth = { 4E 6F 72 6D 61 6C 2E 64 6F 74 6D 00 1E 00 00 00 10 00 00 00 54 72 61 6E 20 44 75 79 20 4C 69 6E 68 }

       condition:
               $auth
}




Our Cryptam reports:

bee6ca093f0f2cdbd27969e9f4f1d9a0
28460cc1133af9a4b2ec8f962d5541cc
5e1f769ef6ce93a10bb59709042ce813
928bbd99330f540cd55874f2098be948
161c840748df9b49fda878394398425a
f5e8b5f370541dcc1562dce0ce703d3d
9eda92fe59ef15349795b2b6a350a481
a83d1d8330e69bdf5ebb994834f90375
370e2ebe5d72678affd39264a0d2fedd
1ad836efc8b64d242c97e0d4bf414e5e
a9c640ce3ddea0ed2fc8923212398a1d
c366fdf495a57f151b7ba0f3f8575699
4284624ae7db18678be38f4a2814d623
acb3eff692374deb9b808834bf02eb65
ad7c5b7c3e5cc79b7b3ff94f031c5fce
1300cbeaf1ade8866f3dc1f362fb63e9
d561f8de3a07669705b1158af8c339af
770a5a1683caa26caaa1531c2ed5e626
f989ac92a714b1b7c57a0fe51e0b5f43
6d84f7e0a2bc6de1cf9a647faa58d657
46b057317708d31874cd704e0d9b4ca9
bfc96694731f3cf39bcad6e0716c5746
1947d3ef9aaec927770fbaa17a6d1f8f
b137cd372af2988696e4adc753bd0765
fc6a07d3419e794ce76badfe683aee11
888502627009ac5be851d01107485327
c49e4904c9add5f8da5085033b1a4d73
56fc7ed9eabe68d5052deab15c62064f
8e0062ff9f405c872689a3876bac65cc
65b7b608ece82fa0e8d6e282ef375b69
d538a5dbbf53f6115e7582fb85cf0f33
b916950e2d51220915cd40c4878d7e25
d2a2ffc54ad7b591c7e0a62249ff8fe9
eeb892070bf677dda7e611d111442813
70286e6a77d827e77611980bd065f890
d4421591ba77976bd6e347527d129dd2
3e251b9bc0ea73d51ece10ddc491ad42
cd24e7ad8b856f40a0a368a2cc00ddc7
b6b9b0c4fbeba112ccccbef1c4781540
322584dd8fb5d636822f32896b0090a5
21582e08e01394381611465d254f88c9
6845288e2be0be1adbc3a3d4c6aaaa63

Additional C2 domains:
meetings.space-mars.com
HHGJGOCNGCDAGDGCDADCGFDDDEDDGF.terhec.com
web1.authorizeddns.org
gmaillogin.ddns.us

We believe several groups are using the same document exploit shell to conduct unrelated campaigns.

Thursday, June 6, 2013

Tomato Garden Campaign - Possible Microsoft Office zero day in the wild used against Tibet and China Democracy activists

Update:  So far some of the samples are killed with ms12-060 but are not a known exploit, so this might be a new, but patched exploit. The purpose of this campaign might be to evade AV while going after users without the latest patch - all samples are at 7 or 8 of 43 max on VirusTotal.


We are currently examining 40 samples of an unconfirmed zeroday in Microsoft Office circulating against Pro Democracy and Tibet activists. One of the exploit documents contains a "PittyTiger" payload, however, several different payload implants have been observed. The exploit is contained in a .doc file but could be delivered via RTF as well. We've seen attacks since June 4 2013 using payloads compiled on May 28, and some of the command and control domains have been registered as late as today June 6 2013.

We have provided the samples to Microsoft and are awaiting confirmation.

We will release detection signatures for our Cryptam document malware scanner - free online scanning at Cryptam.com and more details soon.

We recommend taking extra precautions to not open DOC or RTF files received via email or weblinks at this time.


Update 1: Some of the command a control domains are using blog sites for C2. There's at least 4 different implants, so in all probability the exploit has been shared with multiple groups already. We have 40 unique MD5 hashes of OLE .doc files over the past 2 days. Cryptam has been updated with the detection signature - check suspicious docs here.

command and control domains (partial list):
board.nboard.net
98.126.9.34
comsskk.wordpress.com
comsskk.sosblogs.com
comsskk.livejournal.com
www.tigdiho.com
114.142.147.51
tianshao007.vicp.cc
rss.groups.yahoo.com
wut.mophecfbr.com
radiomusictv.wordpress.com
wikipedia.authorizeddns.org (pitty tiger)
login.aerotche.com (Creation date: 05 Jun 2013 13:58:00)
HHGJGOCNHIHADCCNDC.terhec.com (Creation date: 06 Jun 2013 07:24:00)
silence.phdns01.com
cpnet.phmail.us
imlang.phmail.org

Update 2: We extracted the following code signing certificates used in 3 of the samples:

code signing certificates:
VMWare (invalid):



Shenzhen OuMing Keji Co.,Ltd (expired):




Update 3: We're hearing the exploit may be older - patched with ms12-060 but not previously reported.