Friday, August 30, 2013

CVE-2012-0158 exploit evades AV in Mime HTML format

Since the end of April 2013 we've been seeing APT1, the NetTraveler/Netshark/Surtr group and others use Mime-MSO format files to deliver CVE-2012-0158 exploits to victims in spear phishing attacks.  By packaging the exploit within a Mime document instead of RTF or OLE Word document, the attackers appear to avoid detection by half or more of the AV products on VirusTotal.



The malicious file, although its content is MIME and HTML, is normally named with a .doc or .rtf extension so that it is associated with Microsoft Office. The content is similar to a MIME email or a single-file web archive:




Unlike the RTF version of the CVE-2012-0158 exploit, the Mime version has received very little exposure and still bypasses many AV products despite the lack of obfuscation efforts.

This CVE-2012-0158 Mime delivery method was previously reported in May 2013 by Antiy Labs [PDF http://www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf].


Instead of referencing the vulnerable control by class name as the RTF version does, the Mime version uses class IDs such as BDD1F04B-858B-11D1-B16A-00C0F0283628 (ListView ActiveX, MS12-027 / CVE-2012-0158) along with base64 encoded document content:

This format can also be used to deliver Shockwave Flash exploits within MS Office.
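The following is an added example, not code from the original post or from Cryptam, showing why a scanner has to decode the MIME parts before looking for the CLSID named above: the textual GUID survives in the raw file, but the 16-byte little-endian form that OLE streams use only appears after the base64 part is decoded. The sample MHTML document is constructed for the example; the CLSID is the one from the post.

```python
"""Added example: scan a Mime-MSO (MHTML-style) document for the MSCOMCTL
ListView CLSID named in the post, inside base64/quoted-printable decoded parts."""
import base64
import email
import email.policy
import uuid

# CLSID from the post: MSComctlLib ListView control (MS12-027 / CVE-2012-0158).
LISTVIEW_CLSID = "BDD1F04B-858B-11D1-B16A-00C0F0283628"


def clsid_forms(clsid):
    """The byte patterns under which a CLSID can appear in a document: the textual
    GUID (either case) and the 16-byte little-endian layout used in OLE streams."""
    text = clsid.encode()
    return [("text", text), ("text", text.lower()), ("binary", uuid.UUID(clsid).bytes_le)]


def iter_parts(raw):
    """Yield (content_type, decoded_bytes) for every leaf part of a MIME document.
    Transfer encodings (base64, quoted-printable) are undone here, which is
    exactly what a scanner that only looks at the raw file misses."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload:
            yield part.get_content_type(), payload


def find_clsid(raw, clsid=LISTVIEW_CLSID):
    """Return (content_type, form) for every decoded part that carries the CLSID."""
    hits = []
    for ctype, data in iter_parts(raw):
        for label, pattern in clsid_forms(clsid):
            if pattern in data:
                hits.append((ctype, label))
                break
    return hits


def scan_raw(raw, clsid=LISTVIEW_CLSID):
    """Forms of the CLSID visible in the undecoded file (for comparison)."""
    return sorted({label for label, pattern in clsid_forms(clsid) if pattern in raw})


# Constructed sample: an HTML part naming the control by CLSID, plus a base64
# "oledata.mso" part carrying the binary GUID. Not a real exploit document.
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_01"

------=_NextPart_01
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body><p>Agenda</p>
<object classid=3D"clsid:BDD1F04B-858B-11D1-B16A-00C0F0283628"></object>
</body></html>

------=_NextPart_01
Content-Type: application/x-mso
Content-Location: file:///C:/docs/oledata.mso
Content-Transfer-Encoding: base64

""" + base64.b64encode(b"\x00" * 8 + uuid.UUID(LISTVIEW_CLSID).bytes_le + b"\x00" * 8) + b"""

------=_NextPart_01--
"""

if __name__ == "__main__":
    print("raw file shows:", scan_raw(SAMPLE_MHTML))
    print("decoded parts show:", find_clsid(SAMPLE_MHTML))
```

Running it shows the raw file only exposes the text form, while the decoded `application/x-mso` part also exposes the binary GUID; a signature written only against the textual CLSID misses the OLE-embedded copy.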

We've seen 3 identified groups, including APT1, using this exploit to deliver over 6 different trojans.

Our Cryptam online scanner detects this threat as "exploit.office MSO MSCOMCTL.OCX RCE CVE-2012-0158".

References:

APT1 / "Operation Beebus" / WARP:
7c55a62b935171d1c0bb6d3a923e7436 Draft Agenda_PCC V3.doc
b08fae5abbde4c329694c220ef6745d0

NetTraveler:
d04655b17aea031e0037892979c91bb4
64fcd0d90dc9eb18d9a700ee4a6cd8de
5079b547a35c3dae23ca3ced917b8f36

Netshark:
b82495293512bd83a9ecdc74537e7623
b1d70421c051509b3759519fe9231fac
59f14e75f0cedd71d9219eb1ff1a19ea

Surtr:
6ff9a5a80fabe8da9d57576a5f60a3c4
712baec89f77f9dc3d91955cbef2410e
f0ed27704bf90d38f10d1e195833fd4e
4e25355848ce2dd843a6ed74254a54f7

Wednesday, June 12, 2013

MS13-051 / CVE-2013-1331 Office zero day patched by Microsoft

Here's some info on the now-patched (as of June 11 2013) zero day that's starting to come out.

MSFT advisory: http://technet.microsoft.com/en-us/security/bulletin/ms13-051

Details: http://blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx

Sample on VT from March 4 2013 (credit Eromang): https://www.virustotal.com/en/file/f854f057c5b7e5e9f863d94d0c81c1f8a2f1eac34dae900da52f6cadf98d923a/analysis/


And also a quick note that while no one submitted any CVE-2013-1331 samples to Cryptam before the public release, we would have detected the suspicious ScriptBridge reference in the above sample:
https://www.malwaretracker.com/docsearch.php?hash=714876fdce62371da08c139377f23d76


Update: @eromang has found samples of this exploit dating back to 2009, check out his blog post.

Friday, June 7, 2013

Tomato Garden Campaign: Part 2 - An Old "New" Exploit

Following up to our previous post, our analysis has shown that the exploit is patched by MS12-060; however, it is not CVE-2012-1856, which deals with the MSCOMCTL.OCX TabStrip control.

The exploit we found used in targeted spear phishing in the wild uses the Toolbar ActiveX control, not TabStrip, to create a stack overflow; since this new exploit is mitigated by the MS12-060 patch, it counts as old. Most of the samples extract a 256 byte XORed executable located after offset 0x8000.

As the exploit is indirectly patched, we will release all the related identifiers in the hope that commercial AV can increase their detection rates for this exploit. The current top document exploit is CVE-2012-0158; since this new exploit requires a later patch to fix and has lower detection rates than CVE-2012-0158 and CVE-2012-1856, we expect it to become even more popular.




MD5s:
bee6ca093f0f2cdbd27969e9f4f1d9a0
28460cc1133af9a4b2ec8f962d5541cc
5e1f769ef6ce93a10bb59709042ce813
928bbd99330f540cd55874f2098be948
161c840748df9b49fda878394398425a
f5e8b5f370541dcc1562dce0ce703d3d
9eda92fe59ef15349795b2b6a350a481
a83d1d8330e69bdf5ebb994834f90375
370e2ebe5d72678affd39264a0d2fedd
1ad836efc8b64d242c97e0d4bf414e5e
a9c640ce3ddea0ed2fc8923212398a1d
c366fdf495a57f151b7ba0f3f8575699
4284624ae7db18678be38f4a2814d623
acb3eff692374deb9b808834bf02eb65
ad7c5b7c3e5cc79b7b3ff94f031c5fce
1300cbeaf1ade8866f3dc1f362fb63e9
d561f8de3a07669705b1158af8c339af
770a5a1683caa26caaa1531c2ed5e626
f989ac92a714b1b7c57a0fe51e0b5f43
6d84f7e0a2bc6de1cf9a647faa58d657
46b057317708d31874cd704e0d9b4ca9
bfc96694731f3cf39bcad6e0716c5746
1947d3ef9aaec927770fbaa17a6d1f8f
b137cd372af2988696e4adc753bd0765
fc6a07d3419e794ce76badfe683aee11
888502627009ac5be851d01107485327
c49e4904c9add5f8da5085033b1a4d73
56fc7ed9eabe68d5052deab15c62064f
8e0062ff9f405c872689a3876bac65cc
65b7b608ece82fa0e8d6e282ef375b69
d538a5dbbf53f6115e7582fb85cf0f33
b916950e2d51220915cd40c4878d7e25
d2a2ffc54ad7b591c7e0a62249ff8fe9
eeb892070bf677dda7e611d111442813
70286e6a77d827e77611980bd065f890
d4421591ba77976bd6e347527d129dd2
3e251b9bc0ea73d51ece10ddc491ad42
cd24e7ad8b856f40a0a368a2cc00ddc7
b6b9b0c4fbeba112ccccbef1c4781540
322584dd8fb5d636822f32896b0090a5
21582e08e01394381611465d254f88c9
6845288e2be0be1adbc3a3d4c6aaaa63

Office Document metadata seen in all samples:
Version 5.1
Code page: 949
Author: Tran Duy Linh
Template: Normal.dotm
Last Saved By: Tran Duy Linh
Revision Number: 2
Name of Creating Application: Microsoft Office Word
Total Editing Time: 04:00
Create Time/Date: Thu Nov 22 04:35:00 2012
Last Saved Time/Date: Thu Nov 22 04:39:00 2012
Number of Pages: 1
Number of Words: 5
Number of Characters: 34
Security: 0
Exploit related strings:
CONTROL MSComctlLib.Toolbar.2
Toolbar1, 0, 0, MSComctlLib, Toolbar


Yara rule for the dropper:
rule apt_actor_tran_duy_linh
{
    meta:
        info = "author"
    strings:
        // "Normal.dotm\0" (the Template property above), followed by the next
        // string property header: type 1E (VT_LPSTR), length 0x10, then
        // "Tran Duy Linh" (Last Saved By from the metadata above)
        $auth = { 4E 6F 72 6D 61 6C 2E 64 6F 74 6D 00 1E 00 00 00 10 00 00 00 54 72 61 6E 20 44 75 79 20 4C 69 6E 68 }
    condition:
        $auth
}
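As an added example (not part of the post or of Cryptam), the hex string in the rule above can be rebuilt from the metadata table: it is the template string followed by the next VT_LPSTR property in the SummaryInformation stream. Encoding the properties the way the sample lays them out (4-byte type, 4-byte length, NUL-terminated string padded to 4 bytes, with the padded length recorded, which is why the rule reads `10 00 00 00` for a 13-character name) reproduces the rule bytes exactly, and also shows how narrow the signature is: any other template name or author length breaks it. The layout constants are the standard OLE property-set ones; the ordering assumption (Template immediately followed by Last Saved By) is taken from the rule bytes themselves.

```python
"""Added example: rebuild the byte sequence matched by the Yara rule from the
document metadata, to show what the hex string encodes and how brittle it is."""
import struct

VT_LPSTR = 0x1E  # OLE property-set type for an 8-bit (code page) string

# The hex string from the Yara rule in the post.
RULE_PATTERN = bytes.fromhex(
    "4E 6F 72 6D 61 6C 2E 64 6F 74 6D 00 1E 00 00 00 10 00 00 00 "
    "54 72 61 6E 20 44 75 79 20 4C 69 6E 68"
)


def lpstr_property(text, codepage="cp949"):
    """Encode one VT_LPSTR property value as the sample's SummaryInformation
    stream lays it out: type, length, NUL-terminated string padded to a 4-byte
    boundary. The length field counts terminator and padding (0x10 for
    'Tran Duy Linh'), matching the bytes in the rule. Code page 949 is the
    one reported in the metadata above."""
    raw = text.encode(codepage) + b"\x00"
    padded = raw + b"\x00" * (-len(raw) % 4)
    return struct.pack("<II", VT_LPSTR, len(padded)) + padded


def signature_for(template, last_saved_by):
    """Template property immediately followed by the Last Saved By property,
    which is the adjacency the rule's hex string relies on."""
    return lpstr_property(template) + lpstr_property(last_saved_by)


def rule_matches(blob):
    """Equivalent of the rule's condition: does the $auth byte string occur?"""
    return RULE_PATTERN in blob


if __name__ == "__main__":
    blob = signature_for("Normal.dotm", "Tran Duy Linh")
    print(blob.hex(" "))
    print("rule matches:", rule_matches(blob))
    # A document by the same author but a different template does not match.
    print("different template:", rule_matches(signature_for("Normal.dot", "Tran Duy Linh")))
```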




Our Cryptam reports cover each of the MD5s listed above.

Additional C2 domains:
meetings.space-mars.com
HHGJGOCNGCDAGDGCDADCGFDDDEDDGF.terhec.com
web1.authorizeddns.org
gmaillogin.ddns.us

We believe several groups are using the same document exploit shell to conduct unrelated campaigns.

Thursday, June 6, 2013

Tomato Garden Campaign - Possible Microsoft Office zero day in the wild used against Tibet and China Democracy activists

Update: So far some of the samples are killed with MS12-060 but are not a known exploit, so this might be a new but already patched exploit. The purpose of this campaign might be to evade AV while going after users without the latest patch; all samples score 7 or 8 out of a maximum of 43 on VirusTotal.


We are currently examining 40 samples of an unconfirmed zero day in Microsoft Office circulating against Pro Democracy and Tibet activists. One of the exploit documents contains a "PittyTiger" payload; however, several different payload implants have been observed. The exploit is contained in a .doc file but could be delivered via RTF as well. We've seen attacks since June 4 2013 using payloads compiled on May 28, and some of the command and control domains have been registered as late as today, June 6 2013.

We have provided the samples to Microsoft and are awaiting confirmation.

We will release detection signatures for our Cryptam document malware scanner - free online scanning at Cryptam.com and more details soon.

We recommend taking extra precautions to not open DOC or RTF files received via email or weblinks at this time.


Update 1: Some of the command and control domains are using blog sites for C2. There are at least 4 different implants, so in all probability the exploit has been shared with multiple groups already. We have 40 unique MD5 hashes of OLE .doc files over the past 2 days. Cryptam has been updated with the detection signature - check suspicious docs here.

command and control domains (partial list):
board.nboard.net
98.126.9.34
comsskk.wordpress.com
comsskk.sosblogs.com
comsskk.livejournal.com
www.tigdiho.com
114.142.147.51
tianshao007.vicp.cc
rss.groups.yahoo.com
wut.mophecfbr.com
radiomusictv.wordpress.com
wikipedia.authorizeddns.org (pitty tiger)
login.aerotche.com (Creation date: 05 Jun 2013 13:58:00)
HHGJGOCNHIHADCCNDC.terhec.com (Creation date: 06 Jun 2013 07:24:00)
silence.phdns01.com
cpnet.phmail.us
imlang.phmail.org

Update 2: We extracted the following code signing certificates used in 3 of the samples:

code signing certificates:
VMWare (invalid):



Shenzhen OuMing Keji Co.,Ltd (expired):




Update 3: We're hearing the exploit may be older - patched with ms12-060 but not previously reported.

Wednesday, May 29, 2013

Tips for detecting cyber espionage attacks - how to find suspicious emails

State sponsored cyber espionage or targeted malware is most often delivered as email attachments or links within the body of an email. The other methods are compromised websites (waterhole attacks), and direct hacking via externally available systems such as servers and databases. Email is by far the most common and successful way to be targeted by a foreign state, but it's also best defended against by user awareness.

Typical Targets of APT

  • Human rights groups - Tibet, democracy etc.
  • Fortune 500
  • Military, foreign affairs, government, and contractors
  • Resources and energy
  • Communications
  • Aerospace
  • Transportation
  • Health Care
  • Emerging Technology
  • Companies that trade with or compete with China

Tips to detect suspicious emails:

  • Themes - socially engineered emails look somewhat related to your interests or business, but are often something general like a recent news event, or a related theme but not something you're involved with - like invitations or conference attendee lists for events you aren't involved with.
  • Attachments - RTF, DOC, XLS, PDF, PPT, DOCX, CHM, ZIP, RAR, 7Z, HLP, DMG, APK are common. In addition, links to external websites - if it's a link and you feel it might be safe, hover your mouse over it and check that the actual address matches up with the text.
  • Bad names - check the "from" name and the email signature at the bottom - do they match up?
  • Fake email addresses - while a lot of spear phishing comes from Yahoo (or rocketmail) and Hotmail addresses, often the name might be someone you've heard of - but is the address legitimate? Businesses - is the CEO or whoever really sending business related email from their webmail? Also, emails can be spoofed from any legitimate address, including from your organization or businesses that you work with - is the email unusual, or does it have major grammatical or spelling errors?
  • XLS files as a document - XLS files are a popular exploit format - if the email purports to have a document and not a spreadsheet, but the attachment is a XLS file, be suspicious.
  • Double content - the email body has the subject content, but there's a PDF or .doc file as well. Also, both a .doc and a PDF of supposedly the same content probably just have different exploits.
  • Password protected files - that mysterious zip, .doc, PDF file is sent to you with the password in the body of the email, don't open it if you weren't expecting it. Password protected files avoid most antivirus scanning.
  • Mobile malware - recent attacks have used emailed APK files.
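As an added example, not part of the original post, the checks in the list above can be applied mechanically to an RFC 822 message before a human looks at it. The script below parses a message with the standard library and reports each tip it trips: risky attachment extensions (the list from the post), a .doc plus a PDF of the same thing, an XLS where the mail talks about a document, a password in the body next to an archive or document, a named sender writing from a webmail domain, a From name that does not appear in the signature line, and link text that claims one host while the href points at another. The sample message, sender, file names and hosts are all constructed for the example; the heuristics are only as good as the list and are meant for triage, not a verdict.

```python
"""Added example: mechanical triage of a message against the spear-phishing
tips in the post. Sample mail is constructed; not the blog's or Cryptam's code."""
import email
import email.policy
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Attachment types named in the post as common exploit carriers.
RISKY_EXT = {"rtf", "doc", "xls", "pdf", "ppt", "docx", "chm", "zip", "rar", "7z", "hlp", "dmg", "apk"}
# Webmail domains the post calls out; a named business sender using one is odd.
WEBMAIL = {"yahoo.com", "rocketmail.com", "hotmail.com"}
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


def host(url):
    return (urlparse(url.strip()).hostname or "").lower()


def triage(raw):
    """Return a list of (tag, detail) findings for one raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    exts = {n.rsplit(".", 1)[-1].lower() for n in names if "." in n}
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""

    risky = exts & RISKY_EXT
    if risky:
        findings.append(("attachment", f"risky attachment types {sorted(risky)}"))
    if {"doc", "docx"} & exts and "pdf" in exts:
        findings.append(("double_content", "both a Word document and a PDF attached"))
    if "xls" in exts and re.search(r"\bdocument\b", text, re.I):
        findings.append(("xls_as_document", "mail talks about a document but attaches XLS"))
    if re.search(r"\bpassword\b", text, re.I) and exts & {"zip", "rar", "7z", "doc", "docx", "pdf"}:
        findings.append(("password", "password for the attachment is given in the body"))

    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    if name and domain in WEBMAIL:
        findings.append(("webmail", f"'{name}' sends from webmail domain {domain}"))
    # Signature check: does the From surname appear in the last non-empty line?
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if name and lines and name.split()[-1].lower() not in lines[-1].lower():
        findings.append(("name_mismatch", f"From '{name}' vs signature '{lines[-1]}'"))

    html = msg.get_body(preferencelist=("html",))
    if html:
        for href, label in LINK_RE.findall(html.get_content()):
            if re.match(r"https?://", label.strip()) and host(href) != host(label):
                findings.append(("link_mismatch", f"text {label.strip()} but target {href}"))
    return findings


def build_sample():
    """Constructed message exhibiting several of the tips at once."""
    msg = EmailMessage()
    msg["From"] = '"John Smith" <jsmith.office@yahoo.com>'
    msg["To"] = "analyst@example.org"
    msg["Subject"] = "Conference attendee list"
    msg.set_content("Please find the attached attendee list. The password is 1234.\n\nRegards,\nMary Jones\n")
    msg.add_alternative(
        '<p>Please find the attached attendee list.</p>\n'
        '<p><a href="http://login.example.net/list">http://www.example.org/list</a></p>\n',
        subtype="html")
    msg.add_attachment(b"\xd0\xcf\x11\xe0" + b"\x00" * 16, maintype="application",
                       subtype="msword", filename="Attendee List.doc")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="Attendee List.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for tag, detail in triage(build_sample()):
        print(f"{tag:16} {detail}")
```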

Defence

Avoidance: be aware that any business, organization or human rights group could be targeted by an APT, and educate users about the types of emails that should be investigated. If a user notices one attack, expect more: they can recur as often as daily, in some cases for years. If you're suspicious of the attachments or links, call the person who supposedly sent you the message to see if it's legitimate.

Patching: while zero day exploits regularly surface in APT attacks, attackers often target office document and PDF software, which is not patched as often as the operating system. In addition to your operating system and web browser, patch your Office and PDF applications and turn on automatic updating. We track the top threats for office documents and PDF documents.

Detection: Commercial AV will have a very low detection rate for targeted malware using document exploits. Upload and scan suspicious documents with Cryptam, and PDFs with PDFExaminer.

Example Phishing Email Resource

For some real life examples of some better socially engineered APT email attacks, check out the Contagiodump blog http://contagiodump.blogspot.com/2010/03/design-contest-top-ten-targeted-attack.html.

Tuesday, February 26, 2013

Yara Scanning added to command line tools

We've pushed out updates to the PDFExaminer and Cryptam command line versions tonight that include Yara scanning capability. Unlike running the standard Yara tool, our Yara plugin in PDFExaminer and Cryptam allows you to look deeper inside document files.


PDFExaminer CLI - Yara Related Features

  • Run Yara signatures against decoded streams such as FlateDecode, AsciiHex85, CCITTFaxDecode, and many more.
  • Run Yara signatures against decrypted streams of RC4/AES encrypted PDFs.
  • Run Yara signatures against decrypted parameter strings.

Cryptam CLI - Yara Related Features

  • Run Yara signatures against all the subfiles of OpenXML format documents such as docx, xlsx, pptx.
  • Run Yara signatures against decoded RTF datastreams.
  • Run Yara signatures against automatically decrypted embedded executables and dropped clean documents.

Automate your triage of incoming targeted APT attacks. Scan a malware RTF file, extract the executables, and identify the implant or intrusion set TTP with your own Yara signatures all in one step.
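An added example (not the Cryptam plugin's code) of the OpenXML point above: a pattern in `word/activeX/activeX1.xml` is invisible to a scanner that reads the raw .docx bytes, because each zip member is deflate-compressed, and only appears once the member is inflated. The container below is constructed, not a real Word file; the marker string is the Toolbar control name from the Tomato Garden post, and a plain regex stands in for the Yara rule so the example runs without the yara module.

```python
"""Added example: scanning OpenXML subfiles rather than the container bytes.
Constructed docx-like zip; a regex stands in for a Yara rule."""
import io
import re
import zipfile

# Control name from the exploit strings in the Tomato Garden post.
PATTERN = re.compile(rb"MSComctlLib\.[A-Za-z]+\.\d")
MAX_MEMBER = 50 * 1024 * 1024  # refuse to inflate oversized members (zip bomb guard)


def build_sample_docx():
    """Constructed container with the marker inside an ActiveX part. The padding
    makes the member compressible so deflate is actually used."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   "<w:document>" + "<w:t>agenda </w:t>" * 40 + "</w:document>")
        z.writestr("word/activeX/activeX1.xml",
                   "<ax:ocx>" + '<ax:ocxPr ax:name="Buttons"/>' * 30
                   + "CONTROL MSComctlLib.Toolbar.2</ax:ocx>")
    return buf.getvalue()


def scan_raw(container, pattern=PATTERN):
    """What a scanner that only reads the file bytes would see."""
    return [m.group().decode() for m in pattern.finditer(container)]


def scan_members(container, pattern=PATTERN):
    """Inflate every subfile and scan it; returns (member, offset, match)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(container)) as z:
        for info in z.infolist():
            if info.file_size > MAX_MEMBER:
                continue
            data = z.read(info.filename)
            for m in pattern.finditer(data):
                hits.append((info.filename, m.start(), m.group().decode()))
    return hits


if __name__ == "__main__":
    doc = build_sample_docx()
    print("raw container:", scan_raw(doc))
    print("inflated members:", scan_members(doc))
```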

More Yara integration to follow on our web-based version too. More info on Yara here.

Thursday, February 21, 2013

Using PDFExaminer to analyse Mandiant_APT2_Report.pdf

Here's a quick walkthrough on using PDFExaminer to triage the Mandiant_APT2_Report.pdf file reported by @9bplus on his blog.

We've added a new feature to the command line version of PDFExaminer to specify the user password for these types of encrypted documents:

$ php pdfex.php  -p "hello" Mandiant_APT2_Report.pdf summary key key_length
summary=72.0@1090: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
29.0@4378: suspicious.warning: object contains JavaScript
38.0@9351: suspicious.warning: object contains JavaScript
39.0@10793: suspicious.warning: object contains JavaScript
50.0@15082: suspicious.flash addFrameScript
50.0@15082: suspicious.flash Embedded Flash
50.0@15082: suspicious.flash Embedded Flash define obj
56.0@17726: suspicious.warning: object contains JavaScript
49.0@1095: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
key=1cb6525c0c
key_length=40


First - the flash file stands out pretty quickly:
$ md5 14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-*
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-21351c1165e65d2ec10ef60eb1d54fd6.stream) = 21351c1165e65d2ec10ef60eb1d54fd6
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-254b68d890b500bbe54902f5bf24cf32.stream) = 254b68d890b500bbe54902f5bf24cf32
MD5 (14a6e24977ff6e7e8a8661aadfa1a1f3/obj-50-gen-0-dup-15082-b1f31dc205e46ae6fbdb5ee10c1ce7a6.flash) = b1f31dc205e46ae6fbdb5ee10c1ce7a6


The compressed Flash file with MD5 254b68d890b500bbe54902f5bf24cf32 was previously submitted to Virustotal:

SHA256: f9202a5cd9007c62a212a33809815fddd498c78f8ea667415a9cacbc7aed313c
File name: s.txt
Detection ratio: 12 / 42
Analysis date: 2012-08-21 09:22:42 UTC ( 6 months ago )
 Exploit:SWF/CVE-2011-0611



Now that the PDF is decrypted, we can keep working through it. Object 64 is a whopping 315K; that one we'll run through Cryptam since it seems to be an encrypted exe:

$ php cryptam.php 14a6e24977ff6e7e8a8661aadfa1a1f3/obj-64-gen-0-dup-37244-9a21e72e04a011b2a6b50b31b7978bfd.stream summary has_exe key
summary=94: string.This program cannot be run in DOS mode
27750: string.GetCommandLineA
27936: string.GetProcAddress
28544: string.EnterCriticalSection
27690: string.CloseHandle
27676: string.CreateFileA
27734: string.KERNEL32
20995: string.ExitProcess
has_exe=1
key=12

There we can see that an exe encoded with a one byte XOR key (0x12) is contained in Object 64. The MZ header is incomplete, so the exe is not automatically extracted. We run the Cryptam multi tool to do this:

php cryptam_multi.php 14a6e24977ff6e7e8a8661aadfa1a1f3/obj-64-gen-0-dup-37244-9a21e72e04a011b2a6b50b31b7978bfd.stream -xor 12
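The step above, as an added example that is not Cryptam's code: when the MZ header is damaged, the key can still be recovered by trying all 256 single-byte keys and scoring each candidate by how many well-known PE strings it reveals (the DOS stub text and the import names Cryptam listed). Once the key is known, the DOS stub text locates the start of the image, since in a standard header it sits at offset 0x4E. The stream below is a constructed stand-in for Object 64, XORed with 0x12 and placed after some document bytes; no real malware is involved.

```python
"""Added example: single-byte XOR key recovery for an embedded executable whose
MZ header is damaged. Sample stream is constructed, not the Object 64 data."""

# Strings Cryptam reported for the stream; any of them survives a damaged header.
MARKERS = [b"This program cannot be run in DOS mode", b"KERNEL32",
           b"GetProcAddress", b"ExitProcess"]
DOS_STUB_TEXT_OFFSET = 0x4E  # where the stub text sits in a standard MZ header


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def score_key(data, key):
    """Number of marker strings visible after decoding with this key."""
    dec = xor_bytes(data, key)
    return sum(dec.count(m) for m in MARKERS)


def find_xor_key(data):
    """Return (key, score) for the best single-byte key, or None if nothing matched."""
    best = max(range(256), key=lambda k: score_key(data, k))
    score = score_key(data, best)
    return (best, score) if score else None


def locate_exe(data, key):
    """Decode with key and find the image start from the DOS stub text.
    Reports whether the MZ magic is intact and where the PE header is."""
    dec = xor_bytes(data, key)
    pos = dec.find(MARKERS[0])
    if pos < 0:
        return None
    start = max(pos - DOS_STUB_TEXT_OFFSET, 0)
    pe = dec.find(b"PE\x00\x00", start)
    return {
        "start": start,
        "mz_intact": dec[start:start + 2] == b"MZ",
        "pe_header": pe - start if pe >= 0 else None,
        "image": dec[start:],
    }


def build_sample():
    """Constructed stream: PE-like blob with the MZ magic zeroed, XORed with 0x12,
    after 204 bytes of unrelated document data."""
    exe = bytes(DOS_STUB_TEXT_OFFSET)  # header region, magic deliberately missing
    exe += b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 16
    exe += b"PE\x00\x00" + b"\x00" * 60
    exe += b"KERNEL32.dll\x00GetProcAddress\x00ExitProcess\x00"
    prefix = b"\xd0\xcf\x11\xe0" + bytes(range(200))
    return prefix + xor_bytes(exe, 0x12), len(prefix)


if __name__ == "__main__":
    stream, _ = build_sample()
    key, score = find_xor_key(stream)
    print(f"key=0x{key:02x} markers={score}")
    print(locate_exe(stream, key) | {"image": "..."})
```

The score function is deliberately coarse: a single hit on the DOS stub text is enough to pick the key, and the import names only add confidence. Because the sample's magic bytes are missing, `mz_intact` is False, which is the same condition that stops Cryptam's automatic extraction and makes the manual `-xor 12` step necessary.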

A quick strings shows a few interesting things:
AVG Firewall Asks for Confirmation
0x1A7B4C9F

And a google search leads to the Contagio blog:
Win32/Trojan.Agent.AXMO
and the same domain as @9bplus found - itsec[.]eicp[.]net. These attackers previously targeted MacOS and PCs with themes related to Tibet independence.

That's all for now. 

Wednesday, February 13, 2013

New PDF Zero Day

We are currently investigating a new Adobe Zero Day which does bypass the Sandbox protections of Reader 11.0.1 as reported by FireEye. We anticipate a patch to be released very quickly.

We recommend avoiding opening any PDF received by email or from a website until Adobe releases more information.

PDFExaminer does detect the zero day PDF as suspicious due to its use of JavaScript obfuscation techniques such as eval.