Friday, June 7, 2013

Tomato Garden Campaign: Part 2 - An Old "New" Exploit

Following up on our previous post, our analysis has shown that the exploit is patched by MS12-060; however, it is not CVE-2012-1856, which deals with the MSCOMCTL.OCX TabStrip control.

The exploit we found used in targeted spear phishing in the wild uses the Toolbar ActiveX control, not TabStrip, to create a stack overflow. This "new" exploit is nonetheless mitigated by the MS12-060 patch, which makes it old. Most of the samples extract a 256 byte XORed executable after offset 0x8000.

As the exploit is only indirectly patched, we are releasing all the related identifiers in the hope that commercial AV can increase their detection rates for it. The current top document exploit is CVE-2012-0158; since this new exploit requires a later patch to fix and has lower detection rates than both CVE-2012-0158 and CVE-2012-1856, we expect it to become even more popular.
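The paragraphs above describe the payload as an executable XORed into the document beyond offset 0x8000. The script below is an added example, not Cryptam's code or the original post's: it carves such a payload using a frequency heuristic (a PE image is mostly 0x00 bytes, so in each key column the most common ciphertext byte is the key byte itself), then validates the result by walking the decoded bytes for an MZ header whose e_lfanew points at a PE signature. The 256-byte key length is our reading of the post's "256 byte xored" wording, the 0x8000 start offset comes from the post, and the sample document, PE image and key are all constructed here.

```python
"""Carve a repeating-key XOR-encoded PE from the tail of a document (added example)."""
from collections import Counter
import struct

KEY_LEN = 256       # assumed repeating-key length (our reading of "256 byte xored")
SCAN_FROM = 0x8000  # the post reports the encoded executable sits after this offset


def recover_key(region: bytes, key_len: int = KEY_LEN) -> bytes:
    """Guess each key byte from the most common ciphertext byte in its column.

    PE images are dominated by 0x00 bytes (header padding, section slack,
    zero-filled data), so in column i the value key[i] ^ 0x00 == key[i] wins.
    The key comes back rotated by (payload start mod key_len); decoding with the
    rotated key still yields plaintext, and carve_xored_pe() realigns it."""
    key = bytearray(key_len)
    for i in range(key_len):
        column = region[i::key_len]
        if column:
            key[i] = Counter(column).most_common(1)[0][0]
    return bytes(key)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; used both to build the sample and to decode it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_pe(decoded: bytes):
    """Offset of the first 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature, else None."""
    pos = decoded.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(decoded):
            e_lfanew = struct.unpack_from("<I", decoded, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # 0x40..0x1000 is a sanity bound for real-world headers, not a format rule
            if 0x40 <= e_lfanew < 0x1000 and decoded[pe:pe + 4] == b"PE\x00\x00":
                return pos
        pos = decoded.find(b"MZ", pos + 1)
    return None


def carve_xored_pe(doc: bytes, scan_from: int = SCAN_FROM, key_len: int = KEY_LEN):
    """Return (file offset, key aligned to the PE, decoded bytes from the PE on), or None."""
    region = doc[scan_from:]
    rotated = recover_key(region, key_len)
    decoded = xor_bytes(region, rotated)
    pos = find_pe(decoded)
    if pos is None:
        return None
    shift = pos % key_len
    key = rotated[shift:] + rotated[:shift]  # key[0] now lines up with the 'M' of 'MZ'
    return scan_from + pos, key, decoded[pos:]


# --- constructed sample (not a real Tomato Garden document) ---------------------

def build_fake_pe(size: int = 0x4000) -> bytes:
    """Stand-in for a PE image: DOS header, stub text, PE signature, sparse body."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)           # e_lfanew -> PE signature
    stub = b"This program cannot be run in DOS mode.\r\n$"
    img[0x40:0x40 + len(stub)] = stub
    img[0x80:0x84] = b"PE\x00\x00"
    for i in range(0x100, size, 7):                   # sparse non-zero "code" bytes
        img[i] = (i * 31) & 0xFF
    return bytes(img)


def _filler(n: int, start: int) -> bytes:
    """Deterministic, varied 'document' bytes standing in for the host file."""
    return bytes(((start + i) * 131 + 7) & 0xFF for i in range(n))


SAMPLE_PE = build_fake_pe()
SAMPLE_KEY = bytes((i * 73 + 11) & 0xFF for i in range(KEY_LEN))   # constructed key
# 0x8003 bytes of host document in front, so the payload is NOT key-aligned with 0x8000
SAMPLE_DOC = (_filler(0x8003, 0)
              + xor_bytes(SAMPLE_PE, SAMPLE_KEY)
              + _filler(0x200, 0x8003 + len(SAMPLE_PE)))

if __name__ == "__main__":
    hit = carve_xored_pe(SAMPLE_DOC)
    if hit:
        off, key, payload = hit
        print("XORed PE at 0x%X, key starts %s, %d bytes carved" % (off, key[:8].hex(), len(payload)))
    else:
        print("no XORed PE found")
```

The carved bytes run from the MZ header to the end of the scanned region, so a real triage script would trim them using the section table; that step is left out here. The heuristic only works while the encoded executable dominates the region after the start offset, which is why a large trailing blob of document data can skew the key guess.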

MD5s:
bee6ca093f0f2cdbd27969e9f4f1d9a0
28460cc1133af9a4b2ec8f962d5541cc
5e1f769ef6ce93a10bb59709042ce813
928bbd99330f540cd55874f2098be948
161c840748df9b49fda878394398425a
f5e8b5f370541dcc1562dce0ce703d3d
9eda92fe59ef15349795b2b6a350a481
a83d1d8330e69bdf5ebb994834f90375
370e2ebe5d72678affd39264a0d2fedd
1ad836efc8b64d242c97e0d4bf414e5e
a9c640ce3ddea0ed2fc8923212398a1d
c366fdf495a57f151b7ba0f3f8575699
4284624ae7db18678be38f4a2814d623
acb3eff692374deb9b808834bf02eb65
ad7c5b7c3e5cc79b7b3ff94f031c5fce
1300cbeaf1ade8866f3dc1f362fb63e9
d561f8de3a07669705b1158af8c339af
770a5a1683caa26caaa1531c2ed5e626
f989ac92a714b1b7c57a0fe51e0b5f43
6d84f7e0a2bc6de1cf9a647faa58d657
46b057317708d31874cd704e0d9b4ca9
bfc96694731f3cf39bcad6e0716c5746
1947d3ef9aaec927770fbaa17a6d1f8f
b137cd372af2988696e4adc753bd0765
fc6a07d3419e794ce76badfe683aee11
888502627009ac5be851d01107485327
c49e4904c9add5f8da5085033b1a4d73
56fc7ed9eabe68d5052deab15c62064f
8e0062ff9f405c872689a3876bac65cc
65b7b608ece82fa0e8d6e282ef375b69
d538a5dbbf53f6115e7582fb85cf0f33
b916950e2d51220915cd40c4878d7e25
d2a2ffc54ad7b591c7e0a62249ff8fe9
eeb892070bf677dda7e611d111442813
70286e6a77d827e77611980bd065f890
d4421591ba77976bd6e347527d129dd2
3e251b9bc0ea73d51ece10ddc491ad42
cd24e7ad8b856f40a0a368a2cc00ddc7
b6b9b0c4fbeba112ccccbef1c4781540
322584dd8fb5d636822f32896b0090a5
21582e08e01394381611465d254f88c9
6845288e2be0be1adbc3a3d4c6aaaa63

Office Document metadata seen in all samples:
Version 5.1
Code page: 949
Author: Tran Duy Linh
Template: Normal.dotm
Last Saved By: Tran Duy Linh
Revision Number: 2
Name of Creating Application: Microsoft Office Word
Total Editing Time: 04:00
Create Time/Date: Thu Nov 22 04:35:00 2012
Last Saved Time/Date: Thu Nov 22 04:39:00 2012
Number of Pages: 1
Number of Words: 5
Number of Characters: 34
Security: 0

Exploit-related strings:
CONTROL MSComctlLib.Toolbar.2
Toolbar1, 0, 0, MSComctlLib, Toolbar


Yara rule for the dropper:
rule apt_actor_tran_duy_linh
{
    meta:
        info = "author"
    strings:
        $auth = { 4E 6F 72 6D 61 6C 2E 64 6F 74 6D 00 1E 00 00 00 10 00 00 00 54 72 61 6E 20 44 75 79 20 4C 69 6E 68 }
    condition:
        $auth
}
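The hex string in the rule above is not an opaque blob: it is the tail of the Template property value ("Normal.dotm" plus its NUL), followed by the type tag (1E 00 00 00, VT_LPSTR) and size (10 00 00 00, the 13-character name plus NUL padded to 16 bytes) of the next property value, which in an Office-written SummaryInformation stream is Last Saved By, followed by the name itself. The script below is an added example, not the post's or Cryptam's code: it applies the same literal match as the rule and also decodes the property generically, so a triage script can log whatever "Last Saved By" value follows the template rather than only the one name. The sample byte strings are constructed fragments, and the cp949 decode follows the code page reported in the metadata above.

```python
"""Decode the property-set bytes behind the Yara rule (added example)."""
import struct
from typing import Optional

VT_LPSTR = 0x001E  # OLE property-set type tag for a code-page (8-bit) string

# The rule's hex string, split into the fields it encodes:
TEMPLATE_MARKER = b"Normal.dotm\x00"          # 4E 6F ... 6D 00: end of the Template value
NEXT_TYPE = struct.pack("<I", VT_LPSTR)        # 1E 00 00 00: type of the next value
NEXT_SIZE = struct.pack("<I", 0x10)            # 10 00 00 00: 13 chars + NUL, padded to 16
AUTHOR = b"Tran Duy Linh"                      # 54 72 ... 68
YARA_AUTH = TEMPLATE_MARKER + NEXT_TYPE + NEXT_SIZE + AUTHOR


def matches_yara_rule(data: bytes) -> bool:
    """Same test the rule makes: the literal byte sequence is present anywhere."""
    return YARA_AUTH in data


def lpstr_after_template(data: bytes) -> Optional[str]:
    """Decode the VT_LPSTR value stored right after the Template property.

    Office writes SummaryInformation values in property-ID order, so the value
    after Template (PID 7) is Last Saved By (PID 8).  Returns None when the
    marker is absent, the next value is not a VT_LPSTR, or the data is cut off."""
    pos = data.find(TEMPLATE_MARKER)
    if pos == -1:
        return None
    off = pos + len(TEMPLATE_MARKER)
    if off + 8 > len(data):
        return None
    vtype, size = struct.unpack_from("<II", data, off)
    if vtype != VT_LPSTR or size == 0 or off + 8 + size > len(data):
        return None
    raw = data[off + 8:off + 8 + size]
    # the size covers the NUL terminator and any padding; keep only the text
    return raw.split(b"\x00", 1)[0].decode("cp949", errors="replace")


# Constructed fragments mimicking the relevant slice of a SummaryInformation stream
SAMPLE_MATCH = (b"\x00" * 8 + YARA_AUTH + b"\x00\x00\x00"
                + struct.pack("<II", VT_LPSTR, 4) + b"2\x00\x00\x00")   # Revision "2" follows
SAMPLE_OTHER = (b"\x00" * 8 + TEMPLATE_MARKER
                + struct.pack("<II", VT_LPSTR, 8) + b"Alice\x00\x00\x00")

if __name__ == "__main__":
    for name, blob in (("match", SAMPLE_MATCH), ("other", SAMPLE_OTHER)):
        print(name, matches_yara_rule(blob), lpstr_after_template(blob))
```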
Our Cryptam reports are available for each of the MD5s listed above.

Additional C2 domains:
meetings.space-mars.com
HHGJGOCNGCDAGDGCDADCGFDDDEDDGF.terhec.com
web1.authorizeddns.org
gmaillogin.ddns.us

We believe several groups are using the same document exploit shell to conduct unrelated campaigns.
