Thursday, June 6, 2013

Tomato Garden Campaign - Possible Microsoft Office zero day in the wild used against Tibet and China Democracy activists

Update: So far some of the samples are stopped by MS12-060 but do not match a known exploit, so this might be a new but already-patched exploit. The purpose of this campaign might be to evade AV while going after users without the latest patch: all samples score 7 or 8 out of a maximum of 43 on VirusTotal.


We are currently examining 40 samples of an unconfirmed zero-day in Microsoft Office circulating against pro-democracy and Tibet activists. One of the exploit documents contains a "PittyTiger" payload; however, several different payload implants have been observed. The exploit is contained in a .doc file but could be delivered via RTF as well. We've seen attacks since June 4, 2013 using payloads compiled on May 28, and some of the command and control domains have been registered as late as today, June 6, 2013.

We have provided the samples to Microsoft and are awaiting confirmation.

We will release detection signatures for our Cryptam document malware scanner (free online scanning at Cryptam.com) and more details soon.

We recommend taking extra precautions to not open DOC or RTF files received via email or weblinks at this time.
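Because the exploit rides in an OLE .doc and could equally arrive as RTF, mail-gateway triage should look at the file content rather than the extension (Word will happily open an RTF body renamed to .doc). The following is an added example, not code from the original post or from Cryptam: it classifies a blob as an OLE2 compound document or RTF by its leading bytes, flags an extension/content mismatch, and marks the file for holding. The sample inputs are constructed inline.

```python
"""Content-based triage for DOC/RTF attachments (added example)."""

# OLE2 / Compound File Binary header, the first 8 bytes of a classic .doc
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# RTF documents begin with the control word {\rtf (typically {\rtf1)
RTF_MAGIC = b"{\\rtf"

# Extensions whose content we expect to be a particular container
EXPECTED_KIND = {"doc": "ole2", "dot": "ole2", "rtf": "rtf"}


def classify_bytes(data: bytes) -> str:
    """Return 'ole2', 'rtf' or 'other' based on the file's leading bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    # RTF readers tolerate leading whitespace, so tolerate it here too
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def triage(filename: str, data: bytes) -> dict:
    """Classify one attachment and decide whether to hold it for inspection.

    'hold' is True for any OLE2 or RTF body (the containers used by this
    campaign) and for any file whose extension disagrees with its content.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = classify_bytes(data)
    expected = EXPECTED_KIND.get(ext)
    mismatch = expected is not None and expected != kind
    return {
        "file": filename,
        "kind": kind,
        "ext_mismatch": mismatch,
        "hold": kind in ("ole2", "rtf") or mismatch,
    }


# Constructed sample bodies (not real campaign samples)
SAMPLES = {
    "report.doc": OLE2_MAGIC + b"\x00" * 24,           # genuine OLE2 .doc
    "invite.doc": b"{\\rtf1\\ansi\\deff0 {\\fonttbl}}",  # RTF disguised as .doc
    "notes.txt": b"plain text, nothing to see",       # harmless
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(triage(name, body))
```

The OLE2 signature is the same one a document scanner keys on before parsing streams; the mismatch check catches the common trick of shipping an RTF exploit under a .doc name so that the recipient's mail filter treats it as a Word binary.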


Update 1: Some of the command and control domains are using blog sites for C2. There are at least 4 different implants, so in all probability the exploit has already been shared with multiple groups. We have 40 unique MD5 hashes of OLE .doc files over the past 2 days. Cryptam has been updated with the detection signature - check suspicious docs here.

command and control domains (partial list):
board.nboard.net
98.126.9.34
comsskk.wordpress.com
comsskk.sosblogs.com
comsskk.livejournal.com
www.tigdiho.com
114.142.147.51
tianshao007.vicp.cc
rss.groups.yahoo.com
wut.mophecfbr.com
radiomusictv.wordpress.com
wikipedia.authorizeddns.org (pitty tiger)
login.aerotche.com (Creation date: 05 Jun 2013 13:58:00)
HHGJGOCNHIHADCCNDC.terhec.com (Creation date: 06 Jun 2013 07:24:00)
silence.phdns01.com
cpnet.phmail.us
imlang.phmail.org

Update 2: We extracted the following code signing certificates used in 3 of the samples:

code signing certificates:
VMWare (invalid)
Shenzhen OuMing Keji Co.,Ltd (expired)

Update 3: We're hearing the exploit may be older - patched with ms12-060 but not previously reported.
