Friday, August 30, 2013

CVE-2012-0158 exploit evades AV in Mime HTML format

Since the end of April 2013 we've been seeing APT1, the NetTraveler/Netshark/Surtr group and others use Mime-MSO format files to deliver CVE-2012-0158 exploits to victims in spear phishing attacks.  By packaging the exploit within a Mime document instead of RTF or OLE Word document, the attackers appear to avoid detection by half or more of the AV products on VirusTotal.

The malicious file, although its content is MIME and HTML, is normally given a .doc or .rtf extension so that it opens as a Microsoft Office document. The content resembles a MIME e-mail or a single-file web archive:

Unlike the RTF version of the CVE-2012-0158 exploit, the Mime version has received very little exposure and still bypasses many AV products even though it makes no attempt at obfuscation.

This CVE-2012-0158 Mime delivery method was previously reported in May 2013 by Antiy Labs [PDF http://www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf].

Instead of referencing the vulnerable control by class name, as the RTF version does, the Mime version references it by class ID, such as BDD1F04B-858B-11D1-B16A-00C0F0283628 (the ListView ActiveX control, MS12-027 / CVE-2012-0158), alongside base64-encoded document content:

This format can also be used to deliver Shockwave Flash exploits within MS Office.
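As an added example (not code from the original post, and not Cryptam's own detection logic), the following Python script performs the two checks the description above suggests for a defender: whether a file carrying an Office extension is actually MIME/HTML content, and whether any MIME part, once its transfer encoding (base64 or quoted-printable) is removed, references the ListView control CLSID BDD1F04B-858B-11D1-B16A-00C0F0283628 either as the dashed hex string or as the 16-byte binary GUID. The document it builds is constructed for the demonstration and is not one of the samples listed below; the w:ocx markup and the oledata.mso part are assumptions about layout, not details taken from the post. It does not unpack compressed embedded streams, so a CLSID present only inside such data will not be found by this check.

```python
import base64
import re
import uuid
from email import message_from_bytes
from pathlib import PurePath

# CLSID named in the post: MSCOMCTL.OCX ListView control (MS12-027 / CVE-2012-0158).
LISTVIEW_CLSID = "BDD1F04B-858B-11D1-B16A-00C0F0283628"
# The same GUID as stored in OLE/ActiveX binary streams: first three fields
# little-endian, last eight bytes in order.
LISTVIEW_GUID_LE = uuid.UUID(LISTVIEW_CLSID).bytes_le

OFFICE_EXTENSIONS = {".doc", ".dot", ".rtf", ".xls", ".ppt"}
MIME_HEADER_RE = re.compile(rb"^(MIME-Version|Content-Type):", re.I | re.M)


def looks_like_mime(data: bytes) -> bool:
    """True when RFC 822-style MIME headers start a line within the first 4 KiB."""
    return MIME_HEADER_RE.search(data[:4096]) is not None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """Office extension on a file whose bytes are a MIME/HTML document."""
    return PurePath(filename).suffix.lower() in OFFICE_EXTENSIONS and looks_like_mime(data)


def find_listview_refs(data: bytes) -> list:
    """Return (content-location, form) for each leaf MIME part referencing the ListView CLSID.

    form is "text-clsid" when the dashed hex string is present after transfer
    decoding, "binary-guid" when the 16-byte little-endian GUID is present.
    """
    hits = []
    for part in message_from_bytes(data).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64 / quoted-printable
        where = part.get("Content-Location") or part.get_content_type()
        if re.search(LISTVIEW_CLSID.encode(), payload, re.I):
            hits.append((where, "text-clsid"))
        if LISTVIEW_GUID_LE in payload:
            hits.append((where, "binary-guid"))
    return hits


def triage(filename: str, data: bytes) -> dict:
    """Combine both checks into one record for an analyst or a detection pipeline."""
    return {
        "mime_with_office_extension": extension_mismatch(filename, data),
        "listview_refs": find_listview_refs(data),
    }


def build_sample() -> bytes:
    """Constructed Mime-MSO-style document for the demonstration (not a real sample).

    Assumed layout: an HTML part carrying a w:ocx element with the CLSID, and an
    application/x-mso part in which the GUID appears in binary form.
    """
    html = (b"<html><body><p>Draft agenda</p>"
            b'<w:ocx w:classid="clsid:' + LISTVIEW_CLSID.lower().encode() + b'"></w:ocx>'
            b"</body></html>")
    mso = b"\x00" * 32 + LISTVIEW_GUID_LE + b"\x00" * 32
    boundary = b"----=_NextPart_000_0000"
    return b"\r\n".join([
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/related; boundary="' + boundary + b'"',
        b"",
        b"--" + boundary,
        b"Content-Location: file:///C:/agenda.htm",
        b"Content-Transfer-Encoding: base64",
        b"Content-Type: text/html; charset=us-ascii",
        b"",
        base64.b64encode(html),
        b"--" + boundary,
        b"Content-Location: file:///C:/agenda_files/oledata.mso",
        b"Content-Transfer-Encoding: base64",
        b"Content-Type: application/x-mso",
        b"",
        base64.b64encode(mso),
        b"--" + boundary + b"--",
        b"",
    ])


if __name__ == "__main__":
    print(triage("Draft Agenda.doc", build_sample()))
```

Run `triage(name, open(path, "rb").read())` over mail attachments or a sample share; a hit on either check is a reason to pull the file for analysis, not a verdict by itself, since legitimate Word MHT documents can embed the same control.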

We've seen 3 identified groups, including APT1, using this exploit to deliver over 6 different trojans.

Our Cryptam online scanner detects this threat as "exploit.office MSO MSCOMCTL.OCX RCE CVE-2012-0158".

References:

APT1 / "Operation Beebus" / WARP:
7c55a62b935171d1c0bb6d3a923e7436 Draft Agenda_PCC V3.doc
b08fae5abbde4c329694c220ef6745d0

NetTraveler:
d04655b17aea031e0037892979c91bb4
64fcd0d90dc9eb18d9a700ee4a6cd8de
5079b547a35c3dae23ca3ced917b8f36

Netshark:
b82495293512bd83a9ecdc74537e7623
b1d70421c051509b3759519fe9231fac
59f14e75f0cedd71d9219eb1ff1a19ea

Surtr:
6ff9a5a80fabe8da9d57576a5f60a3c4
712baec89f77f9dc3d91955cbef2410e
f0ed27704bf90d38f10d1e195833fd4e
4e25355848ce2dd843a6ed74254a54f7