CVE-2012-0158 in Mime HTML MSO format still baffles AV + MH370 Theme

When we started working on the research for this blog post we were exploring Malaysia Airlines Flight 370 (MH370) malware lures using Yara to flag samples in Cryptam with the following rule:

rule theme_MH370 {
    meta:
        author = ""
        version = "1.0"
        date = "2014-04-09"
    strings:
        $callsign1 = "MH370" ascii wide nocase fullword
        $callsign2 = "MAS370" ascii wide nocase fullword
        $desc1 = "Flight 370" ascii wide nocase fullword
    condition:
        any of them
}

In addition to APT1's use of the lure in Word document 5e8d64185737f835318489fda46f31a6, which drops an updated version of Trojan Elise, we were surprised to see that one of the recent MH370 lures was a Mime MSO document exploiting MS Office Word vulnerability CVE-2012-0158, with a 0 detection rate on VirusTotal, dropping a variant of Vidgrab/Evilgrab. FireEye nicely covered a number of the MH370 campaigns in their March blog post. However, we could not find any reference in other reporting to the Mime MSO document MD5 0f765671a844190d74e985410fe31e8e "Where is MH370.doc", which had 0/51 detection. We were among the first to report that Mime MSO files were being used to exploit CVE-2012-0158 in Word (August 30, 2013 Malware Tracker Blog: "CVE-2012-0158 exploit evades AV in Mime HTML format"). At the end of this post we provide 4 other March 2014 0-detection file indicators from Cryptam samples to hopefully assist AV in improving detection rates for this threat.

Sample current as of this post on VirusTotal

Cryptam result showing CVE-2012-0158 plus a 256-byte XORed exe:

The CVE-2012-0158 trigger is not obfuscated but uses a class ID BDD1F04B-858B-11D1-B16A-00C0F0283628 to activate the vulnerable MSCOMCTL ActiveX control:

The class ID is disclosed in MS12-027 as vulnerable to CVE-2012-0158:
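
A static string match for this class ID can miss it when the MIME part that carries it is transfer-encoded. The following is an added detection example, not code from the original post or from Cryptam: it decodes every MIME part and searches for the class ID as ASCII text, UTF-16LE text and raw OLE GUID bytes. The sample document, its part names and its boundary are constructed for illustration.

```python
import base64, email, uuid

# Class ID named on this page (MSCOMCTL control listed in MS12-027).
CLSID = "BDD1F04B-858B-11D1-B16A-00C0F0283628"

def clsid_patterns(clsid=CLSID):
    """Byte forms the class ID can take once a part is decoded."""
    text = clsid.lower()
    return {"ascii": text.encode("ascii"),
            "utf16le": text.encode("utf-16-le"),
            "binary_guid": uuid.UUID(clsid).bytes_le}  # OLE on-disk byte order

def scan_mime_document(raw, clsid=CLSID):
    """Undo each MIME part's transfer encoding, then look for the class ID.
    Returns sorted (content_location, transfer_encoding, form) tuples."""
    hits = set()
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        name = part.get("Content-Location", part.get_content_type())
        cte = (part.get("Content-Transfer-Encoding") or "none").lower()
        for form, needle in clsid_patterns(clsid).items():
            # Text forms are matched case-insensitively, the raw GUID exactly.
            haystack = body if form == "binary_guid" else body.lower()
            if needle in haystack:
                hits.add((name, cte, form))
    return sorted(hits)

# Constructed, inert sample (made-up part names): class ID marker only, no exploit data.
SAMPLE = "\n".join([
    'Content-Type: multipart/related; boundary="b1"',
    "",
    "--b1",
    "Content-Location: doc.htm",
    "Content-Transfer-Encoding: quoted-printable",
    "Content-Type: text/html",
    "",
    '<object classid=3D"CLSID:BDD1F04B-858B-11D1-B=',  # soft line break
    '16A-00C0F0283628"></object>',
    "--b1",
    "Content-Location: editdata.mso",
    "Content-Transfer-Encoding: base64",
    "Content-Type: application/x-mso",
    "",
    base64.b64encode(b"\x00" * 8 + uuid.UUID(CLSID).bytes_le).decode(),
    "--b1--", ""]).encode("ascii")

print(scan_mime_document(SAMPLE))
```

Neither form of the class ID is present in the raw bytes of the constructed sample; both are found only after the parts are decoded.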

Other 0 detection samples:
517782778e296fade32ce3fd2330afc8 "0319 Montsame.doc" (mwtracker comment: Mongolia) 2014-03-20T02:14:45.000Z 0/50

f721f3a22ad26105a8894ce967c02e32 "內政部公文.doc" (mwtracker comment: Taiwan) 2014-03-10T00:22:23.000Z  0/50

f851e312899d11abe39390cb6a21f982 "保釣信頭2012.doc" (mwtracker comment: Taiwan) 2014-03-07 07:05:26 0/50

82542d9913301396f6f1a676c9b93f58 "Iltgeh huudas_revised.doc"  (mwtracker comment: Estonia) 2014-03-05 07:54:10 0/50

Some of the samples appear to drop a vidgrab/evilgrab variant and another not-yet-identified implant.

Cryptam Malware Document Analyzer + imphash

The web and suite versions of the Cryptam document malware analysis system now calculate the imphash of embedded/dropped executables when possible and store this value within the dropped file info for searching. The imphash is an executable similarity hash based on the Import Address Table order and is included in Cryptam is designed to statically extract the xor/rol/ror/not obfuscated executables from malware documents such as RTF, MS Office, or PDF files and can automatically process the dropped files with Yara or an external sandbox.

This new feature allows you to link dropper executables to current or past attack campaigns, and to cross-reference older samples that may already have been identified with Yara signatures but have since been modified to evade the unique static string matching common to many Yara signatures.

Imphash searching is available to registered users under Advanced Search - drop_files like <your imphash>.

Searching the example imphash c948ebda9bd9367f9fc50e01020766c8, dropped by RTF b2b8127bae5b61e258b17dc057338075 (24 / 51 on VirusTotal, April 11 2014), shows a number of dropped samples, some of which have been identified as the malware called "Safe", related to Lurid. This sample beacons to www[.]getapencil[.]com, visible in the executable's strings extracted by Cryptam.

