Tuesday, December 23, 2014

Merry Christmas From Malware Tracker or "Christmas Card For You.doc"

Merry Christmas and happy holidays from all of us.

And your obligatory MS12-060 (MSCOMCTL.OCX, CVE-2012-1856) malware Christmas card:

Christmas Card For You.doc
MD5 0dbe90b1dca29e2daf28ff789b3d43d3
SHA-1 71999500915dff038dc2d39facecbfbb5a907f96
SHA-256 093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a
Dropper imphash: 18ddf28a71089acdbab5038f58044c0a
C2 IP: 210.209.127.8:443
Possibly related domains: boshman09.com (resolves to same IP 210.209.127.8)

rule malware_kis
{
    meta:
        date = "December 22, 2014"
        desc = "Christmas Card for you malware"
        ref = "https://www.malwaretracker.com/docsearch.php?hash=0dbe90b1dca29e2daf28ff789b3d43d3"
        MD5 = "0dbe90b1dca29e2daf28ff789b3d43d3"
        author = "@mwtracker www.malwaretracker.com"
    strings:
        // PDB path string recovered from the dropper
        $s1 = "\\kis(by XC)\\MYDLL\\Release\\MYDLL.pdb"
    condition:
        all of them
}

You can view our automated Cryptam report on this sample as well as the extracted dropper's strings in Cryptam.

Thursday, December 11, 2014

CVE-2014-4114/CVE-2014-6352 Evade AV by removing read access in zip structure

We recently came across a CVE-2014-4114/CVE-2014-6352 sample (MD5 c69978405ecbb4c5691325ccda6bc1c0) which uses the Zip central directory of the OpenXML ppsx container to assign no access permissions to the part holding the exploit. Each central directory entry carries an external file attributes field which, for archives marked as made on Unix, holds Unix mode bits; an automated analysis system that extracts the archive with a tool honouring those bits (Info-ZIP unzip on a Unix-like host does) ends up with the exploit file written as mode 000, which an unprivileged analysis process cannot read. The exploit still works in Microsoft PowerPoint, which reads the parts straight out of the container and ignores the Zip permission attributes. This PowerPoint exploit is usually delivered by email and has been used by both espionage and criminal groups.

An early version of the exploit with normal file access permissions (screenshot in the original post).

The new c69978405ecbb4c5691325ccda6bc1c0 with no user read permissions (screenshot in the original post).
This modification to the file permissions does appear to lower detection rates when compared with another recent version of a similar exploit.

VT detection rate of 23/56 for the version with read access (VirusTotal screenshot in the original post).

VT detection rate of only 13/56 for the version with no read access to the exploit; most of the major AV engines do not detect it (VirusTotal screenshot in the original post).
Our Cryptam document malware analysis engine has also been updated to reset the permissions on files embedded in docx/ppsx/pptx/xlsx containers so that every part is readable during processing.
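The following is an added example, not code from the original post or from Cryptam. It builds a constructed ppsx-like zip (the part names and contents are made up and are not taken from the c69978405ecbb4c5691325ccda6bc1c0 sample), marks the entry standing in for the exploit as a Unix regular file with mode 000 in the central directory, shows that a zip parser still reads the part (as PowerPoint does), flags entries whose stored mode has no read bits (the check an analysis pipeline wants), and rewrites the archive with 0644 on every entry before extraction, which is the normalisation described for Cryptam above. The stand-in path ppt/embeddings/oleObject1.bin is an assumption chosen because OpenXML stores embedded objects under ppt/embeddings/.

```python
import io
import zipfile

# Constructed stand-in for an OpenXML ppsx container: a few XML parts plus one
# embedded-object part standing in for the exploit. Names and contents are
# invented for this example; they are not from any real sample.
EXPLOIT_PART = "ppt/embeddings/oleObject1.bin"
PARTS = {
    "[Content_Types].xml": b"<Types/>",
    "ppt/presentation.xml": b"<presentation/>",
    EXPLOIT_PART: b"CONSTRUCTED STAND-IN FOR THE OLE PACKAGER OBJECT",
}

CREATE_SYSTEM_UNIX = 3   # "version made by" host = Unix: the high 16 bits of
                         # external_attr are then interpreted as st_mode
S_IFREG = 0o100000       # regular-file type bits
READ_BITS = 0o444        # read permission for owner, group and other
NORMAL_MODE = S_IFREG | 0o644
NO_ACCESS_MODE = S_IFREG  # regular file with mode 000


def build_sample(strip_read):
    """Return a ppsx-like zip; with strip_read=True the exploit part gets mode 000."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in PARTS.items():
            zi = zipfile.ZipInfo(name, date_time=(2014, 12, 11, 0, 0, 0))
            zi.compress_type = zipfile.ZIP_DEFLATED
            zi.create_system = CREATE_SYSTEM_UNIX
            mode = NO_ACCESS_MODE if (strip_read and name == EXPLOIT_PART) else NORMAL_MODE
            zi.external_attr = mode << 16   # Unix mode lives in the upper half
            zf.writestr(zi, data)
    return buf.getvalue()


def unix_mode(zi):
    """Permission bits stored in the central directory entry for this part."""
    return (zi.external_attr >> 16) & 0o7777


def unreadable_parts(blob):
    """Entries that a permission-honouring extractor (e.g. unzip) would write as unreadable."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [
            zi.filename
            for zi in zf.infolist()
            if zi.create_system == CREATE_SYSTEM_UNIX
            and not zi.is_dir()
            and (unix_mode(zi) & READ_BITS) == 0
        ]


def read_part(blob, name):
    """Read a part straight from the archive; the permission attribute is ignored,
    which is why the exploit still loads in PowerPoint."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)


def make_readable(blob):
    """Rewrite the archive with mode 0644 on every entry, preserving content and
    compression, so extraction-based scanners can read all parts."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(out, "w") as dst:
        for zi in src.infolist():
            fixed = zipfile.ZipInfo(zi.filename, date_time=zi.date_time)
            fixed.compress_type = zi.compress_type
            fixed.create_system = CREATE_SYSTEM_UNIX
            fixed.external_attr = NORMAL_MODE << 16
            dst.writestr(fixed, src.read(zi))
    return out.getvalue()


if __name__ == "__main__":
    evasive = build_sample(strip_read=True)
    print("entries with no read permission:", unreadable_parts(evasive))
    print("still readable through the zip parser:", read_part(evasive, EXPLOIT_PART))
    print("after normalisation:", unreadable_parts(make_readable(evasive)))
```

Running the script shows the exploit part flagged as unreadable while read_part still returns its bytes; after make_readable the flagged list is empty. The check deliberately only trusts the mode bits when the entry claims a Unix origin, since for other "version made by" hosts the upper half of the field means something else.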