Thursday, June 6, 2013

Tomato Garden Campaign - Possible Microsoft Office zero day in the wild used against Tibet and China Democracy activists

Update: So far some of the samples are blocked by the MS12-060 patch but do not match a known exploit, so this might be a new, already-patched exploit. The purpose of this campaign might be to evade AV while going after users without the latest patch: all samples score 7 or 8 of 43 engines on VirusTotal.

We are currently examining 40 samples of an unconfirmed zero-day in Microsoft Office circulating against pro-democracy and Tibet activists. One of the exploit documents contains a "PittyTiger" payload; however, several different payload implants have been observed. The exploit is contained in a .doc file but could be delivered via RTF as well. We've seen attacks since June 4, 2013 using payloads compiled on May 28, and some of the command and control domains have been registered as late as today, June 6, 2013.

We have provided the samples to Microsoft and are awaiting confirmation.

We will release detection signatures for our Cryptam document malware scanner - free online scanning at and more details soon.

We recommend taking extra precautions to not open DOC or RTF files received via email or weblinks at this time.

Update 1: Some of the command and control domains are using blog sites for C2. There are at least 4 different implants, so in all probability the exploit has been shared with multiple groups already. We have 40 unique MD5 hashes of OLE .doc files over the past 2 days. Cryptam has been updated with the detection signature - check suspicious docs here.
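The post recommends not opening DOC or RTF attachments for now, and notes that the exploit ships as an OLE .doc but could equally arrive as RTF, with the samples tracked by MD5. The following is an added example of a mail-gateway triage check for that advice; it is not Cryptam's code or any code from the original post. It identifies legacy Office containers by their magic bytes rather than by extension (Word opens RTF content even when the file is named .doc), flags extension/content mismatches, and compares the MD5 against a blocklist. The `KNOWN_BAD_MD5` set and the sample attachments are constructed placeholders, since the post does not publish its hashes.

```python
import hashlib
import os

# Magic prefixes of the two container formats the post names.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # Compound File Binary (legacy .doc)
RTF_MAGIC = b"{\\rt"                              # "{\rtf1..." in practice; Word tolerates "{\rt"

# Placeholder blocklist: in production this would hold the campaign's MD5s.
KNOWN_BAD_MD5 = set()


def classify(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring the file name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"  # OOXML (.docx) or any other zip; not the format discussed here
    return "unknown"


def triage(filename: str, data: bytes, blocklist=KNOWN_BAD_MD5) -> dict:
    """Return the findings a gateway would raise for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    kind = classify(data)
    md5 = hashlib.md5(data).hexdigest()
    findings = []
    if kind in ("ole", "rtf"):
        findings.append("legacy-office-container:" + kind)
    # Content does not match the extension: RTF delivered under a .doc name
    # (or OLE under .rtf) is exactly the delivery variation the post anticipates.
    if ext == ".doc" and kind == "rtf":
        findings.append("extension-mismatch:doc-is-rtf")
    if ext == ".rtf" and kind == "ole":
        findings.append("extension-mismatch:rtf-is-ole")
    if md5 in blocklist:
        findings.append("known-bad-md5")
    return {"file": filename, "type": kind, "md5": md5, "findings": findings}


# Constructed sample attachments (not real campaign samples).
SAMPLES = {
    "invoice.doc": OLE_MAGIC + b"\x00" * 504,            # minimal OLE header block
    "letter.doc": b"{\\rtf1\\ansi\\deff0 hello}",        # RTF content named as .doc
    "notes.txt": b"plain text, nothing to see",
}


def run_demo(blocklist=None) -> list:
    """Triage every constructed sample; returns the list of result dicts."""
    if blocklist is None:
        # Constructed blocklist entry: the hash of our own OLE sample.
        blocklist = {hashlib.md5(SAMPLES["invoice.doc"]).hexdigest()}
    results = [triage(name, data, blocklist) for name, data in SAMPLES.items()]
    for r in results:
        print(r["file"], r["type"], r["md5"], ", ".join(r["findings"]) or "clean")
    return results


if __name__ == "__main__":
    run_demo()
```

Hash matching only catches the 40 samples already seen; the extension/content mismatch and container-type checks are what give a gateway coverage of the variants the post expects to follow, and are cheap enough to run on every attachment.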

command and control domains (partial list): (pitty tiger) (Creation date: 05 Jun 2013 13:58:00) (Creation date: 06 Jun 2013 07:24:00)

Update 2: We extracted the following code signing certificates used in 3 of the samples:

code signing certificates:
VMWare (invalid):

Shenzhen OuMing Keji Co.,Ltd (expired):

Update 3: We're hearing the exploit may be older - patched with ms12-060 but not previously reported.
