More attacks linked to CVE-2012-0158, the evolution of a threat step by step
May 14, 2012
CVE-2012-0158 vulnerability has been one of the main players in the information security scene during the last weeks. Since it was seen in the wild for the first time, attackers have been using it to break the security of specific targets.
We have been tracking one of these campaigns against one of the main steel industry corporations based in Japan. We will see how the attackers have been testing the exploits, starting the attack, and then improving it. All this just in a couple of days.
Since we can’t exactly determine where the attack comes from, we will see some evidences that could lead us to some conclusions.
One of the first samples found in the wild linked to this campaign is a specially crafted Microsoft Office file that uses CVE-2012-0158 to execute a malicious payload, then showing an embedded harmless MS Office file to the victim. All the other documents are very similar, but the payloads and the harmless documents are different each time.
The way to infect the targets is sending emails to specific key people in the organization.
Some of the harmless documents showed after exploitation are related to industrial products:
In this first sample the malicious dropped payload, named 0412test.exe, is a Microsoft Notepad binary from Windows XP Service Pack 2, Chinese Edition. This suggests that the attackers were doing the first tests in his own infrastructure to build the attack.
The next samples include malicious payloads that connect to a Command & Control server managed by the attackers, which is always the same IP. At this moment all the domains found point to 188.8.131.52, an IP address located in Japan.
The second sample found drops a Trojan Horse that connects to the C&C showing another Office document to the victim. This sample has a very reduced functionality. One interesting fact is the high antivirus detection ratio (23/42).
The main feature of the next sample found is the antivirus detection ratio. Less than half than the previous one the day of the discovery (only 11/42). Now it has changed a bit.
Finally, we found a sample with much more capabilities that the previous ones. It is more focused on stealing user credentials and retrieve internal information from the affected systems. It reads saved login credentials from Mozilla Firefox browser and hooks some Windows user inputs to collect information.
It also has two internal IP ranges (192.168.20.1-62, 10.18.104.88-245) hard-coded in the source code.
The antivirus detection ratio has decreased. The day of the discovery only 6/42 antivirus detected the threat. At the time of writing it is detected by five more.
Each sample connects to one of the following domains, like we previously mentioned, all are pointing to the same IP.
We will probably see more attacks as part of this campaign, with more advanced payloads. We’ve added the C&C IP address to our IP Reputation Database, and we will monitor these C&C servers to detect new threats coming from them.