As our friends at TrendMicro reported a couple of days ago that CVE-2012-0158 is being actively used on different spearphishing campaigns mainly against NGO’s and Tibet related organizations.
The vulnerability used was patched by Microsoft a week ago:
The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers “system state” corruption, as exploited in the wild in April 2012, aka “MSCOMCTL.OCX RCE Vulnerability.”
We have found several targeted RTF doc files dropping different trojans and RATs onto the victims. One of the malicious doc files is very similar to what TrendMicro described a couple of days ago but it shows how quick the attackers are adapting their code to what security companies release in order to avoid signature and AV detection.
Once you open the RTF document, it drops the malicious executable as well as a benign doc file:
The dropped exe file has a low AV detection rate:
And more interesting is that it is digitally signed, apparently using the same signer described by TrendMicro but this time the certificate is valid and it has been signed the 16th.
The trojan connects to the following domains:
- 1.test.3322.org.cn -> 18.104.22.168
- 2.test.3322.org.cn -> 22.214.171.124
- 3.test.3322.org.cn -> 126.96.36.199
- 4.test.3322.org.cn -> 188.8.131.52
- 123ewqasdcxz.xicp.net, now pointing to 0.0.0.0
- hoop-america.oicp.net -> 184.108.40.206
We have collected several documents/mails exploiting CVE-2012-0158 and will publish more information about the ongoing campaigns. Stay tuned!