CVE-2012-0158, Tibet, Targeted Attacks and so on

April 18, 2012 | Jaime Blasco

As our friends at TrendMicro reported a couple of days ago, CVE-2012-0158 is being actively used in different spearphishing campaigns, mainly against NGOs and Tibet-related organizations.

The vulnerability used was patched by Microsoft a week ago:

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers “system state” corruption, as exploited in the wild in April 2012, aka “MSCOMCTL.OCX RCE Vulnerability.”

We have found several targeted RTF doc files dropping different trojans and RATs onto the victims. One of the malicious doc files is very similar to what TrendMicro described a couple of days ago, but it shows how quickly the attackers adapt their code to what security companies publish in order to avoid signature-based AV detection.

Once you open the RTF document, it drops the malicious executable as well as a benign doc file:

Immolation Statement.doc

The dropped exe file has a low AV detection rate:

https://www.virustotal.com/file/b7c6522ce21bd230c33e3f250d9789395af932e7fc72c9e0c1304c0bbcaa5e61/analysis/1334789684/

https://www.virustotal.com/file/eb6901caaf90e7e04b5c79d33aaa4aa3f3139cfb179418f78555e0c724b9e09f/analysis/1334790589/

More interestingly, the executable is digitally signed, apparently by the same signer described by TrendMicro, but this time the certificate is valid and the file was signed on the 16th.

The trojan connects to the following domains:

  • 1.test.3322.org.cn -> 64.62.224.75
  • 2.test.3322.org.cn -> 74.82.63.102
  • 3.test.3322.org.cn -> 74.82.63.102
  • 4.test.3322.org.cn -> 64.62.224.75
  • 123ewqasdcxz.xicp.net, now pointing to 0.0.0.0
  • hoop-america.oicp.net -> 222.132.195.5
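The hashes and domains above are the indicators a defender would actually use. The following script is an added example (not code from the original post or from AlienVault) that matches the post's SHA-256 hashes, hostnames and IP addresses against DNS and file-hash log lines. The log format and the sample lines are constructed for the example; the parent-zone match on the dynamic-DNS providers (3322.org.cn, xicp.net, oicp.net) is an assumption added here as a lower-confidence signal, not something the post claims.

```python
import re
from dataclasses import dataclass

# Indicators taken from the post: SHA-256 hashes from the VirusTotal links and
# the hostnames/IP addresses the trojan contacts.
IOC_SHA256 = {
    "b7c6522ce21bd230c33e3f250d9789395af932e7fc72c9e0c1304c0bbcaa5e61",
    "eb6901caaf90e7e04b5c79d33aaa4aa3f3139cfb179418f78555e0c724b9e09f",
}
IOC_DOMAINS = {
    "1.test.3322.org.cn", "2.test.3322.org.cn",
    "3.test.3322.org.cn", "4.test.3322.org.cn",
    "123ewqasdcxz.xicp.net", "hoop-america.oicp.net",
}
IOC_IPS = {"64.62.224.75", "74.82.63.102", "222.132.195.5"}

# Assumption (not from the post): the dynamic-DNS zones the hostnames live
# under. A hit here only says "same free DDNS provider", so it is rated medium.
IOC_PARENT_ZONES = {"3322.org.cn", "xicp.net", "oicp.net"}


@dataclass
class Hit:
    line_no: int
    indicator: str
    kind: str        # "domain", "parent-zone", "ip" or "sha256"
    confidence: str  # "high" for an exact indicator, "medium" for parent zone


# Hypothetical log format used for this example:
#   "<ts> dns query=<name> answer=<ip>"   or   "<ts> file sha256=<hash> path=<p>"
DNS_RE = re.compile(r"dns query=(?P<name>\S+) answer=(?P<ip>\S+)")
FILE_RE = re.compile(r"file sha256=(?P<hash>[0-9A-Fa-f]{64})")


def match_line(line_no, line):
    """Return every indicator hit found on a single log line."""
    hits = []
    m = DNS_RE.search(line)
    if m:
        # Normalise: drop a trailing dot from FQDNs and lower-case the name.
        name = m.group("name").rstrip(".").lower()
        ip = m.group("ip")
        if name in IOC_DOMAINS:
            hits.append(Hit(line_no, name, "domain", "high"))
        else:
            for zone in IOC_PARENT_ZONES:
                if name.endswith("." + zone):
                    hits.append(Hit(line_no, name, "parent-zone", "medium"))
                    break
        if ip in IOC_IPS:
            hits.append(Hit(line_no, ip, "ip", "high"))
    m = FILE_RE.search(line)
    if m and m.group("hash").lower() in IOC_SHA256:
        hits.append(Hit(line_no, m.group("hash").lower(), "sha256", "high"))
    return hits


def scan(lines):
    """Scan an iterable of log lines and collect all hits in order."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(match_line(n, line))
    return hits


# Constructed sample log lines (not real traffic); the hash on the last line
# is the first VirusTotal hash from the post, written in upper case on purpose.
SAMPLE_LOG = [
    "2012-04-17T10:01:02 dns query=www.example.com answer=93.184.216.34",
    "2012-04-17T10:01:05 dns query=2.test.3322.org.cn. answer=74.82.63.102",
    "2012-04-17T10:01:09 dns query=123ewqasdcxz.xicp.net answer=0.0.0.0",
    "2012-04-17T10:02:00 dns query=update.3322.org.cn answer=10.0.0.5",
    "2012-04-17T10:03:11 file sha256="
    "B7C6522CE21BD230C33E3F250D9789395AF932E7FC72C9E0C1304C0BBCAA5E61 path=[redacted]",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind:<11} {h.indicator} ({h.confidence})")
```

Two details matter for a check like this: the sinkholed entry (123ewqasdcxz.xicp.net resolving to 0.0.0.0) still fires on the hostname even though the answer is not an indicator, and the second line produces both a hostname hit and an IP hit, which is what you want when an attacker later rotates hostnames but keeps the same infrastructure.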

We have collected several documents/mails exploiting CVE-2012-0158 and will publish more information about the ongoing campaigns. Stay tuned!

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.