The instigators of many targeted attacks are fond of the CVE-2012-0158 vulnerability, which affects the mscomctl.ocx ActiveX control shipped with Microsoft Office and some other Microsoft products. We have seen several campaigns use this exploit against Chinese and Tibetan activists and in other recent attacks. Now McAfee Labs has uncovered another apparent targeted attack using the same vulnerability against a Japanese organization.
In this recent wave of attacks, the likely target is the Japan Aerospace Exploration Agency (JAXA). We have found Word .doc exploits for CVE-2012-0158 whose decoy documents carry content related to JAXA.
We first saw exploit-laden doc files in the wild on April 7, with the following file name and document metadata:
File name: EOC運営調整会議議事録(最終版).doc. Rough translation: “EOC management coordination meeting minutes (final version)”
Author: RESTEC観測部. “RESTEC observation section”
Title: ALOS地球観測班準備連絡会 議事録. “ALOS Earth observation team preparation liaison committee meeting minutes”
Threat Vector
The threat arrives in a Word .doc file that exploits CVE-2012-0158 in the mscomctl.ocx ActiveX control. Opening the document triggers the exploit, which opens a clean decoy document for the victim and drops a binary, services.exe, into the %Temp% directory. This binary copies itself to C:\Program Files\Windows NT\Accessories\Microsoft and runs from there. The name mimics the legitimate Service Control Manager binary, which lives in C:\Windows\System32; the unusual path is what gives the dropped copy away.
The following diagram gives a high-level picture of how the attack works:
The decoy document roughly translates as follows:
Analyzing the payload
The exploit drops the binary services.exe (MD5 677EC884F6606A61C81FC06F6F73DE6D) into %Temp% and later into C:\Program Files\Windows NT\Accessories\Microsoft, and adds registry start-up entries for persistence. The initial part of the binary uses a simple but fairly uncommon anti-debugging technique built on Windows message handling: it calls RegisterClassA( ) to register a window class whose window procedure contains the hidden code, then calls CreateWindowExA( ). Because window creation synchronously dispatches messages such as WM_NCCREATE and WM_CREATE to that procedure, the hidden code runs inside the callback before CreateWindowExA( ) returns, so an analyst who simply steps over the API call never sees it execute.
Once the window procedure has been identified (it is the lpfnWndProc member of the WNDCLASSA structure passed to RegisterClassA( )), a breakpoint there exposes the hidden code and an additional domain to connect to, and eventually the supposedly malicious iframe that redirects the victim to download additional malware.
Network communication
While analyzing this sample, we found that it connects to www.sitclogi.co.jp, which resolved at the time to 111.68.158.66. The domain belongs to a legitimate site and was apparently compromised to host malware during this attack. A historical scan of this domain confirms our assumption:
The following additional malware samples have been seen communicating with the same domain:
MD5                              | Domain
2b91011e122364148698a249c2f4b7fe | www.sitclogi.co.jp
6c040be9d91083ffba59405f9b2c89bf | www.sitclogi.co.jp
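To turn the indicators in this post (the dropper hash and drop path from the payload analysis above, and the domain, address and additional hashes from this section) into something an incident responder can run against logs, here is an added example. It is not code from the original post or from McAfee. The log lines and their event format are constructed for the example, and the user profile path, the registry value name and the WINWORD.EXE location are assumptions: the post only says that start-up entries are added and that the first copy lands in %Temp%.

```python
"""Match the indicators published in this post against host and proxy log lines."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the post (hashes lower-cased for comparison).
IOC_MD5 = {
    "677ec884f6606a61c81fc06f6f73de6d": "services.exe dropped by the CVE-2012-0158 document",
    "2b91011e122364148698a249c2f4b7fe": "additional sample contacting www.sitclogi.co.jp",
    "6c040be9d91083ffba59405f9b2c89bf": "additional sample contacting www.sitclogi.co.jp",
}
IOC_DOMAINS = {"www.sitclogi.co.jp"}
IOC_IPS = {"111.68.158.66"}
# Match the full drop path: the bare name services.exe is also the legitimate
# Service Control Manager in C:\Windows\System32 and would flood you with noise.
IOC_DROP_PATH = r"c:\program files\windows nt\accessories\microsoft\services.exe"
IOC_TEMP_STAGE = r"\temp\services.exe"  # the %Temp% copy, whatever the profile path

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str       # "md5", "domain", "ip" or "path"
    indicator: str
    note: str


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Return every indicator from the post that appears in one log line."""
    hits: list[Hit] = []
    for word in MD5_RE.findall(line):
        h = word.lower()
        if h in IOC_MD5:
            hits.append(Hit(line_no, "md5", h, IOC_MD5[h]))
    for host in HOST_RE.findall(line):
        if host.lower() in IOC_DOMAINS:
            hits.append(Hit(line_no, "domain", host.lower(), "compromised site hosting the payload"))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(Hit(line_no, "ip", ip, "address www.sitclogi.co.jp resolved to"))
    # Normalise separator and case before comparing Windows paths.
    lowered = line.lower().replace("/", "\\")
    if IOC_DROP_PATH in lowered:
        hits.append(Hit(line_no, "path", IOC_DROP_PATH, "persistent copy of the dropper"))
    elif IOC_TEMP_STAGE in lowered:
        hits.append(Hit(line_no, "path", IOC_TEMP_STAGE, "%Temp% stage of the dropper"))
    return hits


def scan_lines(lines: list[str]) -> list[Hit]:
    """Scan a whole log, numbering lines from 1."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample log (not from the post). The event format loosely follows
# Sysmon-style host events and a proxy access log; the user profile, the
# registry value name and the WINWORD.EXE path are assumptions.
SAMPLE_LOGS = [
    r"2012-04-09 09:58:11 ProcessCreate Image=C:\Windows\System32\services.exe User=NT AUTHORITY\SYSTEM",
    r"2012-04-09 10:01:44 FileCreate TargetFilename=C:\Users\taro\AppData\Local\Temp\services.exe Image=C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
    r"2012-04-09 10:01:45 ProcessCreate Image=C:\Program Files\Windows NT\Accessories\Microsoft\services.exe Hashes=MD5=677EC884F6606A61C81FC06F6F73DE6D",
    r"2012-04-09 10:01:46 RegistryEvent TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\services Details=C:\Program Files\Windows NT\Accessories\Microsoft\services.exe",
    "2012-04-09 10:01:50 10.0.0.5 GET http://www.sitclogi.co.jp/ 200",
    "2012-04-09 10:02:03 10.0.0.5 TCP 111.68.158.66:80 ESTABLISHED",
    "2012-04-09 10:05:00 10.0.0.7 GET http://www.example.com/ 200",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator} ({hit.note})")
```

The legitimate services.exe on the first sample line produces no hit because the match is on the full drop path rather than the file name; the dropper's second copy on line 3 is flagged twice, once by hash and once by path, so a renamed or recompiled variant dropped to the same location would still be caught by the path rule alone.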
McAfee detection:
McAfee Advanced Threat Detection provides zero-day detection against this exploit based on behavioural analysis rather than a signature for this particular sample. As always, we advise users to consider carefully before opening documents from unknown sources. The vulnerability itself was fixed by Microsoft security bulletin MS12-027, so keeping Office and the shared mscomctl.ocx control up to date removes this exploit vector entirely.
The post Targeted Attacks Against Japanese Firm Use Old ActiveX Vulnerability appeared first on McAfee.