Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities

Spear phishing email is a major worry to any organization. Messages that appear legitimate and specific fool us more often than random phishing attempts. Exploits that use patched vulnerabilities delivered via spear phishing email are one of the most successful combinations used by attackers to infiltrate targeted organizations and gain access to confidential information.

During the last month, McAfee Labs researchers have uncovered targeted attacks carried out via spear phishing email against a French company. We have seen email sent to a large group of individuals in the organization. The attachments exploit the recently patched RTF vulnerability CVE-2014-1761 and the previously patched ActiveX control vulnerability CVE-2012-0158. Both of these vulnerabilities have been popular in several ongoing targeted attacks.

t1

 

 

 

 

 

 

 

 

t2

 

 

 

 

 

 

 

 

 

 

The preceding spear phishing emails come from attackers using the French Yahoo and Laposte email services and possibly impersonating employees of the targeted organization.

RTF Vulnerability

These exploits target the recently discovered RTF zero-day vulnerability CVE-2014-1761. The flaw lies in the value of the “ListOverrideCount,” which is set to 25.

t3

 

 

 

 

However, according to Microsoft’s RTF specifications this value should be either 1 or 9. This error eventually causes an out-of-bounds array overwrite that results in incorrect handling of the structure by Word and leads to the attacker’s controlling an extended instruction pointer (EIP).

Shellcode

McAfee Labs researchers discovered that all the bytes of the shellcode, the return oriented programming (ROP) chain, are directly controlled by the attacker and come straight from the RTF structure. Here is a high-level view of how the ROP chain is formed:

t4

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Next we see a snapshot of the parsed RTF structure in memory leading to the control of the EIP:

t5

 

 

 

 

Successful execution of the shellcode opens the decoy document and drops the malware svohost.exe in the %TEMP% directory and then connects to the control server.

t6

 

 

 

 

 

(McAfee Labs researchers Haifei Li and Xie Jun have already blogged on the technical details of the vulnerability and the shellcode.)

In this cycle of spear phishing attacks we’ve also seen email targeting the same organization with attachments that exploit the two-year-old CVE -2012-0158 vulnerability. The malicious payload arrives in the innocuous-sounding article.doc.

t7

 

 

 

 

 

 

 

 

 

 

 

The following API trace gives an idea of the sequence of activities once the exploit is launched on the system:

t8

 

Payload Analysis

Our analysis of the dropped binary reveals that it was specifically written to gather information about the network of the target organization as well as the configuration of the endpoint—leading us to believe that this is a spear phishing reconnaissance. The payload seems to have been compiled on April 9:

t9

 

 

 

 

 

 

The malware starts by retrieving the %Temp% path and prepares to log the communication with its control server in the file %Temp%explorer.exe.

t20

 

 

Subsequently, the malware collecting following information:

  • Hostname
  • Username
  • System type by resolving IsWOW64Process AP
  • Current TCP and UDP connections and open ports
    •     Organizational information from the registry key:
    •         HKLM/Software/Microsoft/WindowsNT/CurrentVersion,
    •         Productname,
    •         CSDVersion,
    •         CurrentVersion,
    •         CurrentBuildNumber,
    •         RegisteredOrganization,
    •         RegisteredOwner
  • Current running system services
  • Installed software from the registry key:
    •     HKLM/Software/Microsoft/Windows/CurrentVersion/Uninstall
  • Information about network adapters, IP configuration, netcard numbers, IP mask, gateway, DHCP server, DHCP host, WINS server, and WINS host

Here is a high-level snapshot of the malware’s information gathering code:

t10

 

 

 

 

 

 

 

 

 

 

 

 

 

Encryption is primarily done using the SYSTEMTIME structure. It forms the repetitive 256-byte key using SYSTEMTIME information, shown below:

t12

 

 

 

 

 

 

 

 

 

 

 

The malware converts the key into 16 bytes to encrypt the information.

Chintan Shah redacted t131

Once the buffer has been encrypted, it connects to the control server sophos.skypetm.com.tw.

t14

 

 

 

 

 

 

 

 

 

 

 

 

 

t15

 

 

 

 

 

 

Command and Control Research

During our analysis of this exploit, sophos.skypetm.com.tw resolved to the IP address 66.220.4.100. located in the Fremont, California. McAfee sensors first observed the outbound traffic to this domain on January 27, at which time it resolved to 198.100.113.27, located in Los Angeles.

From our passive DNS data, we found following MD5 hashes connecting to the same domain resolving to 198.100.113.27.

 

4ab74387f7a02c115deea2110f961fd3 January 27, 2014 sophos.skypetm.com.tw
8dc8e02e06ca7c825d42d82ec19d8377 January 28, 2014 sophos.skypetm.com.tw
0331417d7fc3d075128da1353ae880d8 March 30, 2014 sophos.skypetm.com.tw
5e2360a8c4a0cce1ae22919d8bff49fd April 25, 2014 sophos.skypetm.com.tw

The whois record reveals that the skypetm.com.tw domain has been registered under the email ID [email protected]. This ID also registered the domain avstore.com.tw, which has been used as the control server.

t17

 

 

 

 

 

We have seen several other malware binaries communicating with the various subdomains of skypetm.com.tw and avstore.com.tw. All of them have been identified as “PittyTiger” malware, which appears in numerous CVE-2012-0158 exploits used in recent targeted attacks. The same payload was used in the “Tomato Garden” APT campaign, uncovered in June 2013, against Tibetan and Chinese democracy activists.

t18

 

 

 

 

 

65809985e57b9143a24ac57cccde8c77 asdf.skypetm.com.tw 113.10.240.54
vbnm.skypetm.com.tw 122.10.39.52
c0656b66b9f4180e59e1fd2f9f1a85f2 zeng.skypetm.com.tw 113.10.221.126
b84342528942cec03f5f2976294613ba gmail.skypetm.com.tw 122.208.59.188
d4f96dba1900d53f1d33ee66f7e5996d gmail.skypetm.com.tw 122.208.59.188
b84342528942cec03f5f2976294613ba gmail.skypetm.com.tw:8080 122.208.59.188
d4f96dba1900d53f1d33ee66f7e5996d gmail.skypetm.com.tw:8080 122.208.59.188
2be9fc56017aab1827bd30c9b2e3fc27 jamessmith.avstore.com.tw 58.64.175.191
be18418cafdb9f86303f7e419a389cc9 chanxe.avstore.com.tw 122.10.48.189
65809985e57b9143a24ac57cccde8c77 asdf.avstore.com.tw 122.10.39.105
17bc87b13b0a26caa2eb9a0d2a23fc72 bluer.avstore.com.tw 58.64.185.200
90f3973578ec9e2da4fb7f22da744e4c avast.avstore.com.tw 198.100.121.15

Additional domains related to this attack:
• 63.251.83.36
• 64.74.96.242
• 69.251.142.1
• 218.16.121.32
• 61.145.112.78
• star.yamn.net
• 216.52.184.230
• 212.118.243.118
• bz.kimoo.com.tw
• mca.avstore.com.tw

McAfee Product Coverage

McAfee coverage for CVE 2014-1761 is detailed here. McAfee Advance Threat Defense provides zero-day detection for CVE 2012-0158.

As usual, exercise extreme caution when opening documents from unknown sources and use the latest versions of software.

I would like to thank my colleague S. R. Venkatachalabathy for assistance in this research.

The post Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities appeared first on McAfee.