Days after Microsoft released six bulletins, we have now spotted a number of Trojanized RTF files circulating in the wild. These files exploit CVE-2012-0158, which is addressed in MS12-027. That bulletin covers a number of Microsoft products, including versions of MS Office, Visual FoxPro, Commerce Server, BizTalk Server, and SQL Server.
We spotted a Trojanized RTF file that came in the following email message as an attachment:
The email again contains pro-Tibetan sentiments and was sent to a public Tibetan NGO email address that we have seen targeted in the past. As before, the email claims to come from a public Tibetan figure.
The attached RTF file, Inside Information.doc, detected as TROJ_MDROP.GDL, contains an embedded EXE file (encrypted) and an embedded decoy DOC file (also encrypted). The dropped EXE payload, detected as TSPY_GEDDEL.EVL, drops and installs a file named fxsst.dll, also detected as TSPY_GEDDEL.EVL. Outbound connections are then seen to hosts whose NS records point to China.