As mentioned in our previous post, the actors behind the targeted attack campaigns we’re monitoring updated, and still are updating, the tools of their trade to further their agenda and achieve exploitation. Using a fairly new vulnerability such as CVE-2012-0158, patched barely 2 weeks ago, may allow these attackers the window of opportunity to effectively infiltrate their targets.
Moreover, the campaigns we’re seeing target sectors that span on a global scale, unlike the ones first seen and described in our previous post.
Just this week, the actors behind one campaign that we’ve been seeing/monitoring have started to exploit CVE-2012-0158 via an attachment with an original filename of 子女教育補助費101新版.doc. A snapshot of the malicious email sent can be seen below:
We’ve also seen this one sent to an industrial corporation in Japan, purportedly coming from another Japanese company:
We’ve been monitoring attacks against the said corporation for quite some time now and previously, the CVE of choice is CVE-2009-3129. RTF file dropped is 20120420.doc, which could pertain to the date April 20, 2012, a day after the malicious document has been sent.
Other malicious RTFs, exploiting CVE-2012-0158, that were also seen from Japan are as follows:
- 献金を受け取る機構及び人のリスト.doc (rough translation – A list of organization and people to receive the donation.doc)
Russia, Vietnam and others…
Other RTF files, also exploiting CVE-2012-0158, that we’ve seen targeted at a particular geographic audience include one that is supposedly targeted at a particular Russian audience, as the filename of the RTF file is ядерные материалы.doc whose literal translation is “nuclear materials.doc”, and a Vietnamese one with an original filename of Cập nhật tình hình 4.18.doc, meaning “Update 4:18.doc”. There were also submissions coming from India and Thailand as well – all exploiting CVE-2012-0158.
CVE-2012-0158 – Here To Stay
All in all, as captured above, as well as those seen by our friends in Contagio, we’ve seen various different targeted attacks now ramping up the usage of CVE-2012-0158 exploitation, in a span of just barely 2 weeks after the said vulnerability was patched by Microsoft. Moreover, the assumption of Contagio that there is an RTF generator being used by these campaigns is highly possible though we haven’t seen one yet. Evidently, this is now becoming a favorite method among those behind these targeted attack campaigns, and we’ll be seeing more of it.
CVE-2012-0158’s popularity among attackers may be due to the fact that Microsoft owns more than 90% of productivity software market share. This alone increases the target base for cybercriminals. In addition, not everyone owns an update-able (licensed) copy of MS software, which doubles the risk for the targets.
Trend Micro protects users
Trend Micro Smart Protection Network ensures that spammed email as well as the malicious attachments are detected and removed immediately from computers. Trend Micro Deep Security users are also protected with the following rules:
- 1004973 – MSCOMCTL.OCX RCE Vulnerability For Rich Text File(CVE-2012-0158)
- 1004977 – Restrict Microsoft Windows Common ListView And TreeView ActiveX Controls
- 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158)
Those who haven’t patched this vulnerability yet are advised to PATCH NOW. We can never be too sure on who will be targeted next.