Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
  • About Us

    As mentioned in our previous post, the actors behind the targeted attack campaigns we’re monitoring updated, and still are updating, the tools of their trade to further their agenda and achieve exploitation. Using a fairly new vulnerability such as CVE-2012-0158, patched barely 2 weeks ago, may allow these attackers the window of opportunity to effectively infiltrate their targets.

    Moreover, the campaigns we’re seeing target sectors that span on a global scale, unlike the ones first seen and described in our previous post.

    Taiwan

    Just this week, the actors behind one campaign that we’ve been seeing/monitoring have started to exploit CVE-2012-0158 via an attachment with an original filename of 子女教育補助費101新版.doc. A snapshot of the malicious email sent can be seen below:

    Japan

    We’ve also seen this one sent to an industrial corporation in Japan, purportedly coming from another Japanese company:

    We’ve been monitoring attacks against the said corporation for quite some time now and previously, the CVE of choice is CVE-2009-3129. RTF file dropped is 20120420.doc, which could pertain to the date April 20, 2012, a day after the malicious document has been sent.

    Other malicious RTFs, exploiting CVE-2012-0158, that were also seen from Japan are as follows:

    • 献金を受け取る機構及び人のリスト.doc (rough translation – A list of organization and people to receive the donation.doc)

    • Development_plan_canon_2012.doc

    Incidentally, the dropped payload of the aforementioned RTF files, detected as TSPY_GEDDEL.EVL, was also seen as the same payload in this previous attack

    Russia, Vietnam and others…

    Other RTF files, also exploiting CVE-2012-0158, that we’ve seen targeted at a particular geographic audience include one that is supposedly targeted at a particular Russian audience, as the filename of the RTF file is ядерные материалы.doc whose literal translation is “nuclear materials.doc”, and a Vietnamese one with an original filename of Cập nhật tình hình 4.18.doc, meaning “Update 4:18.doc”. There were also submissions coming from India and Thailand as well – all exploiting CVE-2012-0158.

    CVE-2012-0158 – Here To Stay

    All in all, as captured above, as well as those seen by our friends in Contagio, we’ve seen various different targeted attacks now ramping up the usage of CVE-2012-0158 exploitation, in a span of just barely 2 weeks after the said vulnerability was patched by Microsoft. Moreover, the assumption of Contagio that there is an RTF generator being used by these campaigns is highly possible though we haven’t seen one yet. Evidently, this is now becoming a favorite method among those behind these targeted attack campaigns, and we’ll be seeing more of it.

    CVE-2012-0158′s popularity among attackers may be due to the fact that Microsoft owns more than 90% of productivity software market share. This alone increases the target base for cybercriminals. In addition, not everyone owns an update-able (licensed) copy of MS software, which doubles the risk for the targets.

    Trend Micro protects users

    Trend Micro Smart Protection Network ensures that spammed email as well as the malicious attachments are detected and removed immediately from computers. Trend Micro Deep Security users are also protected with the following rules:

    • 1004973 – MSCOMCTL.OCX RCE Vulnerability For Rich Text File(CVE-2012-0158)
    • 1004977 – Restrict Microsoft Windows Common ListView And TreeView ActiveX Controls
    • 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158)

    Those who haven’t patched this vulnerability yet are advised to PATCH NOW. We can never be too sure on who will be targeted next.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice