Days after Microsoft released this month's six bulletins, we have spotted a number of Trojanized RTF files circulating in the wild. The files exploit CVE-2012-0158, a vulnerability in the MSCOMCTL.OCX ActiveX control addressed by MS12-027. That bulletin covers several Microsoft products, among them versions of MS Office, Visual FoxPro, Commerce Server, BizTalk Server, and SQL Server.
We spotted one such Trojanized RTF file arriving as an attachment to the following email message:
The email once again carries pro-Tibetan sentiments and was sent to a public Tibetan NGO email address that we have seen targeted in the past. As before, the message claims to come from a public Tibetan figure.
The attached file, Inside Information.doc (detected as TROJ_MDROP.GDL), is RTF content carrying a .doc extension; Word opens it by content rather than by extension, so the extension alone tells a recipient nothing. The file contains an embedded EXE and an embedded decoy DOC, both encrypted. The dropped EXE payload, detected as TSPY_GEDDEL.EVL, in turn drops and installs a file named fxsst.dll, also detected as TSPY_GEDDEL.EVL. Outbound connections are then seen to hosts whose NS records point to China.
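The structure just described (an RTF whose \objdata carries the vulnerable MSCOMCTL control plus an encrypted embedded executable) can be triaged statically without opening the file in Word. The script below is an added example, not code from the original post or from Trend Micro. It decodes every \objdata hex blob, tolerating the junk control words that obfuscated samples wedge into the hex stream, then checks for the CLSIDs of the MSCOMCTL ListView and TreeView controls (not named in the post; taken from the controls' COM registration) and for high-entropy content that would indicate an encrypted payload like the one described above. The sample RTF is constructed for the demo and contains no exploit.

```python
"""Static triage of an RTF attachment for the CVE-2012-0158 pattern: an
\\objdata blob instantiating an MSCOMCTL ListView/TreeView control and
carrying high-entropy (likely encrypted) embedded content.
Added example; not from the original post or Trend Micro."""
import math
import random
import re
import string
import uuid
from collections import Counter

# CLSIDs of the MSCOMCTL.OCX controls patched by MS12-027 (not named in the
# post; from the controls' COM registration).  Inside object data a GUID is
# stored in little-endian layout, hence uuid.bytes_le below.
MSCOMCTL_CLSIDS = {
    "BDD1F04B-858B-11D1-B16A-00C0F0283628": "MSComctlLib.ListViewCtrl.2",
    "C74190B6-8589-11D1-B16A-00C0F0283628": "MSComctlLib.TreeCtrl.2",
}


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded binary payload of every \\objdata group.
    Control words wedged into the hex stream (a common obfuscation) are
    skipped, as Word itself ignores them; nested groups are tolerated."""
    text = rtf.decode("latin-1")
    blobs = []
    for match in re.finditer(r"\\objdata(?![A-Za-z])", text):
        i, depth, hexchars = match.end(), 0, []
        while i < len(text):
            c = text[i]
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break
                depth -= 1
            elif c == "\\":
                i += 1  # skip the control word that follows the backslash
                while i < len(text) and (text[i].isalnum() or text[i] == "-"):
                    i += 1
                continue
            elif c in string.hexdigits:
                hexchars.append(c)
            i += 1
        if len(hexchars) % 2:
            hexchars.pop()  # drop a dangling nibble rather than fail
        blobs.append(bytes.fromhex("".join(hexchars)))
    return blobs


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random; plain DOC/EXE content sits well below 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(k / n * math.log2(k / n) for k in Counter(data).values())


def find_mscomctl(blob: bytes) -> list:
    return [name for clsid, name in MSCOMCTL_CLSIDS.items()
            if uuid.UUID(clsid).bytes_le in blob]


def triage_rtf(rtf: bytes, entropy_threshold: float = 7.0) -> dict:
    text = rtf.decode("latin-1")
    objects = [{
        "size": len(blob),
        "mscomctl": find_mscomctl(blob),
        "entropy": round(shannon_entropy(blob), 2),
        # an unencrypted embedded executable would expose its PE markers
        "plain_pe": b"MZ" in blob and b"PE\0\0" in blob,
    } for blob in extract_objdata(rtf)]
    objclass = re.findall(r"\\objclass\s+([\w.]+)", text)
    objclass_hit = any(c.startswith("MSComctlLib") for c in objclass)
    return {
        "objclass": objclass,
        "objects": objects,
        "mscomctl_present": bool(objclass_hit or any(o["mscomctl"] for o in objects)),
        "encrypted_payload_likely": any(o["entropy"] > entropy_threshold for o in objects),
    }


def build_sample_rtf(seed: int = 2012) -> bytes:
    """Constructed stand-in for the attachment: ListView CLSID followed by 4 KiB
    of pseudo-random bytes in place of the encrypted EXE.  Not an exploit."""
    rng = random.Random(seed)
    encrypted = bytes(rng.getrandbits(8) for _ in range(4096))
    blob = uuid.UUID("BDD1F04B-858B-11D1-B16A-00C0F0283628").bytes_le + encrypted
    hexdata = blob.hex()
    lines = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    lines = lines[:64] + "{\\*\\junk}" + lines[64:]  # junk group, as in obfuscated samples
    return (
        "{\\rtf1\\ansi\\deff0\n"
        "{\\object\\objemb{\\*\\objclass MSComctlLib.ListViewCtrl.2}\n"
        "{\\*\\objdata " + lines + "}}\n"
        "\\par Inside Information\\par}"
    ).encode("latin-1")


SAMPLE_RTF = build_sample_rtf()

if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RTF
    print(json.dumps(triage_rtf(data), indent=2))
```

Run it with a file path to triage a real attachment, or with no arguments to see the report for the constructed sample. The CLSID match is the strong signal; the entropy figure only says that an embedded object is not plain DOC or EXE content, which is exactly what the encrypted EXE and decoy DOC in this sample would look like. A real exploit document may also omit the textual \objclass, so the binary CLSID check is the one to rely on.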
Another noteworthy finding about TSPY_GEDDEL.EVL is that it is digitally signed. The certificate used, however, looks dubious:
We have also seen a number of malicious RTFs exploiting the same vulnerability with different payloads. One sample leads to malware detected as TSPY_HANGAME.AN, which in turn leads to another malicious file that Trend Micro detects as BKDR_HUPIGO.GDM. HUPIGON, also known as the Grey Pigeon remote access tool, is a popular backdoor payload in the cybercriminal underground.
HUPIGON variants have a vast array of features and components for stealing data from the infected system, including but not limited to:
- logged keystrokes
- passwords and other user credentials
- system information
- video recording using a built-in webcam
It also comes with a rootkit component that helps it hide on, and persist within, the infected system.
The HANGAME variant mentioned earlier is also digitally signed, again with an invalid signature similar to the one described above:
As we can see, the actors behind these targeted attack campaigns are relentless and waste no time in updating the tools of their trade. In past campaigns, one of their favorite Microsoft Office vulnerabilities was CVE-2010-3333, as shown in our recently published LuckyCat paper and in our other posts about Tibetan-themed targeted attacks. By now, the intended targets may well have patched their systems against CVE-2010-3333; switching to a vulnerability as new as CVE-2012-0158 gives the attackers a window in which exploitation still succeeds.
Trend Micro Smart Protection Network protects users from the malware in this attack. File Reputation technology detects and removes all the malicious files mentioned in this post, and Web Reputation technology blocks access to the IP address that TSPY_GEDDEL.EVL connects to.
Furthermore, Trend Micro Deep Security users are protected from attacks using CVE-2012-0158 via the following rules:
- 1004973 – MSCOMCTL.OCX RCE Vulnerability For Rich Text File (CVE-2012-0158)
- 1004977 – Restrict Microsoft Windows Common ListView And TreeView ActiveX Controls
- 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158)