Spear phishing email is a major worry to any organization. Messages that appear legitimate and specific fool us more often than random phishing attempts. Exploits that use patched vulnerabilities delivered via spear phishing email are one of the most successful combinations used by attackers to infiltrate targeted organizations and gain access to confidential information.
During the last month, McAfee Labs researchers have uncovered targeted attacks carried out via spear phishing email against a French company. We have seen email sent to a large group of individuals in the organization. The attachments exploit the recently patched RTF vulnerability CVE-2014-1761 and the previously patched ActiveX control vulnerability CVE-2012-0158. Both of these vulnerabilities have been popular in several ongoing targeted attacks.
The preceding spear phishing emails come from attackers using the French Yahoo and Laposte email services and possibly impersonating employees of the targeted organization.
These exploits target the recently discovered RTF zero-day vulnerability CVE-2014-1761. The flaw lies in the value of the “ListOverrideCount,” which is set to 25.
However, according to Microsoft’s RTF specifications this value should be either 1 or 9. This error eventually causes an out-of-bounds array overwrite that results in incorrect handling of the structure by Word and leads to the attacker’s controlling an extended instruction pointer (EIP).
McAfee Labs researchers discovered that all the bytes of the shellcode, the return oriented programming (ROP) chain, are directly controlled by the attacker and come straight from the RTF structure. Here is a high-level view of how the ROP chain is formed:
Next we see a snapshot of the parsed RTF structure in memory leading to the control of the EIP:
Successful execution of the shellcode opens the decoy document and drops the malware svohost.exe in the %TEMP% directory and then connects to the control server.
(McAfee Labs researchers Haifei Li and Xie Jun have already blogged on the technical details of the vulnerability and the shellcode.)
In this cycle of spear phishing attacks we’ve also seen email targeting the same organization with attachments that exploit the two-year-old CVE -2012-0158 vulnerability. The malicious payload arrives in the innocuous-sounding article.doc.
The following API trace gives an idea of the sequence of activities once the exploit is launched on the system:
Our analysis of the dropped binary reveals that it was specifically written to gather information about the network of the target organization as well as the configuration of the endpoint—leading us to believe that this is a spear phishing reconnaissance. The payload seems to have been compiled on April 9:
The malware starts by retrieving the %Temp% path and prepares to log the communication with its control server in the file %Temp%explorer.exe.
Subsequently, the malware collecting following information:
- System type by resolving IsWOW64Process AP
- Current TCP and UDP connections and open ports
- Organizational information from the registry key:
- Current running system services
- Installed software from the registry key:
- Information about network adapters, IP configuration, netcard numbers, IP mask, gateway, DHCP server, DHCP host, WINS server, and WINS host
Here is a high-level snapshot of the malware’s information gathering code:
Encryption is primarily done using the SYSTEMTIME structure. It forms the repetitive 256-byte key using SYSTEMTIME information, shown below:
The malware converts the key into 16 bytes to encrypt the information.
Once the buffer has been encrypted, it connects to the control server sophos.skypetm.com.tw.
Command and Control Research
During our analysis of this exploit, sophos.skypetm.com.tw resolved to the IP address 18.104.22.168. located in the Fremont, California. McAfee sensors first observed the outbound traffic to this domain on January 27, at which time it resolved to 22.214.171.124, located in Los Angeles.
From our passive DNS data, we found following MD5 hashes connecting to the same domain resolving to 126.96.36.199.
|4ab74387f7a02c115deea2110f961fd3||January 27, 2014||sophos.skypetm.com.tw|
|8dc8e02e06ca7c825d42d82ec19d8377||January 28, 2014||sophos.skypetm.com.tw|
|0331417d7fc3d075128da1353ae880d8||March 30, 2014||sophos.skypetm.com.tw|
|5e2360a8c4a0cce1ae22919d8bff49fd||April 25, 2014||sophos.skypetm.com.tw|
The whois record reveals that the skypetm.com.tw domain has been registered under the email ID firstname.lastname@example.org. This ID also registered the domain avstore.com.tw, which has been used as the control server.
We have seen several other malware binaries communicating with the various subdomains of skypetm.com.tw and avstore.com.tw. All of them have been identified as “PittyTiger” malware, which appears in numerous CVE-2012-0158 exploits used in recent targeted attacks. The same payload was used in the “Tomato Garden” APT campaign, uncovered in June 2013, against Tibetan and Chinese democracy activists.
Additional domains related to this attack:
McAfee Product Coverage
McAfee coverage for CVE 2014-1761 is detailed here. McAfee Advance Threat Defense provides zero-day detection for CVE 2012-0158.
As usual, exercise extreme caution when opening documents from unknown sources and use the latest versions of software.
I would like to thank my colleague S. R. Venkatachalabathy for assistance in this research.