McAfee Labs

Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities

By on Jul 15, 2014

Spear phishing email is a major worry to any organization. Messages that appear legitimate and specific fool us more often than random phishing attempts. Exploits that use patched vulnerabilities delivered via spear phishing email are one of the most successful combinations used by attackers to infiltrate targeted organizations and gain access to confidential information.

During the last month, McAfee Labs researchers have uncovered targeted attacks carried out via spear phishing email against a French company. We have seen email sent to a large group of individuals in the organization. The attachments exploit the recently patched RTF vulnerability CVE-2014-1761 and the previously patched ActiveX control vulnerability CVE-2012-0158. Both of these vulnerabilities have been popular in several ongoing targeted attacks.

The preceding spear phishing emails come from attackers using the French Yahoo and Laposte email services and possibly impersonating employees of the targeted organization.

RTF Vulnerability

These exploits target the recently discovered RTF zero-day vulnerability CVE-2014-1761. The flaw lies in the value of the “ListOverrideCount,” which is set to 25.

However, according to Microsoft’s RTF specification this value should be either 1 or 9. The out-of-spec value eventually causes an out-of-bounds array overwrite, which results in Word mishandling the structure and leads to the attacker controlling the extended instruction pointer (EIP).
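As an added defensive triage example (not McAfee’s code), the following Python flags RTF list overrides whose declared ListOverrideCount is outside the specification’s 1 or 9, or disagrees with the number of \lfolevel entries actually present in the group. The sample documents are constructed, and treating 0 as benign is an assumption noted in the code.

```python
import re

# Control words from the RTF specification: \listoverridecountN declares how many \lfolevel groups follow.
COUNT_RE = re.compile(rb"\\listoverridecount(-?\d+)")
LFOLEVEL_RE = re.compile(rb"\\lfolevel(?![a-z])")
# The post quotes the specification as allowing 1 or 9. Accepting 0 is an assumption
# made here: Word routinely writes \listoverridecount0 for overrides with no level data.
ALLOWED = {0, 1, 9}


def rtf_groups(data: bytes, keyword: bytes):
    r"""Yield every {\<keyword> ...} group, matching nested braces (\{ and \} are literals)."""
    needle, start = b"{\\" + keyword, 0
    while (i := data.find(needle, start)) >= 0:
        after = data[i + len(needle):i + len(needle) + 1]
        if after.isalpha():  # a longer control word shares the prefix; skip it
            start = i + 1
            continue
        depth, j = 0, i
        while j < len(data):
            c, escaped = data[j:j + 1], data[j - 1:j] == b"\\"
            if c == b"{" and not escaped:
                depth += 1
            elif c == b"}" and not escaped:
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield data[i:j + 1]
        start = j + 1


def triage_list_overrides(data: bytes) -> list:
    r"""Compare each declared ListOverrideCount with the \lfolevel groups actually present."""
    results = []
    for grp in rtf_groups(data, b"listoverride"):
        m = COUNT_RE.search(grp)
        declared = int(m.group(1)) if m else None
        actual = len(LFOLEVEL_RE.findall(grp))
        flags = []
        if declared is not None and declared not in ALLOWED:
            flags.append("count_out_of_spec")  # the samples in the post declare 25
        if declared is not None and declared != actual:
            flags.append("count_mismatch")  # declared count disagrees with the real entries
        results.append({"declared": declared, "lfolevels": actual, "flags": flags})
    return results


# Constructed samples (not real attack documents): a benign Word-style override and one declaring 25 levels.
BENIGN = b"{\\rtf1{\\*\\listoverridetable{\\listoverride\\listid1\\listoverridecount0\\ls1}}\\pard Hi}"
SUSPECT = (b"{\\rtf1{\\*\\listoverridetable{\\listoverride\\listid1\\listoverridecount25"
           + b"{\\lfolevel\\listoverridestartat\\levelstartat1}" * 25 + b"\\ls1}}\\pard}")
```

Running `triage_list_overrides` over a mail gateway’s RTF attachments gives a cheap first-pass indicator; any `count_out_of_spec` or `count_mismatch` result warrants sandboxing the file.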

McAfee Labs researchers discovered that all the bytes of the shellcode and the return-oriented programming (ROP) chain are directly controlled by the attacker and come straight from the RTF structure. Here is a high-level view of how the ROP chain is formed:

Next we see a snapshot of the parsed RTF structure in memory leading to the control of the EIP:

Successful execution of the shellcode opens the decoy document and drops the malware svohost.exe in the %TEMP% directory and then connects to the control server.

(McAfee Labs researchers Haifei Li and Xie Jun have already blogged on the technical details of the vulnerability and the shellcode.)

In this cycle of spear phishing attacks we’ve also seen email targeting the same organization with attachments that exploit the two-year-old CVE-2012-0158 vulnerability. The malicious payload arrives in the innocuous-sounding article.doc.

The following API trace gives an idea of the sequence of activities once the exploit is launched on the system:

Payload Analysis

Our analysis of the dropped binary reveals that it was specifically written to gather information about the network of the target organization as well as the configuration of the endpoint, leading us to believe that this is the reconnaissance stage of a spear phishing campaign. The payload seems to have been compiled on April 9:

The malware starts by retrieving the %Temp% path and prepares to log the communication with its control server in the file %Temp%explorer.exe.

Subsequently, the malware collects the following information:

  • Hostname
  • Username
  • System type, determined by resolving the IsWow64Process API
  • Current TCP and UDP connections and open ports
  • Organizational information from the registry key HKLM/Software/Microsoft/WindowsNT/CurrentVersion: ProductName, CSDVersion, CurrentVersion, CurrentBuildNumber, RegisteredOrganization, RegisteredOwner
  • Currently running system services
  • Installed software from the registry key HKLM/Software/Microsoft/Windows/CurrentVersion/Uninstall
  • Information about network adapters: IP configuration, netcard numbers, IP mask, gateway, DHCP server, DHCP host, WINS server, and WINS host

Here is a high-level snapshot of the malware’s information gathering code:

Encryption is keyed from the SYSTEMTIME structure: the malware builds a repeating 256-byte key from SYSTEMTIME values, shown below:

The malware converts the key into 16 bytes to encrypt the information.

Once the buffer has been encrypted, the malware connects to the control server.

Command and Control Research

During our analysis of this exploit, resolved to the IP address located in Fremont, California. McAfee sensors first observed the outbound traffic to this domain on January 27, at which time it resolved to, located in Los Angeles.

From our passive DNS data, we found the following MD5 hashes connecting to the same domain, resolving to

4ab74387f7a02c115deea2110f961fd3 January 27, 2014
8dc8e02e06ca7c825d42d82ec19d8377 January 28, 2014
0331417d7fc3d075128da1353ae880d8 March 30, 2014
5e2360a8c4a0cce1ae22919d8bff49fd April 25, 2014

The whois record reveals that the domain has been registered under the email ID This ID also registered the domain, which has been used as the control server.

We have seen several other malware binaries communicating with the various subdomains of and All of them have been identified as “PittyTiger” malware, which appears in numerous CVE-2012-0158 exploits used in recent targeted attacks. The same payload was used in the “Tomato Garden” APT campaign, uncovered in June 2013, against Tibetan and Chinese democracy activists.

Additional domains related to this attack:

McAfee Product Coverage

McAfee coverage for CVE-2014-1761 is detailed here. McAfee Advanced Threat Defense provides zero-day detection for CVE-2012-0158.

As usual, exercise extreme caution when opening documents from unknown sources and use the latest versions of software.

I would like to thank my colleague S. R. Venkatachalabathy for assistance in this research.