

Showing posts from 2013

CVE-2012-0158 exploit evades AV in Mime HTML format

Since the end of April 2013 we've been seeing APT1, the NetTraveler/Netshark/Surtr group and others use Mime-MSO format files to deliver CVE-2012-0158 exploits to victims in spear phishing attacks. By packaging the exploit within a MIME document instead of an RTF or OLE Word document, the attackers appear to avoid detection by half or more of the AV products on VirusTotal.

The malicious file, although it is MIME and HTML content, is normally given a .doc or .rtf extension to associate it with Microsoft Office. The content is similar to a MIME email or a single-file web archive:

Unlike the RTF version of the CVE-2012-0158 exploit, the MIME version has received very little exposure and still bypasses many AV products despite the lack of any obfuscation effort.

This CVE-2012-0158 Mime delivery method was previously reported in May 2013 by Antiy Labs [PDF].

Instead of calling vuln…

MS13-051 / CVE-2013-1331 Office zero day patched by Microsoft

Here's some info on the now-patched (as of June 11 2013) zero day that's starting to come out.

MSFT advisory:


Sample on VT from March 4 2013 (credit Eromang):

And also a quick note that while no one submitted any CVE-2013-1331 samples to Cryptam before the public release, we would have detected the suspicious ScriptBridge reference in the above sample:

Update: @eromang has found samples of this exploit dating back to 2009, check out his blog post.

Tomato Garden Campaign: Part 2 - An Old "New" Exploit

Following up on our previous post, our analysis has shown the exploit is patched by MS12-060; however, it is not CVE-2012-1856, which deals with the MSCOMCTL.OCX TabStrip control.

The exploit we found used in targeted spear phishing in the wild uses the Toolbar ActiveX control to create a stack overflow - not TabStrip - but this new exploit is mitigated by the MS12-060 patch, making it old. Most of the samples extract a 256 byte XORed executable after offset 0x8000.

As the exploit is indirectly patched, we will release all the related identifiers in the hope that commercial AV can increase their detection rates for this exploit. The current top document exploit is CVE-2012-0158; since this new exploit requires a later patch to fix and has lower detection rates than both CVE-2012-0158 and CVE-2012-1856, we expect it to become even more popular.


Tomato Garden Campaign - Possible Microsoft Office zero day in the wild used against Tibet and China Democracy activists

Update: So far some of the samples are killed by MS12-060 but are not a known exploit, so this might be a new, but already patched, exploit. The purpose of this campaign might be to evade AV while going after users without the latest patch - all samples are at 7 or 8 of 43 max on VirusTotal.

We are currently examining 40 samples of an unconfirmed zero day in Microsoft Office circulating against pro-democracy and Tibet activists. One of the exploit documents contains a "PittyTiger" payload; however, several different payload implants have been observed. The exploit is contained in a .doc file but could be delivered via RTF as well. We've seen attacks since June 4 2013 using payloads compiled on May 28, and some of the command and control domains have been registered as late as today, June 6 2013.

We have provided the samples to Microsoft and are awaiting confirmation.

We will release detection signatures for our Cryptam document malware scanner - free online scanning at Cryptam.…

Tips for detecting cyber espionage attacks - how to find suspicious emails

State sponsored cyber espionage or targeted malware is most often delivered as email attachments or links within the body of an email. The other methods are compromised websites (watering hole attacks) and direct hacking via externally available systems such as servers and databases. Email is by far the most common and successful way to be targeted by a foreign state, but it's also the one best defended against by user awareness.

Typical Targets of APT
- Human rights groups - Tibet, democracy etc.
- Fortune 500
- Military, foreign affairs, government, and contractors
- Resources and energy
- Communications
- Aerospace
- Transportation
- Health Care
- Emerging Technology
- Companies that trade with or compete with China

Tips to detect suspicious emails:
- Themes - socially engineered emails look somewhat related to your interests or business, but are often something general like a recent news event, or a related theme but not something you're involved with - like invitations or conference attendee lists for events you…

Yara Scanning added to command line tools

We've pushed out updates to the PDFExaminer and Cryptam command line versions tonight that include Yara scanning capability. Unlike running the standard Yara tool, our Yara plugin in PDFExaminer and Cryptam allows you to look deeper inside document files.

PDFExaminer CLI - Yara Related Features
- Run Yara signatures against decoded streams such as FlateDecode, AsciiHex85, CCITTFaxDecode, and many more.
- Run Yara signatures against decrypted streams of RC4/AES encrypted PDFs.
- Run Yara signatures against decrypted parameter strings.

Cryptam CLI - Yara Related Features
- Run Yara signatures against all the subfiles of OpenXML format documents such as docx, xlsx, pptx.
- Run Yara signatures against decoded RTF datastreams.
- Run Yara signatures against automatically decrypted embedded executables and dropped clean documents.

Automate your triage of incoming targeted APT attacks. Scan a malware RTF file, extract the executables, and identify the implant or intrusion set TTP with your own Yara signat…

Using PDFExaminer to analyse Mandiant_APT2_Report.pdf

Here's a quick walkthrough on using PDFExaminer to triage the Mandiant_APT2_Report.pdf file reported by @9bplus on his blog.

We've added a new feature to the command line version of PDFExaminer to specify the user password for these types of encrypted documents:

$ php pdfex.php  -p "hello" Mandiant_APT2_Report.pdf summary key key_length
summary=72.0@1090: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
29.0@4378: suspicious.warning: object contains JavaScript
38.0@9351: suspicious.warning: object contains JavaScript
39.0@10793: suspicious.warning: object contains JavaScript
50.0@15082: suspicious.flash addFrameScript
50.0@15082: suspicious.flash Embedded Flash
50.0@15082: suspicious.flash Embedded Flash define obj
56.0@17726: suspicious.warning: object contains JavaScript
49.0@1095: suspicious.flash Adobe Shockwave Flash in a PDF define obj type

First - the Flash file stands out pretty quickly:
$ md5 14a6e24977ff6e7e8a8661aadfa1a…

New PDF Zero Day

We are currently investigating a new Adobe zero day which bypasses the sandbox protections of Reader 11.0.1, as reported by FireEye. We anticipate a patch will be released very quickly.

We recommend avoiding opening any PDF received by email or from a website until Adobe releases more information.

PDFExaminer does detect the zero day PDF as suspicious due to the JavaScript obfuscation techniques it uses, such as eval.