Skip to main content

Posts

Showing posts from August, 2013

CVE-2012-0158 exploit evades AV in Mime HTML format

Since the end of April 2013 we've been seeing APT1, the NetTraveler/Netshark/Surtr group and others use Mime-MSO format files to deliver CVE-2012-0158 exploits to victims in spear phishing attacks.  By packaging the exploit within a Mime document instead of RTF or OLE Word document, the attackers appear to avoid detection by half or more of the AV products on VirusTotal.



The malicious file, while being mime and HTML content, is normally named with a with .doc or .rtf to associate it as a Microsoft office document. The content is similar to a mime email or single file web archive:




Unlike the RTF version of the CVE-2012-0158 exploit, the Mime version has received very little exposure and still bypasses many AV products despite the lack of obfuscation efforts.

This CVE-2012-0158 Mime delivery method was previously reported in May 2013 by Antiy Labs [PDF http://www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf].


Instead of calling vuln…