Skip to main content

Posts

Showing posts from April, 2014

CVE-2012-0158 in Mime HTML MSO format still baffles AV + MH370 Theme

When we started working on the research for this blog post we were exploring Malaysia Airlines Flight 370 (MH370) malware lures using Yara to flag samples in Cryptam with the following rule:

rule theme_MH370 {
    meta:
        author = "MalwareTracker.com"
        version = "1.0"
        date = "2014-04-09"
    strings:
        $callsign1 = "MH370" ascii wide nocase fullword
        $callsign2 = "MAS370" ascii wide nocase fullword
        $desc1 = "Flight 370" ascii wide nocase fullword
    condition:
        any of them
}




In addition to APT1 use of the lure in Word document 5e8d64185737f835318489fda46f31a6 dropping an updated version of Trojan Elise, we were surprised to see that one of the recent MH370 lures was a Mime MSO document exploiting MS Office Word vulnerability CVE-2012-0158 with 0 detection rate on VirusTotal dropping a variant of Vidgrab/Evilgrab. FireEye nicely covered a number of the MH370 campaigns in their March blog po…

Cryptam Malware Document Analizer + imphash

The web and suite versions of the Cryptam document malware analysis system now calculate the imphash of embedded/dropped executables when possible and store this value within the dropped file info for searching. The imphash is a executable similarity hash based on the Import Address Table order and is included in pefile.py. Cryptam is designed to statically extract the xor/rol/ror/not obfuscated executables from malware documents such as RTF, MS Office, or PDF files and can automatically process the dropped files with Yara or an external sandbox.



This new feature allows you to link dropper executables to current or past attack campaigns and to cross reference older samples which may have already been identified with Yara signatures but now have been modified to evade the unique static string matching common to many Yara signatures.

Imphash searching is available to registered users under Advanced Search - drop_files like <your imphash>.

















Searching the example imphash c948ebda9bd9…