On October 18th 2017, malspam delivered a malicious RTF document that attempts to exploit Microsoft Office/WordPad through a buffer overflow vulnerability in the ListView / TreeView ActiveX controls of the MSCOMCTL.OCX library (CVE-2012-0158). The malicious code is triggered when a specially crafted DOC or RTF file is opened in an unpatched MS Office product.
VirusTotal analysis of the delivered document confirms the presence of the RTF exploit.


After the document is opened in a vulnerable Microsoft Word application, shellcode embedded in the RTF file establishes a connection to “http://careers[.]fwo[.]com[.]pk/” to download a malicious executable payload, which kicks off the following network events.



VirusTotal analysis of the final payload, “printer.exe”, confirms that it is Revenge-RAT, a Remote Access Trojan (RAT).



Once the download is complete, the binary is executed and post-infection traffic starts. The request contains Base64-encoded information about the infected machine, such as its IP address, domain and username, operating system, processor model and speed, and language.

Breaking the request down into its individual strings reveals a specific pattern and the following information:
- Information
- Revenge-RAT R3Vlc3Q Guest
- Revenge-RAT XzQ0RkVDOTA4 _44FEC908
- Revenge-RAT 10.10.10.166 System IP
- Revenge-RAT Q0FGRVdFU1QgLyBqYW1lcw CAFEWEST / james
- Revenge-RAT No 6
- Revenge-RAT TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwgIDMy Microsoft Windows 7 Professional 32
- Revenge-RAT SW50ZWwoUikgWGVvbihSKSBDUFUgICAgICAgICAgIFg1NjkwICBAIDMuNDdHSHo Intel(R) Xeon(R) CPU X5690 @ 3.47GHz
- Revenge-RAT 1073274880
- Revenge-RAT Ti9B N/A
- Revenge-RAT Ti9B N/A
- Revenge-RAT 3339
- Revenge-RAT UHJvZ3JhbSBNYW5hZ2Vy Program Manager
- Revenge-RAT ZW4tVVM en-US
- Revenge-RAT False
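The breakdown above shows the shape of the beacon: a leading marker followed by a run of fields, most of them Base64 without the trailing "=" padding, a few (the IP address, "No 6", "False", the numeric values) sent in the clear. The Python below is an added example, not part of the original advisory and not RSA NetWitness's own detection content: it parses a beacon body of that shape, restores the missing padding, decodes only the fields that decode to printable text, and flags the session. It assumes that the literal token "Revenge-RAT" which labels each line of the breakdown is the field separator and that the leading "Information" string is a fixed marker; the sample body is constructed from the values in the list rather than taken from a capture, and the key names returned by extract_host_info are this example's own labels.

```python
import base64
import binascii
import re

# Assumption: the fields are delimited by the literal token that labels each
# line of the advisory's breakdown. Kept as a constant so it can be swapped for
# the separator actually observed in a capture.
SEPARATOR = "Revenge-RAT"

# Constructed sample beacon body, rebuilt from the advisory's breakdown (not a
# packet capture). Base64 fields carry no "=" padding, exactly as listed.
SAMPLE_BEACON = SEPARATOR.join([
    "Information",
    "R3Vlc3Q",                 # Guest
    "XzQ0RkVDOTA4",            # _44FEC908
    "10.10.10.166",            # system IP, sent in the clear
    "Q0FGRVdFU1QgLyBqYW1lcw",  # CAFEWEST / james
    "No 6",
    "TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwgIDMy",                # Windows 7 Pro 32
    "SW50ZWwoUikgWGVvbihSKSBDUFUgICAgICAgICAgIFg1NjkwICBAIDMuNDdHSHo",  # Xeon X5690
    "1073274880",
    "Ti9B",                    # N/A
    "Ti9B",                    # N/A
    "3339",
    "UHJvZ3JhbSBNYW5hZ2Vy",    # Program Manager
    "ZW4tVVM",                 # en-US
    "False",
])

_B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+")


def decode_field(raw: str) -> str:
    """Decode one field if it is unpadded Base64 that yields printable text.

    Plain-text fields (IP address, "False", numbers) are returned unchanged:
    either they contain characters outside the Base64 alphabet, have a length
    no Base64 string can have, or decode to bytes that are not valid UTF-8.
    """
    if not _B64_ALPHABET.fullmatch(raw) or len(raw) % 4 == 1:
        return raw
    padded = raw + "=" * (-len(raw) % 4)   # restore the stripped "=" padding
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return raw
    return text if text and text.isprintable() else raw


def parse_beacon(body: str) -> list[str]:
    """Split the body on the separator and decode every field that decodes."""
    return [decode_field(part) for part in body.split(SEPARATOR)]


def looks_like_revenge_rat(body: str, min_fields: int = 8) -> bool:
    """Detection heuristic for a post-infection request body.

    Requires the separator token, the leading "Information" marker (assumed to
    be fixed), a plausible number of fields and at least one field that
    decodes from Base64 to printable text.
    """
    if SEPARATOR not in body:
        return False
    parts = body.split(SEPARATOR)
    if len(parts) < min_fields or parts[0] != "Information":
        return False
    return any(decode_field(p) != p for p in parts[1:])


def extract_host_info(body: str) -> dict:
    """Pull the analyst-relevant fields out by position.

    Positions follow the advisory's breakdown (IP, "hostname / user", OS, CPU,
    language); the dictionary keys are this example's own labels.
    """
    parts = parse_beacon(body)
    return {
        "system_ip": parts[3],
        "host_and_user": parts[4],
        "os": " ".join(parts[6].split()),   # collapse doubled spaces
        "cpu": " ".join(parts[7].split()),  # collapse the padded spaces
        "language": parts[13],
    }


if __name__ == "__main__":
    print("suspicious:", looks_like_revenge_rat(SAMPLE_BEACON))
    for key, value in extract_host_info(SAMPLE_BEACON).items():
        print(f"{key:14s} {value}")
```

Two points worth keeping in mind when turning this into production detection logic. First, the padding is genuinely absent on the wire, so a naive base64 decode of a raw field raises an error; the `-len(raw) % 4` padding step is what makes the Guest, en-US and "CAFEWEST / james" fields decode. Second, "is it Base64?" is a heuristic: a clear-text field that happens to use only the Base64 alphabet and decodes to printable UTF-8 would be mis-decoded, so once the protocol is characterised, each position should be given a fixed type rather than sniffed.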
Current RSA NetWitness detection populates the following meta for the download sessions:


Current RSA NetWitness detection populates the following meta for the post-infection traffic:

More detailed information about CVE-2012-0158 can be found here:
Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.
