9.3
CVSSv2

CVE-2012-0158

Published: 10/04/2012 Updated: 12/10/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 937
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote malicious users to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."


Vulnerable Products

microsoft office 2010

microsoft office 2003

microsoft office web components 2003

microsoft office 2007

microsoft sql server 2000

microsoft sql server 2008

microsoft sql server 2005

microsoft biztalk server 2002

microsoft commerce server 2002

microsoft commerce server 2007

microsoft commerce server 2009

microsoft visual foxpro 8.0

microsoft visual foxpro 9.0

microsoft visual basic 6.0

Exploits

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit:: ...

Github Repositories

amliaW4's Blog

About 2014-hack-lu-oreo time:2018-6 categories:CTF \ Fastbin-Double-Free \ House-Of-Spirit 2014-hitcon-stkof 2016-bctf-bcloud 2016-hctf-fheap 2017-0ctf-babyheap 2018王鼎杯uess-ssp-leak ali-activex-imageMan chunk-extend chunk_notes CVE-2010-2553 CVE-2010-2883 CVE-2010-3333 CVE-2012-0158 defcamp-ctf-quals-2018-lucky-writeup dep double-free english-reading fastbin-attack h

Custom rules for yara-integrated scans

yarasigs Custom rules for yara-integrated scans signatures/cve.yar CVE-2012-0158 (Common OLE signature) CVE-2012-0158 (Newer variant) signatures/apt.yar From AlienVault Labs labs.alienvault.com/labs/index.php/2013/yara-rules-for-apt1comment-crew-malware-arsenal/ github.com/jaimeblasco/AlienvaultLabs/blob/master/malware_analysis/CommentCrew/apt1.yara signature

The name of the virus is the detection name used by Microsoft Defender, the typical antivirus

Exploit-Win32CVE-2012-0158Fdoc The name of the virus is the detection name used by Microsoft Defender, the typical antivirus


Panopticon-GoblinPanda Panopticon Project GoblinPanda Aliases Other names the threat actor is known by * * Overview A high level summary of the threat actor 2013 Attack Pattern A type of Tactics, Techniques, and Procedures (TTP) that describes ways threat actors attempt to compromise targets Campaign A grouping of adversarial behaviors that describes a set of malicious activi

Vulnerability analysis

Vulnerability-analysis Vulnerability analysis: MSCOMCTL.OCX RCE vulnerability - CVE-2012-0158; CVE-2017-11882; document-based (file-format) vulnerabilities

Recent Articles

Cycldek: Bridging the (air) gap
Securelist • GReAT Mark Lechtik Giampaolo Dedola • 03 Jun 2020

While investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. Here are some key insights that will be described in this publication: Cycldek is a long-known Chinese-speaking threat actor. Based on the group’s past activity, it has a str...

US-CERT lists the 10 most-exploited security bugs and, yeah, it's mostly Microsoft holes people forgot to patch
The Register • Shaun Nichols in San Francisco • 14 May 2020

Update, update, update. Plus: Flash, Struts, Drupal also make appearances

Sadly, 111 in this story isn't binary. It's decimal. It's the number of security fixes emitted by Microsoft this week.

Vulnerabilities in Microsoft Windows, Office, and Windows Server, for which patches have been available for years, continue to be the favorite target for hackers looking to spread malware. A list posted by US-CERT this week rattles off the 10 most oft-targeted security vulnerabilities during the past three years, and finds that, shock horror, for the most part, keeping up with patching will keep you safe. Microsoft ranks highly in the list because its software is widely used, and provides the mo...

Fresh Microsoft Office franken-exploit flops – and you should have patched by now anyway
The Register • John Leyden • 15 Aug 2017

Exploit combo fails to dodge Word warning prompts

Updated A booby-trapped .RTF file is doing the rounds that combines two publicly available Microsoft Office exploits. Opening the document in a vulnerable installation of Office is supposed to lead to arbitrary execution of any malicious code within the file. Cisco's security outfit Talos believes "the attackers used the combination to avoid Word displaying [an on-screen] prompt which may raise suspicions for the target end user. Another possibility is that they attempted to use this combination...

Chinese hackers switch tactics for spying on Russian jet makers
The Register • John Leyden • 03 Feb 2017

New spear-phishing method for copy-pasting military hardware

Chinese state-sponsored hackers are targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, a group began using a new downloader known as ZeroT, spear-phishing emails to install the PlugX remote access Trojan (RAT), according to security researchers at Proofpoint. In previous campaigns, the group used spear-phishing emails with Microsoft Word document attachments utilising CVE-2012-0158, or URLs linking to .rar-compressed executable nasties. These attacks have...

InPage zero-day exploit used to attack financial institutions in Asia
Securelist • Denis Legezo • 23 Nov 2016

In September 2016, while researching a new wave of attacks, we found an interesting target which appeared to constantly receive spearphishes, a practice we commonly describe as a “magnet of threats”. Among all the attacks received by this magnet of threats, which included various older Office exploits such as CVE-2012-0158, one of them attracted our attention. This file, which was also uploaded to a multiscanner service in September 2016, had an extension that we were unfamiliar with – “...

IT threat evolution Q3 2016
Securelist • David Emm • 03 Nov 2016

Statistics  Download the full report (PDF) Targeted attack campaigns don’t need to be technically advanced in order to be successful. In July 2016 we reported on a group called Dropping Elephant (also known as ‘Chinastrats’ and ‘Patchwork’). Using a combination of social engineering, old exploit code and some PowerShell-based malware this group was able to steal sensitive data from its victims. This group, which has been active since November 2015, targets high profile diplomatic and ...

Indian hacking gang goes on three-year Chinese phishing trip
The Register • Darren Pauli • 11 Aug 2016

Gang has cunning way of hiding itself by using multiple names

Suspected hackers based in India have compromised thousands of computers, going about their business as far back as 2013. The group has been rumbled by three security firms over that time, but was until now considered to be several discrete entities. Now Forcepoint researchers Andy Settle, Nicholas Griffin, and Abel Toro say the Monsoon group, dubbed previously as Patchwork APT, Dropping Elephant, and Operation Hangover, has used spear phishing emails to effectively target organisations with inf...

The Dropping Elephant – aggressive cyber-espionage in the Asian region
Securelist • GReAT • 08 Jul 2016

Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks. Overall, the activities of this actor show that low investment and ready-made offensive toolsets can be very effective when combined ...

Four bugs bait hooks in Asian phishing trip
The Register • Darren Pauli • 20 Apr 2016

Rich text pwnage

Malware writers are exploiting four RTF parser vulnerabilities, in a long-running campaign to target journalists, human rights activists, and Tibetans across Hong Kong and Taiwan. An Arbor Networks study found miscreants are exploiting since-patched vulnerabilities in Microsoft Office's handling of rich text files (CVE-2012-0158; CVE-2012-1856; CVE-2015-1641; and CVE-2015-1770), which help deliver at least six forms of Chinese malware. The research team reckons the characteristics of the tools, ...

Hong Kong hacks hacked in democracy protest yap flap
The Register • Darren Pauli • 02 Dec 2015

Beijing Someone in China casts baited lede hooks into news room feeding frenzy.

Chinese hackers who previously popped Western financial firms are now using Dropbox to target Hong Kong based journalists, FireEye says. The group, suspected to be an outfit known as "admin@338", is using the cloud service to host command and control for its infection operations. Its attacks drop the backdoor payload dubbed Lowball delivered through an old and since-patched Microsoft Office vulnerability (CVE-2012-0158) communicating over secure sockets to Dropbox. FireEye researchers say the ta...

The Spring Dragon APT
Securelist • Kurt Baumgartner • 17 Jun 2015

Let’s examine a couple of interesting delivery techniques from an APT active for the past several years, the Spring Dragon APT. A paper released today by our colleagues at Palo Alto Networks presented a portion of data on this crew under the label “the Lotus Blossom Operation“, likely named for the debug string present in much of the “Elise” codebase since at least 2012: “d:\lstudio\projects\lotus\…”. The group’s capabilities are more than the much discussed CVE-2012-0158 ex...

The Naikon APT
Securelist • Kurt Baumgartner Maxim Golovkin • 14 May 2015

Our recent report, “The Chronicles of the Hellsing APT: the Empire Strikes Back” began with an introduction to the Naikon APT, describing it as “One of the most active APTs in Asia, especially around the South China Sea”. Naikon was mentioned because of its role in what turned out to be a unique and surprising story about payback. It was a Naikon attack on a Hellsing-related organization that first introduced us to the Hellsing APT.  Considering the volume of Naikon activity observed an...

The Chronicles of the Hellsing APT: the Empire Strikes Back
Securelist • Costin Raiu Maxim Golovkin • 15 Apr 2015

https://www.youtube.com/watch?v=gvAUfp4iDw4 One of the most active APT groups in Asia, and especially around the South China Sea area is “Naikon”. Naikon plays a key part in our story, but the focus of this report is on another threat actor entirely; one who came to our attention when they hit back at a Naikon attack. Naikon is known for its custom backdoor, called RARSTONE, which our colleagues at Trend Micro have described in detail. The name Naikon comes from a custom user agent string, ...

Energy utilities targeted by Office-spawned recon attack tool
The Register • Darren Pauli • 02 Apr 2015

Yet another reason Excel is evil, and yet another reason to get up to date on patches

Malware writers are targeting international energy utilities with a new trojan that creates beachheads to enable subsequent more advanced attacks. Symantec security boffin Christian Tripputi says the campaign, detected in the first two months of 2015, has a particular focus on creating beachheads on petroleum and gas utilities operating in the Middle East. Tripputi says Britain and the United States account for a combined 10 per cent of infections by the "Laziok" trojan. "The [stolen] detailed i...

Cloud Atlas: RedOctober APT is back in style
Securelist • GReAT • 10 Dec 2014

Two years ago, we published our research into RedOctober, a complex cyber-espionage operation targeting diplomatic embassies worldwide. We named it RedOctober because we started this investigation in October 2012, an unusually hot month. After our announcement in January 2013, the RedOctober operation was promptly shut down and the network of C&Cs was dismantled. As usually happens with these big operations, considering the huge investment and number of resources behind it, they don’t just...

IT threat evolution Q3 2014
Securelist • David Emm Maria Garnaeva Victor Chebyshev Roman Unuchek Denis Makrushin Anton Ivanov • 18 Nov 2014

PDF version In July we published our in-depth analysis into a targeted attack campaign that we dubbed ‘Crouching Yeti’. This campaign is also known as ‘Energetic Bear’. This campaign, which has been active since late 2010, has so far targeted the following sectors:  industrial/machinery, manufacturing, pharmaceutical, construction, education and information technology.  So far there have been more than 2,800 victims worldwide, and we have been able to identify 101 different organisatio...

Thefts in remote banking systems: incident investigations
Securelist • Mikhail Prokhorenko • 11 Sep 2014

More and more companies are asking Kaspersky Lab to carry out detailed investigations of malware-related IT security incidents affecting their business. In this article, we will describe a typical cybercriminal attack aiming at stealing corporate financial assets from a remote banking system. An organization recently asked Kaspersky Lab to investigate an incident that had occurred in its corporate remote banking system: a bank representative contacted the organization’s accounting department a...

NetTraveler APT Gets a Makeover for 10th Birthday
Securelist • Costin Raiu Kurt Baumgartner • 27 Aug 2014

We have written about NetTraveler before HERE and HERE. Earlier this year, we observed an uptick in the number of attacks against Uyghur and Tibetan supporters using an updated version of the NetTraveler backdoor. Here’s an example of a targeted spear-phishing e-mail directed at Uyghur activists in March 2014. The e-mail has two attachments, a non-malicious JPG file and a 373 KB Microsoft Word .DOC file. The .DOC file, which in reality is a “Single File Web Page” container, also known as ...

Oi! Rip Van Winkle: PATCH, already
The Register • Darren Pauli • 20 Aug 2014

Stuxnet, Sality, Gauss, Flame still infecting your unpatched boxen

Nearly 20 million computers remain infected with malware targeting a vulnerability first targeted four years ago by the Stuxnet worm. The flaw (CVE-2010-2568) was a Windows operating system bug in the way shortcuts worked allowing quiet download of the random dynamic library on Win Server 2003 and XP through to version 7. Since July 2010 it has continued to power the Sality worm, and fueled Stuxnet and its derivatives Flame and Gauss on unpatched machines. The Red October malware emerged in Janu...

Spam and phishing in Q2 2014
Securelist • Darya Gudkova Nadezhda Demidova • 12 Aug 2014

PDF Version On 1 July, new anti-spam legislation (CASL) came into effect in Canada. The new law covers commercial communications including email, messages on social networks and instant messaging services as well as SMS. Now, before a company starts sending emails, it must get the recipients’ consent. Canadian companies appear to have taken the new law seriously: in the second quarter, we saw a lot emails from Canadian companies asking users for permission to send their mailings. As well as as...

Windows Registry-infecting malware has no files, survives reboots
The Register • Darren Pauli • 04 Aug 2014

Antivirus doesn't stand a chance because there's nothing for it to scan

Researchers have detailed a rare form of Windows malware that maintains infection on machines and steals data without installing files. The malware resides in the computer registry only and is therefore not easy to detect. Its code reaches machines through a malicious Microsoft Word document before creating a hidden encoded autostart registry key, malware researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says. It then creates and executes shellcode and a payload Windows binary. "A...

Spam in April 2014
Securelist • Tatyana Shcherbakova Maria Vergelis • 28 May 2014

In April, holiday-themed mass mailings featured Easter, which was used not only to advertise spammer products, but by a variety of scammers who sent out fake lottery winnings notifications to Internet users and malware disguised as holiday e-greetings. Scammers also mailed out offers to earn money from stock in American pharmaceutical companies – so-called pump and dump spam. Several large mailings advertised the services of a variety of medical institutions and dental clinics, as well as ways...

Microsoft Updates December 2013
Securelist • Kurt Baumgartner • 10 Dec 2013

Eight Microsoft Security Bulletins are being pushed out this month, MS13-096 through MS13-106. Five of them are rated “Critical” and another six are rated “Important”. The top priorities to roll out this month are the critical GDI+ (MS13-096), Internet Explorer (MS13-097), and Scripting Runtime (MS13-099) updates. Several of the vulnerabilities have been actively exploited as a part of targeted attacks around the world, and one of them is known to be ItW for at least six months or so. Th...

Kaspersky Security Bulletin 2013. Corporate threats
Securelist • Vitaly Kamluk Sergey Lozhkin • 05 Dec 2013

Tat’jana Šerbakova PDF Version The number of serious cyber-attacks detected over the last two years has increased so much that new attacks rarely cause much surprise. It’s now commonplace for antivirus companies to issue a report about the discovery of another botnet or highly sophisticated malware campaign that is gathering data. Companies are increasingly falling victim to cyber-attacks. According to a survey conducted by Kaspersky Lab and B2B International, 91% of the organizations polle...

The Icefog APT: Frequently Asked Questions
Securelist • GReAT • 26 Sep 2013

Here are answers to the most frequently asked questions related to Icefog, an APT operation targeting entities in Japan and South Korea. Icefog refers to a cyber-espionage campaign that has been active at least since 2011. It targets governmental institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan. It is likely that the crew targets organizations in ...

Nasty nuke-lab data-slurper EVOLVES, now feeds off new Java hole
The Register • John Leyden • 05 Sep 2013

Latest version of data-stealer targets Uyghur dissidents

A piece of malware linked to attacks against governments and organisations involved in hi-tech industries such as space exploration and nuclear power has been adapted to exploit a recently uncovered Java security flaw. NetTraveler has been outfitted to exploit a recently patched Java bug as part of a watering-hole-style attack involving compromised websites that redirects victims to an attack site hosting exploit code. The latest variants of the malware appear, which surfaced over the last few d...

NetTraveler Is Back: The ‘Red Star’ APT Returns With New Tricks
Securelist • Costin Raiu • 03 Sep 2013

NetTraveler, which we described in depth in a previous post, is an APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler (also known as ‘Travnet’ or “Netfile”) include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors. During the last week, several spear-phishing e-mails were sent t...

IT Threat Evolution: Q2 2013
Securelist • Christian Funk Denis Maslennikov • 15 Aug 2013

In early June, Kaspersky Lab announced a discovery that opened a whole new chapter in the field of cyber-espionage. Named NetTraveler, this is family of malicious programs used by APT actors to successfully compromise more than 350 high-profile victims in 40 countries. The NetTraveler group infected victims across both the public and private sector including government institutions, embassies, the oil and gas industry, research centers, military contractors and activists. The threat, which has b...

The curious case of a CVE-2012-0158 exploit
Securelist • Marta Janus • 06 Aug 2013

CVE-2012-0158 is a buffer overflow vulnerability in the ListView / TreeView ActiveX controls in the MSCOMCTL.OCX library. The malicious code can be triggered by a specially crafted DOC or RTF file for MS Office versions 2003, 2007 and 2010. Although this vulnerability was patched by Microsoft more than a year ago, it seems that not everyone cared to install the updates. And those who didn’t may be at risk of getting all their documents, pictures and databases encrypted by a new version of the ...
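What a triage pipeline needs from the description above (and from the vulnerability summary at the top of the page and the yarasigs entry under GitHub Repositories) is a way to pull the embedded OLE object out of a suspect RTF and check whether it references the MSCOMCTL ListView/TreeView controls at all. The Python scanner below is an added example, not code from Securelist, Vulmon or the yarasigs project. The CLSIDs, the ProgID strings and the "Cobj" record tag are assumed values taken from public descriptions of the control library and of in-the-wild samples (none of them appear on this page), and the document it scans is constructed inline and is not an exploit.

```python
"""Added example (not from Vulmon, Securelist, or the yarasigs repository):
a triage scanner that decodes every embedded OLE object in an RTF file and
flags objects that reference the MSCOMCTL ListView/TreeView controls named
in the CVE-2012-0158 summary.  Values marked 'assumed' are not on the page."""
import re
import uuid

# Assumed: CLSIDs that MSCOMCTL.OCX registers for the two control families
# named in the advisory.  Verify on a reference install before relying on them.
SUSPECT_CLSIDS = {
    "MSComctlLib.ListViewCtrl.2": "BDD1F04B-858B-11D1-B16A-00C0F0283628",
    "MSComctlLib.TreeCtrl.2": "C74190B6-8589-11D1-B16A-00C0F0283628",
}
# Assumed: the 'Cobj' record tag that public analyses of in-the-wild samples
# report inside the control's persisted data.  Corroborating only; the
# CLSID/ProgID match is what drives the verdict.
COBJ_TAG = b"Cobj"
HEXDIGITS = b"0123456789abcdefABCDEF"
_OBJDATA = re.compile(rb"\\objdata\b")


def extract_objdata(rtf: bytes) -> list[bytes]:
    """Decode the hex payload of every \\objdata group in an RTF file.

    Reads until the brace that closes the group.  Control words are skipped
    and anything inside a nested group is ignored, so the line breaks and
    junk groups that samples use to defeat naive regex rules do not corrupt
    the hex stream.
    """
    blobs = []
    for m in _OBJDATA.finditer(rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break
                depth -= 1
            elif c == b"\\":
                j = i + 1
                while j < len(rtf) and rtf[j:j + 1].isalpha():
                    j += 1
                if j == i + 1:              # control symbol such as \* or \{
                    i = j + 1
                    continue
                if rtf[j:j + 1] == b"-":    # optional signed numeric parameter
                    j += 1
                while j < len(rtf) and rtf[j:j + 1].isdigit():
                    j += 1
                i = j
                continue
            elif depth == 0 and c in HEXDIGITS:
                hexchars += c
            i += 1
        if len(hexchars) % 2:               # tolerate a truncated last nibble
            hexchars = hexchars[:-1]
        if hexchars:
            blobs.append(bytes.fromhex(hexchars.decode("ascii")))
    return blobs


def inspect_object(blob: bytes) -> dict:
    """Report which MSCOMCTL controls a decoded object payload references.

    The CLSID is matched in the mixed-endian layout OLE writes to disk
    (uuid.bytes_le), which is how it shows up in the decoded RTF hex stream.
    """
    hits = {}
    for progid, clsid in SUSPECT_CLSIDS.items():
        if uuid.UUID(clsid).bytes_le in blob or progid.encode("ascii") in blob:
            hits[progid] = clsid
    return {
        "size": len(blob),
        "mscomctl_controls": sorted(hits),
        "has_cobj_record": COBJ_TAG in blob,
    }


def scan_rtf(rtf: bytes) -> list[dict]:
    """One report per embedded object, in document order."""
    return [inspect_object(b) for b in extract_objdata(rtf)]


def is_suspicious(rtf: bytes) -> bool:
    """A mailed document has no legitimate reason to embed these controls,
    so any reference to them is enough to quarantine the file for analysis."""
    return any(r["mscomctl_controls"] for r in scan_rtf(rtf))


def build_sample(malicious: bool) -> bytes:
    """Constructed test document, not a real exploit: the payload carries only
    the markers the scanner looks for, split across lines behind a junk group
    the way in-the-wild samples obfuscate the hex stream."""
    if malicious:
        payload = (b"\x01\x05\x00\x00\x02\x00\x00\x00"   # OLE 1.0 header (assumed layout)
                   + b"\x1b\x00\x00\x00MSComctlLib.ListViewCtrl.2\x00"
                   + uuid.UUID(SUSPECT_CLSIDS["MSComctlLib.ListViewCtrl.2"]).bytes_le
                   + COBJ_TAG + b"\x82\x82\x00\x00" + b"A" * 64)
    else:
        payload = b"\x01\x05\x00\x00\x02\x00\x00\x00\x08\x00\x00\x00Package\x00hello"
    hexdata = payload.hex().encode("ascii")
    body = b"\r\n".join(hexdata[k:k + 40] for k in range(0, len(hexdata), 40))
    return (rb"{\rtf1\ansi{\object\objocx{\*\objdata " + b"{\\*\\junk 1}"
            + body + b"}}Hello}")


if __name__ == "__main__":
    for label, flag in (("constructed sample", True), ("benign package", False)):
        doc = build_sample(flag)
        print(label, "suspicious" if is_suspicious(doc) else "clean", scan_rtf(doc))
```

The scanner only understands RTF; for the .doc variant the same byte patterns would be searched inside the streams of the OLE2 compound file rather than in an \objdata hex stream. A match says the document embeds a control that has no business being in mail, not that it exploits the bug; the actual fix remains the MS12-027 update and its kill bits.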

Spam in May 2013
Securelist • Tatyana Shcherbakova Maria Vergelis Darya Gudkova • 20 Jun 2013

May turned out to be fairly varied when it came to spammer creativity. In fraudulent and advertising messages the spammers made active use of well-known people and companies. The quantity of holiday-related spam fell, but we still came across mailings exploiting Mother’s Day and Memorial Day. In May spammers organized a phishing mailing disguised as messages from Microsoft customer service and support. The messages, which at first glance appear to come from the perfectly legitimate microsoft.c...

Chinese hackers launch PRISM scare campaign
The Register • Phil Muncaster • 19 Jun 2013

Supposed 'CIA list' with you on it actually contains malware

The Chinese group behind the recently discovered NetTraveler attacks is now using widespread interest in the infamous National Security Agency (NSA) PRISM surveillance program to encourage users to open malicious email attachments, it has emerged. Brandon Dixon of the 9bplus blog said he came across an email uploaded to VirusTotal entitled “CIA’s Prism Watchlist”. The intended recipient of the message was a Yahoo account associated with the Regional Tibet Youth Congress in Mundgod, India, ...

You dirty RAT: Trend Micro spots new Asia-wide attack
The Register • Phil Muncaster • 14 Jun 2013

Campaign targeting governments, telcos, and other organisations

Security researchers are warning of yet another advanced, large-scale attack campaign using sophisticated techniques to hide itself from its targets – organisations across Asia. Trend Micro has dubbed the campaign Naikon, based on the HTTP user-agent string “NOKIAN95/WEB” found in various targeted attacks across the region in India, Malaysia, Singapore, and Vietnam and elsewhere. The attacks begin in time-honoured fashion with a spear-phishing email “using messages related to diplomatic ...

Space boffins, oil giants, nuke plants 'raided' by mystery code nasty
The Register • John Leyden • 05 Jun 2013

Spain, Kyrgyzstan, Mongolia, China, this malware has had quite a trip, we're told

A piece of government-bothering malware called NetTraveler has been active since 2004 - and targets agencies and organisations involved in space exploration, nanotechnology, nuclear power, lasers, medicine, communications and more. And that's according to researchers at security biz Kaspersky Lab. More than 350 high-profile outfits in 40 countries have been hit by strains of NetTraveler, we're told. Embassies, oil and gas corporations, research institutes, military contractors and activists have...

Securo-boffins uncover new GLOBAL cyber-espionage operation
The Register • John Leyden • 20 May 2013

Two-pronged attack hits victims in 100 countries

Government ministries, technology firms, media outlets, academic research institutions and non-governmental organisations have all fallen victim to an ongoing cyberespionage operation with tendrils all over the world, according to researchers. Infosec researchers have uncovered SafeNet in as many as 100 countries. SafeNet targets potential marks using spear-phishing emails featuring a malicious attachment that exploits a Microsoft Office vulnerability that was patched last year (CVE-2012-0158). ...

Military Hardware and Men-s Health
Securelist • Ben Godwood • 29 Mar 2013

Over the last few months we have seen a series of very similar targeted attacks being blocked in our Linux Mail Security Product. In each case the documents used were RTF and the exploit was CVE-2012-0158 (MSCOMCTL.OCX RCE Vulnerability). The attacks seem to be from the same group and most appear to be sent from Australia or Republic of Korea. The sender IP addresses vary but many are sent via mail.mailftast.com. This domain is registered in China: The documents are in three categories: Most wee...

Android Trojan Found in Targeted Attack
Securelist • Kurt Baumgartner Costin Raiu Denis Maslennikov • 26 Mar 2013

In the past, we’ve seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms. We’ve documented several interesting attacks (A Gift for Dalai Lamas Birthday and Cyber Attacks Against Uyghur Mac OS X Users Intensify) which used ZIP files as well as DOC, XLS and PDF documents rigged with exploits. Several days ago, the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates. P...

“Red October”. Detailed Malware Description 1. First Stage of Attack
Securelist • GReAT • 17 Jan 2013

Based on the analysis of known cases, we identified two main ways through which Backdoor.Win32.Sputnik infects the victims. Both methods rely on spear-phishing e-mails which are sent to the prospective victims. The e-mails contain an attachment which is either an Excel or Word document, with enticing names. In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers also inf...

Red October – Java Exploit Delivery Vector Analysis
Securelist • GReAT • 16 Jan 2013

Since the publication of our report, our colleagues from Seculert have discovered and posted a blog about the usage of another delivery vector in the Red October attacks. In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers also infiltrated victim network(s) via Java exploitation (MD5: 35f1572eb7759cb7a66ca459c093e8a1 – ‘NewsFinder.jar’), known as the ‘Rhino’ exploit (CVE-2011-3544). We know the early February 2012 timeframe that ...

“Red October” Diplomatic Cyber Attacks Investigation
Securelist • GReAT • 14 Jan 2013

In October 2012, Kaspersky Lab’s Global Research & Analysis Team initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation, which we called “Red October” (after famous novel “The Hunt For The Red October”). This report is based on detailed technical analysis of a series of targeted attacks against diplomatic, govern...

Patch Tuesday October 2012 – More Microsoft Word Spearphish Risks
Securelist • Kurt Baumgartner • 10 Oct 2012

Today’s Microsoft updates include a few fixes for remote code execution, and several fixes for escalation of privilege and denial of service flaws. The priority for both general folks and corporate customers running Windows and Office will be to roll out MS12-064 affecting Microsoft Office immediately. Vulnerabilities CVE-2012-2528 and CVE-2012-0182 are patched by this bulletin, and -2528 predictably will be attacked with more malformed rtf formatted documents. These sorts of files have been deli...

A Gift for Dalai Lama’s Birthday
Securelist • Costin Raiu • 04 Jul 2012

Recently, we wrote about Dalai Lama being a frequent Mac user. While this is true for his holiness, not all his supporters use Macs yet. You may wonder why is this relevant? Well, on 6th of July, his holiness will be 77 years old, a kind of round number. There is no surprise that “Dalai Lama Birthday” attacks are already ongoing. On July 3rd, we’ve noticed a new APT campaign entitled “Dalai Lama’s birthday on July 6 to be low-key affair”: Attached to the e-mail there is a .DOC file w...

New APT Attack Shows Technical Advance in Exploit Development
Securelist • Kurt Baumgartner • 15 Jun 2012

Recently, we came by an interesting targeted attack which was evading most antivirus products. This is a recent spearphish targeting various Tibetan and human rights activists. It demonstrates the level of effort put into infiltrating their groups with some unique characteristics, relative to the many other exploits targeting CVE-2012-0158. Here’s how such e-mails appear: Subject: 噶厦政府发起彻查中国民主人硬汉李旺阳被杀事件签名 Translates to “The Kashag the governmen...

Microsoft seals up Windows zero-day flaw in April Patch Tuesday
The Register • John Leyden • 11 Apr 2012

Kill Bit for every MS boy and girl

Microsoft released six bulletins on Tuesday to fix a total of 11 vulnerabilities, one of which has become the target of active attacks against unpatched applications. One of the four critical patches in the batch – MS12-027 – addresses an ActiveX issue that impacts numerous applications and creates a mechanism to drop malware onto vulnerable Windows systems. Microsoft warned of attacks in the wild against the zero-day flaw, which affects an unusually wide range of Microsoft products and Micr...

You patched yet? Years-old Microsoft security holes still hot targets for cyber-crooks
The Register

We're number one! We're number one! We're...

It's generally accepted that security flaws in Microsoft's products are a top magnet for crooks and fraudsters: its sprawling empire of hardware and software is a target-rich ecosystem in that there is a wide range of bugs to exploit, and a huge number of vulnerable organizations and users. And so we can believe it when Qualys yesterday said 15 of the 20 most-exploited software vulnerabilities it has observed are in Microsoft's code. These are the vulnerabilities abused by miscreants to infect v...