CVSSv2: 9.3

CVE-2012-0158

Published: 10/04/2012 Updated: 12/10/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 979
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote malicious users to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."


Vulnerable Products

microsoft office 2003
microsoft office 2007
microsoft office 2010
microsoft office web components 2003
microsoft sql server 2000
microsoft sql server 2005
microsoft sql server 2008
microsoft biztalk server 2002
microsoft commerce server 2002
microsoft commerce server 2007
microsoft commerce server 2009
microsoft visual basic 6.0
microsoft visual foxpro 8.0
microsoft visual foxpro 9.0

Exploits

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    #   metasploit.com/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = AverageRanking

      include Msf::Exploit:: ...

Metasploit Modules

MS12-027 MSCOMCTL ActiveX Buffer Overflow

This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild in April 2012. This module targets Office 2007 and Office 2010. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses "msgr3en.dll", which is loaded after Office has loaded, so the malicious file must be opened through "File / Open" to achieve exploitation.

    msf > use exploit/windows/fileformat/ms12_027_mscomctl_bof
    msf exploit(ms12_027_mscomctl_bof) > show targets
        ...targets...
    msf exploit(ms12_027_mscomctl_bof) > set TARGET <target-id>
    msf exploit(ms12_027_mscomctl_bof) > show options
        ...show and set options...
    msf exploit(ms12_027_mscomctl_bof) > exploit

Github Repositories

Panopticon-GoblinPanda (Panopticon Project): GoblinPanda. Aliases: other names the threat actor is known by. Overview: a high-level summary of the threat actor, 2013. Attack Pattern: a type of Tactics, Techniques, and Procedures (TTP) that describes ways threat actors attempt to compromise targets. Campaign: a grouping of adversarial behaviors that describes a set of malicious activi...

Vulnerability analysis

Vulnerability-analysis: vulnerability analysis. MSCOMCTL.OCX RCE vulnerability - CVE-2012-0158; CVE-2017-11882; document-based vulnerabilities.

Custom rules for yara-integrated scans

yarasigs: Custom rules for yara-integrated scans. signatures/cve.yar: CVE-2012-0158 (Common OLE signature); CVE-2012-0158 (Newer variant). signatures/apt.yar: From AlienVault Labs, labs.alienvault.com/labs/index.php/2013/yara-rules-for-apt1comment-crew-malware-arsenal/ and github.com/jaimeblasco/AlienvaultLabs/blob/master/malware_analysis/CommentCrew/apt1.yara signature

This repository has all the best of the best RATs the world has ever seen

List of all the notorious RATs. RAT bins by Qirit0: 2500+ open source RAT/C&C tools, 1200+ blogs and videos about RAT/C&C analysis. Directory: Popular Tools: pupy -> (1) Tools (6) Posts; Covenant -> (3) Tools (18) Posts; Slackor -> (1) Tools (3) Posts; QuasarRAT -> (1) Tools (9) Posts; EvilOSX -> (1) Tools (9) Posts; Merlin -> (1) Tool...

Content from the WeChat public account 关注安全技术. Pentest_Note. Statement 1: In accordance with the Cybersecurity Law of the People's Republic of China and other relevant regulations, no individual or organization may engage in activities that endanger network security, such as illegally intruding into other people's networks, interfering with the normal functioning of other people's networks, or stealing network data; nor may they provide programs specifically used for intruding into networks, interfering with normal network functions and protective measures, stea...


Assignment 1. Vulnerability management. I don't think there is any point in explaining what a vulnerability is, so straight to business. Vulnerability management is a cyclical process aimed at discovering and classifying v...


Author: 小y. Public account: 关注安全技术. Pentest_Note. Put together while bored at home; will be updated gradually. Information gathering: Whois; website IP; whether a CDN is present; common ways to bypass a CDN; historical domain IPs; website architecture / server fingerprint / CMS identification / container; subdomains; the official demo site of the CMS the website uses; SSL certificate information; DNS resolution history; other sites on the same server; sites with the same architecture or source code; website JS; web...

Source: WeChat public account 关注安全技术. This project is for quick reference. Attack_Notes. Statement 1: In accordance with the Cybersecurity Law of the People's Republic of China and other relevant regulations, no individual or organization may engage in activities that endanger network security, such as illegally intruding into other people's networks, interfering with the normal functioning of other people's networks, or stealing network data; nor may they provide programs specifically used for intruding into networks or interfering with normal network functions...


office-exploit-case-study. Most samples are malware used in the real world; please study them in a virtual machine. Take responsibility yourself if you use them for illegal purposes. Samples should match the hash in the corresponding paper if mentioned. Exploits before 2012 are not included. Feel free to open issues if you have any questions. What did Microsoft do to make Office more secure? 1. Dat...

office-exploit-case-study. Collection of Office exploits used in the real world in recent years, with samples and writeups; please study them in a virtual machine. Take responsibility yourself if you use them for illegal purposes. Samples should match the hash in the corresponding writeup if mentioned. If you are looking for more PoCs (reported by researchers and never used in the real world), you ca...

Recent Articles

MITRE shares this year's top 25 most dangerous software bugs
BleepingComputer • Sergiu Gatlan • 20 Aug 2020

MITRE today shared a list of the top 25 most common and dangerous weaknesses plaguing software during the last two previous years.
Software weaknesses can be flaws, bugs, vulnerabilities, and other types of errors found in a software solution's code, architecture, implementation, or design that could expose the systems it's running on to attacks.
To make this list, the American not-for-profit organization scored each weakness based on both severity and prevalence using Common Vulnera...

USBCulprit malware targets air-gapped systems to steal govt info
BleepingComputer • Ax Sharma • 04 Jun 2020

Thought your air-gapped devices were safe? Think again.
The newly revealed USBCulprit malware is used by a group known as Cycldek, Conimes, or Goblin Panda and is designed for compromising air-gapped devices via USB.
Cycldek is a Chinese APT group that has been targeting Southeast Asian nations for a long time to steal government information and state secrets.
The APT group has demonstrably taken an interest in "large organizations and government institutions in Vietnam," state...

Cycldek: Bridging the (air) gap
Securelist • GReAT Mark Lechtik Giampaolo Dedola • 03 Jun 2020

While investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. Here are some key insights that will be described in this publication:
Cycldek is a long-known Chinese-speaking threat actor. Based on the group’s past activity, it has...

US govt shares list of most exploited vulnerabilities since 2016
BleepingComputer • Sergiu Gatlan • 12 May 2020

US Government cybersecurity agencies and specialists today have released a list of the top 10 routinely exploited security vulnerabilities between 2016 and 2019.
Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader US Government issued the AA20-133A alert through the National Cyber Awareness System to make it easier for organizations from the public and private sector to prioritize patching in their environments.
"The...

Cyberattacks Target Healthcare Orgs on Coronavirus Frontlines
Threatpost • Lindsey O'Donnell • 14 Apr 2020

Recent malware campaigns reveal that cybercriminals aren’t sparing healthcare firms, medical suppliers and hospitals on the frontlines of the coronavirus pandemic.
Researchers have shed light on two recently uncovered malware campaigns: one targeting a Canadian government healthcare organization and a Canadian medical research university, and the other hitting medical organizations and medical research facilities worldwide.
The emails sent to these unnamed organizations purported t...

8-Year-Old VelvetSweatshop Bug Resurrected in LimeRAT Campaign
Threatpost • Elizabeth Montalbano • 31 Mar 2020

Researchers have discovered a fresh campaign using Excel files to spread LimeRAT malware – making use of the hardcoded, VelvetSweatshop default password for encrypted files.
LimeRAT is a full-featured remote access tool/backdoor that can allow attackers to access an infected system and install a range of malware strains, like ransomware, cryptominers, keyloggers or botnet clients.
In the observed campaign, threat actors are creating read-only Excel files containing a LimeRAT payloa...

Defense Takeaways from Three Adversary Playbooks
Threatpost • Derek Manky • 28 Aug 2019

In these days of advanced threats, the perimeter defense strategy – though still useful and necessary – is incomplete. IT security teams need as much information about existing threats as possible, so they know what to look for and how to position proactive countermeasures. Creating and using adversary playbooks that dive-deep into current threats help in this endeavor.
Rather than focusing on the perimeter mindset of keeping the bad actors out, this new strategy focuses on preventing ...

Fresh Microsoft Office franken-exploit flops – and you should have patched by now anyway
The Register • John Leyden • 15 Aug 2017

Exploit combo fails to dodge Word warning prompts

Updated A booby-trapped .RTF file is doing the rounds that combines two publicly available Microsoft Office exploits.
Opening the document in a vulnerable installation of Office is supposed to lead to arbitrary execution of any malicious code within the file.
Cisco's security outfit Talos believes "the attackers used the combination to avoid Word displaying [an on-screen] prompt which may raise suspicions for the target end user. Another possibility is that they attempted to use this...

Office Exploit Gets New Life With PowerPoint Variation
BleepingComputer • Catalin Cimpanu • 15 Aug 2017

Over the past few months, an Office vulnerability has become one of the most popular and efficient ways of delivering malware to vulnerable computers.
The vulnerability — tracked as CVE-2017-0199 — was found by McAfee and FireEye employees in April of this year, and
at the time of its discovery.
In April, attackers were using it to deliver an RTF file to their targets, which when opened would automatically execute an OLE2link object and run malicious code to compromise us...

2016's Most Popular Exploit Was the Vulnerability Used for the Stuxnet Attacks
BleepingComputer • Catalin Cimpanu • 24 Apr 2017

One of the vulnerabilities used to spread the Stuxnet virus was 2016's most popular exploit, according to telemetry data gathered by Russia cyber-security firm Kaspersky Labs.
Identified as CVE-2010-2568, this is a security bug found in older versions of the Windows Shell (CplLnk) that affects Microsoft's Windows 7, Vista, XP, Server 2008 and Server 2003 operating systems.
Discovered and patched in 2010, the vulnerability was one of the four zero-days used in the cyber-attacks agains...

Stuxnet LNK Exploits Still Widely Circulated
Threatpost • Michael Mimoso • 20 Apr 2017

One of the alleged mandates around the development of the Stuxnet worm was that malware’s numerous components—which included a handful of zero days—should never escape the Natanz uranium enrichment facility in Iran. Eight years later, evidence continues to mount as to how that mandate was categorically not met.
Kaspersky Lab today released a report on exploits in the wild that indicates that endpoints are still running head-on into exploits for the since-patched LNK vulnerability (CV...

Chinese hackers switch tactics for spying on Russian jet makers
The Register • John Leyden • 03 Feb 2017

New spear-phishing method for copy-pasting military hardware

Chinese state-sponsored hackers are targeting military and aerospace interests in Russia and Belarus.
Since the summer of 2016, a group began using a new downloader known as ZeroT, spear-phishing emails to install the PlugX remote access Trojan (RAT), according to security researchers at Proofpoint.
In previous campaigns, the group used spear-phishing emails with Microsoft Word document attachments utilising CVE-2012-0158, or URLs linking to .rar-compressed executable nasties. These ...

InPage zero-day exploit used to attack financial institutions in Asia
Securelist • Denis Legezo • 23 Nov 2016

In September 2016, while researching a new wave of attacks, we found an interesting target which appeared to constantly receive spearphishes, a practice we commonly describe as a “magnet of threats”. Among all the attacks received by this magnet of threats, which included various older Office exploits such as CVE-2012-0158, one of them attracted our attention. This file, which was also uploaded to a multiscanner service in September 2016, had an extension that we were unfamiliar with – “...

IT threat evolution Q3 2016
Securelist • David Emm • 03 Nov 2016

Statistics
Targeted attack campaigns don’t need to be technically advanced in order to be successful. In July 2016 we reported on a group called Dropping Elephant (also known as ‘Chinastrats’ and ‘Patchwork’). Using a combination of social engineering, old exploit code and some PowerShell-based malware this group was able to steal sensitive data from its victims.
This group, which has been active since November 2015, targets high profi...

Indian hacking gang goes on three-year Chinese phishing trip
The Register • Darren Pauli • 11 Aug 2016

Gang has cunning way of hiding itself by using multiple names

Suspected hackers based in India have compromised thousands of computers, going about their business as far back as 2013.
The group has been rumbled by three security firms over that time, but was until now considered to be several discrete entities.
Now Forcepoint researchers Andy Settle, Nicholas Griffin, and Abel Toro say the Monsoon group, dubbed previously as Patchwork APT, Dropping Elephant, and Operation Hangover, has used spear phishing emails to effectively target organisati...

Dropping Elephant APT Targets Old Windows Flaws
Threatpost • Tom Spring • 08 Jul 2016

Don’t judge an APT by its exploits alone. That’s the takeaway from a report that details a unique advanced persistent threat that leverages a kludge of unsophisticated, outdated and rudimentary attack tools to conduct cyber espionage. The target of the attacks are government and diplomatic agencies in Asia with close ties to China.
Researchers discovered the APT group, dubbed Dropping Elephant, and report that it was active between November 2015 and this June. The APT, discovered by r...

The Dropping Elephant – aggressive cyber-espionage in the Asian region
Securelist • GReAT • 08 Jul 2016

Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.
Overall, the activities of this actor show that low investment and ready-made offensive toolsets can be very effective when com...

Four bugs bait hooks in Asian phishing trip
The Register • Darren Pauli • 20 Apr 2016

Rich text pwnage

Malware writers are exploiting four RTF parser vulnerabilities, in a long-running campaign to target journalists, human rights activists, and Tibetans across Hong Kong and Taiwan.
An Arbor Networks study found miscreants are exploiting since-patched vulnerabilities in Microsoft Office's handling of rich text files (CVE-2012-0158; CVE-2012-1856; CVE-2015-1641; and CVE-2015-1770), which help deliver at least six forms of Chinese malware.
The research team reckons the characteristics of...

APT Targeting Tibetans Packs Four Vulnerabilities in One Compromise
Threatpost • Tom Spring • 19 Apr 2016

Tibetans, journalists and human rights workers in Hong Kong and Taiwan have been targeted in an APT campaign that makes use of Microsoft Rich Text File (RTF) documents to compromise computers. Researchers say it’s a new strategy by attackers in an ongoing advanced persistent threat that dates back to 2009.
According to Arbor Networks, the RTF document-based attack uses four known vulnerabilities (CVE-2012-0158, CVE-2012-1856, CVE-2015-1641 and CVE-2015-1770)  in one attachment. This is...

Espionage Malware, Watering Hole Attacks Target Diplomats
Threatpost • Tom Spring • 04 Mar 2016

Diplomats and military personnel in India have been victimized in targeted espionage attacks that use a number of means of infection including phishing and watering hole sites.
Researchers at Proofpoint this week published a report on Operation Transparent Tribe, which was ongoing as of Feb. 11 when Proofpoint uncovered live attacks against Indian diplomats operating in embassies in Saudi Arabia and Kazakhstan. Proofpoint found IP addresses in Pakistan involved in the attacks, which invol...

Hong Kong hacks hacked in democracy protest yap flap
The Register • Darren Pauli • 02 Dec 2015

Beijing Someone in China casts baited lede hooks into news room feeding frenzy.

Chinese hackers who previously popped Western financial firms are now using Dropbox to target Hong Kong based journalists, FireEye says.
The group, suspected to be an outfit known as "admin@338", is using the cloud service to host command and control for its infection operations.
Its attacks drop the backdoor payload dubbed Lowball delivered through an old and since-patched Microsoft Office vulnerability (CVE-2012-0158) communicating over secure sockets to Dropbox.
FireEye rese...

Naikon APT Group Tied to China’s PLA Unit 78020
Threatpost • Michael Mimoso • 24 Sep 2015

Chinese president Xi Jinping is supposed to have dinner this evening with U.S. president Barack Obama. Wonder if the name Ge Xing will come up?
Ge Xing is the subject of a joint report published this morning by ThreatConnect and Defense Group Inc., computer and national security service providers respectively. Ge is alleged to be a member of the People’s Liberation Army unit 78020, a state-sponsored hacking team whose mission is to collect intelligence from political and military sources...

The Spring Dragon APT
Securelist • Kurt Baumgartner • 17 Jun 2015

Let’s examine a couple of interesting delivery techniques from an APT active for the past several years, the Spring Dragon APT. A paper released today by our colleagues at Palo Alto Networks presented a portion of data on this crew under the label “the Lotus Blossom Operation“, likely named for the debug string present in much of the “Elise” codebase since at least 2012: “d:\lstudio\projects\lotus\…”.

The group’s capabilities are more than the much discussed CVE...

The Naikon APT
Securelist • Kurt Baumgartner Maxim Golovkin • 14 May 2015

Our recent report, “The Chronicles of the Hellsing APT: the Empire Strikes Back” began with an introduction to the Naikon APT, describing it as “One of the most active APTs in Asia, especially around the South China Sea”. Naikon was mentioned because of its role in what turned out to be a unique and surprising story about payback. It was a Naikon attack on a Hellsing-related organization that first introduced us to the Hellsing APT.  Considering the volume of Naikon activity observed an...

The Chronicles of the Hellsing APT: the Empire Strikes Back
Securelist • Costin Raiu Maxim Golovkin • 15 Apr 2015

https://www.youtube.com/watch?v=gvAUfp4iDw4
One of the most active APT groups in Asia, and especially around the South China Sea area is “Naikon”. Naikon plays a key part in our story, but the focus of this report is on another threat actor entirely; one who came to our attention when they hit back at a Naikon attack.
Naikon is known for its custom backdoor, called RARSTONE, which our colleagues at Trend Micro have described in detail. The name Naikon comes from a custom user ...

Operation Buhtrap, the trap for Russian accountants
welivesecurity • Jean-Ian Boutin • 09 Apr 2015

Late in 2014, we noticed and started to track an undocumented malicious campaign targeting Russian businesses, and that has been active for well over a year. The malware used in this campaign is a mix of off-the-shelf tools, NSIS-packed malware and bespoke spyware that abuses Yandex’s Punto software, a program for Russian users which silently and automatically changes the keyboard language depending on what the user is typing. Once the cybercriminals have compromised a computer, they use custo...

Energy utilities targeted by Office-spawned recon attack tool
The Register • Darren Pauli • 02 Apr 2015

Yet another reason Excel is evil, and yet another reason to get up to date on patches

Malware writers are targeting international energy utilities with a new trojan that creates beachheads to enable subsequent more advanced attacks.
Symantec security boffin Christian Tripputi says the campaign, detected in the first two months of 2015, has a particular focus on creating beachheads on petroleum and gas utilities operating in the Middle East.
Tripputi says Britain and the United States account for a combined 10 per cent of infections by the "Laziok" trojan.
"The [...

PlugX, Go-To Malware for Targeted Attacks, More Prominent Than Ever
Threatpost • Chris Brook • 10 Feb 2015

Existing in some form since 2008, the popular remote access tool PlugX has as notorious a history as any malware, but according to researchers the tool saw a spike of popularity in 2014 and is the go-to malware for many adversary groups.
Many attacks, especially those occurring during the latter half of the year, were seen using the tool. In fact, researchers are theorizing the further proliferation of PlugX, which enables attackers to log keystrokes, modify and copy files, capture screens...

Red October Attackers Return With CloudAtlas APT Campaign
Threatpost • Dennis Fisher • 10 Dec 2014

The attackers behind the Red October APT campaign that was exposed nearly two years ago have resurfaced with a new campaign that is targeting some of the same victims and using similarly constructed tools and spear phishing emails.
Red October emerged in January 2013 and researchers found that the attackers were targeting diplomats in some Eastern European countries, government agencies and research organizations with malware that could steal data from desktops, mobile devices and FTP serv...

Cloud Atlas: RedOctober APT is back in style
Securelist • GReAT • 10 Dec 2014

Two years ago, we published our research into RedOctober, a complex cyber-espionage operation targeting diplomatic embassies worldwide. We named it RedOctober because we started this investigation in October 2012, an unusually hot month.
After our announcement in January 2013, the RedOctober operation was promptly shut down and the network of C&Cs was dismantled. As usually happens with these big operations, considering the huge investment and number of resources behind it, they don’...

IT threat evolution Q3 2014
Securelist • David Emm Maria Garnaeva Victor Chebyshev Roman Unuchek Denis Makrushin Anton Ivanov • 18 Nov 2014

In July we published our in-depth analysis into a targeted attack campaign that we dubbed ‘Crouching Yeti’. This campaign is also known as ‘Energetic Bear’.
This campaign, which has been active since late 2010, has so far targeted the following sectors:  industrial/machinery, manufacturing, pharmaceutical, construction, education and information technology.  So far there have been more than 2,800 victims worldwide, and we have been able to identify 101 d...

G20 2014 Summit Lure used to target Tibetan activists
welivesecurity • ESET Research • 14 Nov 2014

APT actors trying to use big events as a lure to compromise their targets is nothing new. Tibetan NGOs being targeted by APT actors is also nothing new. Thus, surrounding the upcoming G20 2014 summit that is held in Brisbane, Australia, we were expecting to see G20 themed threats targeted at Tibetan NGOs. A Win32/Farfli (alias Gh0st RAT) sample ultimately confirmed our suspicions.
Gh0st RAT is an off-the-shelf RAT that is used by a variety of threat actors. It has been used in the past in ...

Korplug military targeted attacks: Afghanistan & Tajikistan
welivesecurity • Robert Lipovsky • 12 Nov 2014

After taking a look at recent Korplug (PlugX) detections, we identified two larger scale campaigns employing this well-known Remote Access Trojan. This blog gives an overview of the first one, related to Afghanistan & Tajikistan. The other campaign, where the targets were a number of high-profile organizations in Russia, will be the subject of Anton Cherepanov’s presentation at the ZeroNights security conference in Moscow this week.
Sometimes malware used in various attacks is unique...

Russian APT28 Group Linked to NATO, Political Attacks
Threatpost • Michael Mimoso • 28 Oct 2014

A Russian APT group tied to ongoing attacks against military and political targets in Eastern Europe and against NATO could also have ties to the MiniDuke espionage campaign uncovered more than a year ago.
Dubbed APT28 by FireEye in a report published last night, the Russian hackers have targeted Eastern European governments and military organizations, the government of the country of Georgia, as well as NATO and the Organization for Security and Cooperation in Europe (OSCE). The group, Fi...

Thefts in remote banking systems: incident investigations
Securelist • Mikhail Prokhorenko • 11 Sep 2014

More and more companies are asking Kaspersky Lab to carry out detailed investigations of malware-related IT security incidents affecting their business.
In this article, we will describe a typical cybercriminal attack aiming at stealing corporate financial assets from a remote banking system.
An organization recently asked Kaspersky Lab to investigate an incident that had occurred in its corporate remote banking system: a bank representative contacted the organization’s acco...

NetTraveler APT Gets a Makeover for 10th Birthday
Securelist • Costin Raiu Kurt Baumgartner • 27 Aug 2014

We have written about NetTraveler before HERE and HERE.
Earlier this year, we observed an uptick in the number of attacks against Uyghur and Tibetan supporters using an updated version of the NetTraveler backdoor.
Here’s an example of a targeted spear-phishing e-mail directed at Uyghur activists in March 2014.

The e-mail has two attachments, a non-malicious JPG file and a 373 KB Microsoft Word .DOC file.
The .DOC file, which in reality is a “Single File Web Pag...

Oi! Rip Van Winkle: PATCH, already
The Register • Darren Pauli • 20 Aug 2014

Stuxnet, Sality, Gauss, Flame still infecting your unpatched boxen

Nearly 20 million computers remain infected with malware targeting a vulnerability first targeted four years ago by the Stuxnet worm.
The flaw (CVE-2010-2568) was a Windows operating system bug in the way shortcuts worked allowing quiet download of the random dynamic library on Win Server 2003 and XP through to version 7.
Since July 2010 it has continued to power the Sality worm, and fueled Stuxnet and its derivatives Flame and Gauss on unpatched machines.
The Red October malwa...

Spam and phishing in Q2 2014
Securelist • Darya Gudkova Nadezhda Demidova • 12 Aug 2014

On 1 July, new anti-spam legislation (CASL) came into effect in Canada. The new law covers commercial communications including email, messages on social networks and instant messaging services as well as SMS. Now, before a company starts sending emails, it must get the recipients’ consent. Canadian companies appear to have taken the new law seriously: in the second quarter, we saw a lot emails from Canadian companies asking users for permission to send their mailings. A...

Windows Registry-infecting malware has no files, survives reboots
The Register • Darren Pauli • 04 Aug 2014

Antivirus doesn't stand a chance because there's nothing for it to scan

Researchers have detailed a rare form of Windows malware that maintains infection on machines and steals data without installing files.
The malware resides in the computer registry only and is therefore not easy to detect.
Its code reaches machines through a malicious Microsoft Word document before creating a hidden encoded autostart registry key, malware researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says. It then creates and executes shellcode and a payload Window...

Spam in April 2014
Securelist • Tatyana Shcherbakova Maria Vergelis • 28 May 2014

In April, holiday-themed mass mailings featured Easter, which was used not only to advertise spammer products, but by a variety of scammers who sent out fake lottery winnings notifications to Internet users and malware disguised as holiday e-greetings.
Scammers also mailed out offers to earn money from stock in American pharmaceutical companies – so-called pump and dump spam. Several large mailings advertised the services of a variety of medical institutions and dental clinics, as well a...

MH 370-Related Phishing Attacks Spotted Against Government Targets
Threatpost • Michael Mimoso • 25 Mar 2014

Hold off on the notion that watering hole attacks may supplant phishing as the initial means of compromise in advanced attacks. A number of recent targeted campaigns have used the crash of Malaysia Airlines 370 as a lure to infect government officials in the U.S. and Asia-Pacific.
FireEye today published research on a number of spear phishing attacks that contained either infected attachments or links to malicious websites. One Chinese group, admin@338, has been active in the past targetin...

Microsoft Updates December 2013
Securelist • Kurt Baumgartner • 10 Dec 2013

Eight Microsoft Security Bulletins are being pushed out this month, MS13-096 through MS13-106. Five of them are rated “Critical” and another six are rated “Important”. The top priorities to roll out this month are the critical GDI+ (MS13-096), Internet Explorer (MS13-097), and Scripting Runtime (MS13-099) updates.
Several of the vulnerabilities have been actively exploited as a part of targeted attacks around the world, and one of them is known to be ItW for at least six months or ...

Kaspersky Security Bulletin 2013. Corporate threats
Securelist • Vitaly Kamluk Sergey Lozhkin Tat’jana Šerbakova • 05 Dec 2013

The number of serious cyber-attacks detected over the last two years has increased so much that new attacks rarely cause much surprise. It’s now commonplace for antivirus companies to issue a report about the discovery of another botnet or highly sophisticated malware campaign that is gathering data.
Companies are increasingly falling victim to cyber-attacks. According to a survey conducted by Kaspersky Lab and B2B International, 91% of the o...

Extensible Attack Platform Has Familiar Feel
Threatpost • Michael Mimoso • 25 Nov 2013

Researchers have discovered a mature attack platform that’s enjoyed great success eluding detection and made good use of an exploit present in a number of espionage campaigns.
The attacks have concentrated largely on the automotive industry, hitting large companies primarily in Asia and only after being tested against activist targets in the region. Nicknamed Grand Theft Auto Panda by researcher Jon Gross of Cylance, the attacks rely on the well-worn exploits used against CVE-2012-0158. ...

The Icefog APT: Frequently Asked Questions
Securelist • GReAT • 26 Sep 2013

Here are answers to the most frequently asked questions related to Icefog, an APT operation targeting entities in Japan and South Korea.

Icefog refers to a cyber-espionage campaign that has been active at least since 2011. It targets governmental institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan. It is likely that the crew targets orga...

Icefog Espionage Campaign is ‘Hit and Run’ Targeted Operation
Threatpost • Michael Mimoso • 25 Sep 2013

An espionage campaign featuring precise targeting of victims and malware that allows the attackers one-on-one interaction with compromised systems has been uncovered. Government agencies, manufacturers, high tech companies and media organizations in South Korea and Japan have been the primary targets of the campaign called Icefog, which was reported today by researchers at Kaspersky Lab.
The China-based campaign is two years old and follows the pattern of similar APT-style attacks where vi...

Nasty nuke-lab data-slurper EVOLVES, now feeds off new Java hole
The Register • John Leyden • 05 Sep 2013

Latest version of data-stealer targets Uyghur dissidents

A piece of malware linked to attacks against governments and organisations involved in hi-tech industries such as space exploration and nuclear power has been adapted to exploit a recently uncovered Java security flaw.
NetTraveler has been outfitted to exploit a recently patched Java bug as part of a watering-hole-style attack involving compromised websites that redirects victims to an attack site hosting exploit code.
The latest variants of the malware appear, which surfaced over th...

NetTraveler Is Back: The ‘Red Star’ APT Returns With New Tricks
Securelist • Costin Raiu • 03 Sep 2013

NetTraveler, which we described in depth in a previous post, is an APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler (also known as ‘Travnet’ or “Netfile”) include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.
During the last week, several spear-phishing e-mails were ...

NetTraveler Variant Adds Java Exploits, Watering Hole Attacks to Bag of Tricks
Threatpost • Michael Mimoso • 03 Sep 2013

When NetTraveler was unveiled in June, Costin Raiu of Kaspersky Lab warned that the espionage campaign was an “ugly gorilla with a thousand faces” and that we hadn’t seen them all yet.
A little more than two months later, another profile of the malware targeting activists, diplomats, government targets and the scientific research community, has reared its head.
Raiu said today that a variant has been spotted by Kaspersky’s Global Research and Analysis Team and unlike its first...

IT Threat Evolution: Q2 2013
Securelist • Christian Funk, Denis Maslennikov • 15 Aug 2013

In early June, Kaspersky Lab announced a discovery that opened a whole new chapter in the field of cyber-espionage.
Named NetTraveler, this is a family of malicious programs used by APT actors to successfully compromise more than 350 high-profile victims in 40 countries. The NetTraveler group infected victims across both the public and private sector including government institutions, embassies, the oil and gas industry, research centers, military contractors and activists.
The threat,...

The curious case of a CVE-2012-0158 exploit
Securelist • Marta Janus • 06 Aug 2013

CVE-2012-0158 is a buffer overflow vulnerability in the ListView / TreeView ActiveX controls in the MSCOMCTL.OCX library. The malicious code can be triggered by a specially crafted DOC or RTF file for MS Office versions 2003, 2007 and 2010. Although this vulnerability was patched by Microsoft more than a year ago, it seems that not everyone cared to install the updates. And those who didn’t may be at risk of getting all their documents, pictures and databases encrypted by a new version of the ...

Spam in May 2013
Securelist • Tatyana Shcherbakova, Maria Vergelis, Darya Gudkova • 20 Jun 2013

May turned out to be fairly varied when it came to spammer creativity. In fraudulent and advertising messages the spammers made active use of well-known people and companies. The quantity of holiday-related spam fell, but we still came across mailings exploiting Mother’s Day and Memorial Day.
In May spammers organized a phishing mailing disguised as messages from Microsoft customer service and support. The messages, which at first glance appear to come from the perfectly legitimate micro...

Chinese hackers launch PRISM scare campaign
The Register • Phil Muncaster • 19 Jun 2013

Supposed 'CIA list' with you on it actually contains malware

The Chinese group behind the recently discovered NetTraveler attacks is now using widespread interest in the infamous National Security Agency (NSA) PRISM surveillance program to encourage users to open malicious email attachments, it has emerged.
Brandon Dixon of the 9bplus blog said he came across an email uploaded to VirusTotal entitled “CIA’s Prism Watchlist”.
The intended recipient of the message was a Yahoo account associated with the Regional Tibet Youth Congress in Mund...

NetTraveler Attackers Using NSA PRISM Program as Bait
Threatpost • Dennis Fisher • 18 Jun 2013

Never let it be said that attackers don’t keep up with the news. The crew behind the NetTraveler cyberespionage attacks is now using the news about the NSA’s PRISM surveillance program as bait in a new spear-phishing campaign.
Security researcher Brandon Dixon of 9bplus came across a malicious email this week that plays off the recent spate of news stories about the leaked data on the National Security Agency’s PRISM program, which is designed to gather data on users from a variety o...

You dirty RAT: Trend Micro spots new Asia-wide attack
The Register • Phil Muncaster • 14 Jun 2013

Campaign targeting governments, telcos, and other organisations

Security researchers are warning of yet another advanced, large-scale attack campaign using sophisticated techniques to hide itself from its targets – organisations across Asia.
Trend Micro has dubbed the campaign Naikon, based on the HTTP user-agent string “NOKIAN95/WEB” found in various targeted attacks across the region in India, Malaysia, Singapore, and Vietnam and elsewhere.
The attacks begin in time-honoured fashion with a spear-phishing email “using messages related to...

Space boffins, oil giants, nuke plants 'raided' by MYSTERY code nasty
The Register • John Leyden • 05 Jun 2013

Spain, Kyrgyzstan, Mongolia, China, this malware has had quite a trip, we're told

A piece of government-bothering malware called NetTraveler has been active since 2004 - and targets agencies and organisations involved in space exploration, nanotechnology, nuclear power, lasers, medicine, communications and more.
And that's according to researchers at security biz Kaspersky Lab.
More than 350 high-profile outfits in 40 countries have been hit by strains of NetTraveler, we're told. Embassies, oil and gas corporations, research institutes, military contractors and ac...

NetTraveler Espionage Campaign Uncovered, Links to Gh0st RAT, Titan Rain Found
Threatpost • Michael Mimoso • 04 Jun 2013

A new cyberespionage malware campaign with ties to China going back to the Titan Rain and Gh0stNet attacks has been targeting diplomats, military contractors and government agencies in 40 countries.
Researchers at Kaspersky Lab today unveiled details on NetTraveler, a data exfiltration tool, which has infected more than 350 high profile victims using primarily exploits targeting two patched Microsoft vulnerabilities. Costin Raiu, senior security researcher and head of the Global Research a...

Securo-boffins uncover new GLOBAL cyber-espionage operation
The Register • John Leyden • 20 May 2013

Two-pronged attack hits victims in 100 countries

Government ministries, technology firms, media outlets, academic research institutions and non-governmental organisations have all fallen victim to an ongoing cyberespionage operation with tendrils all over the world, according to researchers.
Infosec researchers have uncovered SafeNet in as many as 100 countries.
SafeNet targets potential marks using spear-phishing emails featuring a malicious attachment that exploits a Microsoft Office vulnerability that was patched last year (CVE-...

Targeted Espionage Attack Borrowing from Cybercriminals
Threatpost • Michael Mimoso • 20 May 2013

More and more, we’re hearing about a crossing of the streams, if you will, between cybercrime and state-sponsored attackers. Elements of malware, code persistence and distribution techniques are bleeding over between one realm of hacking into the other as each side tries to fill gaps in their respective portfolios.
The most recent example comes from Safe, a targeted espionage malware campaign recently reported on by Trend Micro. Safe has all the elements of a state-sponsored endeavor yet...

New India-Based Spy Malware Campaign Targeting Pakistanis
Threatpost • Chris Brook • 16 May 2013

A new malware campaign has been hitting Pakistan hard over the last few months and after a little e-sleuthing, it appears the not-so-stealthy attacks have been originating from nearby India and exploiting a certificate to run its binaries.
Security firm Eset has a full rundown of the campaign today on its WeliveSecurity.com blog by malware researcher Jean-Ian Boutin, including an array of details involving how the attack has been executed and the types of payloads being deployed on unsuspe...

Targeted information stealing attacks in South Asia use email, signed binaries
welivesecurity • Jean-Ian Boutin • 16 May 2013

[Update: Norman released a comprehensive white paper profiling the group behind these attacks]
In the past few months, we have analyzed a targeted campaign that tries to steal sensitive information from different organizations throughout the world, but particularly in Pakistan. During the course of our investigations we uncovered several leads that indicate this threat has its origin in India and has been going on for at least two years. The journey began with a code-signing certificate an...

Military Hardware and Men’s Health
Securelist • Ben Godwood • 29 Mar 2013

Over the last few months we have seen a series of very similar targeted attacks being blocked in our Linux Mail Security Product. In each case the documents used were RTF and the exploit was CVE-2012-0158 (MSCOMCTL.OCX RCE Vulnerability).
The attacks seem to be from the same group and most appear to be sent from Australia or Republic of Korea. The sender IP addresses vary but many are sent via mail.mailftast.com. This domain is registered in China:
The documents are in three categori...

Android Trojan Found in Targeted Attack
Securelist • Kurt Baumgartner, Costin Raiu, Denis Maslennikov • 26 Mar 2013

In the past, we’ve seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms. We’ve documented several interesting attacks (A Gift for Dalai Lamas Birthday and Cyber Attacks Against Uyghur Mac OS X Users Intensify) which used ZIP files as well as DOC, XLS and PDF documents rigged with exploits.
Several days ago, the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advoca...

Researchers Uncover Targeted Attack Campaign Using Android Malware
Threatpost • Dennis Fisher • 26 Mar 2013

Android attacks have become all the rage in the last year or two, and targeted attacks against political activists in Tibet, Iran and other countries also have been bubbling up to the surface more and more often lately. Now those two trends have converged with the discovery of a targeted attack campaign that’s going after Tibetan and Uyghur activists with a spear-phishing message containing a malicious APK file. Researchers say the attack appears to be coming from Chinese sources. ...

Attacks on SCADA, ICS Honeypots Modified Critical Operations
Threatpost • Michael Mimoso • 19 Mar 2013

With antiquated gear running the country’s industrial control systems that oversee critical infrastructure, it’s no shock attackers targeting SCADA networks do their fair share of reconnaissance looking for weak spots in that equipment.
A researcher decided to put that theory to a practical test recently when he deployed three dummy websites, honeypots essentially, that accurately mimicked Internet-facing management interfaces for a real-world water pressure station, a serv...

Anti-Tibetan Attack Stems from Nvidia Abuse, Old RTF Vulnerability
Threatpost • Chris Brook • 27 Feb 2013

A series of targeted attacks are continuing to bully a signed Nvidia application into dropping a backdoor that lets attackers root their way through the systems of Tibetan sympathizers.
According to Sophos’ Gabor Szappanos, the multifaceted attack can install a backdoor on unsuspecting users’ machines to siphon off system information, including the computer’s name and OS version along with other bits of sensitive information.
First the campaign makes use of an old M...

Inside the 1,000 Red October Cyberespionage Malware Modules
Threatpost • Michael Mimoso • 17 Jan 2013

The Red October espionage malware campaign is providing security researchers with a deep dive into the complexity of targeted attacks, which in this case made use of more than 1,000 malware modules for everything from reconnaissance on targets to exfiltration of data to command and control servers.
The moving parts behind Red October are vast and have been under wraps for the better part of five years, Kaspersky Lab researchers revealed this week. The attackers behind this camp...

“Red October”. Detailed Malware Description 1. First Stage of Attack
Securelist • GReAT • 17 Jan 2013

Based on the analysis of known cases, we identified two main ways through which Backdoor.Win32.Sputnik infects the victims. Both methods rely on spear-phishing e-mails which are sent to the prospective victims. The e-mails contain an attachment which is either an Excel or Word document, with enticing names. In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2...

Red October – Java Exploit Delivery Vector Analysis
Securelist • GReAT • 16 Jan 2013

Since the publication of our report, our colleagues from Seculert have discovered and posted a blog about the usage of another delivery vector in the Red October attacks.
In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers also infiltrated victim network(s) via Java exploitation (MD5: 35f1572eb7759cb7a66ca459c093e8a1 – ‘NewsFinder.jar’), known as the ‘Rhino’ exploit (CVE-2011-3544).
We know the early February 2012 tim...

“Red October” Diplomatic Cyber Attacks Investigation
Securelist • GReAT • 14 Jan 2013

In October 2012, Kaspersky Lab’s Global Research & Analysis Team initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation, which we called “Red October” (after the famous novel “The Hunt For The Red October”).
This report is based on detailed technical analysis of a series of targeted attacks against diplomatic, ...

Rocra Espionage Malware Campaign Uncovered After Five Years of Activity
Threatpost • Michael Mimoso • 14 Jan 2013

For five years, it hid in the weeds of networks used by Eastern European diplomats, government employees and scientific research organizations, stealing data and infecting more machines in an espionage campaign rivaling Flame and others of its ilk. The campaign, called Rocra or Red October by researchers at Kaspersky Lab, focused not only on workstations, but mobile devices and networking gear to gain a foothold inside strategic organizations. Once inside, attackers pivoted internally and stole...

Patch Tuesday October 2012 – More Microsoft Word Spearphish Risks
Securelist • Kurt Baumgartner • 10 Oct 2012

Today’s Microsoft updates include a few fixes for remote code execution, and several fixes for escalation of privilege and denial of service flaws. The priority for both general folks and corporate customers running Windows and Office will be to roll out MS12-064 affecting Microsoft Office immediately. Vulnerabilities CVE-2012-2528 and CVE-2012-0182 are patched by this bulletin, and -2528 predictably will be attacked with more malformed rtf formatted documents. These sorts of files have been del...

Tool Scans for RTF Files Spreading Malware in Targeted Attacks
Threatpost • Michael Mimoso • 14 Sep 2012

Exploits embedded inside Microsoft Office documents such as Word, PDFs and Excel spreadsheets have been at the core of many targeted attacks during the past 24 months. Detection of these attack methods is improving and nimble hackers are recognizing the need for new avenues into enterprise networks. Some have been finding success using rich text format (RTF) files to spread malware that exploits Office vulnerabilities.
Researcher Mila Parkour reported in June she’d collected...

A Gift for Dalai Lama’s Birthday
Securelist • Costin Raiu • 04 Jul 2012

Recently, we wrote about Dalai Lama being a frequent Mac user. While this is true for his holiness, not all his supporters use Macs yet.
You may wonder why this is relevant? Well, on 6th of July, his holiness will be 77 years old, a kind of round number. There is no surprise that “Dalai Lama Birthday” attacks are already ongoing.
On July 3rd, we’ve noticed a new APT campaign entitled “Dalai Lama’s birthday on July 6 to be low-key affair”:

Attached to the e-ma...

New APT Attack Shows Technical Advance in Exploit Development
Securelist • Kurt Baumgartner • 15 Jun 2012

Recently, we came by an interesting targeted attack which was evading most antivirus products. This is a recent spearphish targeting various Tibetan and human rights activists. It demonstrates the level of effort put into infiltrating their groups with some unique characteristics, relative to the many other exploits targeting CVE-2012-0158. Here’s how such e-mails appear:

Subject: 噶厦政府发起彻查中国民主人硬汉李旺阳被杀事件签名
Translates to ...

Microsoft seals up Windows zero-day flaw in April Patch Tuesday
The Register • John Leyden • 11 Apr 2012

Kill Bit for every MS boy and girl

Microsoft released six bulletins on Tuesday to fix a total of 11 vulnerabilities, one of which has become the target of active attacks against unpatched applications.
One of the four critical patches in the batch – MS12-027 – addresses an ActiveX issue that impacts numerous applications and creates a mechanism to drop malware onto vulnerable Windows systems.
Microsoft warned of attacks in the wild against the zero-day flaw, which affects an unusually wide range of Microsoft produ...

The Register

Vulnerabilities in Microsoft Windows, Office, and Windows Server, for which patches have been available for years, continue to be the favorite target for hackers looking to spread malware.
A list posted by US-CERT this week rattles off the 10 most oft-targeted security vulnerabilities during the past three years, and finds that, shock horror, for the most part, keeping up with patching will keep you safe.
Microsoft ranks highly in the list because its software is widely used, and pro...