The instigators of many targeted attacks are fond of using the CVE-2012-0158 vulnerability, which affects Microsoft Windows Common Controls ( mscomctl.ocx ) in Microsoft Office and some other Microsoft products. We have seen several APT campaigns using this exploit against Chinese and Tibetian activists and several other recent attacks. In a yet another recent targeted attack against Japanese organization , same vulnerability has been found to be used.
In the recent wave of the attacks using this exploit, the potential target seems to be one of the Japanese government agency.We have found Word .doc exploits taking advantage of CVE-2012-0158 with the decoy document contents indicating the target organization .Similar malware attacks had been carried out in the past against the same target , which led to the possible data exfilteration information / leakage indicating a possible cyber espionage attempt.
Exploit-laden doc files in the wild was first observed on April 7 2014 with the following file name:
xxx運営調整会議議事録(最終版).doc
(xxx was the abbreviated form for one of the centres / departments of the target organization )
Threat Vector
The threat arrives in a Word doc file that exploits the CVE-2012-0158 vulnerability in the mscomctl.ocx ActiveX control. Opening the doc exploit opens another decoy document and drops a binary, services.exe, in the %Temp% directory. This binary copies itself into C:\Program Files\Windows NT\Accessories\Microsoft and runs from there.
The following diagram gives a high-level picture of how the attack works:
The decoy document roughly translates as follows:
Analysis of the payload
The exploit drops the binary services.exe (MD5 677EC884F6606A61C81FC06F6F73DE6D) into %Temp% and later into C:\Program Files\Windows NT\Accessories\Microsoft, and adds registry start-up entries for persistence. The initial part of the binary has a simple but fairly uncommon antidebugging technique using Windows Message loops. It uses RegisterClassA( ) to register the Windows procedure and then calls CreateWindowExA( ) , transfering the execution to registered callback function before the API actually returns.
Once the location has been identified, breaking at the right spot will expose the hidden code and an additional domain to connect to, and eventually exposes the supposedly malicious iframe to redirect the victim to download additional malware.
Network communication
While analyzing this exploit, we found that it connects to the domain www.sitclogi.co.jp, resolving to 111.68.158.66. This domain is legitimate at the moment and possibly recovered from compromise :
But was apparently compromised to host malware during this attack. A historical scan of this domain confirms our assumption.
The following are additional malwares seen communicating with the same domain:
2b91011e122364148698a249c2f4b7fe www.sitclogi.co.jp
6c040be9d91083ffba59405f9b2c89bf www.sitclogi.co.jp
As usual , excercise extreme caution while opening documents from the unknown sources and use the patched versions of the softwares . You may never know what is hidden inside..!!.