Malspam Delivers Revenge RAT October-2017

Written by Admin | Oct 26, 2017 4:00:00 AM

On October 18th 2017, malspam delivered a malicious RTF document that tries to exploit Microsoft Office/WordPad via a buffer overflow vulnerability in the ListView / TreeView ActiveX controls of the MSCOMCTL.OCX library, CVE-2012-0158. The malicious code can be triggered by a specially crafted DOC or RTF file on unpatched MS Office products.

VirusTotal analysis of the delivered document confirms the presence of the RTF exploit.

After the document is opened in a vulnerable Microsoft Word application, shellcode embedded in the RTF file establishes a connection to “http://careers[.]fwo[.]com[.]pk/” to download a malicious executable payload, which kicks off the following network events.

VirusTotal analysis of the final payload “printer.exe” confirms that it is Revenge, a Remote Access Trojan (RAT).

Once the download is complete, the binary is executed and post-infection traffic starts. The request contains Base64-encoded information about the infected machine, such as its IP address, domain and username, operating system, processor model and speed, and language.

Breaking the request down into its individual strings reveals a specific pattern and the information carried by each field:

  • Information
  • Revenge-RAT R3Vlc3Q Guest
  • Revenge-RAT XzQ0RkVDOTA4 _44FEC908
  • Revenge-RAT 10.10.10.166 System IP
  • Revenge-RAT Q0FGRVdFU1QgLyBqYW1lcw CAFEWEST / james
  • Revenge-RAT No 6
  • Revenge-RAT TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwgIDMy Microsoft Windows 7 Professional  32
  • Revenge-RAT SW50ZWwoUikgWGVvbihSKSBDUFUgICAgICAgICAgIFg1NjkwICBAIDMuNDdHSHo Intel(R) Xeon(R) CPU           X5690  @ 3.47GHz
  • Revenge-RAT 1073274880
  • Revenge-RAT Ti9B N/A
  • Revenge-RAT Ti9B N/A
  • Revenge-RAT 3339
  • Revenge-RAT UHJvZ3JhbSBNYW5hZ2Vy Program Manager
  • Revenge-RAT ZW4tVVM en-US
  • Revenge-RAT False
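The breakdown above can be reproduced with a small decoder. This is an added example, not code from the original advisory; it assumes that the literal string Revenge-RAT separates the fields (as the breakdown suggests) and that the sample beacon body is reconstructed from the encoded values listed above.

```python
import base64
import binascii

# Field separator, assumed from the breakdown in the advisory.
DELIMITER = "Revenge-RAT"

# Constructed sample beacon body, rebuilt from the encoded values listed above.
SAMPLE_BEACON = DELIMITER.join([
    "Information", "R3Vlc3Q", "XzQ0RkVDOTA4", "10.10.10.166",
    "Q0FGRVdFU1QgLyBqYW1lcw", "No",
    "TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwgIDMy",
    "SW50ZWwoUikgWGVvbihSKSBDUFUgICAgICAgICAgIFg1NjkwICBAIDMuNDdHSHo",
    "1073274880", "Ti9B", "Ti9B", "3339", "UHJvZ3JhbSBNYW5hZ2Vy", "ZW4tVVM", "False",
])

# Positions of the fields the advisory identifies (index into the split beacon).
LABELS = {3: "ip", 4: "host_user", 6: "os", 7: "cpu", 13: "language"}


def decode_field(token):
    """Decode an unpadded Base64 token. Fields that are not valid Base64
    (e.g. the IP, 'False') or that do not decode to printable ASCII
    (e.g. '1073274880', '3339') are returned unchanged."""
    if len(token) % 4 == 1:          # impossible Base64 length
        return token
    padded = token + "=" * (-len(token) % 4)   # restore stripped padding
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return token
    return text if text.isprintable() else token


def parse_beacon(body):
    """Split the beacon on the delimiter and decode every field;
    the first field names the message type ('Information')."""
    return [decode_field(t) for t in body.split(DELIMITER)]


def summarize(body):
    """Map the decoded fields the advisory identifies to readable labels."""
    fields = parse_beacon(body)
    return {name: fields[i] for i, name in LABELS.items() if i < len(fields)}


if __name__ == "__main__":
    for field in parse_beacon(SAMPLE_BEACON):
        print(field)
    print(summarize(SAMPLE_BEACON))
```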


Current RSA NetWitness detection populates the following meta for the download sessions:

Current RSA NetWitness detection populates the following meta for the post-infection traffic:

More detailed information about CVE-2012-0158 can be found here:

https://community.rsa.com/community/products/netwitness/blog/2014/02/12/triaging-malicious-microsoft-office-documents-cve-2012-0158 

Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.