Days after Microsoft released six bulletins, we now have just spotted a number of Trojanized RTF files circulating in-the-wild. The said files are exploiting CVE-2012-0158, which is included in MS12-027. That particular bulletin affects a number of Microsoft programs, particularly versions of MS Office, Visual FoxPro, Commerce Server, BizTalk Server, as well as SQL Server.
We spotted a Trojanized RTF file that came in the following email message as an attachment:
The attachment RTF file Inside Information.doc, detected as TROJ_MDROP.GDL, has an embedded EXE file (encrypted) and an embedded decoy DOC file (also encrypted). The dropped EXE payload, detected as TSPY_GEDDEL.EVL, drops and installs a secondary file named fxsst.dll. Outbound connections are then seen to hosts whose NS record point to China.
Another noteworthy finding about TSPY_GEDDEL.EVL is that it is digitally-signed. However, the certificate used looks dubious:
HUPIGON variants have a vast array of features and components that enable them to achieve various data exfiltration activities which include but are not limited to:
- logged keystrokes
- passwords and other user credentials
- system information
- video recording using a built-in webcam
It also comes with a rootkit component to add to its persistence within the infected system.
The HANGAME variant mentioned earlier is also digitally-signed, and with an invalid signature similar to what was described above:
Trend Micro Smart Protection Network ensures that users are protected from the malware in this attack. The File Reputation technology detects and removes all the malicious files mentioned in this post. Web Reputation technology blocks access to the IP address where TSPY_GEDDEL.EVL connects to.
Furthermore, Trend Micro Deep Security users are protected from attacks using CVE-2012-0158 via the following rules:
- 1004973 – MSCOMCTL.OCX RCE Vulnerability For Rich Text File (CVE-2012-0158)
- 1004977 – Restrict Microsoft Windows Common ListView And TreeView ActiveX Controls
- 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158)
Leave a reply