Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Request a Demo

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Request a Demo
Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

View All Trustwave Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
Trustwave SpiderLabs Team
Global researchers, ethical hackers, and responders
Trustwave Fusion Security Operations Platform
Unprecedented security visibility and control
Trustwave Security Colony
Access to cybersecurity threat protection resources
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP
SpiderLabs Blog

Analysis of Malicious Document Files Spammed by Cutwail

May 15, 2013 2 minutes read Rodel Mendrez

In our Global Security Report, we highlighted a zero day vulnerability in the Windows Common Controls affecting Microsoft Office (CVE-2012-0158). This was reportedly being used for targeted attacked against NGOs and human rights activist.

Over the past week, the Cutwail botnet has been sending out spam containing malicious documents of the aforementioned vulnerability, CVE-2012-0158. The use of a loaded RTF attachment is a departure from normal for Cutwail, usually it distributes executable attachments or links to exploit kits.

The spam claims to be from Citibank or Bank of America. The spam may use the "Merchant Statement" as a subject line and has an accompanying .DOC file attached.

12016_d4f3908a-d50a-416e-ac24-ca7a7b794127
Spam Campaign Samples

The .DOC attachment is actually an RTF file format which was crafted to exploit an error in the ActiveX controls found in MSCOMCTL.OCX (Windows Common Controls). The vulnerability is also known as "MSCOMCTL.OCX RCE Vulnerability".

11055_a6618a68-83a6-44b8-9a62-8e7fe2093877
The Malicious RTF File Header

This exploit affects older versions of Microsoft Office such as Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1 etc. This issue was patched a year ago and was included in the Microsoft Security Bulletin MS12-027.

The Shellcode and the Payload

To verify if the RTF file was indeed malicious, we initially scanned the file using a tool from Office MalScanner suite,RTFScan.exe. This provided an overview of the malicious RTF file. The tool also dumped the embedded suspicious OLE document found in the RTF file. RTF Scanner found a seemingly malicious object inside the file; and Virus Total's high detection rate gave us high confidence that we were indeed dealing with a malicious RTF document.

9503_5cdfa344-4feb-4699-aa21-4fca85238dc0
RTF Scan Result

 

11076_a78d8ec9-f296-4087-8889-21682ed0213b
The suspicious embedded OLE object that RTF Scan detected.

One of the objectives of this analysis is to find the shellcode that will be executed when the exploit is triggered. Luckily, the shellcode string can be easily spotted within the malicious RTF document, characterized by the string "E9" (an opcode for relative JMP) and a series of90s (NOP instructions). So by dumping the shellcode strings and converting to binary, we can disassemble and analyze it easily.

9474_5b6e04f7-da2b-4a45-8c16-f358dba9b29b
The disassembled shellcode

 

The disassembled shellcode shows the initial scanning of the Process Environment Block (PEB) to resolve the Kernel32.dll address space and after that is the manual retrieval of Imported API (Application Program Interface) through hashing. This common shellcode technique is used to resolve the addresses of API functions it needs to execute when running in a Windows system.

Here's the list of hashes and its corresponding APIs that the shellcode use:

0xBBAFDF85 GetProcAddress
0xAC0A138E GetFileSize
0x9424D45A GlobalAlloc
0xDBACBE43 SetFilePointer
0x130F36B2 ReadFile
0x94E43293 CreateFileA
0x837DE239 GetTempPathA
0x741F8DC4 WriteFile
0xFF0D6657 CloseHandle
0x01A22F51 WinExec
0xB4FFAFED GetModuleFileNameA
0x4FD18963 ExitProcess

Given that list of APIs, it gives an idea of what the shellcode is going to do.

With further investigation, we saw the shellcode decrypt a Trojan executable file embedded in the malicious RTF document using a simple XOR operation. The file will then be dropped and installed in the user TEMP  directory with the filename PAW.EXE.

8774_3932a060-0494-4f45-986d-b62967b2c2b3

The Trojan is encrypted and embedded in RTF document XO Reducing the key 0x3F.

9144_4bc8cb72-0b1c-420b-9965-ee4f59d5def1
The payload is embedded and XOR encrypted in the RTF document

Additionally, the code also drops another Word document file in the Temp directory with the filename VC.DOC. The dropped decoy document file is non-malicious and opened after the shellcode has installed the Trojan.

The installed Trojan is no other than the Zeus Trojan. An analysis of this well-known Trojan can be further read in our previous blog.

Conclusion

To sum up, once an unsuspecting victim is lured to open the malicious RTF document, the exploit will trigger the vulnerability in Microsoft Word, causing it to run the embedded shell code. The shell code eventually drops and installs its payload.

It is worth noting though, that even after a year the patch for this Microsoft Office vulnerability was released, cyber-criminals continue to use this exploit. It is always a good advice to keep all your software up to date and avoid opening unsolicited email.

Trustwave MailMarshal and Mailmax customer are protected from this threat.

Latest SpiderLabs Blogs

Clockwork Blue: Automating Security Defenses with SOAR and AI

It’s impractical to operate security operations alone, using manual human processes. Finding opportunities to automate SecOps is an underlying foundation of Zero Trust and an essential architecture...

Read More

Professional Services Sector Under Attack - Trustwave SpiderLabs Report 2024

Recent research by Trustwave SpiderLabs, detailed in their newly published report "2024 Professional Services Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies,"...

Read More

Atlas Oil: The Consequences of a Ransomware Attack

Overview Atlas Oil, a major player in the oil and fuel distribution industry, fell victim to a ransomware attack orchestrated by the Black Basta group. This attack not only compromised sensitive...

Read More