Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Earlier Flaws Revisited: MS Office and PDF Combo Attack

Recently, we came across a campaign spamming out emails containing both DOC and PDF attachments together. This type of email and attachment combo (as shown in Figure 1) is common to normal office transactions but the email body and filenames of these attachments should definitely raise red flags for security experts.

9469_5b4b2626-48af-4875-983f-6ea75c36eab3

Figure 1. Email Sample

Checking out the attachments, the DOC file contains a malicious code that exploits the old CVE-2012-0158 (MS12-027) vulnerability in the ListView / TreeView ActiveX controls in the MSCOMCTL.OCX library for MS Office versions 2003, 2007 and 2010. More details about this exploit attack can be found in an earlier blog in the following link. The mal-crafted code in the DOC file downloads and executes a malicious binary executable in the affected system. Often, the downloaded executable steals information from the affected system and sends it to a controlling server or remote user. In this case, the downloaded executable belongs to the family of FareIt, a password stealing Trojan, known for stealing stored account information such as server names, port numbers, login IDs and passwords for FTP clients including cloud storage accounts.

The PDF file, on the other hand, uses the Windows-based PowerShell application to execute its malicious code. Again, it uses an old vulnerability in PDF readers – the /OpenAction method, to trigger the execution of malicious code (CVE-2010-1240). Like the name suggests, /OpenAction is a feature of PDF reader that triggers when a PDF document is opened. The bad guys use it to run automatically an application or script within the PDF file. A few years ago, /OpenAction is commonly associated with /AA (Additional Action) to execute a code, most of the time, a JavaScript code. Later, the /Launch action was also used to execute code by launching an application found in the affected system to execute the malicious code.

We saw two separate PDF samples that used this technique. Figure 2 shows the earlier attempt and luckily the exploit code was incomplete. The executable code following the –EncodedCommand, which allows a base64 chunk of code to be passed to PowerShell, was missing.

10724_96a1a873-1ffc-4b8e-9f26-801129979ac6

Figure 2. Earlier attempt of using /OpenAction to launch Windows PowerShell.

Notice that the skeleton for the code execution is already set up and just missing the actual malicious code. But just a few days after, we noticed a second campaign, with again, an email with both DOC and PDF attachments. There was not much new with the DOC file as it attempted to exploit the same old vulnerability, except that it downloaded an updated version of the FareIt information stealing Trojan. However, the PDF file had the complete recipe as shown in Figure 3.

10633_9297b6ab-17a4-4b6a-be54-194e66720ba5

Figure 3. /OpenAction to launch Windows PowerShell with the malicious code.

The -EncodedCommand is followed by a chunk of Base64 encoded data and decoding it gives the script as follows. It is clear as day as to what the script does to the victim's machine.

9751_6a66fd8f-8c16-4cb6-8f9d-9029e9c317d1

Figure 4. Decoded Base64 string.

Attack Impact

Since both attachments used quite old vulnerabilities to exploit and execute malicious code, the impact of the attack must be close to nil. New versions of the supposed target software applications that are immune to the targeted vulnerabilities are already out there and used widely. However, users of MS Office 2003, 2007 and 2010 are still affected by such an attack if they have failed to apply the appropriate security update for the said vulnerability. For the DOC vulnerability, Microsoft released Microsoft Security Bulletin MS12-027 patch on April 10, 2012 that addressed this issue.

As for the PDF exploit, we tested the PDF file in various versions of Adobe Reader from the latest release down to some older versions several years ago. We tried opening the PDF file using the latest Adobe Reader and it just ignored the /OpenAction in the PDF file as if it didn't exist. We tried the same until we reached Adobe Reader version 9.3 and then the exploit code was executed. So that and prior versions of Adobe Reader allow the execution of the exploit code. The affected Adobe Reader versions that we tested gave out a warning dialog box as shown below:

10840_9c37c42c-5fea-4a1e-a50b-5a0da759b43c
Figure 5. Adobe OpenAction Launch Warning.

Though the method of attack uses an old Adobe Reader vulnerability, the only thing new in the above sample is the use of Windows PowerShell to execute the shellcode. Earlier methods commonly use scripting to execute shellcodes.

What's the point?

This campaign was interesting in that the spam email had two distinct malicious documents attached. Although the methods used in both these attacks are old, we can't think of many reasons why the malware author had gone to the trouble. Was it an amateur, or someone merely trying to get the odd low-hanging fruit? Whatever the reason, as long as users are up-to-date with their software applications rest assured they are protected by these two specific attacks. These attacks will only succeed if users use vulnerable software applications and continue to ignore applying security updates on the affected software applications.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo