Targeted Attacks Against Japanese Firm Use Old ActiveX Vulnerability

The instigators of many targeted attacks are fond of using the CVE-2012-0158 vulnerability, which affects mscomctl.ocx in Microsoft Office and some other Microsoft products. We have seen several campaigns using this exploit against Chinese and Tibetan activists and in other recent attacks. Now McAfee Labs has uncovered another apparent targeted attack using the same vulnerability against a Japanese firm.

In the recent wave of the attacks using this exploit, the potential target seems to be the Japan Aerospace Exploration Agency (JAXA). We have found Word .doc exploits taking advantage of CVE-2012-0158 with the decoy document contents related to JAXA.

We first saw exploit-laden doc files in the wild on April 7 with the following file name and document metadata:

File name: EOC運営調整会議議事録(最終版).doc. Rough translation: “EOC management coordination meeting minutes (final version)”

Author: RESTEC観測部. “RESTEC observation section”

Title: ALOS地球観測班準備連絡会 議事録. “ALOS Earth observation team preparation Liaison Committee meeting minutes”

Threat Vector

The threat arrives in a Word doc file that exploits the CVE-2012-0158 vulnerability in the mscomctl.ocx ActiveX control. Opening the exploit document opens a separate decoy document and drops a binary, services.exe, in the %Temp% directory. This binary copies itself into C:\Program Files\Windows NT\Accessories\Microsoft and runs from there.

The following diagram gives a high-level picture of how the attack works:

[Figure jaxa_3: high-level diagram of the attack flow]

The decoy document roughly translates as follows:

[Figure JAXA_5: the decoy document and its rough translation]

Analyzing the payload

The exploit drops the binary services.exe (MD5 677EC884F6606A61C81FC06F6F73DE6D) into %Temp% and later into C:\Program Files\Windows NT\Accessories\Microsoft, and adds registry start-up entries for persistence. The initial part of the binary has a simple but fairly uncommon antidebugging technique using Windows message loops. It uses RegisterClassA() to register a window procedure and then calls CreateWindowExA(); the window-creation messages dispatched to that procedure run the hidden code before the API actually returns, so an analyst stepping over the CreateWindowExA() call never sees it execute.

[Figures jaxa_4 and jaxa_6: the RegisterClassA()/CreateWindowExA() sequence that hides the code in the window procedure]

Once the window procedure has been located, breaking at the right spot exposes the hidden code and an additional domain to connect to, and eventually exposes the apparently malicious iframe that redirects the victim to download additional malware.

[Figure jaxa_7: the hidden code, the additional domain and the iframe]

Network communication

While analyzing this exploit, we found that it connects to www.sitclogi.co.jp, which resolves to 111.68.158.66. This domain is legitimate and was apparently compromised to host malware during this attack. A historical scan of this domain confirms our assumption:

[Figure jaxa_2: historical scan results for www.sitclogi.co.jp]

The following additional malware samples (MD5) have been seen communicating with the same domain:

2b91011e122364148698a249c2f4b7fe www.sitclogi.co.jp
6c040be9d91083ffba59405f9b2c89bf www.sitclogi.co.jp
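As an added example (not code from the original post or from McAfee), the chain described in the Threat Vector, payload and network sections can be turned into endpoint detection logic. The script below runs over constructed Sysmon-style events (not real telemetry); the user profile path, the SID placeholder and the use of the standard CurrentVersion\Run key are assumptions, while the paths, domain, IP and MD5 values are the ones given in the post.

```python
import re

# Constructed Sysmon-style events (not real telemetry) approximating the chain the
# post describes: Word writes services.exe to %Temp%, it copies itself to the
# Windows NT\Accessories\Microsoft path, sets a Run key, and resolves the domain.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE ParentImage=C:\\Windows\\explorer.exe",
    "EventID=11 Image=C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE TargetFilename=C:\\Users\\u\\AppData\\Local\\Temp\\services.exe",
    "EventID=1 Image=C:\\Users\\u\\AppData\\Local\\Temp\\services.exe ParentImage=C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE Hashes=MD5=677EC884F6606A61C81FC06F6F73DE6D",
    "EventID=11 Image=C:\\Users\\u\\AppData\\Local\\Temp\\services.exe TargetFilename=C:\\Program Files\\Windows NT\\Accessories\\Microsoft\\services.exe",
    "EventID=13 Image=C:\\Users\\u\\AppData\\Local\\Temp\\services.exe TargetObject=HKU\\S-1-5-21-PLACEHOLDER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\services Details=C:\\Program Files\\Windows NT\\Accessories\\Microsoft\\services.exe",
    "EventID=22 Image=C:\\Program Files\\Windows NT\\Accessories\\Microsoft\\services.exe QueryName=www.sitclogi.co.jp QueryResults=111.68.158.66",
    "EventID=1 Image=C:\\Windows\\System32\\services.exe ParentImage=C:\\Windows\\System32\\wininit.exe",  # legitimate SCM
]

# Indicators from the post; the Run key as persistence location is an assumption.
IOC_MD5 = {"677ec884f6606a61c81fc06f6f73de6d", "2b91011e122364148698a249c2f4b7fe", "6c040be9d91083ffba59405f9b2c89bf"}
IOC_DOMAIN, IOC_IP = "www.sitclogi.co.jp", "111.68.158.66"
DROP_DIR = "c:\\program files\\windows nt\\accessories\\microsoft\\"
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")

# key=value pairs; values may contain spaces, so a value ends only before the next " key=".
_KV = re.compile(r"\s*(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    return dict(_KV.findall(line))

def classify(ev):
    """Return the names of the rules one event trips (empty for benign events)."""
    hits, eid = [], ev.get("EventID")
    image = ev.get("Image", "").lower()
    target = ev.get("TargetFilename", "").lower()
    if eid == "11" and image.endswith(OFFICE_APPS) and target.endswith(".exe") and "\\temp\\" in target:
        hits.append("office_drops_exe_in_temp")       # Office writing a PE into %Temp%
    if eid == "1" and image.endswith("\\services.exe") and not image.startswith("c:\\windows\\system32\\"):
        hits.append("services_exe_outside_system32")  # name masquerades as the real SCM binary
    if image.startswith(DROP_DIR) or target.startswith(DROP_DIR):
        hits.append("dropper_persistence_path")       # the copy location named in the post
    if eid == "13" and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower() \
            and DROP_DIR in ev.get("Details", "").lower():
        hits.append("run_key_points_to_dropper")
    if eid == "22" and (ev.get("QueryName", "").lower() == IOC_DOMAIN or IOC_IP in ev.get("QueryResults", "")):
        hits.append("c2_domain_lookup")
    m = re.search(r"md5=([0-9a-f]{32})", ev.get("Hashes", "").lower())
    if m and m.group(1) in IOC_MD5:
        hits.append("known_md5")
    return hits

def scan(lines):
    """Map event index -> tripped rules, keeping only events that trip at least one."""
    found = {i: classify(parse_event(l)) for i, l in enumerate(lines)}
    return {i: h for i, h in found.items() if h}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, hits)
```

The behavioural rules (Office dropping an executable, services.exe outside System32, the Run key pointing at the drop directory) keep firing if the sample is rebuilt with a new hash, whereas the MD5 and domain rules only catch this exact campaign.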


McAfee detection:

McAfee Advanced Threat Detection provides zero-day detection of this exploit based on behavioural analysis. As always, we advise users to consider carefully before opening documents from unknown sources.

The post Targeted Attacks Against Japanese Firm Use Old ActiveX Vulnerability appeared first on McAfee.