In our Global Security Report, we highlighted a zero-day vulnerability in the Windows Common Controls affecting Microsoft Office (CVE-2012-0158). This was reportedly being used for targeted attacks against NGOs and human rights activists.
Over the past week, the Cutwail botnet has been sending out spam containing malicious documents that exploit the aforementioned vulnerability, CVE-2012-0158. The use of a loaded RTF attachment is a departure from the norm for Cutwail, which usually distributes executable attachments or links to exploit kits.
The spam claims to be from Citibank or Bank of America. The spam may use “Merchant Statement” as a subject line and has an accompanying .DOC file attached.
This exploit affects older versions of Microsoft Office such as Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1, etc. This issue was patched a year ago in Microsoft Security Bulletin MS12-027.
The Shellcode and the Payload
To verify whether the RTF file was indeed malicious, we initially scanned the file using a tool from the OfficeMalScanner suite, RTFScan.exe. This provided an overview of the malicious RTF file. The tool also dumped the suspicious OLE document embedded in the RTF file. RTFScan found a seemingly malicious object inside the file, and VirusTotal’s high detection rate gave us high confidence that we were indeed dealing with a malicious RTF document.
One of the objectives of this analysis is to find the shellcode that will be executed when the exploit is triggered. Luckily, the shellcode string can be easily spotted within the malicious RTF document, characterized by the string “E9” (the opcode for a relative JMP) followed by a series of 90s (NOP instructions). So by dumping the shellcode strings and converting them to binary, we can disassemble and analyze the shellcode easily.
The disassembled shellcode shows an initial walk of the Process Environment Block (PEB) to resolve the address space of Kernel32.dll, followed by manual resolution of the imported APIs (Application Programming Interfaces) through hashing. This common shellcode technique is used to resolve the addresses of the API functions the shellcode needs when running on a Windows system.
Here is the list of hashes and the corresponding APIs that the shellcode uses:
That list of APIs gives an idea of what the shellcode is going to do.
With further investigation, we saw the shellcode decrypt a Trojan executable file embedded in the malicious RTF document using a simple XOR operation. The file is then dropped and installed in the user's %TEMP% directory with the filename PAW.EXE.
The Trojan is embedded in the RTF document encrypted by XORing each byte with the key 0x3F.
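The two analysis steps above, spotting the hex-encoded shellcode by its NOP sled and E9 jump and recovering the XOR-0x3F encoded executable, can be turned into a small triage script. The following is an added example, not the post's or the OfficeMalScanner tool's code; the RTF sample it scans is constructed inline and is not a real exploit document.

```python
import re

XOR_KEY = 0x3F  # single-byte key the post reports for the embedded Trojan
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){16,}")  # >= 16 hex-encoded bytes, as in \objdata

def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in blob)

def hex_runs(rtf: bytes):
    # Heuristic: assumes each run starts on a byte boundary (a delimiter precedes the hex data)
    for m in HEX_RUN.finditer(rtf):
        yield m.start(), bytes.fromhex(m.group().decode())

def find_nop_sled_jmp(blob: bytes, min_nops: int = 8) -> int:
    """Offset of a NOP sled (run of 0x90) that ends in a relative JMP (0xE9), or -1."""
    sled = b"\x90" * min_nops
    i = blob.find(sled)
    while i != -1:
        j = i
        while j < len(blob) and blob[j] == 0x90:
            j += 1
        if j < len(blob) and blob[j] == 0xE9:
            return i
        i = blob.find(sled, j)
    return -1

def find_xored_mz(blob: bytes, key: int = XOR_KEY) -> int:
    """Offset of an MZ header hidden under a one-byte XOR, confirmed by the DOS stub text, or -1."""
    magic = xor_decode(b"MZ", key)
    i = blob.find(magic)
    while i != -1:
        if b"This program" in xor_decode(blob[i:i + 0x100], key):
            return i
        i = blob.find(magic, i + 1)
    return -1

def triage_rtf(rtf: bytes) -> list:
    """Return (finding, offset_in_rtf, offset_in_blob) for every suspicious hex run."""
    findings = []
    for off, blob in hex_runs(rtf):
        for kind, check in (("shellcode-like", find_nop_sled_jmp), ("xor-0x3f-exe", find_xored_mz)):
            pos = check(blob)
            if pos != -1:
                findings.append((kind, off, pos))
    return findings
# Constructed sample, not a real exploit: a NOP sled + E9, then a fake MZ file XORed with 0x3F
_FAKE_SHELLCODE = b"\x90" * 12 + b"\xE9\x10\x00\x00\x00" + b"\x31\xc0" * 4
_FAKE_EXE = b"MZ" + b"\x00" * 30 + b"This program cannot be run in DOS mode" + b"\x00" * 8
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\*\\objdata " + _FAKE_SHELLCODE.hex().encode() + b"}"
              + b"{\\*\\objdata " + xor_decode(_FAKE_EXE).hex().encode() + b"}}")
```

Real samples often split or obfuscate the hex stream, so treat a hit as a reason to run RTFScan and a disassembler, not as a final verdict.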
Additionally, the code also drops another Word document in the %TEMP% directory with the filename VC.DOC. The dropped decoy document is non-malicious and is opened after the shellcode has installed the Trojan.
To sum up, once an unsuspecting victim is lured into opening the malicious RTF document, the exploit triggers the vulnerability in Microsoft Word, causing it to run the embedded shellcode. The shellcode eventually drops and installs its payload.
It is worth noting, though, that even a year after the patch for this Microsoft Office vulnerability was released, cyber-criminals continue to use this exploit. It is always good advice to keep all your software up to date and avoid opening unsolicited email.