# Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities **securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-** vulnerabilities/ July 15, 2014 [Chintan Shah](https://www.mcafee.com/blogs/author/chintan-shah/) Jul 15, 2014 7 MIN READ Spear phishing email is a major worry to any organization. Messages that appear legitimate and specific fool us more often than random phishing attempts. Exploits that use patched vulnerabilities delivered via spear phishing email are one of the most successful combinations used by attackers to infiltrate targeted organizations and gain access to confidential information. During the last month, McAfee Labs researchers have uncovered targeted attacks carried out via spear phishing email against a French company. We have seen email sent to a large group of individuals in the organization. The attachments exploit the recently patched RTF vulnerability CVE-2014-1761 and the previously patched ActiveX control vulnerability CVE2012-0158. Both of these vulnerabilities have been popular in several ongoing targeted attacks. ----- \ The preceding spear phishing emails come from attackers using the French Yahoo and Laposte email services and possibly impersonating employees of the targeted organization. ## RTF Vulnerability These exploits target the recently discovered RTF zero-day vulnerability CVE-2014-1761. The flaw lies in the value of the “ListOverrideCount,” which is set to 25. However, according to Microsoft’s RTF specifications this value should be either 1 or 9. This error eventually causes an out-of-bounds array overwrite that results in incorrect handling of the structure by Word and leads to the attacker’s controlling an extended instruction pointer (EIP). ----- ## Shellcode McAfee Labs researchers discovered that all the bytes of the shellcode, the return oriented programming (ROP) chain, are directly controlled by the attacker and come straight from the RTF structure. Here is a high-level view of how the ROP chain is formed: Next we see a snapshot of the parsed RTF structure in memory leading to the control of the EIP: Successful execution of the shellcode opens the decoy document and drops the malware svohost.exein the %TEMP%directoryandthen connects to the control server. [(McAfee Labs researchers Haifei Li and Xie Jun have already blogged on the technical](https://mcafee.com/blogs/others/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers/) details of the vulnerability and the shellcode.) In this cycle of spear phishing attacks we’ve also seen email targeting the same organization with attachments that exploit the two-year-old CVE -2012-0158 vulnerability. The malicious payload arrives in the innocuous-sounding article.doc. ----- The following API trace gives an idea of the sequence of activities once the exploit is launched on the system: **Payload Analysis** Our analysis of the dropped binary reveals that it was specifically written to gather information about the network of the target organization as well as the configuration of the endpoint— leading us to believe that this is a spear phishing reconnaissance. The payload seems to have been compiled on April 9: The malware starts by retrieving the %Temp% path and prepares to log the communication with its control server in the file %Temp%explorer.exe. Subsequently, the malware collecting following information: Hostname Username System type by resolving IsWOW64Process AP ----- Current TCP and UDP connections and open ports Organizational information from the registry key: HKLM/Software/Microsoft/WindowsNT/CurrentVersion, Productname, CSDVersion, CurrentVersion, CurrentBuildNumber, RegisteredOrganization, RegisteredOwner Current running system services Installed software from the registry key: HKLM/Software/Microsoft/Windows/CurrentVersion/Uninstall Information about network adapters, IP configuration, netcard numbers, IP mask, gateway, DHCP server, DHCP host, WINS server, and WINS host Here is a high-level snapshot of the malware’s information gathering code: ----- Encryption is primarily done using the SYSTEMTIME structure. It forms the repetitive 256byte key using SYSTEMTIME information, shown below: The malware converts the key into 16 bytes to ----- encrypt the information. Once the buffer has been encrypted, it connects to the control server sophos.skypetm.com.tw. ----- ## Command and Control Research During our analysis of this exploit, sophos.skypetm.com.tw resolved to the IP address 66.220.4.100. located in the Fremont, California. McAfee sensors first observed the outbound traffic to this domain on January 27, at which time it resolved to 198.100.113.27, located in Los Angeles. From our passive DNS data, we found following MD5 hashes connecting to the same domain resolving to 198.100.113.27. 4ab74387f7a02c115deea2110f961fd3 January 27, 2014 sophos.skypetm.com.tw 8dc8e02e06ca7c825d42d82ec19d8377 January 28, 2014 sophos.skypetm.com.tw 0331417d7fc3d075128da1353ae880d8 March 30, 2014 sophos.skypetm.com.tw 5e2360a8c4a0cce1ae22919d8bff49fd April 25, 2014 sophos.skypetm.com.tw The whois record reveals that the skypetm.com.tw domain has been registered under the email ID longsa33@yahoo.com. This ID also registered the domain avstore.com.tw, which has been used as the control server. We have seen several other malware binaries communicating with the various subdomains of skypetm.com.tw and avstore.com.tw. All of them have been identified as “PittyTiger” malware, which appears in numerous CVE-2012-0158 exploits used in recent targeted attacks. The same payload was used in the “Tomato Garden” APT campaign, uncovered in June 2013, against Tibetan and Chinese democracy activists. ----- 65809985e57b9143a24ac57cccde8c77 asdf.skypetm.com.tw 113.10.240.54 vbnm.skypetm.com.tw 122.10.39.52 c0656b66b9f4180e59e1fd2f9f1a85f2 zeng.skypetm.com.tw 113.10.221.126 b84342528942cec03f5f2976294613ba gmail.skypetm.com.tw 122.208.59.188 d4f96dba1900d53f1d33ee66f7e5996d gmail.skypetm.com.tw 122.208.59.188 b84342528942cec03f5f2976294613ba gmail.skypetm.com.tw:8080 122.208.59.188 d4f96dba1900d53f1d33ee66f7e5996d gmail.skypetm.com.tw:8080 122.208.59.188 2be9fc56017aab1827bd30c9b2e3fc27 jamessmith.avstore.com.tw 58.64.175.191 be18418cafdb9f86303f7e419a389cc9 chanxe.avstore.com.tw 122.10.48.189 65809985e57b9143a24ac57cccde8c77 asdf.avstore.com.tw 122.10.39.105 17bc87b13b0a26caa2eb9a0d2a23fc72 bluer.avstore.com.tw 58.64.185.200 90f3973578ec9e2da4fb7f22da744e4c avast.avstore.com.tw 198.100.121.15 Additional domains related to this attack: - 63.251.83.36 - 64.74.96.242 - 69.251.142.1 - 218.16.121.32 - 61.145.112.78 - star.yamn.net - 216.52.184.230 - 212.118.243.118 - bz.kimoo.com.tw - mca.avstore.com.tw **McAfee Product Coverage** ----- [McAfee coverage for CVE 2014-1761 is detailed here. McAfee Advance Threat Defense](https://www.mcafee.com/blogs/others/mcafee-labs/product-coverage-mitigation-cve-2014-1761-microsoft-word) provides zero-day detection for CVE 2012-0158. As usual, exercise extreme caution when opening documents from unknown sources and use the latest versions of software. I would like to thank my colleague S. R. Venkatachalabathy for assistance in this research. [Chintan Shah](https://www.mcafee.com/blogs/author/chintan-shah/) Chintan Shah is currently working as a Security Researcher with McAfee Intrusion Prevention System team and holds broad experience in the network security industry. He primarily focuses on Exploit and... ### More from McAfee Labs [Crypto Scammers Exploit: Elon Musk Speaks on Cryptocurrency](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/crypto-scammers-exploit-talk-on-cryptocurrency/%20) By Oliver Devane Update: In the past 24 hours (from time of publication) McAfee has identified 15... May 05, 2022 | 4 MIN READ [Instagram Credentials Stealer: Disguised as Mod App](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/instagram-credentials-stealer-disguised-as-mod-app/%20) Authored by Dexter Shin McAfee’s Mobile Research Team introduced a new Android malware targeting Instagram users who... May 03, 2022 | 4 MIN READ [Instagram Credentials Stealers: Free Followers or Free Likes](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/instagram-credentials-stealers-free-followers-or-free-likes/%20) Authored by Dexter Shin Instagram has become a platform with over a billion monthly active users. Many... May 03, 2022 | 6 MIN READ [Scammers are Exploiting Ukraine Donations](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-are-exploiting-ukraine-donations/%20) Authored by Vallabh Chole and Oliver Devane Scammers are very quick at reacting to current events, so... ----- Apr 01, 2022 | 7 MIN READ [Imposter Netflix Chrome Extension Dupes 100k Users](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/imposter-netflix-chrome-extension-dupes-100k-users/%20) Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi McAfee has recently observed several malicious Chrome Extensions... Mar 10, 2022 | 8 MIN READ [Why Am I Getting All These Notifications on my Phone?](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/why-am-i-getting-all-these-notifications-on-my-phone/%20) Authored by Oliver Devane and Vallabh Chole Notifications on Chrome and Edge, both desktop browsers, are commonplace,... Feb 25, 2022 | 5 MIN READ [Emotet’s Uncommon Approach of Masking IP Addresses](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/emotets-uncommon-approach-of-masking-ip-addresses/%20) In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was... Feb 04, 2022 | 4 MIN READ ----- [HANCITOR DOC drops via CLIPBOARD](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-doc-drops-via-clipboard/%20) Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer,... Dec 13, 2021 | 6 MIN READ [‘Tis the Season for Scams](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tis-the-season-for-scams/%20) ‘Tis the Season for Scams Nov 29, 2021 | 18 MIN READ [The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc.](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/%20) Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used by Malicious actors... Nov 10, 2021 | 4 MIN READ ----- [Social Network Account Stealers Hidden in Android Gaming Hacking Tool](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/social-networks-account-stealer-hidden-in-android-gaming-hacking-tool/%20) Authored by: Wenfeng Yu McAfee Mobile Research team recently discovered a new piece of malware that specifically... Oct 19, 2021 | 6 MIN READ [Malicious PowerPoint Documents on the Rise](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-powerpoint-documents-on-the-rise/%20) Authored by Anuradha M McAfee Labs have observed a new phishing campaign that utilizes macro capabilities available... Sep 21, 2021 | 6 MIN READ -----