On August 15th, Jaime Blasco over at AlienVault Labs posted a description of a malicious Word document with an embedded Flash file that exploits CVE-2012-1535 (Original here). The document described within the specific attack was titled “iPhone 5 Battery.doc”, and the dummy document displayed after exploitation is a legitimate article that was posted on August 10th, 2012 on TechCrunch here. Metadata from the document analysis via VirusTotal here shows that the malicious file was created on the same day. We also know that the VirusTotal analysis was completed on August 15th, which suggests a relatively short period of infection of 5 days (probably less given the AV article). However, the malicious DLL (taskman.dll) has a compile time of 2012-07-26 07:20:06+2:00, which also suggests the specific payload could have been in use for up to 2 weeks prior to this round of delivery. Yes, it is acknowledged that the timestamp could be manipulated, but given how it lines up with the rest of the attack, that doesn’t seem likely. Lastly, the generic topic selected for this document does little to suggest potential targets since it could be of interest to almost anyone.
Since this article, several other sample malicious documents (8 additional, 9 total as of 8/19) have emerged from open sources covering an array of popular topics.
Running Mate.doc displays a dummy document after exploitation takes place. Again, the document is a valid article, this time sourced from the Huffington Post. This document does introduce an interesting complication in the timeline of the attack. As in the first example, the timestamp of the Word document is 2012:08:10 11:38:00, but the article from the Huffington Post wasn’t posted until 2012:08:12 12:04. Making the assumption that the article was written in a GMT-X timezone (U.S.) and the malicious documents were created in a GMT+X timezone (.EU, .RU, .CN), the timestamps present are incongruent: the document would have been created roughly two days before its own lure content existed. This, combined with the fact that the timestamps for each document are exactly the same, suggests that the document timestamps were altered. However, the (PURELY CONJECTURE) possibility also exists that the attackers have some level of access within the Huffington Post and stole the article prior to it going up on the website… hmm…
MedalTop10.doc doesn’t display an article after exploitation, but does display a chart of the 2012 London Olympic Medal Count available here. This corroborates the theory that the document timestamps aren’t correct. Again, this document has the 2012:08:10 timestamp, but the final medal count for the Olympics didn’t occur until 2012:08:12. As a result, the timestamp was either intentionally set to an altered date, or they are the same across the documents due to an artifact of the builder. It’s possible that the base malicious document was created on the 10th, and the document was then just edited with new content as desired. Again, this is another example of a topic that doesn’t suggest a specific target and could be applicable to almost anyone (English speaking though…).
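The timeline argument above (a document that is stamped earlier than the public article it carries cannot have a genuine creation time, whatever timezone the author sat in) is easy to turn into a repeatable check when you are triaging a batch of lure documents. The following is an added example, not code from the original post; the document timestamps and publication times are the ones quoted above, while the candidate author offsets (GMT+1 through GMT+8), the Huffington Post offset (EDT, GMT-4) and the treatment of a date-only source as midnight London time (GMT+1) are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Candidate UTC offsets for the document author, assumed from the post's
# "GMT+X (.EU, .RU, .CN)" reasoning; not a fact taken from the samples.
AUTHOR_OFFSETS_H = range(1, 9)


def parse_exif_ts(ts: str) -> datetime:
    """Parse the 'YYYY:MM:DD HH:MM:SS' form that exiftool prints for OLE metadata."""
    return datetime.strptime(ts, "%Y:%m:%d %H:%M:%S")


def parse_publish_ts(ts: str, offset_h: int) -> datetime:
    """Attach a known/assumed UTC offset to a wall-clock publication time.

    A date-only value is read as midnight at the start of that day, i.e. the
    earliest moment the content could possibly have been public.
    """
    fmt = "%Y:%m:%d %H:%M" if len(ts) > 10 else "%Y:%m:%d"
    tz = timezone(timedelta(hours=offset_h))
    return datetime.strptime(ts, fmt).replace(tzinfo=tz)


def latest_possible_utc(naive_local: datetime, offsets_h=AUTHOR_OFFSETS_H) -> datetime:
    """Most generous reading of a naive document timestamp: pick the candidate
    author offset that maps it to the latest instant in UTC."""
    candidates = (naive_local.replace(tzinfo=timezone(timedelta(hours=h))) for h in offsets_h)
    return max(candidates).astimezone(timezone.utc)


def slack_hours(doc_created: str, source_available: datetime, offsets_h=AUTHOR_OFFSETS_H) -> float:
    """Hours between the lure going public and the latest plausible creation time.
    Negative means the document claims to predate its own lure content."""
    delta = latest_possible_utc(parse_exif_ts(doc_created), offsets_h) - source_available
    return delta.total_seconds() / 3600


def lure_timeline_consistent(doc_created: str, source_available: datetime, offsets_h=AUTHOR_OFFSETS_H) -> bool:
    """True if at least one candidate author timezone puts creation of the
    document at or after the moment its lure content became public."""
    return slack_hours(doc_created, source_available, offsets_h) >= 0


# Constructed from the values quoted in the post: (creation timestamp from the
# document metadata, publication time of the lure content, publication offset).
SAMPLES = {
    "Running Mate.doc": ("2012:08:10 11:38:00", "2012:08:12 12:04", -4),  # HuffPost, EDT assumed
    "MedalTop10.doc":   ("2012:08:10 11:38:00", "2012:08:12", 1),         # final medal table, London, date only
}


def audit(samples=SAMPLES) -> dict:
    """Map each document to its timeline slack in hours."""
    return {
        name: round(slack_hours(doc, parse_publish_ts(pub, off)), 2)
        for name, (doc, pub, off) in samples.items()
    }


def identical_creation_times(samples=SAMPLES) -> bool:
    """True when every document carries the same creation timestamp, which
    points at a builder artifact or a deliberately set value."""
    return len({doc for doc, _, _ in samples.values()}) == 1


if __name__ == "__main__":
    for name, slack in audit().items():
        verdict = "plausible" if slack >= 0 else "predates its lure"
        print(f"{name}: {slack:+.2f} h ({verdict})")
    print("identical creation timestamps:", identical_creation_times())
```

Both documents come out with negative slack (about -53 hours for Running Mate.doc and -36 hours for MedalTop10.doc), so no reasonable author timezone rescues the metadata; the identical creation timestamps are the second signal the post points at. The same functions can be fed any further samples as they are collected.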
tickets.doc again displays a dummy file post exploitation, but there is little definitive evidence of a specific timeframe from which the information was sourced. When opened, a general description of the Front of the Line Pass from Universal Studios Hollywood is displayed. I couldn’t find any exact matches of the text, though many variations exist on various sites. The dummy doc did mention the Transformers ride that opened in May of 2012, so the text was probably taken from someplace within at least the previous couple of months. In general, this topic seems less relevant than the others involved in this campaign. However, without knowing the specific target, we’re not able to say whether or not it was actually less targeted or less effective.
page 1-2.doc A.K.A. Wage Data.doc takes its text from an Illinois Department of Employment Security document, Wage Data 2010. The source page suggests that someone at a state government level may have been a target. However, the generic naming of the document could have made it an effective lure for almost anyone that received it, especially if the email was crafted for a specific recipient.
Wireless Tests.doc is another document that displayed information post exploitation, though this one seemed locally crafted. That is, I couldn’t find a duplicate online and the grammar wasn’t 100%. The text discusses internal wireless network testing (generic/no org named), but the feel is off and it didn’t seem like something an organization would officially post. Again, this leaves the potential victim pool relatively wide.
Message from PerInge.doc failed to successfully display a dummy doc in the sandbox I was using at the time of this writing. Searching for the name didn’t yield any documents, but PerInge seems to be a semi-common Northern European name, which may suggest the location of the potential targets. Two more documents, AWE Platinum Partners.doc and TYBRIN Project Review Report_Aug 12.doc, also failed to successfully display a dummy document. However, these two are set apart from the rest because the titles are much more specific. AWE Limited is an Australian oil & gas company that currently has a job listed with Platinum Pacific Partners, an Australian executive search firm. Obviously, either of these companies could be an attractive target for an adversary. TYBRIN Group is a subsidiary of Jacobs Technology Inc. that focuses on software engineering for DoD and other USG areas. I don’t think I have to tell anyone that that’s a juicy topic.
Based on a new F-Secure article, the AWE Platinum Partners document is also related to the TYBRIN Group of Jacobs Technology Inc. Thanks for looking deeper and linking the two! I think it’s interesting that two different documents targeting the same firm were identified. IMO, that’s definitely a signal since many of the other docs were fairly general.
Seven of these samples are available over at Contagio in one neat package. Mila notes that the SSDeep signatures for the documents are extremely close to one another, which can also be seen in this search over at viCheck. Overall, this campaign seems to have been fairly far-reaching. The general topics included in the malicious documents are generic enough (in most cases) to have been used against multiple targets. Additionally, much of the information was extremely timely and sourced from reputable & popular websites. Since these documents emerged over a period of almost 1 week, it’s possible that there are still others out there undetected.
This information is definitely not the extent of the OSINT available regarding this campaign. Data exists regarding the domains that have been publicized, IP addresses, emails sent, etc. I posted what I currently had time to research & smack together. It would be great if others could contribute. Time permitting, I may add more info this week, but can’t guarantee anything.