Attacks on New Microsoft Zero Day Using Multi-Stage Malware

Attackers exploiting the Microsoft Windows and Office zero day revealed yesterday are using an exploit that includes a malicious RAR file as well as a fake Office document as the lure, and are installing a wide variety of malicious components on newly infected systems. The attacks seen thus far are mainly centered in Pakistan.

Attackers exploiting the Microsoft Windows and Office zero day revealed yesterday are using an exploit that includes a malicious RAR file as well as a fake Office document as the lure, and are installing a wide variety of malicious components on newly infected systems. The attacks seen thus far are mainly centered in Pakistan.

The CVE-2013-3906 vulnerability, disclosed Tuesday by Microsoft, is a remote code execution flaw that involves the way that Windows and Office handle some TIFF files. Microsoft said that attackers who are able to exploit the bug would be able to run arbitrary code on compromised machines. In the targeted attacks seen by researchers so far, attackers are using ROP techniques to exploit the vulnerability and then installing a downloader that pulls down some additional components, including an Office document that is shown to the user as a distraction from what’s going on in the background.

Researchers at AlienVault analyzed the exploit and malware being used in the targeted attacks and found that once the attackers have compromised the machine, they also download a RAR file that includes components that calls back out to the command-and-control server and then downloads a number of malicious components. The malware installs a keylogger, a remote backdoor and a component that steals various files, including XLS, DOC, PPT and PDF files.

The CVE-2013-3906 vulnerability affects Windows Vista and Office 2003-2010 and Microsoft recommended that users running vulnerable versions install the FixIt tool they released Tuesday, which helps prevent exploitation. Installing the EMET toolkit also can protect users against attacks on this vulnerability.

Most of the IPs connecting to the C&Cs used in these attacks are coming from Pakistan, the AlienVault researchers said. Researchers at Kaspersky Lab analyzed the malware and its behavior and found some interesting behavior.

“This is not the first vulnerability in TIFF. The notorious CVE-2010-0188 (based on TIFF too) is widely used in PDF exploits even now. The new 0day uses malformed TIFF data included in Office documents in order to run a shellcode using heap spray and ROP techniques. We have already researched some shellcodes – they perform common actions (for shellcodes): search API functions, download and launch payload. We took a glance at a downloaded payload – backdoors and Trojan-spies. Our AEP technology prevents a launch of any executable file by exploited applications. In this case our AEP protected and continues protecting users too,” said Vyacheslav Zakorzhevsky, head of the vulnerability research group at Kaspersky.

Image from Flickr photos of Elliott Brown.

Suggested articles