Since the end of April 2013 we’ve been seeing APT1, the NetTraveler/Netshark/Surtr group and others use Mime-MSO format files to deliver CVE-2012-0158 exploits to victims in spear phishing attacks. By packaging the exploit within a Mime document instead of RTF or OLE Word document, the attackers appear to avoid detection by half or more of the AV products on VirusTotal.
The malicious file, although its content is MIME and HTML, is normally given a .doc or .rtf extension so that it is associated with Microsoft Office. The content is similar to a MIME email or a single-file web archive:
Unlike the RTF version of the CVE-2012-0158 exploit, the Mime version has received very little exposure and still bypasses many AV products despite the lack of obfuscation efforts.
This CVE-2012-0158 Mime delivery method was previously reported in May 2013 by Antiy Labs [PDF http://www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf].
Instead of referencing the vulnerable control by class name, as the RTF version does, the Mime version references it by class ID, for example BDD1F04B-858B-11D1-B16A-00C0F0283628 (the ListView ActiveX control, MS12-027 / CVE-2012-0158), alongside base64-encoded document content:
This format can also be used to deliver Shockwave Flash exploits within MS Office.
We’ve seen 3 identified groups, including APT1, use this exploit to deliver over 6 different trojans.
Our Cryptam online scanner detects this threat as “exploit.office MSO MSCOMCTL.OCX RCE CVE-2012-0158”.
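The two traits described above (MIME/HTML content carried under an Office extension, and the vulnerable control referenced by CLSID inside a base64-encoded part rather than by class name) are straightforward to triage for without any AV engine. The script below is an added example written for this post; it is not Cryptam's detection logic or any code from the original article. The only CLSID it knows is the one named above; the MIME layout of the constructed sample (a multipart/related wrapper with one base64 text/html part that instantiates the control via an `<object classid="clsid:...">` tag) is an assumption about how such a file is laid out, not a copy of a real sample.

```python
import base64
import email
import re
from email import policy

# CLSID named in the post: ListView ActiveX control, MSCOMCTL.OCX, MS12-027 / CVE-2012-0158.
SUSPECT_CLSIDS = {
    "BDD1F04B-858B-11D1-B16A-00C0F0283628": "ListView ActiveX (MSCOMCTL.OCX, MS12-027 / CVE-2012-0158)",
}

# Extensions the post says these files are delivered under.
OFFICE_EXTS = (".doc", ".rtf")

# Generic GUID pattern; matched case-insensitively over raw and decoded content.
CLSID_RE = re.compile(rb"[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}", re.I)


def looks_like_mime_mso(data: bytes) -> bool:
    """True when the file head carries MIME headers rather than an OLE/RTF signature."""
    head = data[:4096]
    return b"MIME-Version:" in head and b"multipart/related" in head.lower()


def extract_parts(data: bytes):
    """Yield (content_type, decoded_payload) for every leaf MIME part.

    get_payload(decode=True) undoes base64 / quoted-printable transfer encoding,
    which is what exposes the CLSID hidden inside the encoded document body.
    """
    msg = email.message_from_bytes(data, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload:
            yield part.get_content_type(), payload


def find_clsids(data: bytes) -> dict:
    """Return {CLSID: description} for each suspect CLSID in the raw file or any decoded part."""
    blobs = [data]
    if looks_like_mime_mso(data):
        blobs.extend(payload for _, payload in extract_parts(data))
    found = {}
    for blob in blobs:
        for m in CLSID_RE.finditer(blob):
            clsid = m.group(0).decode("ascii").upper()
            if clsid in SUSPECT_CLSIDS:
                found[clsid] = SUSPECT_CLSIDS[clsid]
    return found


def triage(filename: str, data: bytes) -> dict:
    """Combine the extension/content mismatch with the CLSID check into one verdict."""
    reasons = []
    if looks_like_mime_mso(data) and filename.lower().endswith(OFFICE_EXTS):
        reasons.append("MIME/HTML content delivered under an Office extension")
    for clsid, desc in find_clsids(data).items():
        reasons.append(f"references {clsid} ({desc})")
    return {"file": filename, "verdict": "suspicious" if reasons else "clean", "reasons": reasons}


def build_sample() -> bytes:
    """Constructed sample for demonstration only; not a real malicious file.

    The HTML part instantiates the ListView control by CLSID and is base64-encoded,
    so the CLSID string is not visible in the raw bytes.
    """
    html = (b'<html><body><object classid="clsid:BDD1F04B-858B-11D1-B16A-00C0F0283628">'
            b"</object></body></html>")
    b64 = base64.encodebytes(html)  # wrapped at 76 columns, like a real MIME body
    return (b"MIME-Version: 1.0\r\n"
            b'Content-Type: multipart/related; boundary="----=_NextPart_01"\r\n'
            b"\r\n"
            b"------=_NextPart_01\r\n"
            b'Content-Type: text/html; charset="us-ascii"\r\n'
            b"Content-Transfer-Encoding: base64\r\n"
            b"\r\n" + b64 +
            b"------=_NextPart_01--\r\n")


if __name__ == "__main__":
    for name, blob in (("sample.doc", build_sample()), ("notes.txt", b"hello world")):
        print(triage(name, blob))
```

Running the block prints a `suspicious` verdict with two reasons for the constructed sample and `clean` for the plain-text control. The point worth noting for detection engineering is that a raw-byte search for the CLSID misses the sample entirely; the transfer encoding has to be decoded first, which is the same reason a signature written against the RTF variant does not fire here.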
APT1 / “Operation Beebus” / WARP:
7c55a62b935171d1c0bb6d3a923e7436 Draft Agenda_PCC V3.doc