Tomato Garden Campaign – Possible Microsoft Office zero day in the wild used against Tibet and China Democracy activists

Update: So far, some of the samples are stopped by the MS12-060 patch but do not match a known exploit, so this might be a new but already patched exploit. The purpose of this campaign might be to evade AV while going after users without the latest patch: all samples score only 7 or 8 of 43 detections on VirusTotal.

We are currently examining 40 samples of an unconfirmed zero-day in Microsoft Office circulating against pro-democracy and Tibet activists. One of the exploit documents contains a “PittyTiger” payload; however, several different payload implants have been observed. The exploit is contained in a .doc file but could be delivered via RTF as well. We’ve seen attacks since June 4 2013 using payloads compiled on May 28, and some of the command and control domains have been registered as late as today, June 6 2013.

We have provided the samples to Microsoft and are awaiting confirmation.

We will release detection signatures for our Cryptam document malware scanner (free online scanning at Cryptam.com) and more details soon.

We recommend taking extra precautions to not open DOC or RTF files received via email or weblinks at this time.
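The post's advice is to hold DOC and RTF attachments regardless of where they come from. The following is an added example (not code from the post or from Cryptam) of a mail-gateway triage check that classifies an attachment by its leading bytes rather than its file name, since Word opens an RTF file that has been renamed to .doc. The sample attachments are constructed stand-ins containing only format headers; the hold policy (hold OLE and RTF content, and hold anything whose content does not match its extension) is this example's assumption, not a rule stated on the page.

```python
import os

# Magic bytes for the container formats Word opens (public format facts).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 compound file (classic .doc)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx) is a ZIP container
RTF_MAGIC = b"{\\rtf"                            # RTF header, e.g. {\rtf1\ansi

# Content types an extension may legitimately carry. Word opens an RTF file
# that was renamed to .doc, so .doc admits both container types.
EXPECTED_CONTENT = {
    ".doc": {"ole", "rtf"},
    ".docx": {"ooxml"},
    ".rtf": {"rtf"},
}


def classify(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring the file name."""
    head = data[:16]
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(ZIP_MAGIC):
        return "ooxml"
    if head.lstrip().lower().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Decide whether an attachment should be held for review.

    Assumed policy: hold anything whose content is OLE or RTF (the formats
    this campaign uses) and anything whose content does not match its extension.
    """
    kind = classify(data)
    ext = os.path.splitext(filename)[1].lower()
    mismatch = ext in EXPECTED_CONTENT and kind not in EXPECTED_CONTENT[ext]
    return {
        "file": filename,
        "content": kind,
        "extension": ext,
        "mismatch": mismatch,
        "hold": kind in ("ole", "rtf") or mismatch,
    }


# Constructed sample attachments (not real malware): only the headers matter.
SAMPLES = {
    "agenda.doc": OLE_MAGIC + b"\x00" * 504,
    "invite.doc": b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Arial;}} Hello}",
    "notes.docx": b"{\\rtf1\\ansi Hello}",  # RTF content hiding behind .docx
    "report.docx": ZIP_MAGIC + b"\x14\x00\x00\x00" + b"[Content_Types].xml",
    "brochure.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
}


def triage_all(samples=SAMPLES) -> list:
    """Run the check over every constructed sample and return the verdicts."""
    return [triage(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for row in triage_all():
        flag = "HOLD" if row["hold"] else "pass"
        note = "extension/content mismatch" if row["mismatch"] else ""
        print(flag, row["file"], row["content"], note)
```

The check deliberately keys on content: an RTF named .docx is held for the mismatch alone, and a .doc that is really RTF is held because RTF is one of the delivery formats the post names.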

Update 1: Some of the command and control domains are using blog sites for C2. There are at least 4 different implants, so in all probability the exploit has been shared with multiple groups already. We have 40 unique MD5 hashes of OLE .doc files over the past 2 days. Cryptam has been updated with the detection signature; suspicious docs can be checked at Cryptam.com.

Command and control domains and IP addresses (partial list):
board.nboard.net
98.126.9.34
comsskk.wordpress.com
comsskk.sosblogs.com
comsskk.livejournal.com
www.tigdiho.com
114.142.147.51
tianshao007.vicp.cc
rss.groups.yahoo.com
wut.mophecfbr.com
radiomusictv.wordpress.com
wikipedia.authorizeddns.org (pitty tiger)
login.aerotche.com (Creation date: 05 Jun 2013 13:58:00)
HHGJGOCNHIHADCCNDC.terhec.com (Creation date: 06 Jun 2013 07:24:00)
silence.phdns01.com
cpnet.phmail.us
imlang.phmail.org
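The list above mixes three kinds of indicator, and they should not all be matched the same way: the IP addresses match exactly, the attacker-registered domains (such as aerotche.com or terhec.com) should be matched together with every subdomain under them, while the names hosted on blog sites only identify one account on a shared service, so matching their parent domain would flag ordinary traffic. The following is an added example (not code from the post or from Cryptam) that builds those matchers from the partial list and runs them over a constructed proxy-style log. Treating authorizeddns.org and vicp.cc as shared dynamic-DNS parents is this example's assumption; the blog hosts are named in the post.

```python
import ipaddress

# Indicators as listed in the post (per-entry annotations removed).
IOCS = [
    "board.nboard.net", "98.126.9.34", "comsskk.wordpress.com",
    "comsskk.sosblogs.com", "comsskk.livejournal.com", "www.tigdiho.com",
    "114.142.147.51", "tianshao007.vicp.cc", "rss.groups.yahoo.com",
    "wut.mophecfbr.com", "radiomusictv.wordpress.com",
    "wikipedia.authorizeddns.org", "login.aerotche.com",
    "HHGJGOCNHIHADCCNDC.terhec.com", "silence.phdns01.com",
    "cpnet.phmail.us", "imlang.phmail.org",
]

# Parent domains where the attacker controls only one account or one
# dynamic-DNS name, so the indicator is matched on the exact hostname only.
# Blog hosts come from the post; authorizeddns.org and vicp.cc are an
# assumption (treated here as dynamic-DNS providers).
SHARED_PARENTS = {
    "wordpress.com", "sosblogs.com", "livejournal.com", "groups.yahoo.com",
    "authorizeddns.org", "vicp.cc",
}


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_matchers(iocs=IOCS):
    """Split indicators into IPs, exact hostnames and attacker-owned domains.

    For an attacker-registered domain the registrable name (last two labels;
    none of the listed names use a multi-label suffix such as co.uk) is
    matched along with every subdomain under it.
    """
    ips, exact, owned = set(), set(), set()
    for ioc in iocs:
        name = ioc.lower().rstrip(".")
        if _is_ip(name):
            ips.add(name)
            continue
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels))}
        if parents & SHARED_PARENTS:
            exact.add(name)
        else:
            owned.add(".".join(labels[-2:]))
    return ips, exact, owned


def match_host(host: str, matchers):
    """Return 'ip', 'exact' or 'domain' when host matches, otherwise None."""
    ips, exact, owned = matchers
    host = host.lower().rstrip(".")
    if host in ips:
        return "ip"
    if host in exact:
        return "exact"
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in owned:
            return "domain"
    return None


# Constructed proxy-style log: timestamp, client, destination host or IP.
SAMPLE_LOG = """\
2013-06-06T09:58:11Z 10.0.0.15 login.aerotche.com
2013-06-06T09:58:12Z 10.0.0.15 98.126.9.34
2013-06-06T10:02:40Z 10.0.0.22 other.wordpress.com
2013-06-06T10:03:01Z 10.0.0.22 comsskk.wordpress.com
2013-06-06T10:05:19Z 10.0.0.31 cdn.tigdiho.com
2013-06-06T10:06:00Z 10.0.0.31 www.example.com
"""


def scan_log(text: str, matchers=None) -> list:
    """Return (timestamp, client, destination, match kind) for each hit."""
    matchers = matchers or build_matchers()
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        kind = match_host(parts[2], matchers)
        if kind:
            hits.append((parts[0], parts[1], parts[2], kind))
    return hits


if __name__ == "__main__":
    for ts, client, dest, kind in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {dest} [{kind}]")
```

In the constructed log, other.wordpress.com is not reported even though comsskk.wordpress.com is, and cdn.tigdiho.com is reported although only www.tigdiho.com appears in the list; that asymmetry is the point of separating shared parents from attacker-owned domains.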

Update 2: We extracted the following code signing certificates used in 3 of the samples:

VMWare (invalid)
Shenzhen OuMing Keji Co.,Ltd (expired)

Update 3: We’re hearing the exploit may be older – patched with ms12-060 but not previously reported.
