Update: So far, some of the samples are blocked by MS12-060 but do not match any known exploit, so this may be a new but already-patched exploit. The purpose of this campaign may be to evade AV while going after users who have not applied the latest patches; all samples score 7 or 8 out of 43 on VirusTotal.
We are currently examining 40 samples of an unconfirmed zero-day in Microsoft Office circulating against pro-democracy and Tibet activists. One of the exploit documents carries a “PittyTiger” payload, but several different payload implants have been observed. The exploit is contained in a .doc file but could be delivered via RTF as well. We have seen attacks since June 4, 2013 using payloads compiled on May 28, and some of the command and control domains were registered as late as today, June 6, 2013.
We have provided the samples to Microsoft and are awaiting confirmation.
We will release detection signatures for our Cryptam document malware scanner (free online scanning at Cryptam.com) and more details soon.
We recommend taking extra precautions and not opening DOC or RTF files received via email or web links at this time.
Update 1: Some of the command and control domains are using blog sites for C2. There are at least four different implants, so in all probability the exploit has already been shared with multiple groups. We have 40 unique MD5 hashes of OLE .doc files over the past two days. Cryptam has been updated with the detection signature; suspicious documents can be scanned at Cryptam.com.
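The following is an added example, not Cryptam's code and not part of the original post: a small triage script that classifies each sample by its container header rather than its extension (an RTF file renamed to .doc is still opened as RTF by Word, which is why the advice above covers both formats) and de-duplicates by MD5, the way the sample count above is given. The file names and bytes are constructed stand-ins, not real exploit documents.

```python
"""Container triage for DOC/RTF samples (added example, not Cryptam's code).

Identifies each file by its leading bytes rather than its extension and
de-duplicates by MD5, the way the sample count in the post is given.
SAMPLES below are constructed stand-ins, not exploit documents.
"""
import hashlib

# [MS-CFB] compound file (OLE2) header signature used by binary .doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# RTF files begin "{\rtf1"; Word also accepts the truncated "{\rt", so match that.
RTF_MAGIC = b"{\\rt"

# Container a file *should* have, judged by extension alone.
EXPECTED_BY_EXT = {"doc": "ole", "dot": "ole", "xls": "ole", "ppt": "ole", "rtf": "rtf"}


def classify(data: bytes) -> str:
    """Return 'ole', 'rtf' or 'unknown' from the first bytes of the file."""
    if data[:8] == OLE_MAGIC:
        return "ole"
    if data[:4].lower() == RTF_MAGIC:
        return "rtf"
    return "unknown"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage(samples: dict) -> list:
    """One record per file: hash, real container, and whether the extension
    lies about the container (a common mail-filter evasion trick)."""
    records = []
    for name, data in samples.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        container = classify(data)
        expected = EXPECTED_BY_EXT.get(ext)
        records.append({
            "name": name,
            "md5": md5_hex(data),
            "container": container,
            "ext_mismatch": expected is not None and expected != container,
        })
    return records


def unique_hashes(records: list) -> set:
    """Distinct MD5s, so re-sent copies of one document are counted once."""
    return {r["md5"] for r in records}


# Constructed stand-ins: headers only, padded to look like files.
SAMPLES = {
    "invitation.doc": OLE_MAGIC + b"\x00" * 56 + b"constructed",
    "invitation (1).doc": OLE_MAGIC + b"\x00" * 56 + b"constructed",  # re-sent copy
    "agenda.doc": b"{\\rtf1\\ansi constructed}",   # RTF wearing a .doc extension
    "notes.rtf": b"{\\rt constructed",              # truncated header Word still opens
    "readme.txt": b"plain text, not a document",
}

if __name__ == "__main__":
    recs = triage(SAMPLES)
    for r in recs:
        flag = "  <-- extension/container mismatch" if r["ext_mismatch"] else ""
        print(f'{r["md5"]}  {r["container"]:7s} {r["name"]}{flag}')
    print(f"{len(unique_hashes(recs))} unique hashes in {len(recs)} files")
```

Run it against a directory of received attachments by filling `SAMPLES` from disk; the mismatch flag is the thing to sort on first, since a .doc that is really RTF has been renamed on purpose.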
Command and control domains (partial list):
wikipedia.authorizeddns.org (PittyTiger)
login.aerotche.com (Creation date: 05 Jun 2013 13:58:00)
HHGJGOCNHIHADCCNDC.terhec.com (Creation date: 06 Jun 2013 07:24:00)
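As an added example (not part of the original post), the indicators above run over a handful of constructed DNS query log lines. The matching logic assumes that aerotche.com and terhec.com are attacker-registered zones (so any host under them is a hit) while authorizeddns.org is a shared dynamic-DNS zone (so only the exact hostname counts), and it reports how long after the WHOIS creation date each lookup occurred, since a domain registered hours before first use is itself a signal. The log format, client addresses and timestamps are constructed; the hostnames and creation dates are the ones listed above.

```python
"""IOC matching for the C2 domains listed above (added example, not the post's code).

Runs the indicators over DNS query logs and reports, for each hit, how long
after the zone's WHOIS creation date the lookup happened. DNS_LOG is
constructed; the indicator hostnames and creation dates are from the post.
"""
import re
from datetime import datetime

# Hostnames and creation dates as given in the post (lower-cased; DNS names
# are case-insensitive). The dynamic-DNS host has no creation date of its own.
C2_HOSTS = {
    "wikipedia.authorizeddns.org": None,
    "login.aerotche.com": datetime(2013, 6, 5, 13, 58),
    "hhgjgocnhihadccndc.terhec.com": datetime(2013, 6, 6, 7, 24),
}
# Assumption: authorizeddns.org is a shared dynamic-DNS zone, so only the exact
# hostname is an indicator; the other zones are taken to be attacker-registered.
SHARED_DYNDNS_ZONES = {"authorizeddns.org"}


def registrable(host: str) -> str:
    """Last two labels; enough for .com/.org here (real code: public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


# Whole zones owned by the attacker, keyed to the zone's creation date.
ATTACKER_ZONES = {
    registrable(h): created
    for h, created in C2_HOSTS.items()
    if registrable(h) not in SHARED_DYNDNS_ZONES
}

# Constructed log format: "YYYY-MM-DD HH:MM:SS client qtype qname"
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+) (\S+)$")


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4).lower().rstrip(".")


def match_indicator(qname: str):
    """Return (indicator, created) for a hit, else None."""
    qname = qname.lower().rstrip(".")
    if qname in C2_HOSTS:                 # exact host (covers the dyn-DNS entry)
        return qname, C2_HOSTS[qname]
    zone = registrable(qname)
    if zone in ATTACKER_ZONES:            # anything under an attacker zone
        return zone, ATTACKER_ZONES[zone]
    return None


def scan(log_text: str) -> list:
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, _qtype, qname = rec
        m = match_indicator(qname)
        if m is None:
            continue
        indicator, created = m
        age = (ts - created).total_seconds() / 3600 if created else None
        hits.append({"time": ts, "client": client, "qname": qname,
                     "indicator": indicator, "age_hours": age})
    return hits


# Constructed DNS query log: ordinary traffic with a few lookups of the C2 names.
DNS_LOG = """\
2013-06-06 08:01:12 10.20.0.15 A www.example.org
2013-06-06 08:03:44 10.20.0.15 A login.aerotche.com
2013-06-06 08:05:01 10.20.0.22 A wikipedia.authorizeddns.org
2013-06-06 08:05:09 10.20.0.22 A ftp.authorizeddns.org
2013-06-06 08:09:30 10.20.0.31 A HHGJGOCNHIHADCCNDC.terhec.com
2013-06-06 08:10:02 10.20.0.31 A mail.terhec.com
2013-06-06 08:11:47 10.20.0.40 A en.wikipedia.org
"""

if __name__ == "__main__":
    for h in scan(DNS_LOG):
        age = ("n/a (dynamic DNS)" if h["age_hours"] is None
               else f'{h["age_hours"]:.1f}h after registration')
        print(f'{h["time"]} {h["client"]} -> {h["qname"]} [{h["indicator"]}] {age}')
```

Note that ftp.authorizeddns.org is deliberately not a hit: on a shared dynamic-DNS zone, sibling hostnames belong to unrelated users, whereas any name under aerotche.com or terhec.com is worth a look.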
Update 2: We extracted the following code signing certificates, used in 3 of the samples:
Shenzhen OuMing Keji Co.,Ltd (expired):
Update 3: We’re hearing the exploit may be older – patched by MS12-060 but not previously reported.