
Analyzing the Malware Used in an APT Attack Targeting Several Government Organizations in Vietnam

Analyzing dropper:

A fake email carried an attached document containing code to exploit a software vulnerability (MIME-version: 1.0). This document used CVE-2012-0158 to install malware on the computer.


Figure 1. The document in the email was encoded with base64.

The shellcode decoded itself and saved the file “xpsfiltsvcs.tmp” in the %TEMP% folder. It then added a value under the “Software\Microsoft\Windows\CurrentVersion\Run\” registry key, set to “rundll32.exe %TEMP%\xpsfiltsvcs.tmp,XpsRegisterServer”, so that the malware was executed when the computer started.


Figure 2. The shellcode decoded itself using XOR.

Analyzing payload:

The payload was decrypted repeatedly using XOR, with a different key for each value the malware required, such as information about the infected computer, the operating system version, the IP address, user information, the control server address, the version of the downloaded malware…


Figure 3. The XOR decryption function

The link and the URL address used by this malware were XORed with the value 0x3D.


Figure 4. The URL address of this malware
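Strings hidden with a single-byte XOR, as with the 0x3D and 0x45 keys described in this analysis, can be recovered from a sample without knowing the key by trying every key and keeping output that looks like a URL. The following Python sketch is an added example, not code from the original analysis; the URLs, filler bytes and function names are constructed placeholders.

```python
import re

# URL-shaped strings an analyst looks for in the decoded output.
URL_RE = re.compile(rb"(?:https?://|www\.)[\x21-\x7e]{4,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (a translate table is fast on large buffers)."""
    return data.translate(bytes(b ^ key for b in range(256)))


def find_xor_urls(blob: bytes, keys=range(1, 256)):
    """Return (key, offset, url) tuples for URL-like strings hidden by single-byte XOR."""
    hits = []
    for key in keys:
        for m in URL_RE.finditer(xor_bytes(blob, key)):
            hits.append((key, m.start(), m.group().decode("ascii")))
    return sorted(hits, key=lambda h: h[1])  # order by position in the sample


def build_sample() -> bytes:
    """Constructed sample: placeholder URLs encoded with two keys named in the article."""
    filler = bytes(range(0x80, 0x90))  # non-printable padding between strings
    old = xor_bytes(b"http://old-c2.example.test/get.php\x00", 0x3D)
    new = xor_bytes(b"http://new-c2.example.test/post.php\x00", 0x45)
    return filler + old + filler + new


if __name__ == "__main__":
    for key, offset, url in find_xor_urls(build_sample()):
        print(f"key=0x{key:02X} offset={offset} {url}")
```

Each hit reports the key that produced it, so strings encoded with different keys in the same file are separated automatically.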

This malware decrypted part of itself in memory while it was executing. This code was not detected by AV and made analysis more difficult. The executed code was decrypted by XOR with the value 0x2F.


Figure 5. The obfuscated code.


Figure 6. The code after decryption.

After decryption, this code downloaded a file from, decrypted functions and saved it to disk under the name “~DF[random]”. This is probably the latest version, and it uses rundll32.exe to execute in the same way as older versions.


Figure 7. The new payload was downloaded and executed.

The attacker seemingly made a mistake here: he tried to execute the “RegisterServer” function, but this function did not exist in the newly downloaded payload. Therefore, when the new payload was executed, an error message appeared.


Figure 8. An error message appeared when executing the new payload.

Analyzing the new payload and comparing it with the older payload

The new payload was downloaded during the analysis, and the contact server used in this attack was still active.

Compared to the old payload, the new payload was completely rewritten. Its functions were completely changed and made more complex. In addition, it created a fake file named “MSOProtect.acl”. (ACL is a file extension for a list file used by Microsoft Office. ACL stands for AutoCorrect List. ACL files contain a list of corrections used across all applications of the Microsoft Office Suite. ACL files are used for automated spelling and grammar corrections. ACL files can be edited from within the Microsoft Office suite, but are not intended to be edited directly.) To normal users, this file looks like part of the Microsoft Office software.


Figure 9. The new payload has the same icon as Microsoft Office software.


Figure 10. Comparing the old payload (right) to the new payload (left).

Contact addresses in the new payload were decrypted by XOR with the value 0x45. This malware connected to the following 3 domains:


These domains resolve to the same IP address:

The information sent to the server included the computer name, the MAC address in use and the IP address on the LAN. The data was then encrypted by XOR with the value 0x45.


Figure 11. The computer information was encrypted.

This information was saved at the %TEMP%\~DF5P0YUTQ1YI016U42.TMP folder. It was then sent to the server using the POST method.


This malware searched the %TEMP% folder for .TMP and tmp[random].VBS files and deleted them. In the payloads that we have or track, we did not find any sign of a .VBS file.


This malware was designed to attack computers running an old version of Microsoft Word, or one that has not been patched since 2012. Attacks via email are commonly used.


  • Install a newer version of Microsoft Word (Microsoft Word 2013) and apply the software's patches.
  • Do not open documents at unknown You should view their contents directly in your browser to prevent malware from being installed on your computer.


Related information:

  • Information about the control server:


No.  Filename          Hash (MD5)
1    BCAn 13.5.doc     ee645914522c87a90306394cbd77abca
2    xpsfiltsvcs.dll   efdfe9f3e406764da61bd8b91d94c911
3    MSOProtect.acl    0d45259218493b2c8b7f783a3043a2e2

