Earlier Flaws Revisited: MS Office and PDF Combo Attack

Recently, we came across a campaign spamming out emails containing both DOC and PDF attachments together. This type of email and attachment combo (as shown in Figure 1) is common to normal office transactions but the email body and filenames of these attachments should definitely raise red flags for security experts.

PDF OpenAction sample email

Figure 1. Email Sample

Checking out the attachments, the DOC file contains a malicious code that exploits the old CVE-2012-0158 (MS12-027) vulnerability in the ListView / TreeView ActiveX controls in the MSCOMCTL.OCX library for MS Office versions 2003, 2007 and 2010. More details about this exploit attack can be found in an earlier blog in the following link. The mal-crafted code in the DOC file downloads and executes a malicious binary executable in the affected system. Often, the downloaded executable steals information from the affected system and sends it to a controlling server or remote user. In this case, the downloaded executable belongs to the family of FareIt, a password stealing Trojan, known for stealing stored account information such as server names, port numbers, login IDs and passwords for FTP clients including cloud storage accounts.

The PDF file, on the other hand, uses the Windows-based PowerShell application to execute its malicious code. Again, it uses an old vulnerability in PDF readers – the /OpenAction method, to trigger the execution of malicious code (CVE-2010-1240). Like the name suggests, /OpenAction is a feature of PDF reader that triggers when a PDF document is opened. The bad guys use it to run automatically an application or script within the PDF file. A few years ago, /OpenAction is commonly associated with /AA (Additional Action) to execute a code, most of the time, a JavaScript code. Later, the /Launch action was also used to execute code by launching an application found in the affected system to execute the malicious code.

We saw two separate PDF samples that used this technique. Figure 2 shows the earlier attempt and luckily the exploit code was incomplete. The executable code following the –EncodedCommand, which allows a base64 chunk of code to be passed to PowerShell, was missing.

Earlier OpenAction

Figure 2. Earlier attempt of using /OpenAction to launch Windows PowerShell.

Notice that the skeleton for the code execution is already set up and just missing the actual malicious code. But just a few days after, we noticed a second campaign, with again, an email with both DOC and PDF attachments. There was not much new with the DOC file as it attempted to exploit the same old vulnerability, except that it downloaded an updated version of the FareIt information stealing Trojan. However, the PDF file had the complete recipe as shown in Figure 3.

OpenAction

Figure 3. /OpenAction to launch Windows PowerShell with the malicious code.

The -EncodedCommand is followed by a chunk of Base64 encoded data and decoding it gives the script as follows. It is clear as day as to what the script does to the victim's machine.

DecodedScript

Figure 4. Decoded Base64 string.

Attack Impact

Since both attachments used quite old vulnerabilities to exploit and execute malicious code, the impact of the attack must be close to nil. New versions of the supposed target software applications that are immune to the targeted vulnerabilities are already out there and used widely. However, users of MS Office 2003, 2007 and 2010 are still affected by such an attack if they have failed to apply the appropriate security update for the said vulnerability. For the DOC vulnerability, Microsoft released Microsoft Security Bulletin MS12-027 patch on April 10, 2012 that addressed this issue.

As for the PDF exploit, we tested the PDF file in various versions of Adobe Reader from the latest release down to some older versions several years ago. We tried opening the PDF file using the latest Adobe Reader and it just ignored the /OpenAction in the PDF file as if it didn't exist. We tried the same until we reached Adobe Reader version 9.3 and then the exploit code was executed. So that and prior versions of Adobe Reader allow the execution of the exploit code. The affected Adobe Reader versions that we tested gave out a warning dialog box as shown below:

OpenAction Warning
Figure 5. Adobe OpenAction Launch Warning.

Though the method of attack uses an old Adobe Reader vulnerability, the only thing new in the above sample is the use of Windows PowerShell to execute the shellcode. Earlier methods commonly use scripting to execute shellcodes.

What's the point?

This campaign was interesting in that the spam email had two distinct malicious documents attached. Although the methods used in both these attacks are old, we can't think of many reasons why the malware author had gone to the trouble. Was it an amateur, or someone merely trying to get the odd low-hanging fruit? Whatever the reason, as long as users are up-to-date with their software applications rest assured they are protected by these two specific attacks. These attacks will only succeed if users use vulnerable software applications and continue to ignore applying security updates on the affected software applications.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.