Earlier Flaws Revisited: MS Office and PDF Combo Attack

Recently, we came across a campaign spamming out emails containing both DOC and PDF attachments together. This type of email and attachment combo (as shown in Figure 1) is common to normal office transactions but the email body and filenames of these attachments should definitely raise red flags for security experts.


Figure 1. Email Sample

Checking out the attachments, the DOC file contains malicious code that exploits the old CVE-2012-0158 (MS12-027) vulnerability in the ListView / TreeView ActiveX controls of the MSCOMCTL.OCX library in MS Office 2003, 2007 and 2010. More details about this exploit attack can be found in an earlier blog in the following link. The malformed code in the DOC file downloads and executes a malicious binary executable on the affected system. Often, the downloaded executable steals information from the affected system and sends it to a controlling server or remote user. In this case, the downloaded executable belongs to the FareIt family, a password-stealing Trojan known for stealing stored account information such as server names, port numbers, login IDs and passwords for FTP clients, including cloud storage accounts.

The PDF file, on the other hand, uses the Windows PowerShell application to execute its malicious code. Again, it relies on an old weakness in PDF readers, the /OpenAction entry (CVE-2010-1240), to trigger the execution of malicious code. As the name suggests, /OpenAction is a PDF feature that fires when the document is opened. The bad guys use it to automatically run an application or script from within the PDF file. A few years ago, /OpenAction was commonly paired with /AA (Additional Action) to execute code, most of the time JavaScript. Later, the /Launch action was also used: it starts an application already present on the affected system and hands it the malicious code to execute.

We saw two separate PDF samples that used this technique. Figure 2 shows the earlier attempt, and luckily the exploit code was incomplete. The payload that should follow -EncodedCommand, the PowerShell switch that accepts a Base64-encoded chunk of script, was missing.


Figure 2. Earlier attempt at using /OpenAction to launch Windows PowerShell.

Notice that the skeleton for the code execution is already set up and is only missing the actual malicious code. Just a few days later, we noticed a second campaign, again with an email carrying both DOC and PDF attachments. There was not much new in the DOC file, which attempted to exploit the same old vulnerability, except that it downloaded an updated version of the FareIt information-stealing Trojan. However, the PDF file now had the complete recipe, as shown in Figure 3.


Figure 3. /OpenAction to launch Windows PowerShell with the malicious code.

-EncodedCommand is followed by a chunk of Base64-encoded data, and decoding it gives the script shown in Figure 4. It is clear as day what the script does to the victim's machine.


Figure 4. Decoded Base64 string.
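The /OpenAction -> /Launch -> PowerShell -EncodedCommand chain described above can be triaged without opening the file in a reader. The following is an added example, not code from the original post: it scans a PDF for that chain and decodes the -EncodedCommand argument, which PowerShell expects as Base64 over the UTF-16LE script text. The sample PDF skeleton and its harmless Write-Host payload are constructed here for illustration.

```python
import base64
import re

# Constructed sample: a minimal PDF whose /OpenAction is a /Launch action that
# starts PowerShell with an -EncodedCommand argument. The encoded script is a
# harmless Write-Host, not the campaign's payload.
_SAMPLE_SCRIPT = "Write-Host 'constructed sample'"
_ENCODED = base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16le"))
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /Launch /Win << /F (powershell.exe) "
    b"/P (-WindowStyle Hidden -EncodedCommand " + _ENCODED + b") >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

LAUNCH_RE = re.compile(rb"/S\s*/Launch")
# PowerShell accepts abbreviated switch names, so match the common spellings.
ENCODED_RE = re.compile(rb"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                        re.IGNORECASE)


def decode_encoded_command(b64: bytes) -> str:
    """Recover the script text: -EncodedCommand is Base64 over UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16le", errors="replace")


def triage_pdf(data: bytes) -> dict:
    """Flag the /OpenAction + /Launch + PowerShell chain and decode any payload."""
    findings = {
        "open_action": b"/OpenAction" in data,
        "launch_action": bool(LAUNCH_RE.search(data)),
        "powershell": b"powershell" in data.lower(),
        "decoded_commands": [],
    }
    for match in ENCODED_RE.finditer(data):
        try:
            findings["decoded_commands"].append(decode_encoded_command(match.group(1)))
        except ValueError:  # binascii.Error is a ValueError: malformed Base64
            findings["decoded_commands"].append("<undecodable>")
    findings["suspicious"] = (findings["open_action"] and findings["launch_action"]
                              and findings["powershell"])
    return findings


if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

This byte-level scan only sees literal strings in uncompressed objects; a PDF that hex-encodes the /P string or stores the action inside a compressed object stream needs a real PDF parser to inflate and normalise the objects first.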

Attack Impact

Since both attachments exploit quite old vulnerabilities to execute malicious code, the impact of the attack must be close to nil. Newer versions of the targeted software, immune to these vulnerabilities, are already widely available and in use. However, users of MS Office 2003, 2007 and 2010 are still affected by such an attack if they have failed to apply the appropriate security update for the said vulnerability. For the DOC vulnerability, Microsoft released the Microsoft Security Bulletin MS12-027 patch on April 10, 2012 to address this issue.

As for the PDF exploit, we tested the PDF file in various versions of Adobe Reader, from the latest release down to older versions from several years ago. When we opened the PDF file with the latest Adobe Reader, it simply ignored the /OpenAction in the PDF file as if it didn't exist. We repeated the test with progressively older releases until we reached Adobe Reader version 9.3, where the exploit code was executed. So that version and prior versions of Adobe Reader allow the execution of the exploit code. The affected Adobe Reader versions that we tested displayed a warning dialog box as shown below:

Figure 5. Adobe OpenAction Launch Warning.

Though the method of attack relies on an old Adobe Reader vulnerability, the only thing new in the above sample is the use of Windows PowerShell to execute the shellcode. Earlier methods commonly used scripting to execute shellcode.

What's the point?

This campaign was interesting in that the spam email had two distinct malicious documents attached. Although the methods used in both attacks are old, we can't think of many reasons why the malware author would have gone to the trouble. Was it an amateur, or someone merely trying to pick the odd low-hanging fruit? Whatever the reason, as long as users keep their software applications up to date, they can rest assured they are protected against these two specific attacks. These attacks will only succeed if users run vulnerable software applications and continue to ignore the security updates for them.
