SpiderLabs Blog

Tsar Team Microsoft Office Zero Day CVE-2015-2424

After Flash and Internet Explorer zero days surfaced following the Hacking Team leak, researchers discovered yet another zero-day vulnerability in use by the Tsar Team, a group also referred to as APT28 or Operation Pawn Storm. iSIGHT Partners observed Tsar Team delivering an Office document that exploited a previously unknown Microsoft Office vulnerability to execute malicious code remotely. The vulnerability is a heap memory corruption flaw and is tracked as CVE-2015-2424.

In this post we will provide a brief introduction to how modern shellcode works using this exploit as our example.

Tsar Team used an RTF file (MD5 112c64f7c07a959a1cbff6621850a4ad) discussing Iran's nuclear program as the lure; opening the document triggers the exploit. Here is a snippet from the document:


Opening the document in a text editor reveals the shellcode that will run once the vulnerability (CVE-2015-2424) is triggered:


The first stage of most shellcode is to determine its own location in memory, so that later address calculations and in-place modifications of the code work regardless of where it was loaded. This is achieved with a very simple sequence of instructions: (1) JMP + (2) CALL + (3) POP. The JMP lands on a CALL whose target is the instruction right after the JMP; the CALL pushes its return address (the address of the byte immediately following the CALL, i.e. the EIP value at that point) onto the stack, and the POP it jumps back to moves that address into the desired register:


With the location of the code known, and therefore the location of the XOR-encoded portion, the shellcode proceeds through two decoding phases before executing the result.

The first phase XORs the encoded bytes with the single-byte key 0x67:


The second phase uses a 21-byte XOR key, 0x703A94849CECD642C65AB66022E4BE08684AAE1018, to recover the actual code:


This second decoder loops 0x23D (573) times. On each iteration AL is loaded with the next byte of the XOR key and XORed into the byte at ESI+ECX-1, where ESI points to a fixed location in memory (0x40309D) and ECX is the loop counter, which decreases by one each iteration, so the buffer is decoded from its last byte toward its first. Every 21 iterations AL wraps back to the beginning of the key.
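To make the two decoding phases concrete, here is an emulation of the decoder in C. It is example code added to this post, not the shellcode's own bytes. The keys, the 0x23D iteration count and the decreasing ECX walk follow the description above; two details the description does not pin down are assumed: that the single-byte pass covers the same 0x23D bytes as the 21-byte pass, and that the first iteration (ECX = 0x23D) uses the first key byte. The GetPC step is not emulated; the buffer pointer stands in for the address the CALL/POP sequence recovers.

```c
/* Emulation of the shellcode's two XOR decoding phases.
 * Example code added to this post; not the shellcode's own bytes.
 * Assumed (not stated in the post): phase 1 covers the same 0x23D bytes
 * as phase 2, and the first phase-2 iteration (ECX = 0x23D) uses key[0]. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STAGE1_KEY     0x67u
#define STAGE2_ITERS   0x23Du  /* 573: the ECX start value */
#define STAGE2_KEYLEN  21u

static const uint8_t STAGE2_KEY[STAGE2_KEYLEN] = {
    0x70, 0x3A, 0x94, 0x84, 0x9C, 0xEC, 0xD6, 0x42, 0xC6, 0x5A, 0xB6,
    0x60, 0x22, 0xE4, 0xBE, 0x08, 0x68, 0x4A, 0xAE, 0x10, 0x18
};

/* Phase 1: every byte XORed with the single-byte key 0x67. */
static void stage1_xor(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= STAGE1_KEY;
}

/* Phase 2: ESI = start of the region, ECX counts down from 0x23D, the
 * byte touched is buf[ECX-1] (last byte first). AL takes the next key
 * byte each iteration and wraps to key[0] every 21 iterations. */
static void stage2_xor(uint8_t *buf, size_t len)
{
    size_t ecx = len < STAGE2_ITERS ? len : STAGE2_ITERS;
    for (size_t iter = 0; ecx > 0; iter++, ecx--)
        buf[ecx - 1] ^= STAGE2_KEY[iter % STAGE2_KEYLEN];
}

/* Decode in the order the shellcode runs: phase 1, then phase 2. */
void decode_shellcode(uint8_t *buf, size_t len)
{
    stage1_xor(buf, len);
    stage2_xor(buf, len);
}

/* Inverse order; re-packs a (possibly modified) payload for dynamic tests. */
void encode_shellcode(uint8_t *buf, size_t len)
{
    stage2_xor(buf, len);
    stage1_xor(buf, len);
}

/* Decode an all-zero 0x23D-byte buffer and return byte `pos`: this is the
 * combined keystream (0x67 ^ key byte) at that position, useful for
 * checking the assumed key alignment against bytes in the real sample. */
uint8_t keystream_byte(size_t pos)
{
    uint8_t buf[STAGE2_ITERS];
    memset(buf, 0, sizeof buf);
    decode_shellcode(buf, sizeof buf);
    return pos < sizeof buf ? buf[pos] : 0;
}

/* Round-trip a constructed sample through encode then decode. */
int roundtrip_ok(void)
{
    uint8_t sample[STAGE2_ITERS], copy[STAGE2_ITERS];
    for (size_t i = 0; i < sizeof sample; i++)
        sample[i] = (uint8_t)(i * 7 + 3);        /* constructed input */
    memcpy(copy, sample, sizeof copy);
    encode_shellcode(copy, sizeof copy);
    int changed = memcmp(copy, sample, sizeof sample) != 0;
    decode_shellcode(copy, sizeof copy);
    return changed && memcmp(copy, sample, sizeof sample) == 0;
}

int main(void)
{
    /* Keystream at the tail of the buffer; the last byte gets 0x67 ^ 0x70. */
    for (size_t pos = STAGE2_ITERS - 1; pos >= STAGE2_ITERS - 8; pos--)
        printf("buf[0x%03zx] ^= 0x%02x\n", pos, keystream_byte(pos));
    printf("round trip %s\n", roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

Point decode_shellcode at the bytes carved from the RTF (starting at the offset that corresponds to 0x40309D in the loaded document) to obtain the second-stage code; encode_shellcode re-packs a patched payload so it can be dropped back into the sample for dynamic analysis.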

The next step is to resolve the base address of kernel32.dll. This is done by parsing the PEB, reachable on 32-bit Windows through the TEB at FS:[0x30]: PEB->Ldr leads to the loaded-module lists, from which kernel32's entry and its DllBase can be found. With the base address in hand, the shellcode parses kernel32's export table to resolve GetProcAddress and LoadLibraryA, which in turn let it resolve any other WinAPI function the actual payload needs. A classic example would be to load urlmon.dll by calling LoadLibraryA, use GetProcAddress to resolve URLDownloadToFile to fetch the payload, and finally call CreateProcess to execute it.
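The export-table parse is the part of this step that can be shown portably, so here it is as an added C example (not the sample's own code). The PEB walk itself (FS:[0x30] -> Ldr -> module lists) is Windows/x86-specific and is not emulated; instead a minimal PE32 image with an export directory is constructed inline as a stand-in for a loaded kernel32.dll, and the lookup is done the way shellcode typically does it, by walking the export name table and matching a hash rather than a string. The ROR13 hash is my choice for illustration; the post does not say which matching scheme this sample uses, and the export RVAs below are made up.

```c
/* Export-table lookup over a constructed PE32 image (stand-in for kernel32).
 * Example code added to this post; not the shellcode's own bytes. The hash
 * scheme and the export RVAs are illustrative assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 0x1000

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* ROR13 string hash: lets shellcode avoid embedding readable API names. */
uint32_t ror13_hash(const char *s)
{
    uint32_t h = 0;
    while (*s) {
        h = (h >> 13) | (h << 19);
        h += (uint8_t)*s++;
    }
    return h;
}

/* Resolve an export by hash from a PE32 image mapped at `base` (RVAs are
 * valid offsets, as for a loaded DLL). Returns the export RVA or 0. */
uint32_t resolve_export_rva(const uint8_t *base, uint32_t want_hash)
{
    uint32_t pe = rd32(base + 0x3C);                 /* IMAGE_DOS_HEADER.e_lfanew */
    const uint8_t *opt = base + pe + 4 + 20;         /* IMAGE_OPTIONAL_HEADER32 */
    uint32_t exp_rva = rd32(opt + 96);               /* DataDirectory[0] = exports */
    if (exp_rva == 0) return 0;
    const uint8_t *ed = base + exp_rva;              /* IMAGE_EXPORT_DIRECTORY */
    uint32_t nnames = rd32(ed + 0x18);               /* NumberOfNames */
    const uint8_t *funcs = base + rd32(ed + 0x1C);   /* AddressOfFunctions */
    const uint8_t *names = base + rd32(ed + 0x20);   /* AddressOfNames */
    const uint8_t *ords  = base + rd32(ed + 0x24);   /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < nnames; i++) {
        const char *name = (const char *)base + rd32(names + 4 * i);
        if (ror13_hash(name) == want_hash) {
            uint16_t ord = (uint16_t)(ords[2 * i] | (ords[2 * i + 1] << 8));
            return rd32(funcs + 4 * ord);            /* ordinal indexes the EAT */
        }
    }
    return 0;
}

/* Constructed stand-in for kernel32: three exports with made-up RVAs,
 * stored with shuffled ordinals so the name->ordinal indirection matters. */
void build_fake_kernel32(uint8_t *img)
{
    static const char *names[] = { "GetProcAddress", "LoadLibraryA", "CreateProcessA" };
    static const uint32_t rvas[] = { 0x00012340, 0x00045670, 0x00078900 };
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x80);                 /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img + 0x98, 0x10B);                /* OptionalHeader.Magic = PE32 */
    wr32(img + 0x98 + 96, 0x200);           /* export directory RVA */
    wr32(img + 0x98 + 100, 0x200);          /* export directory size (nominal) */
    uint8_t *ed = img + 0x200;
    wr32(ed + 0x14, 3);                     /* NumberOfFunctions */
    wr32(ed + 0x18, 3);                     /* NumberOfNames */
    wr32(ed + 0x1C, 0x300);                 /* AddressOfFunctions */
    wr32(ed + 0x20, 0x340);                 /* AddressOfNames */
    wr32(ed + 0x24, 0x380);                 /* AddressOfNameOrdinals */
    uint32_t str_rva = 0x400;
    for (int i = 0; i < 3; i++) {
        uint16_t ord = (uint16_t)((i + 1) % 3);
        wr32(img + 0x300 + 4 * ord, rvas[i]);
        wr32(img + 0x340 + 4 * i, str_rva);
        wr16(img + 0x380 + 2 * i, ord);
        strcpy((char *)img + str_rva, names[i]);
        str_rva += (uint32_t)strlen(names[i]) + 1;
    }
}

/* Resolve by name through the hash path against the constructed image. */
uint32_t lookup(const char *name)
{
    uint8_t img[IMG_SIZE];
    build_fake_kernel32(img);
    return resolve_export_rva(img, ror13_hash(name));
}

int main(void)
{
    printf("GetProcAddress RVA = 0x%08x\n", lookup("GetProcAddress"));
    printf("LoadLibraryA   RVA = 0x%08x\n", lookup("LoadLibraryA"));
    printf("NoSuchExport   RVA = 0x%08x\n", lookup("NoSuchExport"));
    return 0;
}
```

On a real target the image base comes from the PEB walk and the returned RVA is added to it to get a callable address; everything else, including the ordinal indirection that trips up naive parsers, is the same as shown.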


Microsoft was notified about the use of this zero day on June 30. On July 14, Microsoft patched the flaw as part of MS15-070, which covers Office versions 2007 through 2013. For details on the affected Office versions, read Microsoft's MS15-070 bulletin. If you haven't installed the patch yet, we urge you to do so as soon as possible.

Trend Micro also found evidence of Tsar Team using another zero-day vulnerability, this one in Java (CVE-2015-2590), affecting versions up to. Oracle patched the vulnerability in its July 2015 Critical Patch Update.

Customers of Trustwave's Secure Web Gateway (SWG) were protected against both of these CVEs out of the box.
