CVE-2013-3906 : Another 0-day for Microsoft Office

On November 5, Microsoft announced the discovery of a new vulnerability CVE-2013-3906 which can be exploited when TIFF images are processed. By exploiting this vulnerability it is possible to attack software – including Microsoft Office and Lync – that uses a vulnerable DLL for processing TIFF images. On the same day, there were reports that Microsoft had recorded attacks that exploit CVE-2013-3906.

Several malware samples became available to us that exploit CVE-2013-3906. We analyzed them in detail. All of them make use of heap spraying, recording their code to the address 0x08080808, and execute the code from that location. Exception generation and memory rewrite is performed in the vulnerable ogl.dll.

Fragment of WinDbg shellcode execution

The exploits that we had access to can be divided into two groups according to the shellcodes used in them.

The exploits in the first group use a primitive and unencrypted shellcode whose only task is to download and launch malicious software.


Shellcode of an exploit in the first group

The payload drops a clean .doc file that is displayed to dispel any suspicions the user may have, as well as a malicious program that was earlier spotted in the HangOver attack. That is a backdoor, written in C++ and which isn’t even encrypted.

Fragment of the contents of the clean .docx file

The exploits in the second group are much more sophisticated. For starters, the shellcode they use is already encrypted with standard XOR. After decryption, it became clear that it doesn’t download and launch malicious code, unlike most exploits, including those in the first group targeting CVE-2013-3906.


Decrypted shellcode of an exploit from the second group

There is an OLE2 object integrated into the original .docx document; this object is read in the shellcode. It contains a data stream, consisting of 6 bytes located ahead of the encrypted data, which contains the original decryption key, a dynamic decryption key, and the length of the decrypted data stream. The decryption algorithm is a standard XOR with a key modified with the byte operation ADD.


Fragment of packed data and the header (in red box) containing the keys and the size

After decryption, this data transforms into a DLL named a.l, which is loaded within the process winword.exe. This DLL drops a.exe which is the backdoor Citadel.


Fragment of an unpacked sample of Citadel

It means there are already two groups of cybercriminals out there who are using the new vulnerability.

Interestingly, the TIFF files in the second category of exploits are dated March 2013, but we registered the first appearance of these exploits on July 31. They used the storage, encryption and payload launch technique described above. But the actual payload differs in earlier exploits. In the new samples a dynamic library is dropped which in turn drops and runs an executable file and a clean .docx. In earlier samples the DLL is different and it drops a different clean .docx file and a vbe script. The same vbe script is used in the cross-platform malware Janicab.

Fragment of the dropped .docx from the July sample of the exploit

It appears that either the same people were responsible for spreading Citadel and Janicab – from the exploit to the payload – or someone is selling malware distribution services that make use of 0-day exploits.

From the moment such exploits appear, our Advanced Exploit Prevention (AEP) technology protects users from the launch of malicious code by applications that have been attacked by exploits targeting CVE-2013-3906. By responding to anomalies in the behavior of popular app processes, AEP makes it possible to block the launch of exploits.

These exploits are detected by static signatures as Exploit.Win32.CVE-2013-3906.a.

CVE-2013-3906 : Another 0-day for Microsoft Office

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox