The rush for CVE-2013-3906 – a Hot Commodity

Two days ago FireEye reported that the recent CVE-2013-3906 exploit has begun to be used by new threat actors other than the original ones. The new infected documents share similarities with previously detected exploits but carry a different payload. This time these exploits are being used to deliver Taidoor and PlugX backdoors, according to FireEye.

At Kaspersky Lab we have also detected that yet another APT group has just started spreading malicious MS Word documents exploiting CVE-2013-3906. This APT actor is the Winnti group, which we described in detail here. They have sent spear-phishing emails with an attached document containing the exploit. As usual the Winnti perpetrators are trying to use this technique to deliver 1st stage malware – PlugX.

We became aware of an attack against a gaming company that is constantly targeted by the Winnti group. The MS Word document containing the exploit shows the same TIFF “picture” – 7dd89c99ed7cec0ebc4afa8cd010f1f1 – that triggers the exploitation of the vulnerability, as in the Hangover attacks. If the exploitation is successful, the PlugX backdoor is downloaded from a remote URL:

According to the PE header, this PlugX sample was compiled on November 4, 2013. The internal functional PlugX Dynamic Link Library that is decrypted and allocated in memory during malware execution is a little bit older – it dates from October 30, 2013. In terms of its development branches, the downloaded version of PlugX is slightly different from the conventional PlugX but is the same type as the one discovered by FireEye, in which the malware sends CnC HTTP POST packets with noticeable additional headers:

FireEye sample:
POST /<random [0-9A-F]{24}> HTTP/1.1
Accept: */*
FZLK1: 0
FZLK2: 0
FZLK3: 61456
FZLK4: 1

Winnti’s variant:
POST /<random [0-9A-F]{24}> HTTP/1.1
Accept: */*
HHV1: 0
HHV2: 0
HHV3: 61456
HHV4: 1
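
One way to turn the header pattern above into a detection check, as an added example that is not from the original article: it matches on structure (a POST to a 24-character uppercase-hex path plus four numbered headers sharing one prefix) rather than on the literal FZLK or HHV strings, on the assumption that the prefix can change between builds. The function names, the prefix length bound and the sample requests are constructed for illustration.

```python
import re

# Request line shape shown in both samples: POST /<24 uppercase hex chars> HTTP/1.1
REQUEST_LINE = re.compile(r"^POST /[0-9A-F]{24} HTTP/1\.1$")
# Header shape shown in both samples: alphabetic prefix + index 1-4, numeric value.
# The 2-8 letter bound on the prefix is an assumption, not taken from the article.
NUMBERED_HEADER = re.compile(r"^([A-Za-z]{2,8})([1-4]):\s*(\d+)$")


def plugx_header_prefix(raw_request):
    """Return the shared header prefix (e.g. 'HHV') if the request matches, else None."""
    lines = [ln.strip() for ln in raw_request.strip().splitlines()]
    if not lines or not REQUEST_LINE.match(lines[0]):
        return None
    seen = {}  # prefix -> set of header indices observed
    for line in lines[1:]:
        if not line:  # a blank line ends the header section
            break
        m = NUMBERED_HEADER.match(line)
        if m:
            seen.setdefault(m.group(1), set()).add(m.group(2))
    # Flag only when one prefix carries the full 1..4 set, as in both samples
    for prefix, indices in seen.items():
        if indices == {"1", "2", "3", "4"}:
            return prefix
    return None


def _request(path, headers):
    """Build a raw HTTP request string for the constructed samples below."""
    return "POST " + path + " HTTP/1.1\r\nAccept: */*\r\n" + "".join(
        h + "\r\n" for h in headers) + "\r\n"


# Constructed samples: the 24-hex path is made up, header names follow the article
HEX_PATH = "/0A1B2C3D4E5F60718293A4B5"
SAMPLES = {
    "fireeye_style": _request(HEX_PATH, ["FZLK1: 0", "FZLK2: 0", "FZLK3: 61456", "FZLK4: 1"]),
    "winnti_style": _request(HEX_PATH, ["HHV1: 0", "HHV2: 0", "HHV3: 61456", "HHV4: 1"]),
    "incomplete_set": _request(HEX_PATH, ["HHV1: 0", "HHV2: 0"]),
    "ordinary_post": _request("/api/v1/login", ["Content-Length: 12"]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", plugx_header_prefix(raw))
```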

Winnti’s PlugX is connecting to a new, previously unknown C2, This domain points to the IP-address Other Winnti-related domains have been pointing here starting with October 3, 2013:

Once again, we are witnessing a recently discovered vulnerability being rapidly adopted by different APT actors. We have already seen how quickly, due to the high level of competition, new exploits are added to different Exploit Packs when cybercriminals get involved. It’s not yet clear how the new APT actors have come into possession of the CVE-2013-3906 exploit – perhaps they obtained the same “builder” as the Hangover attackers, or acquired just a few samples of poisoned MS Word documents and adapted them for their own needs. In any case, we can conclude that, just like regular cybercriminals under competitive pressure, APT actors will not rest on their laurels but aim to constantly evolve, perfecting their everyday processes and working more closely together, becoming an ever more dangerous threat.

Discovered samples

MS Word document: Questionnaire.docx, 63ffbe83dccc954f6a9ee4a2a6a93058

PlugX backdoor: update.exe, 4dd49174d6bc559105383bdf8bf0e234
PlugX internal library: 6982f0125b4f28a0add2038edc5f038a
