Incidents

The rush for CVE-2013-3906 – a Hot Commodity

Two days ago FireEye reported that the recent CVE-2013-3906 exploit has begun to be used by new threat actors other than the original ones. The new infected documents share similarities with previously detected exploits but carry a different payload. This time these exploits are being used to deliver Taidoor and PlugX backdoors, according to FireEye.

At Kaspersky Lab we have also detected that yet another APT group has just started spreading malicious MS Word documents exploiting CVE-2013-3906. This APT actor is the Winnti group, which we described in detail here. They have sent spear-phishing emails with an attached document containing the exploit. As usual the Winnti perpetrators are trying to use this technique to deliver 1st stage malware – PlugX.

We became aware of an attack against one gaming company which constantly undergoes attacks from the Winnti group. The MS Word document containing the exploit shows the same TIFF “picture” –7dd89c99ed7cec0ebc4afa8cd010f1f1 – that triggers the exploitation of the vulnerability, as in the Hangover attacks. If the exploitation is successful, the PlugX backdoor is downloaded from a remote URL:
hxxp://211.78.90.113/music/cover/as/update.exe.

According to the PE header, this PlugX sample was compiled on November 4, 2013. The internal functional PlugX Dynamic Link Library that is decrypted and allocated in memory during malware execution is a little bit older – it dates from October 30, 2013. In terms of its development branches, the version of PlugX which is downloaded is slightly different from the conventional PlugX but the same type as the one discovered by FireEye when the malware sends CnC HTTP POST packets with noticeable additional headers:

FireEye sample Winnti’s variant
FireEye sample
POST /<random [0-9A-F]{24}> HTTP/1.1
Accept: */*
FZLK1: 0
FZLK2: 0
FZLK3: 61456
FZLK4: 1
Winnti’s variant
POST /<random [0-9A-F]{24}> HTTP/1.1
Accept: */*
HHV1: 0
HHV2: 0
HHV3: 61456
HHV4: 1

Winnti’s PlugX is connecting to a new, previously unknown C2, av4.microsoftsp3.com. This domain points to the IP-address 163.43.32.4. Other Winnti-related domains have been pointing here starting with October 3, 2013:

ad.msnupdate.bz ap.msnupdate.bz
book.playncs.com data.msftncsl.com ns3.oprea.biz

Once again, we are witnessing a rapid spread of the usage of a recently discovered vulnerability by different APT actors. Due to the high level of competition, we have already seen how quickly new exploits are added to different Exploit Packs when cybercriminals get involved. It’s not yet clear how the new APT actors have come into possession of the CVE-2013-3906 – perhaps they obtained the same “builder” as the Hangover attackers, or acquired just a few samples of poisoned MS Word documents and adapted them for own needs. Anyway, we can conclude that just as regular cybercriminals under competition pressure, APT actors too will not rest on their laurels but aim to constantly evolve, perfecting their everyday processes and working more closely together becoming an ever more dangerous threat.

Discovered samples

Exploit.MSOffice.CVE-2013-3906.a
MS Word document: Questionnaire.docx, 63ffbe83dccc954f6a9ee4a2a6a93058

Backdoor.Win32.Gulpix.tu
PlugX backdoor: update.exe, 4dd49174d6bc559105383bdf8bf0e234

Backdoor.Win32.Gulpix.tt
PlugX internal library: 6982f0125b4f28a0add2038edc5f038a

The rush for CVE-2013-3906 – a Hot Commodity

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox