Thursday, July 30, 2015

FireEye. CVE-2015-0097 Exploited in the Wild


  • "Microsoft Word Local Zone Remote Code Execution Vulnerability."
  • In the wild
  • Does not require common exploitation techniques like a heapspray or ROP chain

  • Exploit. Office can open documents as HTML files via the MSScriptControl.ScriptControl.1 control. If the document contains valid HTML (in this case, appended to the end of the .doc), the HTML is loaded in the Local Security Zone rather than the restricted zone a web page would get. Scripts embedded in the HTML then write to disk with the ADODB.Recordset ActiveX control. By writing a script into the user's Startup directory, as shown in Figure 1, the attacker gets code execution and persistence in one step, with no memory corruption involved (which is why no heap spray or ROP chain is needed).
  • Payload: config.vbs - downloads a binary from the attacker's server and executes it, saving it as %temp%\svchost.exe. The name is chosen to blend in with the legitimate svchost.exe, which lives in %SystemRoot%\System32, so an svchost.exe running from a user's temp directory is a reliable tell.
  • One of the variants observed is a Word document named mat khau wifi thuong dung.doc (Vietnamese, roughly "commonly used wifi passwords") that is used to drop PlugX malware on the system.
  • The payload is a RAR SFX file named KB3002659.exe (styled after a Microsoft KB update name). The SFX contains the usual PlugX side-loading trio:
    • AhnI2.exe - Legitimate AhnLab Internet Security software, digitally signed by AhnLab, Inc.
    • AhnI2.dll - Malicious PlugX DLL, loaded by the signed executable from its own directory (DLL side-loading)
    • AhnI2.asf - Encrypted file used by the PlugX DLL
  • Products affected
    • Microsoft Excel 2007 and 2010
    • Microsoft Word 2007 and 2010
    • Microsoft PowerPoint 2007 and 2010
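As an added triage example that is not FireEye's code and not part of the original post: both ends of the chain described above are cheap to check for. The first function looks for the appended HTML trailer in a binary Office document and for the ADODB.Recordset and Startup-folder tells inside it; the second flags the follow-on behaviour in process-creation telemetry (a script host launched from the Startup folder, an svchost.exe outside System32/SysWOW64, or an svchost.exe spawned by a script host). The sample document and the event records are constructed here, and the event field names (`image`, `command_line`, `parent_image`) are an assumption rather than any particular log format.

```python
"""Triage helpers for the CVE-2015-0097 delivery chain summarised above.

Added example (not FireEye's code, not the blog's). Two checks:
  scan_document()      - does a binary .doc carry an HTML/script trailer, and
                         does that trailer show the ADODB.Recordset
                         write-to-Startup pattern?
  flag_process_event() - does a process-creation record show the follow-on
                         tells: a script host started from the Startup folder,
                         or an svchost.exe outside System32/SysWOW64?
All inputs below are constructed for the demo; the event field names are an
assumption, not a specific log format.
"""
import re

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header (.doc/.xls/.ppt)

# Script-level indicators taken from the FireEye description of the exploit.
SCRIPT_INDICATORS = {
    "adodb_recordset": re.compile(rb"ADODB\.Recordset", re.I),
    "startup_folder": re.compile(rb"\\Start Menu\\Programs\\Startup\\", re.I),
    "vbscript_block": re.compile(rb"<script[^>]*language\s*=\s*[\"']?vbscript", re.I),
    "script_control": re.compile(rb"MSScriptControl\.ScriptControl", re.I),
    "vbs_file": re.compile(rb"\.vbs\b", re.I),
}


def scan_document(data: bytes) -> dict:
    """Triage a candidate Office binary document and return the findings."""
    result = {"is_ole": data.startswith(OLE_MAGIC), "html_offset": None,
              "indicators": [], "verdict": "clean"}
    if not result["is_ole"]:
        result["verdict"] = "not-ole"
        return result
    # A binary .doc keeps its text inside OLE streams; a raw <html> tag in the
    # file is the appended HTML that the exploit relies on (heuristic: a full
    # parse of the OLE FAT would tell you exactly where the real data ends).
    m = re.search(rb"<html", data, re.I)
    if m is None:
        return result
    result["html_offset"] = m.start()
    trailer = data[m.start():]
    result["indicators"] = [n for n, rx in SCRIPT_INDICATORS.items() if rx.search(trailer)]
    if {"adodb_recordset", "startup_folder"} <= set(result["indicators"]):
        result["verdict"] = "malicious"     # write-to-disk plus persistence location
    elif result["indicators"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "html-trailer"  # HTML present, none of the tells
    return result


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
STARTUP_RX = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
LEGIT_SVCHOST = re.compile(r"^[a-z]:\\Windows\\(System32|SysWOW64)\\svchost\.exe$", re.I)


def flag_process_event(event: dict) -> list:
    """event: {'image': full path, 'command_line': str, 'parent_image': full path}."""
    image = event["image"]
    name = image.rsplit("\\", 1)[-1].lower()
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    findings = []
    if name in SCRIPT_HOSTS and STARTUP_RX.search(event.get("command_line", "")):
        findings.append("script-host-from-startup-folder")
    if name == "svchost.exe":
        if not LEGIT_SVCHOST.match(image):
            findings.append("svchost-outside-system32")        # e.g. %temp%\svchost.exe
        if parent in SCRIPT_HOSTS:
            findings.append("svchost-spawned-by-script-host")  # services.exe is the normal parent
    return findings


def build_sample_doc() -> bytes:
    """Constructed stand-in for a weaponised .doc: OLE header, padding, HTML trailer.
    The trailer only carries the indicator strings; it is not a working payload."""
    header = OLE_MAGIC + bytes(512 - len(OLE_MAGIC))
    padding = bytes(4 * 512)
    trailer = (b'<html><body><script language="vbscript">\r\n'
               b'Set rs = CreateObject("ADODB.Recordset")\r\n'
               b"' ... recordset filled with the dropper text, then persisted ...\r\n"
               b'rs.Save "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows'
               b'\\Start Menu\\Programs\\Startup\\config.vbs"\r\n'
               b'</script></body></html>')
    return header + padding + trailer


SAMPLE_EVENTS = [  # constructed process-creation records
    {"image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\config.vbs"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "command_line": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    print(scan_document(build_sample_doc()))
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", flag_process_event(ev) or "ok")
```

The document check is deliberately a byte scan: a <html> tag anywhere in a binary .doc is already abnormal, and the verdict only goes to "malicious" when both the write primitive (ADODB.Recordset) and the persistence location (the Startup folder) appear together. The process check keys on the two things the page gives you, a script in Startup and an svchost.exe in %temp%, and the legitimate-path regex allows SysWOW64 so the 32-bit svchost on 64-bit Windows is not flagged.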
Labels: App - MS Office, CVE-2015-0097 - MS Office
