A forum for reverse engineering, OS internals and malware analysis 

 #17659  by rkhunter
 Tue Jan 08, 2013 3:32 pm
Fresh news, and a nice article that explains the nature of this attack:
http://arstechnica.com/security/2013/01 ... ed-google/

The story started when cfr.org was infected with JS that involves the latest 0day (CVE-2012-4792), targeted at IE 6, 7 and 8.
http://blog.fireeye.com/research/2012/1 ... tails.html
http://eromang.zataz.com/2012/12/29/att ... relations/

According to Symantec, it has Elderwood group roots:
http://www.symantec.com/connect/blogs/e ... nerability

Latest fix for IE:
http://blogs.technet.com/b/srd/archive/ ... and-8.aspx

But according to the guys from Exodus Intel, the patch is not complete.

CVE-2012-4792 analysis by Exodus Intel:
http://blog.exodusintel.com/2013/01/02/ ... 2012-4792/
and http://stopmalvertising.com/malware-rep ... y.swf.html

SWF exploit:
https://www.virustotal.com/file/ac335a4 ... /analysis/

Metasploit:
https://community.rapid7.com/community/ ... nd-of-2012

In the case of CFR it distributed a DLL named test_gaga.dll with Chinese roots. The decrypted DLL has these fingerprints (in the attachment):

SHA256: 3191180d32c3fc044fa67c5a0aa75589a0a809ef3275d609666c77d7b7b68675
SHA1: 5b00e78079354dcd6e235d757a10830b5d3f1c11
MD5: 715e692ed2b48e455734f2d43b936ce1
File size: 509440 bytes

DeactivateActCtx ActivateActCtx ReleaseActCtx CreateActCtxA KERNEL32 Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoRun NoDrives RestrictRun NoNetConnectDisconnect NoRecentDocsHistory NoClose Software\Microsoft\Windows\CurrentVersion\Policies\Network NoEntireNetwork Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32 NoPlacesBar NoBackButton NoFileMru LOC ntdll.dll GetSystemDefaultUILanguage GetUserDefaultUILanguage kernel32.dll %s%s.dll %s (%s:%d) %s (%s:%d) Exception thrown in destructor f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp CCmdTarget CWinThread Software\Classes\ Software\ CObject CreateActCtxW
comctl32.dll comdlg32.dll shell32.dll .INI .HLP .CHM NotifyWinEvent f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl AfxWnd90s f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl commctrl_DragListMsg f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp CMapPtrToPtr %2\CLSID %2\Insertable CLSID\%1
The DLL carries another PE on board (with the final encrypted payload) that runs on execution (in the attachment):

SHA256: 0a26268515a661149cef152d67861d5805040e23aa41ea947710ef55f26b5e0a
SHA1: a245efda08f2b63e0e5c1dfc0d221e3e41949194
MD5: a2e119106c38e09d2202e2a33e64adc9
File size: 57344 bytes
Attachments (pass: infected): two archives, 29.66 KiB and 143.8 KiB.
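The post gives hashes and sizes for the two CFR samples plus a strings dump of the decrypted DLL. The script below is an added example, not the poster's tooling: it turns those fingerprints into a file check and, as a heuristic of my own (not something the post claims), flags binaries that reference several of the Explorer/Network/Comdlg32 lockdown policy values seen in the dump. File paths on the command line are whatever you point it at; the test blob is constructed.

```python
"""Check files against the IOCs posted for the CFR samples (added example).

Hashes and sizes are copied from the post. Treating the Policies\\... strings
as a secondary indicator is an assumption made here, not a claim from the post.
"""
import hashlib
import re
import sys

# Fingerprints exactly as posted: decrypted test_gaga.dll and its embedded PE.
KNOWN_SAMPLES = {
    "test_gaga.dll (decrypted)": {
        "sha256": "3191180d32c3fc044fa67c5a0aa75589a0a809ef3275d609666c77d7b7b68675",
        "sha1": "5b00e78079354dcd6e235d757a10830b5d3f1c11",
        "md5": "715e692ed2b48e455734f2d43b936ce1",
        "size": 509440,
    },
    "embedded PE": {
        "sha256": "0a26268515a661149cef152d67861d5805040e23aa41ea947710ef55f26b5e0a",
        "sha1": "a245efda08f2b63e0e5c1dfc0d221e3e41949194",
        "md5": "a2e119106c38e09d2202e2a33e64adc9",
        "size": 57344,
    },
}

# Policy value names that appear in the strings dump of the decrypted DLL.
POLICY_STRINGS = [
    b"NoRun", b"NoDrives", b"RestrictRun", b"NoNetConnectDisconnect",
    b"NoRecentDocsHistory", b"NoClose", b"NoEntireNetwork",
    b"NoPlacesBar", b"NoBackButton", b"NoFileMru",
]
# Regex for the three policy key paths from the dump (raw bytes, so \\ is one backslash).
POLICY_KEY_RE = re.compile(
    rb"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\(Explorer|Network|Comdlg32)"
)


def fingerprint(data: bytes) -> dict:
    """Compute the same four fields the post lists for each sample."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
    }


def match_known(data: bytes):
    """Return (label, mismatched_fields) if any posted hash matches, else None.

    A hash match with a differing size or second hash would point to a
    transcription error in the IOC list, so report the disagreeing fields.
    """
    fp = fingerprint(data)
    for label, known in KNOWN_SAMPLES.items():
        if any(fp[h] == known[h] for h in ("sha256", "sha1", "md5")):
            mismatched = [k for k in known if fp[k] != known[k]]
            return label, mismatched
    return None


def policy_string_hits(data: bytes) -> list:
    """Policy value names from the dump that occur as ASCII strings in the file."""
    return [s.decode() for s in POLICY_STRINGS if s in data]


def policy_key_present(data: bytes) -> bool:
    """True if one of the Policies\\{Explorer,Network,Comdlg32} key paths is present."""
    return POLICY_KEY_RE.search(data) is not None


def scan_bytes(data: bytes) -> dict:
    """Combine the exact-match IOC check with the string heuristic."""
    return {
        "known_sample": match_known(data),
        "policy_hits": policy_string_hits(data),
        "policy_key": policy_key_present(data),
    }


def scan_file(path: str) -> dict:
    with open(path, "rb") as f:
        return scan_bytes(f.read())


if __name__ == "__main__":
    # Usage: python ioc_check.py <file> [<file> ...]  (file names are your own)
    for p in sys.argv[1:]:
        print(p, scan_file(p))
```

A hit in `known_sample` is the exact IOC match; `policy_hits` and `policy_key` alone only say the binary references Explorer lockdown policies, which legitimate admin tools also do, so treat them as a reason to look closer rather than a verdict.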