
A malware campaign is exploiting a 2012 Windows flaw in order to infect a vulnerable machine with the NewCore remote access trojan (RAT).

The campaign begins when a recipient receives an attack email carrying a Rich Text Format (RTF) attachment. When opened, these documents exploit a 2012 remote code execution vulnerability in the Windows common controls (CVE-2012-0158) to drop files into the Microsoft Credentials, Microsoft System Certificates, or Windows Templates folder. The dropped files usually consist of three components: a legitimate copy of GoogleUpdate.exe, an encrypted blob containing the malware, and a decrypter for that blob.

Sample decoy documents. (Source: Fortinet)

To evade the watchful eye of security software, the campaign uses DLL hijacking to trick the legitimate GoogleUpdate.exe into loading a DLL containing malicious code. Doing so launches a Trojan downloader, itself a DLL, which executes only in memory. The downloader then creates an autostart registry key to ensure its payload runs every time the computer boots, and finally downloads NewCore.
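The two observable traits in that chain, a signed GoogleUpdate.exe running from a user-writable drop folder and an autostart value pointing into the same folder, are what a defender can hunt for. The script below is an added example, not Fortinet's or Tripwire's code: it runs simple detection logic over constructed, tab-separated process-creation and registry-write records. The on-disk paths it assumes for the folders the article names (under %APPDATA%), the expected install directory for GoogleUpdate.exe, and the event format are all assumptions made for the example.

```python
"""Hunt for GoogleUpdate.exe side-loading from user-writable drop folders.

Added example, not code from the article or from Fortinet. The event lines
are constructed; the folder paths are assumed to be where the folders named
in the article live under %APPDATA%.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed on-disk locations of the article's three drop folders (lower-case).
SUSPECT_DIRS = (
    r"\appdata\roaming\microsoft\credentials",
    r"\appdata\roaming\microsoft\systemcertificates",
    r"\appdata\roaming\microsoft\windows\templates",
)

# Where a legitimately installed GoogleUpdate.exe is expected to live (assumption).
EXPECTED_DIR_FRAGMENT = r"\google\update"

# Autostart location whose values are inspected; matches Run and RunOnce.
RUN_KEY_FRAGMENT = r"\software\microsoft\windows\currentversion\run"

# Constructed sample events: "PROCESS<TAB>image" or "REGISTRY<TAB>key<TAB>value data".
SAMPLE_EVENTS = [
    "PROCESS\tC:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
    "PROCESS\tC:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\GoogleUpdate.exe",
    "REGISTRY\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    "\tC:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Credentials\\GoogleUpdate.exe",
    "REGISTRY\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tC:\\Program Files\\Vendor\\agent.exe",
]


@dataclass
class Finding:
    line_no: int
    reason: str


def _in_suspect_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in SUSPECT_DIRS)


def check_process(image: str) -> Optional[str]:
    """Flag GoogleUpdate.exe launched anywhere but its install directory.

    A copy in a drop folder is the side-loading precondition: the loader
    searches the executable's own directory for DLLs before system paths.
    """
    low = image.lower()
    if not low.endswith("\\googleupdate.exe"):
        return None
    if EXPECTED_DIR_FRAGMENT in low:
        return None
    if _in_suspect_dir(low):
        return "GoogleUpdate.exe launched from user-writable drop folder (possible DLL side-loading)"
    return "GoogleUpdate.exe launched from unexpected directory"


def check_registry(key: str, value_data: str) -> Optional[str]:
    """Flag Run/RunOnce values whose command points into a drop folder."""
    if RUN_KEY_FRAGMENT not in key.lower():
        return None
    if _in_suspect_dir(value_data):
        return "autostart value points into drop folder"
    return None


LINE_RE = re.compile(r"^(?P<kind>PROCESS|REGISTRY)\t(?P<a>[^\t]*)\t?(?P<b>.*)$")


def scan(lines: List[str]) -> List[Finding]:
    """Run both checks over event lines and return the findings in order."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unknown record type: ignore
        if m["kind"] == "PROCESS":
            reason = check_process(m["a"])
        else:
            reason = check_registry(m["a"], m["b"])
        if reason:
            findings.append(Finding(n, reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.line_no}: {f.reason}")
```

Run on the constructed events, the script reports event 2 (GoogleUpdate.exe in the Templates folder) and event 3 (a Run value pointing into the Credentials folder) and stays quiet on the legitimate install and the unrelated autostart entry. The same two predicates translate directly into a SIEM rule over process-creation and registry-set telemetry.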

Compiled on 16 March 2017, NewCore has thus far evaded the detection of all but a handful of security products. Fortinet’s Jasper Manuel and Artem Semenchenko explain why this is so:

“This RAT is a DLL file. Its malicious routines are contained in its imported function ‘ProcessTrans’. However, executing the DLL without using the downloader will not work as the C&C server string is not embedded in its body. When the downloader calls the function ‘ProcessTrans’, it supplies to the function the C&C server string and a handle to the C&C server internet session. In this case, heuristic detection based on behavior will not work on the DLL alone.”

It’s currently unclear who’s responsible for developing NewCore, malware which can execute files, monitor an infected computer’s screen, and start a command shell. Votiro Labs, which originally detected the campaign targeting Vietnamese organizations in August 2017, identified several domains that a Chinese APT group known as “1937cn” is thought to use. For their part, Manuel and Semenchenko used an embedded PDB file string to identify “hoogle168,” whom they believe to be NewCore’s developer. This individual appears to be active on Chinese coding forums and to have experience developing remote-control software. Even so, it’s unclear whether they’re actually responsible for the malware.

The embedded PDB file string with “hoogle168” outlined. (Source: Fortinet)
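A PDB path is left in a PE file by the compiler's debug directory, in a CodeView record that starts with the magic bytes "RSDS" and carries a GUID, an age counter, and the NUL-terminated path to the symbol file. The script below, an added example rather than anything from Fortinet's analysis, pulls that record out of a binary and extracts the user-profile component of the path, which is the kind of pivot the researchers describe. The bytes it parses are a constructed stand-in for a PE image, and the path inside them is a placeholder, not the real sample's string.

```python
"""Extract an embedded PDB path from a PE image by locating its RSDS record.

Added example, not Fortinet's code. The sample below is constructed: a
header stub followed by a CodeView RSDS record with a placeholder path.
"""
import re
import struct
import uuid
from typing import Optional

RSDS_MAGIC = b"RSDS"

# Profile directory in a Windows path: "\Users\<name>\..." or the pre-Vista form.
USER_DIR_RE = re.compile(r"[\\/](?:users|documents and settings)[\\/]([^\\/]+)", re.IGNORECASE)


def parse_rsds(data: bytes) -> Optional[dict]:
    """Return {'guid', 'age', 'path'} from the first valid RSDS record, or None.

    CV_INFO_PDB70 layout:
      'RSDS' (4) | GUID (16, little-endian mixed) | Age (4, LE) | path + NUL
    Scanning for the magic instead of walking the debug directory is what most
    triage scripts do; it also works on memory dumps with damaged headers.
    False hits (the four letters appearing elsewhere) are skipped because a
    real record must end in a printable path with a .pdb suffix.
    """
    pos = data.find(RSDS_MAGIC)
    while pos != -1:
        body = pos + 4
        if len(data) >= body + 20:
            guid = uuid.UUID(bytes_le=data[body:body + 16])
            (age,) = struct.unpack_from("<I", data, body + 16)
            end = data.find(b"\x00", body + 20)
            if end != -1:
                try:
                    path = data[body + 20:end].decode("ascii")
                except UnicodeDecodeError:
                    path = ""
                if path.lower().endswith(".pdb"):
                    return {"guid": str(guid), "age": age, "path": path}
        pos = data.find(RSDS_MAGIC, pos + 1)
    return None


def profile_name_from_pdb_path(path: str) -> Optional[str]:
    """Return the user-profile folder name embedded in a PDB path, if any."""
    m = USER_DIR_RE.search(path)
    return m.group(1) if m else None


def build_sample(path: str, age: int = 1) -> bytes:
    """Construct a minimal byte blob that carries one RSDS record (test input)."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed value
    return (
        b"MZ" + b"\x00" * 60                       # header stub, not a real PE
        + b"RSDSnope"                              # false hit: magic without a .pdb path
        + RSDS_MAGIC + guid.bytes_le + struct.pack("<I", age)
        + path.encode("ascii") + b"\x00"
        + b"\x90" * 8                              # trailing padding
    )


if __name__ == "__main__":
    sample = build_sample(r"C:\Users\devbox\Projects\agent\Release\agent.pdb", age=3)
    rec = parse_rsds(sample)
    print(rec)
    print("profile name:", profile_name_from_pdb_path(rec["path"]))
```

Used this way the script yields the placeholder path and the profile name "devbox". The extracted string is an attribution hint only: the path is whatever the build machine happened to have, it is trivial to set to an arbitrary value, and the article itself stops short of treating the "hoogle168" string as proof of authorship.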

To defend against the above-described malware campaign and others like it that leverage RTF files and Windows vulnerabilities, users should avoid clicking on suspicious links and email attachments. They should also make sure to patch any and all relevant software flaws on a timely basis.

Learn how Tripwire’s solutions can help your organization keep track of its patches here.