A fresh threat that Sophos is calling “Rotten Tomato” has splattered on the scene, and it shows that common hackers are now sharing code and techniques more common to advanced persistent threat (APT) malware campaigns.
The name is a reference to the Tomato Garden campaign. As in that attack, several different groups used the same zero-day Microsoft Word exploit; except in this case, some of the samples were rotten in the sense that they were not effectively executed.
The attackers not only used the aging CVE-2012-0158 vulnerability, but the newer CVE-2014-1761 as well, exploiting these to download or drop a Zbot variant.
“Rotten Tomato is a real targeted attack campaign, mostly deployed in Russia,” said SophosLabs researcher Gabor Szappanos, in a technical analysis. “It attempted to be a dual weapon, but one of the weapons turned out to be bogus. Nevertheless, it was a real threat. It increased their chances to infect systems where the older vulnerability was already fixed.”
However, the malware writers made some mistakes along the way. In Rotten Tomato, the groups somehow got hold of a document that exploited the vulnerability, left the exploiting document part and the shellcode intact, and only changed the appended encrypted executable at the end to Plugx.
Meanwhile, they left intact the encrypted Zbot executable at the beginning of the file and the second vulnerability, making this sample a real dual weapon: not only that it exploits two vulnerabilities, but contains two totally different payloads.
“However, Word can only be exploited once: during the exploitation procedure the current instance of Word exits, and a new one is started that displays the decoy document,” said Szappanos. “So this creates a race condition: whichever vulnerability is triggered first (or gets lucky in an environment where the other one is patched) will have the chance to run its own payload.”
As common malware groups copy APTs, the narrow line between them is becoming harder to define.
“The partially successful Plugx attempt raises a few questions,” Szappanos said. “Should it be considered as a common cybercrime sample (as the dropped Zbot suggests) or as an APT (as Plugx does)?"
Actually, it depends on the patch level of the targeted computer, he said. "The narrow line between APT and common malware shrank to zero with that sample…The fact that the attempt was less successful does not deny the fact that a symbiosis exists between the two distinct criminal groups, and ideas are floating in both directions.”