posted by Fnord666 on Friday July 05 2019, @11:21PM
from the no-windows-file-is-safe dept.

Submitted via IRC for Carny

Multiple Chinese Groups Share the Same RTF Weaponizer

During an investigation into a possibly shared RTF[*] weaponizer by Indian and Chinese APT[**] groups, researchers have discovered that multiple Chinese groups have updated the weaponizer to exploit the Microsoft Equation Editor (EE) vulnerability CVE-2018-0798. The same weaponizer had previously delivered exploits for EE vulnerabilities CVE-2017-11882 and CVE-2018-0802.

Researchers at Anomali believe that the earlier weaponizer was favored because the two vulnerabilities initially employed are easier to exploit than that used with the latter weaponizer. The CVE-2018-0798 vulnerability, however, has the advantage of affecting all versions of EE. The earliest sample of an RTF file with this vulnerability exploited in the wild dates back to October 2018.

Weaponizers are scripts used to inject a malicious RTF object into a pre-crafted RTF phishing document. Anomali has been investigating whether multiple groups are using the same supply chain for their weaponizer. A weaponizer can be recognized through shared object dimensions across weaponized exploits within the delivered RTF files. The actor can be recognized through different post-exploitation behaviors.

Anomali has detected numerous Chinese actors sharing the same new RTF weaponizer, which they all updated at around the same time. These include Goblin Panda (aka Conimes), KeyBoy (aka APT 23), Emissary Panda (aka APT27), Rancor Group, and Temp.Trident (aka Icefog).

[...] The conclusions from Anomali's research confirm that there is a strong sharing culture among Chinese groups. The first weaponizer was used exclusively by Chinese state actors for about a year before it began to be used by cybercriminals. The second weaponizer was used by the state actors for around six months before it too began to be used by cybercriminals. It's not clear whether a state actor developed the weaponizer and shared it with other groups, or whether it was developed by a third party and supplied to the actors.

[*] RTF (Rich Text Format) is usually a safer document format. Not anymore. Maybe we should all switch to Markdown.

[**] APT: Advanced Persistent Threat


  • (Score: 0) by Anonymous Coward on Saturday July 06 2019, @03:31AM (#863729)

    RTF files are in ASCII. Sure, they have various codes in them making them difficult to read, but I've opened them in a text editor (microEmacs) a number of times to see what I was getting--before opening with MS-Word to see the formatted version.

    Also, I'm going to guess that opening RTF with Open/Libre Office is still pretty safe; they don't share the same Equation Editor with Word.

  • (Score: 1, Informative) by Anonymous Coward on Saturday July 06 2019, @07:10PM (#863913)

    I've written an RTF parser, and let me tell you, they are all probably full of crazy stack overflows. RTF uses control codes to change what is happening with the text (a special character, a flag, destination, value, or toggle) and these control codes can either be used as a trigger code, a group code, or both (depending on the type). In order to get the example output "Hello, World!", you can either switch the toggle using the trigger method "{\rtf1\ansi Hello, \b1World\b0!}" or the group method "{\rtf1\ansi Hello, {\b World}!}". In the first example, you can see that the bold control word "b" is used as a trigger to turn on boldness for all text that follows until it hits the toggle trigger to turn it off (although, for ease of implementation, most also reverse the toggles when any parent group ends too, although depending on the exact version you are following that violates the spec). In the second example, the bold control word "b" is used in its group syntax. In addition, the magic destination control word "rtf" is used as a group around the whole document and the character set is used as a trigger flag.

    Now the problem comes in because it seems that the easiest way to handle RTF files is with a stack: just append and pop the stack as groups are opened and closed. However, that is the wrong way to do it because your control codes don't have to be perfectly nested and they aren't perfectly symmetrical. For example (with certain syntax left out), "regular text\b bold text \i bold and italic\b0 just italic \i0 regular \i\b both again {\strike both with strike-through} \plain regular text". Try to do that in a stack, and you can easily pull your hair out, or you do what many implementations do and just pretend they are nested (the way HTML requires) and break the RTF spec. So instead, to do it properly you have an unholy Eldritch abomination of a hybrid with a ton of state you have to carry around with you with a bunch of sub-stacks, and the whole thing quickly becomes a mess. Or you can use a purely iterative method, which has its own, and distinct, set of problems when it comes to processing files with a lot of groups (which most implementations use heavily, due to being the aforementioned abominations).
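As an added example (not code from the story, the comment above, or Anomali), here is a small Python parser of the hybrid kind the comment describes: a group stack that undoes toggles at `}` plus flat character state, so overlapping triggers like `\b ... \i ... \b0` parse without pretending they nest. It also pulls out the `\objw`/`\objh` object-size control words as a crude version of the "shared object dimensions" fingerprint the story mentions; the `Style` type, function names, the handful of control words handled, and the assumption that those two words are the relevant dimensions are all mine.

```python
import re
from dataclasses import dataclass, replace

# One token per match: a control word with optional numeric parameter and one
# delimiter space, a control symbol, a group brace, or a run of plain text.
TOKEN = re.compile(r"\\([a-zA-Z]+)(-?\d+)? ?|\\([^a-zA-Z])|([{}])|([^\\{}]+)")

@dataclass(frozen=True)
class Style:          # constructed for this example; only these three attributes are tracked
    bold: bool = False
    italic: bool = False
    strike: bool = False

def parse_rtf(src):
    """Return [(text, Style), ...], one run per text token, in document order."""
    state, stack, runs = Style(), [], []
    for m in TOKEN.finditer(src):
        word, num, sym, brace, text = m.groups()
        if brace == "{":
            stack.append(state)        # group start: remember the style in force
        elif brace == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            state = stack.pop()        # group end: undo every toggle made inside it
        elif word is not None:
            on = num != "0"            # \b and \b1 switch on, \b0 switches off
            if word == "b":
                state = replace(state, bold=on)
            elif word == "i":
                state = replace(state, italic=on)
            elif word == "strike":
                state = replace(state, strike=on)
            elif word == "plain":
                state = Style()        # \plain resets all character formatting
            # \rtf, \ansi and any other control word carry no formatting here
        elif sym in ("{", "}", "\\"):
            runs.append((sym, state))  # escaped literal brace or backslash
        elif text:
            runs.append((text, state))
    if stack:
        raise ValueError("unclosed group")
    return runs

def object_dimensions(src):
    """List the (\\objw|\\objh, twips) values of embedded objects, a per-weaponizer
    fingerprint candidate; assumes these two real RTF control words are the dimensions meant."""
    return [(m.group(1), int(m.group(2))) for m in TOKEN.finditer(src)
            if m.group(1) in ("objw", "objh") and m.group(2)]
```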