CVE-2018-0798
Published 2018-01-10
CVE-2018-0798: Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability…
Priority: P1 (86) · high · CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), remediation due 2022-05-03
Exploited in the wild
EPSS: 95.12% (99.9th percentile)
Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability".
Affected (21 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | word | — | — |
| microsoft | word | — | — |
| microsoft | word | — | — |
| microsoft | word | — | — |
| microsoft_corporation | equation_editor | — | — |
| msrc | microsoft_office_2007_service_pack_3 | — | — |
| msrc | microsoft_office_2010_service_pack_2 | — | — |
| msrc | microsoft_office_2013_service_pack_1 | — | — |
| msrc | microsoft_office_2016 | — | — |
| msrc | microsoft_office_2016_click-to-run_for_32-bit_editions | — | — |
| msrc | microsoft_office_2016_click-to-run_for_64-bit_editions | — | — |
| msrc | microsoft_office_compatibility_pack_service_pack_3 | — | — |
| msrc | microsoft_word_2007_service_pack_3 | — | — |
| msrc | microsoft_word_2010_service_pack_2 | — | — |
| msrc | microsoft_word_2013_rt_service_pack_1 | — | — |
| msrc | microsoft_word_2013_service_pack_1 | — | — |
| msrc | microsoft_word_2016 | — | — |
Detection & IOCs (extracted from sources)
- bytes: XOR key B2 A6 6D FF
- CVE-2018-0798 is exploited via malicious RTF documents built with the Royal Road (8.t) builder, which embeds OLE objects with class name 'Equation 3.0' containing shellcode as equation formulas executed by Microsoft Equation Editor (EQNEDT32.EXE).
- Royal Road RTF samples exploiting CVE-2018-0798 drop a WMF-named file (e.g., dcnx18pwh.wmf) XOR-encoded with key B2 A6 6D FF; detection of this XOR pattern in dropped WMF files is a strong indicator of Royal Road exploitation.
- Malicious Excel spreadsheets exploiting CVE-2018-0798 create scheduled tasks named 'Rdx' and 'RdxFac' running every five minutes, and create a folder 'RdxFact' in the Windows tasks folder; monitor for these scheduled task names as indicators of compromise.
- Shellcode from CVE-2018-0798 exploitation creates the folder C:\$Utf to stage downloaded payloads; presence of this folder is a host-based indicator of exploitation.
- The LOWZERO backdoor dropped after CVE-2018-0798 exploitation communicates with its C2 over TCP port 110 (typically POP3), which is anomalous for most endpoints and should be monitored for outbound connections to non-mail servers.
- Chinoxy backdoor variants use a base64-encoded C2 server stored in an external configuration file named 'k1.ini'; presence of this file alongside a malicious LBTServ.dll is a strong indicator of Chinoxy infection.
- CVE-2018-0798 is exploited via the Microsoft Equation Editor (EQNEDT32.EXE) component present in Microsoft Office 2007, 2010, 2013, and 2016; organizations that have applied the January 9, 2018 patch or disabled/removed Equation Editor are not vulnerable.
- The Royal Road builder is shared across multiple distinct Chinese APT groups (including Tonto Team, TA413, Bitter, Mustang Panda, Scarab, and others); IOCs derived from Royal Road documents alone are insufficient for precise actor attribution.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_msrc | — | 8.8 | HIGH | — |
CISA
Microsoft Office Memory Corruption Vulnerability
cisa·2021-11-03·CVSS 8.8
CVE-2018-0802 [HIGH] CWE-787 Microsoft Office Memory Corruption Vulnerability
Vulnerability: Microsoft Office Memory Corruption Vulnerability
Affected: Microsoft Office
Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code execution in the context of the current user. This vulnerability is known to be chained with CVE-2018-0798.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-0802
Remediation Due Date: 2022-05-03
CISA
Microsoft Office Memory Corruption Vulnerability
cisa·2021-11-03·CVSS 8.8
CVE-2018-0798 [HIGH] CWE-787 Microsoft Office Memory Corruption Vulnerability
Vulnerability: Microsoft Office Memory Corruption Vulnerability
Affected: Microsoft Office
Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code execution in the context of the current user. This vulnerability is known to be chained with CVE-2018-0802.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-0798
Remediation Due Date: 2022-05-03
Microsoft
Microsoft Office Memory Corruption Vulnerability
vendor_msrc·2018-01-09·CVSS 8.8
CVE-2018-0798 [HIGH] Microsoft Office Memory Corruption Vulnerability
Microsoft Office Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Exploitation of the vulnerability requires that a user open a specially crafted file with
GHSA
GHSA-4prc-qxrc-76p6: Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulne
ghsa_unreviewed·2022-05-13
CVE-2018-0798 [HIGH] CWE-787 GHSA-4prc-qxrc-76p6: Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulne
Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability".
VulnCheck
Microsoft Office Memory Corruption Vulnerability
vulncheck·2018·CVSS 8.8
CVE-2018-0798 [HIGH] CWE-787 Microsoft Office Memory Corruption Vulnerability
Microsoft Office Memory Corruption Vulnerability
Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code execution in the context of the current user. This vulnerability is known to be chained with CVE-2018-0802.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Exploitation References: https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/; https://www.africacybersecurityconference.com/document/CrowdStrike_GTR_2019.pdf; https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.p
VulnCheck
Microsoft Office Memory Corruption Vulnerability
vulncheck·2018·CVSS 8.8
CVE-2018-0802 [HIGH] CWE-787 Microsoft Office Memory Corruption Vulnerability
Microsoft Office Memory Corruption Vulnerability
Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code execution in the context of the current user. This vulnerability is known to be chained with CVE-2018-0798.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2018-Jan; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.freebuf.com/column/159865.html; https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf; https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html; https://www.trendmicro.com/en_u
No detection rules found.
No public exploits indexed.
Fortinet
A Tale of PivNoxy and Chinoxy Puppeteer | FortiGuard Labs
blogs_fortinet·2022-08-22·CVSS 7.8
[HIGH] A Tale of PivNoxy and Chinoxy Puppeteer | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
A Tale of PivNoxy and Chinoxy Puppeteer
By Shunichi Imano and Fred Gutierrez | August 22, 2022
Recently, a simple and short email with a suspicious RTF attachment that had been sent to a telecommunications agency in South Asia caught the attention of FortiGuard Labs. The email was disguised as having come from a Pakistan government division and delivered the PivNoxy malware.
Affected Platforms: Windows
Impacted Parties: Windows users
Impact: Controls victim’s machine and collects sensitive information
Severity Level: Medium
This blog describes how the attack works, suggests who the threat actor behind the operation might be, and details the techniques used by the attacker.
Attack Overview
The attack started with a simple email that included a bare doc
Tenable
Cybersecurity Snapshot: 6 Things That Matter Right Now
blogs_tenable·2022-08-19
Cybersecurity Snapshot: 6 Things That Matter Right Now
Tenable
Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021
blogs_tenable·2022-08-04
Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021
Sentinelone
Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs
blogs_sentinelone·2022-07-07
Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs
## Executive Summary
- SentinelLabs has identified a new cluster of threat activity targeting Russian organizations.
- We assess with high confidence that the threat actor responsible for the attacks is a Chinese state-sponsored cyber espionage group, as also recently noted by Ukraine CERT (CERT-UA).
- The attacks use phishing emails to deliver Office documents to exploit targets in order to deliver their RAT of choice, most commonly Bisonal.
- SentinelLabs has also identified associated activity targeting telecommunication organizations in Pakistan leveraging similar attack techniques.
## Overview
On June 22nd 2022, CERT-UA publicly released Alert #4860, which contains a collection of documents built with the Royal Road malicious document builder, themed around Russian government inter
Talos
Bitter APT adds Bangladesh to their targets
blogs_talos·2022-05-11·CVSS 7.8
[HIGH] Bitter APT adds Bangladesh to their targets
- Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.
- As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other features, includes remote file execution capability.
- Based on the similarities between the C2 server in this campaign with that of Bitter's previous campaign, we assess with moderate confidence that this campaign is operated by the Bitter APT group.
### Executive Summary
Cisco Talos discovered an ongoing campaign operated by what we believe is the Bitter APT group since August 2021. This campaign is a typical example of the actor targeting South Asian government entities.
This campaign targets an elite
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Trendmicro
Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware
blogs_trendmicro·2021-04-09
Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware
APT & Targeted Attacks
# Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware
This blog details how Iron Tiger threat actors have updated their toolkit with an updated SysUpdate malware variant that now uses five files in its infection routine instead of the usual three.
By: Daniel Lunghi, Kenney Lu
2021/04/09
Update as of April 27, 2021, 7 A.M. E.T.: We've updated the "Rootkits From a Public Repository" section and the appendix to include a second sample.
More than a year after Operation DRBControl, a campaign by a cyberespionage group that targets gambling and betting companies in Southeast Asia, we found evidence that the Iron Tiger threat actor is still interested in the gambling industry.
This blog details how Iron Tiger threat actors
Talos
Bisonal: 10 years of play
blogs_talos·2020-03-05
Bisonal: 10 years of play
By Warren Mercer, Paul Rascagneres and Vitor Ventura.
Update 06/03/20: added samples from 2020.
## Executive summary
- Security researchers detected and exposed the Bisonal malware over the past 10 years. But the Tonto team, the threat actor behind it, didn't stop.
- The victimology didn't change over time, either. Japanese, South Korean and Russian organizations were the prime targets for this threat actor.
- The malware evolved to lower its detection ratio and improve the initial vector success rate.
### What's new?
Bisonal is a remote access trojan (RAT) that's part of the Tonto Team arsenal. The peculiarity of the RAT is that it's been in use for more than 10 years — this is an uncommon and long period for malware. Over the years, it has evolved and adapted mechanisms to avoid detect
Securelist
IT threat evolution Q2 2019. Statistics
blogs_securelist·2019-08-19
IT threat evolution Q2 2019. Statistics
Table of Contents
- Quarterly figures
- Mobile threats
- Attacks on Apple macOS
- IoT attacks
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyber attacks
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Boris Larin
- Oleg Kupreev
- Evgeny Lopatin
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network,
- Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe.
- 217,843,293 unique URLs triggered Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to bank accounts were
Unit42
Threat Brief: Office Documents Can Be Dangerous (But We’ll Continue to Use Them Anyway)
blogs_unit42·2018-07-24
## Threat Brief: Office Documents Can Be Dangerous (But We’ll Continue to Use Them Anyway)
Liat Hayun
Published: July 24, 2018
Tags: High Profile Threats, Malware, Embedded Flash files, HTA Handlers, Macros, Microsoft Office Documents, OLE Objects
Nearly all of us have a use for Microsoft Office documents. Whether they are work documents, e-receipts, or a lease on a new apartment – Office documents are useful to all of us, and this is part of the reason we’re very likely to open an office document we receive as an attachment in e-mail. Armed with the knowledge that many people will open nearly any document, even those from an untrusted source, adversaries commonly choose these files in attacks to compromise a system.
In this threat brief we show you five different ways that Office documents can be subverted and abused to attack and compromise a Windows endpoint, some we’ve already posted about before, and some are new.
Macros
Macros are the most straight-forward way for an attacker to weaponize Office documents. Office applicatio
Talos
Microsoft Patch Tuesday - January 2018
blogs_talos·2018-01-09·CVSS 7.5
[HIGH] Microsoft Patch Tuesday - January 2018
## Microsoft Patch Tuesday - January 2018
Today Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 56 new vulnerabilities with 16 of them rated critical, 39 of them rated important and 1 of them rated Moderate. These vulnerabilities impact ASP.NET, Edge, Internet Explorer, Office, Windows, and more.
In addition to the 56 vulnerabilities addressed, Microsoft has also released an update that addresses Meltdown and Spectre. Mitigations for these two vulnerabilities were published for Windows in ADV180002. Note that due to incompatibilities with anti-virus products, users and organizations may not have received this update yet. For more information, users should refer to Microsoft's knowledge base articl
Recorded Future
Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets
blogs_recorded_future·CVSS 9.8
[CRITICAL] Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets
# Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
This report details multiple campaigns conducted by the likely Chinese state-sponsored threat activity group TA413. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. This report will be of most interest to individuals and organizations with strategic and operational intelligence requirements relating to Chinese cyber threat activity, as well as humanitarian and other organizations concerned with Tibetan interests. With thanks to our colleagues at Sophos for early sharing and collaboration.
Threat Intel
BITTER (BITTER, T-APT-17)
threat_intel·CVSS 8.8
[HIGH] BITTER (BITTER, T-APT-17)
# Threat Actor Profile: BITTER
ATT&CK ID: G1002
Also known as: BITTER, T-APT-17
Suspected origin: China
## Overview
BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)
## Techniques (TTPs)
### Resource Development
- T1588.002 Tool
Usage: BITTER has obtained tools such as PuTTY for use in their operations.(Citation: Forcepoint BITTER Pakistan Oct 2016)
- T1608.001 Upload Malware
Usage: BITTER has registered domains to stage payloads.(Citation: Forcepoint BITTER Pakistan Oct 2016)
- T1583.001 Domains
Usage: BITTER has regis
Threat Intel
SongXY
threat_intel·CVSS 8.8
CVE-2018-0798 [HIGH] SongXY
# Threat Actor: SongXY
## Description
SongXY is a Chinese APT group that employs phishing tactics to initiate cyberespionage campaigns. They utilize the Royal Road RTF builder, exploiting the CVE-2018-0798 vulnerability in Microsoft Equation Editor. In one instance, they sent a document containing a link to an attacker-controlled server, which automatically triggered upon opening, allowing them to gather information about the target's system configuration.
Threat Intel
BRONZE BUTLER (BRONZE BUTLER, REDBALDKNIGHT, Tick)
threat_intel·CVSS 7.8
[HIGH] BRONZE BUTLER (BRONZE BUTLER, REDBALDKNIGHT, Tick)
# Threat Actor Profile: BRONZE BUTLER
ATT&CK ID: G0060
Also known as: BRONZE BUTLER, REDBALDKNIGHT, Tick
Suspected origin: China
## Overview
BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)
## Techniques (TTPs)
### Resource Development
- T1588.002 Tool
Usage: BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor.(Citation: Symantec Tick Apr 2016)
### Initial Access
- T1566.001 Spearphishing A
Threat Intel
Higaisa (Higaisa)
threat_intel·CVSS 8.8
[HIGH] Higaisa (Higaisa)
# Threat Actor Profile: Higaisa
ATT&CK ID: G0126
Also known as: Higaisa
Suspected origin: China
## Overview
Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)
## Techniques (TTPs)
### Initial Access
- T1566.001 Spearphishing Attachment
Usage: Higaisa has sent spearphishing emails containing malicious attachments.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)
### Execution
- T1059.0
Threat Intel
Tonto Team (Tonto Team, Earth Akhlut, BRONZE HUNTLEY)
threat_intel·CVSS 7.8
[HIGH] Tonto Team (Tonto Team, Earth Akhlut, BRONZE HUNTLEY)
# Threat Actor Profile: Tonto Team
ATT&CK ID: G0131
Also known as: Tonto Team, Earth Akhlut, BRONZE HUNTLEY, CactusPete, Karma Panda
Suspected origin: China
## Overview
Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Te
Threat Intel
TA428
threat_intel·CVSS 8.8
[HIGH] TA428
# Threat Actor: TA428
## Description
Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-
Threat Intel
Threat Group-3390 (Threat Group-3390, Earth Smilodon, TG-3390)
threat_intel·CVSS 9.8
[CRITICAL] Threat Group-3390 (Threat Group-3390, Earth Smilodon, TG-3390)
# Threat Actor Profile: Threat Group-3390
ATT&CK ID: G0027
Also known as: Threat Group-3390, Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse, Linen Typhoon
Suspected origin: China
## Overview
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020)
## Techniques (TTPs)
### Resource Development
- T1608.001 Upload Malware
Usage: Threat Group-3390 has hosted mal
arXiv
A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching
arxiv_fulltext·2024-10-29
A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching
Yi-Ting Huang, Ying-Ren Guo, Guo-Wei Wong, and Meng Chang Chen
## Abstract
As Advanced Persistent Threats (APTs) grow increasingly sophisticated, the demand for effective detection methods has intensified. This study addresses the challenge of identifying APT campaign attacks through system event logs. A cascading approach, named SFM, combines Technique hunting and APT campaign attribution. Our approach assumes that real-world system event logs contain a vast majority of normal events interspersed with a few suspiciously malicious ones, and that these logs are annotated with Techniques of the MITRE ATT&CK framework for attack pattern recognition. Then, we attribute APT campaign attacks
References
- http://www.securityfocus.com/bid/102370
- http://www.securitytracker.com/id/1040153
- https://0patch.blogspot.com/2018/01/bringing-abandoned-equation-editor-back.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0798
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-0798
Timeline
- 2018-01-10: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild