- Some unnoticed facts about cve-2013-3906
- 1. Embedded in the cve-2013-3906 exploit are Russian-language Excel files.
- Means: fuzzing artifacts or an intentional decoy.
- 2. The Excel files embedded in the cve-2013-3906 exploit are not required to trigger or exploit the vulnerability.
- Means: the exploit was acquired for the hacking campaigns and used 'as is', rather than produced in-lab.
- 3. All known samples of cve-2013-3906 from all hacking campaigns contain the same useless XLS embeddings.
- Means: one exploit seller, brainless tool usage.
- 4. The first submission of cve-2013-3906 to VirusTotal was on 2013-07-07 (JoseMOlazagasti.docx; MY, NL, DK, other EU).
- Means: @fireeye research is missing at least one hacking group/campaign.
- 5. The first in-the-wild appearance of cve-2013-3906 (2013-07-07) was mistaken by @avast_antivirus for cve-2012-0158.
- Means: shame.
- 6. The first submission of cve-2013-3906 internals (TIFF, ActiveX) to VirusTotal was in September (TW, IN, IS), not by the previously attacked EU parties, and was not reported until November.
- (see Additional info section)
- Means: unqualified incident response, or testing/analysis by 0day-interested parties.
- 7. In early October, a few named and quite unique samples of cve-2013-3906 were submitted to VirusTotal (mostly US).
- 2013-10-01 21:01:52 Illegality_Supply details.docx
- 2013-10-07 18:27:25 Re-credit.docx_
- 2013-10-07 20:28:38 Swift Message $288,550 USD.docx
- Means: incident response to a campaign against one-shot targets, or 0day exploit testing.
- The cve-2013-3906 exploit was most likely produced by a Russian developer around March 2013 (ref: EXIF) and sold to multiple parties beginning in July 2013. The exploit was used in at least 3 distinct hacking campaigns: #1 in July 2013 against Europe, #2 and #3 in October 2013 against the Middle East and Asia. The exploit remained unnoticed for 2 months and was detected shortly after the start of the 2nd/3rd campaigns (possibly due to their connection with the known malware Citadel). Some parties involved in ordering and producing the campaigns may reside in Taiwan, India, Israel and the United States.
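As an added triage example (not code from the paste), the script below inspects a .docx archive for the part kinds the facts above tie to these samples: TIFF data, ActiveX binaries, and OLE objects under word/embeddings/, where decoy XLS files sit. TIFF is identified by magic bytes rather than file extension, and the sample archive it builds is constructed inline from part names and headers only.

```python
"""Triage a .docx for part kinds associated with cve-2013-3906 samples:
TIFF data, ActiveX binaries and OLE embeddings (the decoy XLS files).
Added example; the archive built here is a constructed stand-in with
correct part names and magic bytes only, no exploit content."""
import io
import zipfile

# TIFF magic: little-endian "II*\0" or big-endian "MM\0*"
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
# OLE compound file header, used by ActiveX parts and legacy .xls embeddings
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage_docx(data: bytes) -> dict:
    """Return the parts of each kind, identified by content and location,
    not by file extension alone (an attacker can rename image1.tif)."""
    found = {"tiff": [], "activex": [], "embedded_ole": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            head = z.read(name)[:8]
            low = name.lower()
            if head[:4] in TIFF_MAGICS:
                found["tiff"].append(name)   # any TIFF, whatever its extension
            if low.startswith("word/activex/") and low.endswith(".bin"):
                found["activex"].append(name)
            if low.startswith("word/embeddings/") and head == OLE_MAGIC:
                found["embedded_ole"].append(name)
    return found


def looks_like_3906_sample(found: dict) -> bool:
    """Indicator from the paste: TIFF plus ActiveX parts together.
    Embedded OLE/XLS decoys are reported but not required (fact 2)."""
    return bool(found["tiff"]) and bool(found["activex"])


def build_constructed_docx() -> bytes:
    """Constructed sample: minimal OOXML skeleton plus the three part kinds."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        # TIFF header hidden behind a .jpg extension
        z.writestr("word/media/image1.jpg", b"II*\x00" + b"\x00" * 12)
        z.writestr("word/activeX/activeX1.bin", OLE_MAGIC + b"\x00" * 8)
        z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_docx(build_constructed_docx())
    print(result, "suspicious:", looks_like_3906_sample(result))
```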
- Previous research
a guest Nov 11th, 2013 2,679 Never