CVE-2012-0158

Vulnerability Profile Updated 3 months ago

Download STIX

Preview STIX

CVE-2012-0158 is a significant vulnerability in the software design and implementation of Microsoft Office, specifically related to the parsing of Rich-text-format (.rtf) files. This flaw was first exploited in spear-phishing attacks where emails contained three different attachments, each exploiting this vulnerability. The filenames of these malicious documents were 使命公民運動我們的異象.doc, 新聞稿及公佈.doc, and (代發)[采訪通知]港大校友關注組遞信行動.doc. Upon opening, the payload delivered was a backdoor known as LOWBALL, identified by the MD5 hash d76261ba3b624933a6ebb5dd73758db4 time.exe. LOWBALL malware utilized the legitimate Dropbox cloud-storage service as its Command and Control (CnC) server. This sophisticated approach allowed the attackers to leverage trusted services to control compromised systems, making detection and mitigation more challenging. In addition to CVE-2012-0158, a subsequent attempt was made using another patched .rtf vulnerability, CVE-2015-1641, demonstrating the attackers' persistent attempts to exploit known vulnerabilities in widely used software. Furthermore, it was confirmed that an older flaw, the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), was also being exploited. This particular vulnerability allows attackers to execute arbitrary code remotely, providing them with the ability to take control of an affected system. The exploitation of CVE-2012-0158 in multiple contexts underscores its critical nature and the importance of applying patches for known vulnerabilities promptly.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Vulnerability

Windows

exploited

Remote Code ...

Backdoor

Rat

Payload

Exploit

Symantec

Exploit Kit

Phishing

Malware

Exploits

Dropbox

Microsoft

flaw

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
LOWBALL	Unspecified	2	LOWBALL is a sophisticated malware payload that was utilized by a China-based cyber threat group, often referred to as "admin@338". This advanced persistent threat (APT) group used LOWBALL in their operations targeting media organizations in Hong Kong and Taiwan. The malware's first stage allows the
BadPatch	Unspecified	1	BadPatch is a malicious software (malware) associated with the Gaza Hackers. This malware is designed to exploit and damage computers or devices, often infiltrating systems through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information,
Hightide	Unspecified	1	Hightide is a malware family discovered by FireEye, first observed on August 24, 2014, when it was used in a spear-phishing email sent to a Taiwanese government ministry. The Hightide backdoor was dropped via an exploit document with specific properties including MD5 hash of 6e59861931fa2796ee107dc2
Waterspout	Unspecified	1	Waterspout is a newly discovered malware, sharing traits with other malicious software such as RIPTIDE, HIGHTIDE, and THREEBYTE. It is an HTTP-based backdoor that communicates with its command and control (C2) server, infecting systems through phishing emails sent from valid but compromised accounts
RIPTIDE	Unspecified	1	Riptide is a form of malware, or malicious software, that was utilized by the cyber espionage group known as APT12 from October 2012 to May 2014. This proxy-aware backdoor communicates via HTTP with a hard-coded command and control (C2) server. The initial communication with the C2 server fetches an

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
APT2	Unspecified	1	APT2, suspected to be affiliated with China, is a threat actor known for its cyber operations targeting the military and aerospace sectors. The primary objective of APT2's activities is intellectual property theft, focusing on data and projects that give an organization a competitive edge within its
APT12	Unspecified	1	APT12, also known as Calc Team, is a cyber espionage group believed to be connected to the Chinese People's Liberation Army. The group primarily targets journalists, government entities, and the defense industrial base. Their preferred method of attack is phishing emails sent from legitimate but com
Spring Dragon	Unspecified	1	Spring Dragon, a threat actor known for its malicious activities, has been active for several years and has targeted organizations in various locations globally, including Vietnam (VN), Taiwan (TW), the Philippines (PH), and other areas. Its primary victims are defense subcontractors and government-
APT40	Unspecified	1	APT40, a Chinese cyber espionage group suspected to be linked to the People's Republic of China (PRC) Ministry of State Security, has been identified as a significant threat actor. The group typically targets countries strategically important to China's Belt and Road Initiative. Over the years, APT4

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
CVE-2015-1641	Unspecified	1	None
CVE-2014-1761	Unspecified	1	None

Source Document References

Information about the CVE-2012-0158 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
CERT-EU	7 months ago	Threat actors still exploiting old unpatched vulnerabilities, says Cisco \| IT World Canada News
CERT-EU	a year ago	Years-old Microsoft bugs are still hot targets for criminals
CERT-EU	a year ago	Qualys Top 20 Exploited Vulnerabilities \| Qualys Security Blog
MITRE	a year ago	China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets \| Mandiant
MITRE	a year ago	Endpoint Protection - Symantec Enterprise
MITRE	a year ago	The Dropping Elephant – aggressive cyber-espionage in the Asian region
MITRE	a year ago	The Naikon APT
MITRE	a year ago	Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
MITRE	a year ago	Aoqin Dragon \| Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years
MITRE	a year ago	The Trail of BlackTech’s Cyber Espionage Campaigns
MITRE	a year ago	APT40: Examining a China-Nexus Espionage Actor \| Mandiant
MITRE	a year ago	BITTER: a targeted attack against Pakistan
MITRE	a year ago	The Spring Dragon APT
MITRE	a year ago	Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists
MITRE	a year ago	Darwin’s Favorite APT Group \| Mandiant
MITRE	a year ago	ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe
MITRE	a year ago	Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions \| Proofpoint US
MITRE	a year ago	Inception Framework: Alive and Well, and Hiding Behind Proxies
MITRE	a year ago	Cloud Atlas: RedOctober APT is back in style
MITRE	a year ago	Advanced Persistent Threats (APTs) \| Threat Actors & Groups