CVE-2012-0158

Vulnerability updated 15 days ago (2024-09-25T14:00:57.453Z)
CVE-2012-0158 is a software vulnerability that was first exploited in 2012, resulting from a flaw in the design or implementation of the Microsoft Windows Common Controls ActiveX Control. This vulnerability was primarily leveraged through the parsing of Rich Text Format (.rtf) files and allowed malicious actors to execute code remotely. The vulnerability was later patched, but not before it was used in several notable cyberattacks.

One of these attacks occurred in 2013, when Chinese political rights activists were targeted through a spear-phishing attack. The attackers exploited CVE-2012-0158 to drop a benign executable from an Office 2003 Service Pack 2 update, which was then manipulated to load a malicious DLL. This technique has been documented since at least 2013, demonstrating the long-term risks associated with such vulnerabilities.

The LOWBALL malware was also delivered by exploiting this vulnerability. In a spear-phishing campaign, three attachments were sent via email, each exploiting CVE-2012-0158. The filenames were "使命公民運動 我們的異象.doc", "新聞稿及公佈.doc", and "(代發)[采訪通知]港大校友關注組遞信行動.doc". In all cases, the payload was the same: a backdoor known as LOWBALL, which uses the Dropbox cloud-storage service for its Command-and-Control (CnC) server. These incidents highlight the persistent threat posed by software vulnerabilities, even after they have been identified and patched.
Description last updated: 2024-09-25T13:16:24.672Z
Aliases: We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Windows
Phishing
Exploit
exploited
Associated Malware
Alias Description | Association Type | Votes
The LOWBALL Malware is associated with CVE-2012-0158. LOWBALL is a sophisticated malware payload that was utilized by a China-based cyber threat group, often referred to as "admin@338". This advanced persistent threat (APT) group used LOWBALL in their operations targeting media organizations in Hong Kong and Taiwan. The malware's first stage allows the | Unspecified | 2
Source Document References
Information about the CVE-2012-0158 Vulnerability was read from the documents corpus below. This display is limited to 20 results.
PreviewSource LinkCreatedAtTitle
Checkpoint
15 days ago
CERT-EU
10 months ago
CERT-EU
a year ago
CERT-EU
a year ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago