CVE-2012-0158

Vulnerability Profile Updated a month ago
CVE-2012-0158 is a significant vulnerability in the design and implementation of Microsoft Office, specifically related to the parsing of Rich Text Format (.rtf) files. This flaw was first exploited in spear-phishing attacks in which emails carried three different attachments, each exploiting this vulnerability. The malicious documents were named 使命公民運動 我們的異象.doc, 新聞稿及公佈.doc, and (代發)[采訪通知]港大校友關注組遞信行動.doc. On opening, the payload delivered was a backdoor known as LOWBALL, identified by the MD5 hash d76261ba3b624933a6ebb5dd73758db4 (time.exe). LOWBALL used the legitimate Dropbox cloud-storage service as its command-and-control (CnC) server; relying on a trusted service to control compromised systems makes detection and mitigation harder. Alongside CVE-2012-0158, a subsequent attempt used another patched .rtf vulnerability, CVE-2015-1641, showing the attackers' persistence in exploiting known vulnerabilities in widely used software. It was also confirmed that an older flaw, the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), was being exploited; this vulnerability allows attackers to execute arbitrary code remotely and thereby take control of an affected system. The exploitation of CVE-2012-0158 in multiple contexts underscores its critical nature and the importance of promptly applying patches for known vulnerabilities.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
flaw
exploited
Windows
Remote Code ...
Dropbox
Phishing
Malware
Backdoor
Rat
Payload
Exploit
Exploit Kit
Symantec
Microsoft
Associated Malware
ID | Type | Votes | Profile Description
LOWBALL | Unspecified | 1 | LOWBALL is a sophisticated malware payload that was utilized by a China-based cyber threat group, often referred to as "admin@338". This advanced persistent threat (APT) group used LOWBALL in their operations targeting media organizations in Hong Kong and Taiwan. The malware's first stage allows the
BadPatch | Unspecified | 1 | BadPatch is a malicious software (malware) associated with the Gaza Hackers. This malware is designed to exploit and damage computers or devices, often infiltrating systems through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information,
Hightide | Unspecified | 1 | Hightide is a malware family discovered by FireEye, first observed on August 24, 2014, when it was used in a spear-phishing email sent to a Taiwanese government ministry. The Hightide backdoor was dropped via an exploit document with specific properties including MD5 hash of 6e59861931fa2796ee107dc2
RIPTIDE | Unspecified | 1 | Riptide is a form of malware, or malicious software, that was utilized by the cyber espionage group known as APT12 from October 2012 to May 2014. This proxy-aware backdoor communicates via HTTP with a hard-coded command and control (C2) server. The initial communication with the C2 server fetches an
Waterspout | Unspecified | 1 | Waterspout is a newly discovered malware, sharing traits with other malicious software such as RIPTIDE, HIGHTIDE, and THREEBYTE. It is an HTTP-based backdoor that communicates with its command and control (C2) server, infecting systems through phishing emails sent from valid but compromised accounts
Associated Threat Actors
ID | Type | Votes | Profile Description
APT2 | Unspecified | 1 | APT2, suspected to be affiliated with China, is a threat actor known for its cyber operations targeting the military and aerospace sectors. The primary objective of APT2's activities is intellectual property theft, focusing on data and projects that give an organization a competitive edge within its
APT12 | Unspecified | 1 | APT12, also known as Calc Team, is a cyber espionage group believed to be connected to the Chinese People's Liberation Army. The group primarily targets journalists, government entities, and the defense industrial base. Their preferred method of attack is phishing emails sent from legitimate but com
Spring Dragon | Unspecified | 1 | Spring Dragon, a threat actor known for its malicious activities, has been active for several years and has targeted organizations in various locations globally, including Vietnam (VN), Taiwan (TW), the Philippines (PH), and other areas. Its primary victims are defense subcontractors and government-
APT40 | Unspecified | 1 | APT40, also known as Red Ladon or IslandDreams, is a China-linked cyber espionage group that typically targets countries strategically important to China's Belt and Road Initiative. The group has been observed using at least 51 different code families, with its attack vectors often involving spear-p
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2015-1641 | Unspecified | 1 | None
CVE-2014-1761 | Unspecified | 1 | None
Source Document References
Information about the CVE-2012-0158 vulnerability was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
MITRE | a year ago | APT40: Examining a China-Nexus Espionage Actor | Mandiant
MITRE | a year ago | Darwin's Favorite APT Group | Mandiant
MITRE | a year ago | Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists
CERT-EU | 9 months ago | Years-old Microsoft bugs are still hot targets for criminals
MITRE | a year ago | ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe
MITRE | a year ago | Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years
MITRE | a year ago | Inception Framework: Alive and Well, and Hiding Behind Proxies
MITRE | a year ago | Advanced Persistent Threats (APTs) | Threat Actors & Groups
MITRE | a year ago | The Trail of BlackTech's Cyber Espionage Campaigns
MITRE | a year ago | The Dropping Elephant: aggressive cyber-espionage in the Asian region
MITRE | a year ago | Endpoint Protection - Symantec Enterprise
MITRE | a year ago | BadPatch
MITRE | a year ago | Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
MITRE | a year ago | Chinese Actors Use '3102' Malware in Attacks on US Government and EU Media
MITRE | a year ago | BITTER: a targeted attack against Pakistan
CERT-EU | 6 months ago | Threat actors still exploiting old unpatched vulnerabilities, says Cisco | IT World Canada News
MITRE | a year ago | China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets | Mandiant
CERT-EU | 9 months ago | Qualys Top 20 Exploited Vulnerabilities | Qualys Security Blog
MITRE | a year ago | Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX | Proofpoint US
MITRE | a year ago | The Spring Dragon APT