Exploring CVE-2015-2545 and its users
06 May 2016
This report, available at TLP:GREEN to researchers and network defenders, gives an overview of different attacks using CVE-2015-2545. Specifically, we look at the different ways attackers are triggering the vulnerability, and the possibility that the exploit is shared amongst various groups. Based on overlaps in the samples analysed, our findings show that there are several clusters of documents, with the majority of the document-based builders sharing similar constructs in terms of how the final payload is discovered and executed. We also found that more recently some attackers are triggering the vulnerability through the use of MHTML files with .doc extensions.
Back in November 2015, FireEye published a report titled ‘Two For One’ detailing two new zero days, one affecting Microsoft (MS) Word and the other affecting the Windows operating system. Our report focuses on the former, CVE-2015-2545.
The vulnerability stems from a flaw in the processing of Encapsulated PostScript (EPS) files and allows an attacker to execute arbitrary code. We have been tracking samples exploiting this vulnerability as well as the associated malware, much of which has already been discussed in public reporting.
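As an added triage example (not code from the report or its authors), the following Python check identifies the real container of a file carrying a .doc extension and, when it is actually MHTML, counts the MIME parts that decode to PostScript; the function names and the sample MHTML are constructed here for illustration.

```python
# Added triage helper, not code from the report: classifies a file that carries a .doc
# extension by its real container and counts EPS parts inside MHTML (the report's pattern).
import base64
import email
from email import policy

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Word container
EPS_MAGIC = b"%!PS-Adobe"                          # header of an (E)PS file

def container_type(data: bytes) -> str:
    """Classify by content, ignoring whatever extension the file carries."""
    head = data.lstrip()[:32]
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(b"{\\rtf"):
        return "rtf"
    if head.startswith((b"MIME-Version:", b"Content-Type:", b"From:")):
        return "mhtml"
    return "unknown"

def eps_parts(data: bytes) -> int:
    """Count MIME parts whose decoded body starts with a PostScript header."""
    msg = email.message_from_bytes(data, policy=policy.default)
    count = 0
    for part in msg.walk():
        if part.is_multipart():
            continue  # container node, no body of its own
        body = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        if body.lstrip().startswith(EPS_MAGIC):
            count += 1
    return count

def triage(filename: str, data: bytes) -> dict:
    """Flag a .doc that is really MHTML and embeds EPS content."""
    kind = container_type(data)
    eps = eps_parts(data) if kind == "mhtml" else 0
    mismatch = filename.lower().endswith(".doc") and kind == "mhtml"
    return {"container": kind, "ext_mismatch": mismatch,
            "eps_parts": eps, "suspicious": mismatch and eps > 0}

# Constructed sample: an MHTML document with one base64-encoded EPS part (harmless header only).
_EPS = base64.b64encode(b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 1 1\n")
SAMPLE_MHTML = (
    b"MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary=\"B\"\r\n\r\n"
    b"--B\r\nContent-Type: text/html\r\n\r\n<html><body>lure</body></html>\r\n"
    b"--B\r\nContent-Type: image/x-eps\r\nContent-Transfer-Encoding: base64\r\n\r\n"
    + _EPS + b"\r\n--B--\r\n"
)
```

The extension/container mismatch alone is only a weak signal, since legitimate MHTML saved from Word exists; it is the combination with an embedded EPS part that is worth an analyst's attention.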
Figure 1: Examples of decoy documents used in conjunction with the exploit
The report summarises our findings based on samples collected in 2016, and explores similarities and differences in the shellcode between different documents exploiting this vulnerability.
To request your copy, e-mail [email protected] - note this is not for lead generation purposes, but is rather to avoid disclosing to adversaries how their attacks can be linked.
The samples analysed and their command-and-control addresses are given below:
Samples (initial MD5s):