Office exploit kit updates drop support for CVE-2012-0158
Two newer vulnerabilities targeting the Microsoft Office suite have become very popular in recent months, as Office exploit kit makers have updated their code and added support for the newer CVE-2015-1641 and CVE-2015-2545 exploits.
For more than four years, APT groups and cyber-crime gangs have been very attached to the CVE-2012-0158 Office exploit that used a weakness in how ActiveX controls were handled to infect the underlying system with malware.
Many infosec professionals were puzzled that cyber-criminals continued to use such an old exploit to distribute malware, especially after three or four years had passed since its discovery.
CVE-2012-0158 slowly losing popularity
The first signs of change appeared this spring. Usage of two newer Office vulnerabilities has exploded, while the older CVE-2012-0158 has begun to disappear from malware and spam campaigns.
According to a recent report from Sophos Labs, the company’s expert Gabor Szappanos has tied the rise of these two exploits to updates to several Office exploit kits, which removed support for the older exploit and added the newer CVE-2015-1641 and CVE-2015-2545 instead.
Office exploit kits are ready-made applications which automate the process of creating malformed Office files that can leverage security vulnerabilities to install malware on a device. They are just like regular exploit kits, but for creating malicious Word, Excel, and PowerPoint files.
Office exploit kits dropped CVE-2012-0158
Szappanos says that the three major players in the Office exploit kit market, AK-1, DL-2, and MWI, have all received updates in recent months.
AK-1 was updated to AK-2, and during the process, dropped CVE-2012-0158 and added CVE-2015-1641.
DL-2, the Office exploit kit used by the Fareit and Zbot malware gangs, has shifted to primarily using the CVE-2015-2545 vulnerability.
MWI, or the Microsoft Word Intruder kit, has dropped support for CVE-2012-0158 and replaced it with CVE-2015-1641.
Newer exploits guarantee a higher infection success rate
The reason is simple: as the Windows XP market started to shrink, so did CVE-2012-0158 usage. The migration of these Office exploit kits to newer vulnerabilities makes perfect technical sense.
We already noted in a previous article the rise of the CVE-2015-2545 vulnerability among cyber-espionage APT groups. This vulnerability allows attackers to embed malicious EPS (Encapsulated Postscript) payloads as images inside Office files. The vulnerability affects Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1, and has started to become popular with cyber-crime gangs, not only APT groups.
On the other hand, CVE-2015-1641 was seen by security firms in a smaller number of high-profile infections specific to targeted APT attacks, but according to Sophos the exploit has been the favorite of cyber-criminal groups, turning up in large numbers of spam emails.
CVE-2015-1641 is easy to spot because it can only be executed from RTF documents. The exploit can be triggered from Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1.
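As an added defender-side example (not code from the Sophos report or this article), the following Python triage helper applies the two facts above: it flags RTF containers, the only carrier for CVE-2015-1641, and lists EPS parts inside OOXML packages, the vector for CVE-2015-2545. The sample inputs are constructed and harmless; the result is a triage heuristic for prioritising samples, not proof of exploitation.

```python
import io
import re
import zipfile

# Constructed, harmless sample inputs: an RTF stub and a minimal
# OOXML-style zip package carrying an EPS image part.
RTF_SAMPLE = b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Calibri;}} Hello\\par}"

def make_ooxml_with_eps() -> bytes:
    """Build an in-memory OOXML-like package containing an EPS part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.eps", "%!PS-Adobe-3.0 EPSF-3.0\n0 0 moveto\n")
    return buf.getvalue()

# EPS files announce themselves with a PostScript header comment.
EPS_MAGIC = re.compile(rb"^%!PS-Adobe-\d\.\d EPSF")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def triage_office_file(data: bytes) -> dict:
    """Summarise a document for triage: container type and embedded EPS parts.

    RTF is flagged because CVE-2015-1641 is only reachable from RTF files;
    EPS parts are flagged because CVE-2015-2545 is delivered as an EPS image.
    """
    result = {"container": "unknown", "rtf": False, "eps_parts": []}
    if data.lstrip().startswith(b"{\\rtf"):
        result["container"] = "rtf"
        result["rtf"] = True
    elif data[:8] == OLE_MAGIC:
        # Legacy binary Office format; EPS inspection of OLE streams is out of scope here.
        result["container"] = "ole"
    elif data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                result["container"] = "ooxml"
                for name in z.namelist():
                    with z.open(name) as part:
                        head = part.read(64)  # only the header is needed for the magic check
                    if name.lower().endswith(".eps") or EPS_MAGIC.match(head):
                        result["eps_parts"].append(name)
        except zipfile.BadZipFile:
            result["container"] = "corrupt-zip"
    return result

if __name__ == "__main__":
    print(triage_office_file(RTF_SAMPLE))
    print(triage_office_file(make_ooxml_with_eps()))
```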
The chart below, based on Sophos’ internal telemetry data, shows the CVE-2015-1641 exploit’s huge popularity.