A forum for reverse engineering, OS internals and malware analysis 

Forum for completed malware requests.
 #25444  by mikeinhouston
 Thu Mar 12, 2015 4:50 am
I am looking for a sample of the Word document (u121Du122Du132B 2007.doc) sent to Ethiopian Satellite Television Service (ESAT) in Dec 2014 (citizenlab.org has a sample)

Failing the Word document, a copy of the payload dropped by the document. MD5 hashes below.

ESAT doc file md5: 91961aad912dc790943a1cb23b6e8297
ESAT payload dropped md5: f6a793a177447e3cab4108a707db65cd

CitizenLab thinks that this may be a new version of Hacking Team’s Remote Control System (RCS) spyware.

For more info see CitizenLab's (very nice) report here
https://citizenlab.org/2015/03/hacking- ... d-spyware/

Thanks!
 #25983  by patriq
 Mon Jun 01, 2015 3:52 pm
Not the exact hashes you were looking for, but maybe this will help you?

From CitizenLab:
"The attached Word document (u121Du122Du132B 2007.doc) contains an exploit, which appears to be the “Tran Duy Linh” MSComctlLib.Toolbar.2 exploit"
link to: http://blog.malwaretracker.com/2013/06/ ... d-new.html


“Tran Duy Linh” MSComctlLib.Toolbar.2 exploit - they say it's *not* an exploit for CVE-2012-1856 but gets fixed by the MS12-060 patch, same CVE.. umm ok.

Named this way because all samples observed "Last Saved By: Tran Duy Linh"

Attached are two samples that seem to fit, one old and one newer.

Good luck.