On February 1st 2018, malspam delivered a malicious RTF document that tries to exploit Microsoft Office/WordPad via a in the in the MSCOMCTL.OCX library, . The malicious code can be triggered by a specially crafted DOC or RTF file for un-patched MS Office products.
of delivery document paymentorder.doc confirms presence of RTF exploit.
After opening the document in a vulnerable Microsoft Word application, a connection is established to “pgamix[.]com” to download a malicious executable payload, using shell code present in RTF file, which kicks off the following network events.
of final payload “babawire.jar” confirms that it’s Adwind, a Java based Remote Access Trojan (RAT). Adwind RAT is a multifunctional malware program and it is distributed through a single malware-as-a-service platform.
This file is a compressed stream containing 168 files. It imports multiple java packages required for execution of the Trojan.
Current RSA NetWitness detection populates following meta for the download sessions:
Although we didn't achieve a full detonation in our own sandbox, post-infection traffic from Malware-Traffic-Analysis.net populates following meta for the download sessions with Current RSA NetWitness detection:
More detailed information about CVE-2012-0158 can be found here: