Incident Response, Malware, TDR

Some samples in ‘Rotten Tomato’ campaign not effectively executed

Researchers at SophosLabs detected an advanced persistent threat (APT) malware campaign in July and August, called Rotten Tomato, and research published by one threat analyst provides additional details on the malware used in the attacks.

According to a blog post penned by Sophos' John Zorabedian, this campaign was named in part after the Tomato Garden campaign and also references some of the samples that “were not effectively executed” or, in other words, “rotten.”

The campaign, the post said, came from China and while the attacks were generated by several different groups, they “used the same zero-day Microsoft Word exploit." In Rotten Tomato, the groups somehow got hold of a document that exploited the vulnerability, left the exploiting document part and the shellcode intact, and only changed the appended encrypted executable at the end,” wrote Zorabedian.

Gabor Szappanos, principal threat researcher at SophosLabs Hungary, told in an email correspondence that “these malware authors are one of the most prolific APT groups, they are behind many targeted attacks, that are suspected to be sponsored by the Chinese government.” In a research paper published recently, Szappanos offered insights into the campaign, noting that researchers had observed “a lot of samples that exploit both CVE-2012-0158 and CVE-2014-1761, and usually either download or drop a Zbot variant.”

He wrote that one of the samples was SHA1: c3a7cb43ec13299b758cb8ca25eace71329939f7, containing an “encrypted Zbot variant3 at the beginning of the RTF” and wagered that the sample was likely used as a template by the different malware writing groups.

Szappanos, who has followed Plugx samples for the past two years, posited that the group deploying Plugx must have made the first attempt, which failed to execute properly. 

“I can only guess that they didn't understand the CVE-2014-1761 component, and thought that there was only one shellcode, in the CVE-2012-0158 segment…so they appended the encrypted Plugx executable, and replaced the first shellcode with their own,” Szappanos explained. 

The shellcode “contains the hardcode offset of the embedded executable and decrypts from there.” But the authors left the encrypted Zbot executable and the second vulnerability intact, which meant the sample exploited two vulnerabilities and contained two payloads. Since Word can only be executed once, that “creates a race condition” which means that the vulnerability that is triggered first runs its own payload.

“The attackers tried to craft documents that exploit two different vulnerabilities at the same time. The older one was a standard method from their repertoire. In addition to that, they wanted to add a new Word vulnerability, discovered in 2014,” Szappanos told “They tried to add it by taking examples from other malware authors, and integrate into their solutions. In this effort, they failed to understand completely how it works, and failed to make the necessary integration modifications.”

While Szappanos was surprised that the APT authors behind Plugx, who “seemed to be competent enough in the past,” weren't able to “come up with a working solution,” he noted that their efforts didn't fail completely. 

“The older exploit still worked, the documents were able to infect their targets after all,” he said.

Szappanos also noted that the line between malware and APTs is beginning to blur. 

“We have seen earlier this year, that common cybercriminals (the ones distributing Zeus and other banking credential stealing malware) got the idea from the APT actors of using Word exploits as distribution method,” he said. “This time the APT groups were taking the idea of using the new Word vulnerability in their attack.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.