Some samples in 'Rotten Tomato' campaign were not effectively executed.
Some samples in 'Rotten Tomato' campaign were not effectively executed.

Researchers at SophosLabs detected an advanced persistent threat (APT) malware campaign in July and August, called Rotten Tomato, and research published by one threat analyst provides additional details on the malware used in the attacks.

According to a blog post penned by Sophos' John Zorabedian, this campaign was named in part after the Tomato Garden campaign and also references some of the samples that “were not effectively executed” or, in other words, “rotten.”

The campaign, the post said, came from China and while the attacks were generated by several different groups, they “used the same zero-day Microsoft Word exploit." In Rotten Tomato, the groups somehow got hold of a document that exploited the vulnerability, left the exploiting document part and the shellcode intact, and only changed the appended encrypted executable at the end,” wrote Zorabedian.

Gabor Szappanos, principal threat researcher at SophosLabs Hungary, told in an email correspondence that “these malware authors are one of the most prolific APT groups, they are behind many targeted attacks, that are suspected to be sponsored by the Chinese government.” In a research paper published recently, Szappanos offered insights into the campaign, noting that researchers had observed “a lot of samples that exploit both CVE-2012-0158 and CVE-2014-1761, and usually either download or drop a Zbot variant.”

He wrote that one of the samples was SHA1: c3a7cb43ec13299b758cb8ca25eace71329939f7, containing an “encrypted Zbot variant3 at the beginning of the RTF” and wagered that the sample was likely used as a template by the different malware writing groups.

Szappanos, who has followed Plugx samples for the past two years, posited that the group deploying Plugx must have made the first attempt, which failed to execute properly. 

“I can only guess that they didn't understand the CVE-2014-1761 component, and thought that there was only one shellcode, in the CVE-2012-0158 segment…so they appended the encrypted Plugx executable, and replaced the first shellcode with their own,” Szappanos explained.