Some unnoticed facts about cve-2013-3906
1. Embedded in the cve-2013-3906 exploit are Russian-language Excel files.
Means: either fuzzing artifacts or an intended decoy.
2. The Excel files embedded in the cve-2013-3906 exploit are not required to trigger or exploit the vulnerability.
Means: the exploit was acquired for the hacking campaigns and used 'as is', rather than produced in-house.
3. All known samples of cve-2013-3906 from all hacking campaigns contain the same useless XLS embeddings.
Means: one exploit seller, brainless tool usage.
4. First submission of cve-2013-3906 to VirusTotal was on 2013-07-07 (JoseMOlazagasti.docx, MY, NL, DK, other EU).
Means: the @fireeye research is missing at least one hacking group/campaign.
5. First appearance of cve-2013-3906 in the wild (2013-07-07) was mistaken by @avast_antivirus for cve-2012-0158.
6. First submission of cve-2013-3906 internals (TIFF, ActiveX) to VirusTotal was in September (TW, IN, IS), not from the previously attacked EU countries. Not reported until November.
(see Additional info section)
Means: unqualified incident response or testing/analysis by 0day-interested parties.
7. In early October, a few named, one-off samples of cve-2013-3906 were submitted to VirusTotal (mostly from the US).
2013-10-01 21:01:52 Illegality_Supply details.docx
2013-10-07 18:27:25 Re-credit.docx_
2013-10-07 20:28:38 Swift Message $288,550 USD.docx
Means: incident response to a campaign against one-shot targets, or 0day exploit testing.
The cve-2013-3906 exploit was most likely produced by a Russian developer around March 2013 (ref: EXIF) and sold to multiple parties, beginning in July 2013. The exploit was used in at least 3 distinct hacking campaigns: #1 in July 2013 against Europe, #2 and #3 in October 2013 against the Middle East and Asia. The exploit remained unnoticed for 2 months and was detected shortly after the beginning of the 2nd/3rd campaigns (possibly due to their connection with the known malware Citadel). Some of the parties involved in ordering and producing the campaigns may reside in Taiwan, India, Israel and the United States.
Had McAfee's Advanced Exploit Detection System not picked it up, followed by detailed analysis and confirmation, the major vendors would most likely have continued to ignore it. Judging from their blog, AEDS does not appear to have been deployed in a product yet.