Specialists believe that cyber attackers used the toolkit, dubbed “HOMEKit” by Palo Alto Networks, to generate malicious Microsoft Word documents for various campaigns since 2013. Similar to the MNKit exploit generator, HOMEKit relies on the CVE-2012-0158 vulnerability in Office to deliver malware.

Palo Alto Networks observed in late June the most recent attack involving HOMEKit. Researchers found an email apparently coming from the United Nations Environment Programme (UNEP). The email carried a Word document and an Excel spreadsheet containing a global directory for residents of North Korea under UNEP.

While the Excel file turned out to be harmless, the Word document attempted to exploit CVE-2012-0158, which Microsoft patched in 2012, to deliver a new Trojan named “Cookle” by Palo Alto Networks.

Cookle, a newly discovered downloader, can collect information on the infected system, download and execute files. In order to avoid being detected, the threat waits 20 minutes before contacting its command and control (C&C) server. Attackers can also configure the malware to change its sleep interval between C&C communications.

The designers of HOMEKit aimed to exploit a vulnerability in the TreeView ActiveX control. If the exploitation of the flaw is successful, a shellcode executes and a decoy document opens. In the meantime, the system executes a payload (.dat file).

An analysis of the documents generated with HOMEKit showed that it can deliver various payloads used in the past years in cyber espionage campaigns. Two of them are:

  • PlugX; Chinese APTs and Surtr often use it, also seen in attacks targeting Tibetan organizations
  • Mirage, which in 2012 targeted energy, military, and other organizations worldwide.

Experts believe an intermediary might have made HOMEKit available to multiple threat groups.