{"id":36499,"date":"2014-07-15T11:26:22","date_gmt":"2014-07-15T18:26:22","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=36499"},"modified":"2024-02-20T00:15:17","modified_gmt":"2024-02-20T08:15:17","slug":"targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities\/","title":{"rendered":"Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities"},"content":{"rendered":"<p>Spear phishing email is a major worry to any organization. Messages that appear legitimate and specific fool us more often than random phishing attempts. Exploits that use patched vulnerabilities delivered via spear phishing email are one of the most successful combinations used by attackers to infiltrate targeted organizations and gain access to confidential information.<\/p>\n<p>During the last month, McAfee Labs researchers have uncovered targeted attacks carried out via spear phishing email against a French company. We have seen email sent to a large group of individuals in the organization. The attachments exploit the recently patched RTF vulnerability CVE-2014-1761 and the previously patched ActiveX control vulnerability CVE-2012-0158. 
Both of these vulnerabilities have been popular in several ongoing targeted attacks.<\/p>\n<p><a style=\"font-size: 14px; line-height: 1.5em;\" href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-36502\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t1.png\" alt=\"t1\" width=\"458\" height=\"259\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t1.png 509w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t1-300x169.png 300w\" sizes=\"auto, (max-width: 458px) 100vw, 458px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><a style=\"font-size: 14px; line-height: 1.5em;\" href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-36503\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t2.png\" alt=\"t2\" width=\"486\" height=\"285\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t2.png 854w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t2-300x175.png 300w\" sizes=\"auto, (max-width: 486px) 100vw, 486px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>The preceding spear phishing emails come from attackers using the French Yahoo and Laposte email services and possibly impersonating employees of the targeted organization.<\/p>\n<h2><strong><span style=\"text-decoration: underline;\">RTF Vulnerability<\/span><br \/>\n<\/strong><\/h2>\n<p>These exploits target the recently discovered RTF zero-day vulnerability CVE-2014-1761. 
The flaw lies in the value of the \u201cListOverrideCount,\u201d which is set to 25.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-36504\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t3.png\" alt=\"t3\" width=\"523\" height=\"98\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t3.png 646w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t3-300x56.png 300w\" sizes=\"auto, (max-width: 523px) 100vw, 523px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>However, according to Microsoft\u2019s RTF specifications this value should be either 1 or 9. This error eventually causes an out-of-bounds array overwrite that results in incorrect handling of the structure by Word and leads to the attacker\u2019s controlling an extended instruction pointer (EIP).<\/p>\n<h2><span style=\"text-decoration: underline;\"><b>Shellcode<\/b><\/span><\/h2>\n<p>McAfee Labs researchers discovered that all the bytes of the shellcode, the return oriented programming (ROP) chain, are directly controlled by the attacker and come straight from the RTF structure. 
Here is a high-level view of how the ROP chain is formed:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-36505\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t4.png\" alt=\"t4\" width=\"502\" height=\"438\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t4.png 628w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t4-300x261.png 300w\" sizes=\"auto, (max-width: 502px) 100vw, 502px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>Next we see a snapshot of the parsed RTF structure in memory leading to the control of the EIP:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-36506\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t5.png\" alt=\"t5\" width=\"495\" height=\"103\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t5.png 688w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t5-300x62.png 300w\" sizes=\"auto, (max-width: 495px) 100vw, 495px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>Successful execution of the shellcode opens the decoy document and drops the malware svohost.exe in the %TEMP% directory and then connects to the control server.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-36507\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t6.png\" alt=\"t6\" width=\"382\" height=\"160\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t6.png 424w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t6-300x125.png 300w\" sizes=\"auto, (max-width: 382px) 100vw, 382px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>(McAfee Labs researchers Haifei Li and Xie Jun <a href=\"https:\/\/mcafee.com\/blogs\/others\/mcafee-labs\/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers\/\">have already blogged<\/a>\u00a0on the technical details of the vulnerability and the shellcode.)<\/p>\n<p>In this cycle of spear phishing attacks we\u2019ve also seen email targeting the same organization with attachments that exploit the two-year-old CVE-2012-0158 vulnerability. The malicious payload arrives in the innocuous-sounding article.doc.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-36508\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t7.png\" alt=\"t7\" width=\"539\" height=\"328\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t7.png 899w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t7-300x182.png 300w\" sizes=\"auto, (max-width: 539px) 100vw, 539px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>The following API trace gives an idea of the sequence of activities once the exploit is launched on the system:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-36509\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t8.png\" alt=\"t8\" width=\"571\" height=\"142\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t8.png 714w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t8-300x74.png 300w\" sizes=\"auto, (max-width: 571px) 100vw, 571px\" 
\/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"text-decoration: underline;\"><b>Payload Analysis<\/b><\/span><\/p>\n<p>Our analysis of the dropped binary reveals that it was specifically written to gather information about the network of the target organization as well as the configuration of the endpoint\u2014leading us to believe that this is spear phishing reconnaissance. The payload seems to have been compiled on April 9:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-36510\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t9.png\" alt=\"t9\" width=\"437\" height=\"160\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t9.png 486w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t9-300x109.png 300w\" sizes=\"auto, (max-width: 437px) 100vw, 437px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>The malware starts by retrieving the %Temp% path and prepares to log the communication with its control server in the file %Temp%explorer.exe.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t20.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-36524\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t20.png\" alt=\"t20\" width=\"541\" height=\"359\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t20.png 541w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t20-300x199.png 300w\" sizes=\"auto, (max-width: 541px) 100vw, 541px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>Subsequently, the malware collects the following information:<\/p>\n<ul>\n<li>Hostname<\/li>\n<li>Username<\/li>\n<li>System type, by resolving the IsWow64Process API<\/li>\n<li>Current TCP and UDP connections and open ports<\/li>\n<li>Organizational information from the registry key HKLM\/Software\/Microsoft\/WindowsNT\/CurrentVersion:\n<ul>\n<li>Productname<\/li>\n<li>CSDVersion<\/li>\n<li>CurrentVersion<\/li>\n<li>CurrentBuildNumber<\/li>\n<li>RegisteredOrganization<\/li>\n<li>RegisteredOwner<\/li>\n<\/ul>\n<\/li>\n<li>Currently running system services<\/li>\n<li>Installed software from the registry key:\n<ul>\n<li>HKLM\/Software\/Microsoft\/Windows\/CurrentVersion\/Uninstall<\/li>\n<\/ul>\n<\/li>\n<li>Information about network adapters, IP configuration, netcard numbers, IP mask, gateway, DHCP server, DHCP host, WINS server, and WINS host<\/li>\n<\/ul>\n<p>Here is a high-level snapshot of the malware\u2019s information gathering code:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-36511\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t10.png\" alt=\"t10\" width=\"589\" height=\"445\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t10.png 654w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t10-300x226.png 300w\" sizes=\"auto, (max-width: 589px) 100vw, 589px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>Encryption is primarily done using the SYSTEMTIME structure. 
It forms the repetitive 256-byte key using SYSTEMTIME information, shown below:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-36513\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t12.png\" alt=\"t12\" width=\"566\" height=\"374\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t12.png 566w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t12-300x198.png 300w\" sizes=\"auto, (max-width: 566px) 100vw, 566px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>The malware converts the key into 16 bytes to encrypt the information.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities\/attachment\/chintan-shah-redacted-t131\" rel=\"attachment wp-att-36629\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-36629\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Chintan-Shah-redacted-t131.png\" alt=\"Chintan Shah redacted t131\" width=\"881\" height=\"306\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Chintan-Shah-redacted-t131.png 881w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Chintan-Shah-redacted-t131-300x104.png 300w\" sizes=\"auto, (max-width: 881px) 100vw, 881px\" \/><\/a><\/p>\n<p>Once the buffer has been encrypted, it connects to the control server sophos.skypetm.com.tw.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t14.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-36515\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t14.png\" alt=\"t14\" width=\"381\" height=\"443\" 
srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t14.png 381w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t14-258x300.png 258w\" sizes=\"auto, (max-width: 381px) 100vw, 381px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t15.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-36516\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t15.png\" alt=\"t15\" width=\"386\" height=\"147\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t15.png 689w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t15-300x114.png 300w\" sizes=\"auto, (max-width: 386px) 100vw, 386px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><strong><span style=\"text-decoration: underline;\">Command and Control Research<\/span><\/strong><\/h2>\n<p>During our analysis of this exploit, sophos.skypetm.com.tw resolved to the IP address 66.220.4.100, located in Fremont, California. 
McAfee sensors first observed the outbound traffic to this domain on January 27, at which time it resolved to 198.100.113.27, located in Los Angeles.<\/p>\n<p>From our passive DNS data, we found the following MD5 hashes connecting to the same domain, resolving to 198.100.113.27.<\/p>\n<p>&nbsp;<\/p>\n<table border=\"0\" width=\"534\" cellspacing=\"0\" cellpadding=\"0\">\n<colgroup>\n<col width=\"238\" \/>\n<col width=\"138\" \/>\n<col width=\"158\" \/><\/colgroup>\n<tbody>\n<tr>\n<td width=\"238\" height=\"19\">4ab74387f7a02c115deea2110f961fd3<\/td>\n<td width=\"138\">January 27, 2014<\/td>\n<td width=\"158\">sophos.skypetm.com.tw<\/td>\n<\/tr>\n<tr>\n<td height=\"19\">8dc8e02e06ca7c825d42d82ec19d8377<\/td>\n<td>January 28, 2014<\/td>\n<td>sophos.skypetm.com.tw<\/td>\n<\/tr>\n<tr>\n<td height=\"19\">0331417d7fc3d075128da1353ae880d8<\/td>\n<td>March 30, 2014<\/td>\n<td>sophos.skypetm.com.tw<\/td>\n<\/tr>\n<tr>\n<td height=\"19\">5e2360a8c4a0cce1ae22919d8bff49fd<\/td>\n<td>April 25, 2014<\/td>\n<td>sophos.skypetm.com.tw<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The whois record reveals that the skypetm.com.tw domain has been registered under the email ID longsa33@yahoo.com. 
This ID also registered the domain avstore.com.tw, which has been used as the control server.<\/p>\n<p><a style=\"font-size: 14px; line-height: 1.5em;\" href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t17.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-36518\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t17.png\" alt=\"t17\" width=\"591\" height=\"167\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t17.png 821w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t17-300x85.png 300w\" sizes=\"auto, (max-width: 591px) 100vw, 591px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>We have seen several other malware binaries communicating with the various subdomains of skypetm.com.tw and avstore.com.tw. All of them have been identified as \u201cPittyTiger\u201d malware, which appears in numerous CVE-2012-0158 exploits used in recent targeted attacks. The same payload was used in the \u201cTomato Garden\u201d APT campaign, uncovered in June 2013, against Tibetan and Chinese democracy activists.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t18.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-36519\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/t18.png\" alt=\"t18\" width=\"447\" height=\"154\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t18.png 447w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/t18-300x103.png 300w\" sizes=\"auto, (max-width: 447px) 100vw, 447px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>Additional domains related to this attack:<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>McAfee Product 
Coverage<\/strong><\/span><\/p>\n<p>McAfee coverage for CVE-2014-1761 <a href=\"https:\/\/www.mcafee.com\/blogs\/others\/mcafee-labs\/product-coverage-mitigation-cve-2014-1761-microsoft-word\">is detailed here.<\/a>\u00a0McAfee Advanced Threat Defense provides zero-day detection for CVE-2012-0158.<\/p>\n<p>As usual, exercise extreme caution when opening documents from unknown sources and use the latest versions of software.<\/p>\n<p>I would like to thank my colleague S. R. Venkatachalabathy for assistance in this research.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Spear phishing email is a major worry to any organization. Messages that appear legitimate and specific fool us more often&#8230;<\/p>\n","protected":false},"author":1088,"featured_media":102121,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[3923,338,18],"coauthors":[786],"class_list":["post-36499","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs","tag-email-and-web-security","tag-endpoint-protection","tag-network-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Spear phishing email is a major worry to any organization. 
Messages that appear legitimate and specific fool us more often than random phishing attempts.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Spear phishing email is a major worry to any organization. Messages that appear legitimate and specific fool us more often than random phishing attempts.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2014-07-15T18:26:22+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-20T08:15:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"768\" \/>\n\t<meta property=\"og:image:height\" content=\"432\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Chintan Shah\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Chintan Shah\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities\/\"},\"author\":{\"name\":\"Chintan Shah\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/48a67aca4e443a833854424927b55569\"},\"headline\":\"Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities\",\"datePublished\":\"2014-07-15T18:26:22+00:00\",\"dateModified\":\"2024-02-20T08:15:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities\/\"},\"wordCount\":1123,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg\",\"keywords\":[\"email and web security\",\"endpoint protection\",\"network security\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities\/\",\"name\":\"Targeted Attacks on French Company Exploit Multiple Word 
Vulnerabilities | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg\",\"datePublished\":\"2014-07-15T18:26:22+00:00\",\"dateModified\":\"2024-02-20T08:15:17+00:00\",\"description\":\"Spear phishing email is a major worry to any organization. Messages that appear legitimate and specific fool us more often than random phishing attempts.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432-1.jpg\",\"width\":768,\"height\":432},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/targeted-att
acks-on-french-company-exploit-multiple-word-vulnerabilities\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mc
afee.com\/blogs\/#\/schema\/person\/48a67aca4e443a833854424927b55569\",\"name\":\"Chintan Shah\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/4bd41c8738b3a7e04f993101170b3377\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/Chintan-Shah-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/Chintan-Shah-96x96.jpg\",\"caption\":\"Chintan Shah\"},\"description\":\"Chintan Shah is currently working as a Security Researcher with McAfee Intrusion Prevention System team and holds broad experience in the network security industry. He primarily focuses on Exploit and vulnerability research, building Threat Intelligence frameworks, Reverse engineering techniques and malware analysis. Chintan had researched and uncovered multiple targeted and espionage attacks in the past blogging about them. His interests lies in software fuzzing for vulnerability discovery, analyzing exploits, malwares and translating to product improvement.\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/chintan-shah\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}