Earlier today I accidentally opened up Twitter and saw this tweet:
Despite the less-than-favorable numbers, our friend wasn't deterred and continued to pour elbow grease into the document. A few samples later, that old vulnerability was beginning to shine a bit, with just 5 detections. The file was also sporting a new name relating to a project run out of Kazakhstan; certainly a more fitting choice for a weaponized document potentially meant for spear phishing than one chosen by the Metasploit framework. A few last tweaks, an embedded VBS script called by a BAT file and a remote command and control server hosted in the Netherlands, finalized the document. A single upload a day later showed the working file detected by 2 lone anti-virus engines.
While VirusTotal results may not tell the full story, they do represent a single source of record and some level of capability from each anti-virus engine. Watching a vulnerability patched early last year go from 12 detections to 2 with a working payload is unsettling, to say the least. If you are wondering where to focus your efforts, don't worry about the unknowns you can't control; instead, try applying those patches left waiting in your repository.
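The detection slide described above (12, then 5, then 2 engines) is exactly the kind of trend a defender can watch for when the same sample is re-analyzed. The following is an added example, not code from the original post: it takes file reports shaped like VirusTotal's v3 `/files/{hash}` response (only the `last_analysis_results` field is read), counts how many engines returned a `malicious` verdict, and flags a sample whose detections fall on every re-upload and finish near zero. The engine names, verdicts and upload ids are constructed stand-ins, and the `evasion_suspected` heuristic and its `floor` threshold are assumptions of this example, not a VirusTotal feature.

```python
from typing import List, Tuple

# Hypothetical engine names; stand-ins for the real engines VirusTotal runs.
ENGINES = [f"Engine{c}" for c in "ABCDEFGHIJKLMN"]  # 14 constructed engines


def build_report(flagged: List[str], upload_id: str) -> dict:
    """Build a dict shaped like a VirusTotal v3 /files/{hash} response.

    Only the fields this example reads are filled in; the data is constructed,
    not a real VirusTotal report.
    """
    results = {}
    for engine in ENGINES:
        if engine in flagged:
            results[engine] = {"category": "malicious", "result": "Exploit.Generic"}
        else:
            results[engine] = {"category": "undetected", "result": None}
    return {"data": {"id": upload_id,
                     "attributes": {"last_analysis_results": results}}}


# Three constructed uploads of one evolving document: 12, then 5, then 2 hits.
SAMPLE_REPORTS = [
    build_report(ENGINES[:12], "upload-1"),
    build_report(ENGINES[:5], "upload-2"),
    build_report(["EngineA", "EngineC"], "upload-3"),
]


def detections(report: dict) -> Tuple[int, int, List[str]]:
    """Return (malicious_count, engines_total, sorted names of flagging engines)."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = sorted(name for name, verdict in results.items()
                     if verdict.get("category") == "malicious")
    return len(flagged), len(results), flagged


def detection_trend(reports: List[dict]) -> List[int]:
    """Malicious-verdict count for each report, in upload order."""
    return [detections(r)[0] for r in reports]


def evasion_suspected(counts: List[int], floor: int = 5) -> bool:
    """Heuristic (assumed here, not a VirusTotal rule): detections drop on every
    re-upload and the latest count is at or below `floor`."""
    if len(counts) < 2:
        return False
    strictly_decreasing = all(a > b for a, b in zip(counts, counts[1:]))
    return strictly_decreasing and counts[-1] <= floor


if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        hits, total, engines = detections(report)
        print(f"{report['data']['id']}: {hits}/{total} flagged by "
              f"{', '.join(engines) or 'none'}")
    print("evasion suspected:", evasion_suspected(detection_trend(SAMPLE_REPORTS)))
```

Run against real reports, the same functions work unchanged on the JSON returned by the v3 API; the point is to alert on the shape of the trend (a known, patched exploit losing coverage with each revision) rather than on any single detection ratio, which is the story the post tells in prose.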