© 2017 Quick Heal Technologies Limited
Malspam Campaign using CVE-2017-0199 Targets Manufacturing, Pharmaceutical and other important Industries
This vulnerability (CVE-2017-0199) is triggered by the improper handling of an HTA file while parsing a crafted RTF file that has an embedded OLE2 link object. Attackers use crafted RTF files with a .doc extension to exploit the vulnerability. The RTF file contains an embedded OLE2link object, as shown in fig 2.
Fig 2. Embedded OLE2link object
This embedded OLE2 link object points to a remotely hosted HTA file as shown in fig 3.
Fig 3. Link to Remote HTA file
RTF exploit analysis
The attack in this campaign starts with a spam email carrying the exploit RTF doc as an attachment. This RTF file has contents similar to those shown in fig 2 and fig 3. Fig 4 shows a snapshot of the spam email.
Fig 4. Spam email
When MS Word opens the RTF attachment, the exploit code requests the remotely hosted HTA file. Fig 5 shows the file downloaded after the request is made to the remote server.
Fig 5. Malicious, fake RTF File
Analyzing the initial bytes of the downloaded file suggests that it is an RTF file, but MS Word does not treat it as one; an embedded script is located below the fake RTF contents. This script is executed by 'mshta.exe', which downloads the malware via PowerShell.
Payload analysis
After successful exploitation, the malware payload is downloaded using PowerShell. PowerShell copies the downloaded file to %APPDATA%\jacob.exe and executes it. For persistence, it copies the 'jacob.vbe' file to the startup folder. jacob.exe performs keylogging, monitors process activity and logs both into a file called logs.dat, located in %AppData%\Roaming\remcos. All recorded logs are sent by the malware to a remote CnC server (212.7.208.88). According to our analysis, this malware shares many similarities with the remcos RAT family. Fig 6 shows the malware's keylogging activity.
Fig 6. Keylogging activity
Evading signature-based detections
In order to evade signature-based detection, malware actors continuously evolve their exploits through RTF obfuscation. There are multiple techniques for achieving this; a few of them are shown below.
Obfuscation technique 1
The URL moniker CLSID is obfuscated using the control word '\*'.
Fig 7.
Obfuscation technique 2
Dummy tags are added to obfuscate the URL moniker CLSID.
Fig 8.
Obfuscation technique 3
The tab control word is used to obfuscate the URL string.
Fig 9.
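To illustrate how a scanner can undo the three tricks above before matching on the URL moniker CLSID, here is an added example that is not Quick Heal's code: it strips `{\* ...}` ignorable groups, dummy control words and `\tab` from the `\objdata` stream and then looks for the CLSID bytes. The CLSID value is the standard URL Moniker GUID in its on-disk little-endian order; the RTF sample is constructed for the demonstration and carries only the CLSID, not an exploit.

```python
import re

# URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} in the little-endian
# byte order in which it appears inside the hex-encoded \objdata stream.
URL_MONIKER_CLSID_HEX = "e0c9ea79f9bace118c8200aa004ba90b"
_CONTROL_WORD = re.compile(r"\\[A-Za-z]+(-?\d+)? ?")  # \tab, \par, dummy tags
_CONTROL_SYMBOL = re.compile(r"\\[^A-Za-z]")          # \*, \~, \- ...

# Constructed sample (not a real exploit): CLSID split by \tab, a {\* ...} dummy
# group, a bare dummy tag and a stray \* control symbol, all inside \objdata.
CONSTRUCTED_SAMPLE = (r"{\rtf1{\object\objemb{\*\objdata 01050000\tab 02000000"
                      r"{\*\dummy 1234}e0c9ea79\tab f9bace11{\xyz}8c8200aa\*004ba90b}}}")


def objdata_body(rtf: str) -> str:
    """Text after \\objdata up to the brace that closes its group."""
    start = rtf.find("\\objdata")
    if start == -1:
        return ""
    depth, j = 0, start + len("\\objdata")
    while j < len(rtf) and not (rtf[j] == "}" and depth == 0):
        depth += {"{": 1, "}": -1}.get(rtf[j], 0)
        j += 1
    return rtf[start + len("\\objdata"):j]


def strip_ignorable_groups(text: str) -> str:
    """Drop every {\\* ...} group (ignorable destination), nesting included."""
    out, i, depth = [], 0, 0
    while i < len(text):
        if depth == 0 and text.startswith("{\\*", i):
            depth, i = 1, i + 3
            continue
        if depth > 0:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
        else:
            out.append(text[i])
        i += 1
    return "".join(out)


def normalize_objdata(rtf: str) -> str:
    """Hex digits of the embedded object with the three obfuscation tricks undone."""
    body = strip_ignorable_groups(objdata_body(rtf))  # techniques 1 and 2
    body = _CONTROL_WORD.sub("", body)                 # technique 3 (\tab) and dummy tags
    body = _CONTROL_SYMBOL.sub("", body)               # stray \* outside a group
    return "".join(re.findall(r"[0-9A-Fa-f]", body)).lower()


def contains_url_moniker(rtf: str) -> bool:
    """True when the normalised object data carries the URL moniker CLSID."""
    return URL_MONIKER_CLSID_HEX in normalize_objdata(rtf)
```

A bare dummy tag such as `{\xyz}` is neutralised by the control-word strip; a dummy group that also contains hex-looking text would need the same nesting-aware skip that is applied to `{\* ...}` groups.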
Targeted organizations
Fig 10 represents the statistics of organizations targeted by the malicious campaign.
Fig 10
The manufacturing sector seems to be the most favored target followed by pharmaceuticals, exports, and hotels.
Dominating all office exploits
Since its disclosure, the detection count of the exploit used in this campaign has been growing day by day. This shows that many malware actors are adopting and using this vulnerability. The statistics below show the exploit's growing usage.
Office exploit statistics for Q1 2017
Fig 11
Office exploit statistics for Q2 2017
Fig 12
As shown in fig 11, CVE-2012-0158 has the highest count; in fact, it has had the highest count for the last 3 years. However, in Q2 (fig 12), CVE-2017-0199 had the highest detection count, gaining popularity in a short period of time.
Malware actors have found the most reliable and prominent way to deliver malware through the MS Office vulnerability CVE-2017-0199. Attackers easily create exploits using readily available POCs and deliver various malware. We recommend that our users apply the latest security updates from Microsoft and keep their antivirus software up to date.
Indicators of compromise: