FortiGuard Labs recently discovered a new malicious PowerPoint file named ADVANCED DIPLOMATIC PROTOCOL AND ETIQUETTE SUMMIT.ppsx. Taking a look at the four slides of the PowerPoint Open XML Slide Show (PPSX) file, we can tell that it targets people from UN agencies, Foreign Ministries, International Organizations, and those who interact with international governments.

We will take a look on how opening this PowerPoint file could compromise your system.

Here’s an overview on how the attack works:

Figure 01: Flow of the attack process

CVE-2017-0199

This exploit targets a vulnerability identified as CVE-2017-0199, which was disclosed and patched last April 2017. It triggers a remote code execution in Microsoft Office or WordPad when parsing specially crafted files. Attackers who successfully exploit this flaw in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office can take control of the affected system. This vulnerability is well explained here by Wayne Low.

This is not the first time we have sees attackers leveraging this vulnerability. We saw it used on a previous malicious PowerPoint Slide Show file that delivered the REMCOS RAT malware. However, this attack should not be confused with PowerPoint file exploits that use mouse over actions that leverage the ppaction://protocol to launch a PowerShell command.

When the latest malicious PowerPoint Slide Show is opened, it triggers a script in ppt/slides/_rels/slide1.xml.rels. The exploit then downloads the remote code at its Target hxxp://www[.]narrowbabwe[.]net:3345/exp[.]doc, as shown below, and runs it using the PowerPoint Show animations feature. The crafted file also includes a lot of blank space after the Target, which could be used to avoid YARA detection. (YARA is a malware research and detection tool.)

Figure 02: PPSX file leveraging CVE-2017-0199

When we observe network traffic when this file is executed, we can see that the specially crafted file successfully exploits the flaw and downloads and executes the file exp.doc. This is not a doc file, but an XML file with JavaScript code.

Figure 03: Network traffic from the PPSX file

UAC Bypass and Privilege Escalation

When we extract the JavaScript from the XML file we can see that it will write a file in %Temp%Microsoft_Office_Patch_KB2817430.jse. The filename imitates that of the Microsoft Office patch to lower suspicion and try to show it’s a legitimate file, which obviously it is not.

Figure 04: Embedded JavaScript in the XML file

Not only does this sample use an exploit, it also includes an infamous technique to bypass Microsoft Windows’ UAC security and then execute itself with high privilege. Higher privilege equals more authority and allows more action to the system.

The UAC bypass technique includes hijacking the registry in HKCUsoftwareclassesmscfileshellopencommand and then executing eventvwr.exe. You can read more on this UAC bypass and privilege escalation technique here.

Figure 05: Added registry for UAC bypass

JavaScript Analysis

The dropped Microsoft_Office_Patch_KB2817430.jse malware that is executed with high privilege contains the following code. 

Figure 06: Dropped Microsoft_Office_Patch_KB2817430.jse file

In the above code, WMI ActiveScriptConsumers is used for persistence. A timer event is also created so the script runs every 12 seconds (12000 milliseconds). The script that runs it is encoded and stored as a comment inside its body.

Figure 07: Decoded script

Obtaining the C&C Server from a JPG File

After decoding the code in the comments, the script reads the following registry, and if they don’t exist it will create them.

HKLMSOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUser AgentSeed0

HKLMSOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUser AgentFeed0

Figure 08: Registry Feed0 and Seed0

The data written in the registry key Feed0 is hard coded from the Microsoft_Office_Patch_KB2817430.jse file. When decoded it has the following value hxxp://narrowbabwe[.]net/comsary/logo[.]jpg.

The script proceeds to connect to this URL; however in our analysis it is no longer responding. Trying a quick search in Google, we were able to retrieve the /logo.jpg file thanks to VirusTotal.

Figure 09: Tampered jpg file

Now that we have the /logo.jpg, we can proceed on analysing the sample. First we noticed there is a corrupted portion of the jpg file. This could mean that the attacker tampered with the original photo to hide some data. This is a very effective technique in hiding a message/data since jpg files are often assumed to be non-malicious.

Figure 10: Code to retrieve the hidden data

Checking the code we see that it gets the length of Response_Text or the end of file and subtracts it by 0x80h, which could be the start of the encoded data. The ‘if’ statement compares to a hard-coded marker in the jpg file that has values 9, 5, 2 and 7, as shown above. If this condition is not met it will return nothing.  But if the marker is found, it will get the substr from the offset i with a length of 44 characters, which will be the encoded URL.

Figure 11: Tampered Data

The encoded URL will be written in the registry /Seed0, and when decoded has a value of hxxp://www[.]narrowbabwe[.]net/comsary/index[.]php.

Figure 12: Seed0 Registry key

C&C Communication

Next, it tries to identify if it is being run in a virtual environment by getting the Network Adapter Configuration and searching to see if there is an occurrence of the string ‘Virtual’.

Figure 13: Check for virtual environment

Interestingly, the data that will be sent depends on whether or not the ‘Virtual’ string is found. Comparing the two, if the string is not found the gathered data will include &ipaddr and &macaddr from the infected machine.

Figure 14: Information gathered from machine

After collecting the needed information it encodes back the data and sends this by HTTP POST to hxxp://www[.]narrowbabwe[.]net/comsary/index[.]php.

Figure 15: HTTP POST to C&C

The format of the data being sent is shown below.

Figure 16: Encoded data to be sent

Unfortunately, the C&C was already down during our analysis, resulting in no response. However, we can still confirm from the code below that the response from the C&C contains arbitrary commands that are executed with eval() function. These commands can possibly be download functions to deliver the final payload, and the most commonly used malware for espionage are RATs (Remote Access Trojans).

Figure 17: Command and result execution

Once the execution of the commands from the C&C is done, it sends a notification back to the server using the following HTTP POST query string format:

Figure 18: Command result POST notification

Conclusion

Our analysis revealed that multiple techniques were implemented in this code in order to evade detection and remain effective. Such techniques leverage CVE-2017-0199, UAC bypass and escalation of privilege, multiple embedded encoded scripts, multiple stages of URL connection, and embedding the C&C in a jpg file. This shows how persistent criminals can be when crafting their malicious files.

A special thank you for additional analysis goes out to our teammates Tien Phan, Tony Loi, and Joie Salvio

Solution

1. Apply the patches released by Microsoft in April that covers the CVE-2017-0199 vulnerability.
2. FortiGuard Antivirus service detects this threat as MSOffice/Downloader!exploit.CVE20170199
3. FortiGuard Web Filtering service blocks all C&C and related URLs.
4. FortiSandbox rates the PPSX file as High Risk.

-= FortiGuard Lion Team =-

IOCs:

8e89ae80ea50110244f2293f14615a7699b1c5d2a70415a676aa4588117ad9a7 – PPSX

CC:

hxxp://www[.]narrowbabwe[.]net/comsary/logo[.]jpg

hxxp://www[.]narrowbabwe[.]net:3345/exp[.]doc

hxxp://www[.]narrowbabwe[.]net/comsary/index[.]php

Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.