{"id":7788,"date":"2017-05-30T15:40:29","date_gmt":"2017-05-30T23:40:29","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/30\/news-1573\/"},"modified":"2017-05-30T15:40:29","modified_gmt":"2017-05-30T23:40:29","slug":"news-1573","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/05\/30\/news-1573\/","title":{"rendered":"Spear Phishing Fileless Attack with CVE-2017-0199"},"content":{"rendered":"

Credit to Author: Bahare Sabouri and He Xu| Date: Tue, 30 May 2017 16:21:54 -0700<\/strong><\/p>\n

\n

Introduction<\/h2>\n

CVE-2017-0199<\/a> is a remote code execution vulnerability that exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploits this vulnerability can take control of an affected system and then install programs, view, change, or delete data, or create new accounts with full user rights.<\/p>\n

Microsoft issued a patch for this vulnerability April, and most security vendors have published alarms for it. Unfortunately, attacks targeting this vulnerability are still widely being used in the wild.<\/p>\n

One of our FortiSandbox devices recently detected a suspicious RTF (Rich Text Format) file that it tagged as high risk. We here at FortiGuard Labs did some further investigation of the sample and found some interesting things. In this blog post, we will share what we found and attempt to reproduce the entire attack route.<\/p>\n

Attack Route<\/h2>\n

Stage 1<\/h3>\n

The high risk RTF file arrives in a spear phishing email as an attachment. When the victim opens the file with a vulnerable version of MS Word, the exploit is activated. Next, it proceeds to download a malicious HTA file from  “http:\/\/5{REMOVED}.161\/wstat\/?id=77778888&act=1<\/u><\/i>”, as seen in Figure 1.<\/p>\n

\"\"<\/p>\n

Figure 1: Exploit retrieves an HTA file from the remote server<\/p>\n

At the same time, the sample drops an embedded PE file in a temporary folder and names it “~WRF{C8E5B819-8668-4529-B7F9-2AB23E1F7F68}.tmp”. Figure 2 shows the embedded PE file.<\/p>\n

\"\"<\/p>\n

Figure 2: Embedded PE file in the RTF sample<\/p>\n

The downloaded HTA file is launched automatically. It executes the dropped PE file and performs some further attacks, according to its configuration. It is important to note that the HTA payload supports multi-vector attacks, as seen in Figure 3.<\/p>\n

\"\"<\/p>\n

Figure 3: HTA configuration code<\/p>\n

At the same time, it also collects system information according to its configuration, and sends the encoded data back to its C&C server (Figure 4.)<\/p>\n

\"\"<\/p>\n

     Figure 4: Uploading the victim system report to the server<\/p>\n

The sample we analyzed retrieved system information, anti-virus information, process list, and attack payload status (Figure 5.)<\/p>\n

\"\"<\/p>\n

Figure 5: Collected data<\/p>\n

Stage 2<\/h3>\n

There are many different attack approaches in HTA file, such as:<\/p>\n

\u25cf      Executing a remote executable file \/ DLL file \/ ScriptLet file<\/p>\n

\u25cf      Executing a local executable file \/ DLL file \/ ScriptLet file<\/p>\n

In this attack, the payload is pretty straightforward to execute the local executable file (embedded in the malware). But we also discovered two additional payloads: a remote executable file and a ScriptLet file (these two payloads weren’t involved in this current attack).<\/p>\n

The ScriptLet payload could be used to bypass Applocker to load a real attack payload (Figure 6.)<\/p>\n

\"\"<\/p>\n

Figure 6: ScriptLet payload (not used in this attack)<\/p>\n

In this scenario, the core payload file retrieves a DLL file using an HTTPS protocol received from the remote C&C server, https:\/\/176.{removed}.134\/MAUy<\/u>, which stores the file in memory and then jumps to the first byte to execute it (Figure 7.)<\/p>\n

\"\"<\/p>\n

Figure 7: Memory only DLL<\/p>\n

The full attack route is pretty simple, but quite efficient. Figure 8 shows the attack scenario:<\/p>\n

\"\"<\/p>\n

Figure 8: Attack Route<\/p>\n

Conclusion<\/h2>\n

This attack exposes vulnerable systems to significant risk. Failure to employ a patching protocol has been the root cause of a number of recent attacks. To fix the vulnerability discussed in the analysis, Fortinet recommends you install this Microsoft security update<\/a>.<\/p>\n

Spear phishing is always a dangerous attack vector that often carries recent vulnerability exploits. To stay safe, be cautious when opening any emails coming from an unknown source.<\/p>\n

Sample Information<\/h3>\n

RTF file:<\/strong><\/p>\n

MD5: d4ff8e87f66150e36e4f70c65f422524<\/p>\n

SHA256: 2a918030be965cd5f365eb28cd5a0bebec32d05c6a27333ade3beaf3c54d242c<\/p>\n

Fortinet Detection Name: W32\/Snojan.BMST!tr<\/p>\n

Dropped executable:<\/strong><\/p>\n

MD5: c4505c6a6b148c3d7b5f4d756f49dbdf<\/p>\n

SHA256: 39ac90410bd78f541eb42b1108d2264c7bd7a5feafe102cd7ac8f517c1bd3754<\/p>\n

Fortinet Detection Name: W32\/Snojan.BMST!tr<\/p>\n

HTA file:<\/strong><\/p>\n

MD5: 2c085826d56eb39570d0d76e34d52052<\/a><\/p>\n

SHA256: 326a01a5e2eeeeebe3dade94cf0f7298f259b72e93bd1739505e14df3e7ac21e<\/p>\n

Fortinet Detection Name: VBS\/Dlr.A!tr<\/p>\n<\/div
https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Bahare Sabouri and He Xu| Date: Tue, 30 May 2017 16:21:54 -0700<\/strong><\/p>\n

Introduction CVE-2017-0199 is a remote code execution vulnerability that exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploits this vulnerability can take control of an affected system and then install programs, view, change, or delete data, or create new accounts with full user rights. Microsoft issued a patch for this vulnerability April, and most security vendors have published alarms for it. Unfortunately, attacks targeting this vulnerability are still widely being used…<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-7788","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7788","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7788"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7788\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7788"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}