{"id":1036,"date":"2017-11-17T20:15:19","date_gmt":"2017-11-17T20:15:19","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=1036"},"modified":"2017-11-17T20:15:19","modified_gmt":"2017-11-17T20:15:19","slug":"2017-11-17-maldoc-using-cve-2017-0199","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=1036","title":{"rendered":"2017-11-17 Maldoc Using CVE 2017-0199"},"content":{"rendered":"

This is a quick writeup on some maldocs that I was able to find in our email filters that used the CVE2017-0199 in them. The emails had the same attachments in them (from a hash perspective) which was a Word document and an Excel spreadsheet. The Word document had a hidden OLE object while the Excel spreadsheet had the hidden OLE object on the 3rd tab in the spreadsheet. Both these Office documents would reach out to a malicious domain and grab the HTA file which would then have code in it to go and doiwnload the actual malicious binary that would run on the system. FireEye has a great writeup on this which you can find here<\/a>. Didier Stevens also has a great, short walk-through of how this vulnerability works which you can watch here<\/a>.<\/p>\n

While I was able to get the infection chain to work correctly, the malicious binary downloaded from the HTA script did not run on my test VM so I am not sure if it is because it saw “something” on my system that prevented it from running, or something else. For all artifacts from this write-up\/investigation, please see my Github repo here<\/a>. <\/p>\n

\"\"<\/a><\/p>\n

IOCs:
\n=====
\n108.179.194.43 \/ kenion.com.mx (GET \/doro\/htamonrt.hta and GET \/doro\/bred.exe)<\/p>\n

Artifacts:
\n==========
\nFile name: BL.doc
\nFile size: 92KB
\nFile path: NA
\nMD5 hash: ab56fb59cfbd5460dd2c928c89a102df
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/17a83e6ddd42d341d54be007d0046f5a7475be1d95f79eeaf6f1f7a756521579\/analysis\/<\/a>
\nDetection ratio: 20 \/ 59
\nFirst Detected: 2017-11-16 04:04:51 UTC
\nPayload Security: NA<\/p>\n

File name: CI.xlsx
\nFile size: 8KB
\nFile path: NA
\nMD5 hash: 54102f24603257ffa316f82c01602c83
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/ed0e3fa3efa1955a666cf1c6e6915cf343ff6d45b7e46e3e2b89b714548b0545\/analysis\/<\/a>
\nDetection ratio: 4 \/ 59
\nFirst Detected: 2017-11-16 04:04:51 UTC
\nPayload Security: NA<\/p>\n

File name: htbred.hta
\nFile size: 2KB
\nFile path: C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\Q9DOEXHZ
\nMD5 hash: dfca304c24ae50b929ef7d6f985b7db4
\nVirustotal: NA
\nPayload Security: NA
\nFile name: bred.exe
\nFile size: 686KB
\nFile path: C:\\Users\\%username%\\AppData
\nMD5 hash: f6523669b733ecd19eeb95397a9559e7
\nVirustotal: NA
\nPayload Security: NA<\/p>\n

Analysis:
\n=========
\nThe infection seems to be pretty straight-forward and relies on the user to enable the OLEobject to run which does all the heavy lifting. As you can see below, once you open the Word document or the Excel spreadsheet, it asks to update the document with the data from the linked files.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

In the Word document, if you click no, and then right click on the box in the Word document, and then “Object –> Links” you can see the link to the malicious HTA file that it is trying to grab, where in Excel, if you click no and then go to the third tab, you can see the call to the HTA file there.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Also note that just opening the document triggers the GET request to the HTA file as seen below as well. The user does not need to enable anything or update the links in the document\/spreadsheet.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Since I did not run Process Explorer when executing the malware to see how this malware executed exactly, we can assume that it worked in very much the same manner that FireEye discussed in their blog post mentioned above with the exception of downloading a “fake” Word document in the background. The HTA file that is grabbed is somewhat obfuscated, but once cleaned up, is a simple Powershell script that proceeded to download the malicious binary and execute it.<\/p>\n

\"\"<\/a><\/p>\n

So this is where it gets interesting. Based on what I saw the file looks to be a binary file, but it really is an AutoIT script. Looking at the file using the “file” command I saw that it is PE32 binary. Using hexdump I saw that the magic number for the file also matches up to a PE file (the 4d5a at the beginning).<\/p>\n

\r\nherbie.zimmerman [~\/Desktop\/Artifacts] : file bred.exe \r\nbred.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit\r\n------\r\nherbie.zimmerman [~\/Desktop\/Artifacts] : hexdump bred.exe \r\n0000000 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00<\/pre>\n
But when looking at the actual file details, it states something else.<\/p>\n
\"\"<\/a><\/p>\n
Since this looked like a AutoIt script compiled into an executable, I unzipped it to see if I could glean anything from it and as to why it would not run on my system. Unfortunately I was not able to gather anything from this exercise nor was I able to see anything when using Resource Hacker either. So unfortunately I am not able to figure out why this file did not run on my system.<\/p>\n
\"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
This is a quick writeup on some maldocs that I was able to find in our email filters that used the CVE2017-0199 in them. The emails had the same attachments in them (from a hash perspective) which was a Word document and an Excel spreadsheet. The Word document had a hidden OLE object while the Excel spreadsheet had the hidden OLE object on the 3rd tab in the spreadsheet. Both these Office documents would reach out to a malicious domain and grab the HTA file which would then have code in it to go and doiwnload the actual malicious binary…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[18],"class_list":["post-1036","post","type-post","status-publish","format-standard","hentry","category-packet-analysis","tag-cve-2017-0199"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1036","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1036"}],"version-history":[{"count":1,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1036\/revisions"}],"predecessor-version":[{"id":1048,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1036\/revisions\/1048"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1036"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1036"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1036"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}