Overview
In May, Proofpoint observed multiple campaigns using a new version of Microsoft Word Intruder (MWI). MWI is a tool sold on underground markets for creating exploit-laden documents, generally used in targeted attacks. We previously reported about MWI when it added support for CVE-2016-4117 [2]. After the latest update, MWI is now using CVE-2017-0199 [4][5] to launch an HTML Application (HTA) used for both information collection and payload execution.
This activity targets organizations in the financial vertical including banks, banking software vendors, and ATM software and hardware vendors. The emails are sent to technology and security personnel working in departments including Fraud and Information Security.
The actor involved is believed to be the Cobalt group -- an actor known to target banks in Europe and Asia and previously documented by Group IB [1]. The malicious documents created with MWI for use in these activities delivered Metasploit Stager, Cobalt Strike, and previously undocumented malware we named Cyst Downloader.
Email Lures
While we observed numerous malicious attachments, we describe two here and list the rest in the IOC section.
- In the first campaign, the email (Figure 1) purported to be from FinCERT [8] with the subject “Памятка по информационной безопасности” (Information Security Notice) and contained a Microsoft Word attachment named “сводка1705.doc” (report1705) (Figure 3).
- Another email (Figure 2) purported to be from Security Support for PCI-DSS [3] at a major credit card company with the subject line “Безопасность” (security) and a Microsoft Word attachment (Figure 4) “Требования безопасности.doc” (Safety requirements).
Figure 1: Email used to deliver the MWI document (Body translated: “Good day, important to familiarize yourself!”)
Figure 2: Email used to deliver the MWI document (Body translated: “Please accept following advice and recommendations regarding necessary safety precautions”)
Figure 3: MWI document after the exploit is triggered; the lure displays unreadable characters
Figure 4: MWI document after the exploit is triggered; the lure describes the different ways to pay for a delinquent MTS (Russian mobile provider) bill
MWI Advertising Integration of CVE-2017-0199
Before we describe our MWI analysis, it is worth mentioning that on May 8, 2017, an advertisement for MWI on an underground site stated that this exploit document builder integrated CVE-2017-0199, and was recruiting customers for several available seats. The full version of the original Russian advertisement and its English translation follows:
Microsoft Office Word Exploits, universal .doc exploit-pack
имеется несколько мест на CVE-2017-0199 (OLE2LINK)
* билдер
* статистика
* запуск exe/dll (скриплеттов)
* запуск cmd/powershell
* поддержка, обновления, чистки
подробности: [REDACTED_EMAIL]
---
[*] MICROSOFT WORD INTRUDER 8 - the best APT-like *.doc exploit pack
CVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158
Translation:
Microsoft Office Word Exploits, universal .doc exploit-pack
There are several spots available for the CVE-2017-0199 (OLE2LINK)
* Builder
* Statistics
* Running exe / dll (scriptlets)
* Starting cmd / powershell
* Support, updates, cleaning
Details: [REDACTED_EMAIL]
---
[*] MICROSOFT WORD INTRUDER 8 - the best APT-like * .doc exploit pack
CVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158
MWI Analysis
When the document is opened, it drops the embedded payload into a temporary directory as is typical of RTFs with embedded objects[6]. Next, the CVE-2017-0199 exploit downloads and executes the HTA.
From our analysis, the purpose of the HTA is two-fold. It is used to download and/or execute the payload as well as collect information about the infected machine. Thus the advertisement description is accurate. In the example analyzed here, shown in Figure 5, the MWI HTA is configured to run an executable payload embedded in the document, which was previously saved into the temporary directory when the recipient opened the document. Note that the HTA could have alternatively been configured to download and run an executable, DLL, or a JScript/VBscript file. It is also configured to collect and report information about the system, such as installed antivirus applications, running processes, and whether execution of the payload was successful.
Figure 5: Configuration section of the MWI HTA
As mentioned above, depending on how MWI is configured, it has different ways of executing the payload. Figure 6 shows the code snippet used for executing EXE and DLL payloads. There is also functionality for executing JScript/VBScript (Figure 7) and cmd/Powershell. All three methods generate a section for the Command and Control (C&C) report letting the operator know if the execution was successful.
Figure 6: Portion of the HTA code responsible for running DLLs and Executables
Figure 7: Portion of the HTA code responsible for executing VBScript/Jscript
The information collection code is responsible for profiling the system. It collects network details, operating system information, installed antivirus products, and running processes (see list below). This collected information is encoded with base64 and sent it to its C&C server.
- UserName
- ComputerName
- UserDomain
- OS Version
- OS SerialNumber
- WindowsDirectory
- CodeSet
- CountryCode
- OSLanguage
- CurrentTimeZone
- Locale
- DefaultProxy
- Antivirus displayName
- Antivirus instanceGuid
- Antivirus pathToSignedProductExe
- Antivirus pathToSignedReportingExe
- Antivirus productState
- Antivirus Timestamp
- Running process ProcessId
- Running process Name
- Running process ExecutablePath
Figure 8: Section of the HTA responsible for collecting information about the system
Figure 9: Section of the HTA responsible for sending collected data
Figure 10: Function in the HTA used to send collected data
Malware Payload: Metasploit Stager
The payload installed most frequently by MWI was the Metasploit stager, which in turn downloaded Cobalt Strike. The Metasploit stager [7] is used to stage additional malware and we often see it in penetration testing as well as real attacks.
Malware Payload: Cyst Downloader and Plugin
However, in at least in one case we observed an MWI document install a previously unknown malware (SHA256: af17a3b5bf4c78283b2ee338ac6d457b9f3e7b7187c7e9d8651452b78574b3d3). We are calling it the Cyst Downloader. The functionality of this loader is limited. It can create a mutex such as “syst<10 digits>” and communicate with the the C&C server to receive a DLL plugin. The URI path pattern of the C&C beacon contains a folder (random alphanumeric name) followed by a file (random alphanumeric name) with a .jpg, .php, .gif, or .png extension. The downloaded DLL is encrypted with a hardcoded "\x28\xBF\x0A\xBE\x5B\x6E\x70\x03" RC4 key and base64 encoded. The server sends the DLL in HTML comments in a fake 404 response.
Figure 11: Cyst Downloader communicating with the C&C and receiving a payload plugin
The DLL plugin is loaded in memory by the loader and does not access the disk. This plugin has the internal name “test.dll”, which may indicate it is still in development. This plugin has only one export named “Execute”, which is hardcoded into the Cyst loader. The plugin enumerates URLs stored in the browser history, with support for Internet Explorer, Chrome, Firefox, and Opera:
- IE: parse history using the IUrlHistoryStg2::EnumUrls method
- Chrome: parse history using a SQL query : “SELECT url, (last_visit_time/1000000-11644473600) FROM urls”
- Firefox: parse history using a SQL query : “SELECT url, (last_visit_date/1000000) FROM moz_places”
- Opera: parse history using a SQL query : “SELECT url, (last_visit_time/1000000-11644473600) FROM urls”
These methods of browser history parsing are well-known and have been used for a long time by malware authors. The visited URLs retrieved are stored in malware memory using this format :
"browser: (IE|Chrome|Firefox|Opera)\r\n” + “url: %s” + " | time: %d\r\n"
Figure 12: Example of visited URLs (recovered from browser history) stored in memory
This data is then RC4 encrypted and sent to the same C&C. The attacker is likely parsing the data on the server side and searching for a set of selected domains relevant to their attack, making it an efficient filter for interesting targets.
Conclusion
Microsoft Word Intruder is a powerful tool for creating exploit documents that can be used in a variety of malicious campaigns. In this case, not only was it used to install known malware and customizable scripts and executables, but also installed a previously undocumented malware called Cyst Downloader. While exploit documents are less commonly used in attacks as malicious attachments and hosted files than macro documents, the availability of often unpatched vulnerabilities like CVE-2017-0199 make it attractive to threat actors. We will continue to monitor MWI development and campaigns by Cobalt and other actors using associated exploit documents.
Acknowledgements
Special thanks to our colleague Andrew Komarov (InfoArmor Inc.) for his help in this study.
References
[1] http://www.group-ib.com/cobalt.html
[3] https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
[4] https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts
[7] https://blog.cobaltstrike.com/2013/06/28/staged-payloads-what-pen-testers-should-know/
[8] https://www.scmagazine.com/fincert-to-help-russian-banks-respond-to-cyber-attacks/article/535448/
Indicators of Compromise (IOCs)
|
IOC |
IOC Type |
Description |
|
e559c65b51a874b9ebf4faacd830223428e507a865788c2f32a820b952ccf0b4 |
SHA256 |
MWI Document |
|
2a918030be965cd5f365eb28cd5a0bebec32d05c6a27333ade3beaf3c54d242c |
SHA256 |
MWI Document |
|
e0f6073aee370d5e1e29da20208ffa10e1b30f4cf7860bb1a9dde67a83dee332 |
SHA256 |
MWI Document |
|
61afc2bf91283ccc478406a4c1277a0c8549584716d8b3a89d36f9bcdc45c4fe |
SHA256 |
MWI Document |
|
af17a3b5bf4c78283b2ee338ac6d457b9f3e7b7187c7e9d8651452b78574b3d3
|
SHA256 |
MWI Document |
|
326a01a5e2eeeeebe3dade94cf0f7298f259b72e93bd1739505e14df3e7ac21e |
SHA256 |
MWI HTA |
|
hxxp://37.1.207[.]202/wstat/ |
URL |
MWI C&C |
|
hxxp://5.45.66[.]161/wstat/ |
URL |
MWI C&C |
|
39ac90410bd78f541eb42b1108d2264c7bd7a5feafe102cd7ac8f517c1bd3754 |
SHA256 |
Metasploit Stager |
|
hxxps://176.9.99[.]134/MAUy |
URL |
Cobalt Strike Download |
|
hxxps://176.9.99[.]134/kQ6j |
URL |
Cobalt Strike Download |
|
hxxps://52.15.209[.]133/Els8 |
URL |
Cobalt Strike Download |
|
138d3f20da09e9f5aa5a367b8ff89d349fe20a63682df2379a7a6f78f31eb53d |
SHA256 |
Cobalt Strike |
|
176.9.99[.]134 |
IP |
Cobalt Strike C&C |
|
52.15.209[.]133 |
IP |
Cobalt Strike C&C |
|
922e3bccd3eb151ee46afb203f9618ae007b99a758ca95caf5324d650a496426 |
SHA256 |
Cyst Downloader |
|
96.44.188[.]57 |
IP |
Cyst Downloader C&C |
|
24973014fa8174ffff190ae7967a65307a23d42386683dc672babd9c6cf1e5ee |
SHA256 |
Cyst Plugin (browser history checker) |
ET and ETPRO Suricata/Snort Coverage
2024306 ET TROJAN MWI Maldoc Load Payload
2024197 ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in RTF 0-day )
2024307 ET TROJAN MWI Maldoc Posting Host Data
2814013 ETPRO TROJAN Meterpreter or Other Reverse Shell SSL Cert
2023629 ET INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike
2826544 ETPRO TROJAN Cyst Downloader Fake 404