Our Phishing Defense Center identified and responded to attacks leveraging a relatively new Microsoft Office vulnerability during the past few weeks. Last week, the PDC observed threat actors exploiting CVE-2017-0199 to deliver the Smoke Loader malware downloader, which in turn was used to deliver the Zeus Panda botnet malware. These emails claim to deliver an invoice for an “outstanding balance” and trick the recipient into opening the attached file. In one instance, we have also seen the malicious attachment delivered via a URL.
The subject lines of the emails followed a pattern of alphanumeric characters followed by the phrase “Invoice Past Due”; an example is shown below.
An example of the phishing email used in these attacks is shown below.
The following URL was also identified in one example delivering a malicious document.
hxxp://3tco.com[.]vn/index.html.php?id=<base64 email address>
The file delivered by these emails is an RTF document containing an OLE object used to exploit the CVE-2017-0199 vulnerability. Once opened, the exploit runs code that downloads a file from a remote host. The downloaded file is a Microsoft Word document disguised with an .xls extension and containing embedded malicious code. Once the download is complete, the file is automatically loaded into the original RTF document. A vulnerability in this loading process is used to control how the contents of the downloaded file are interpreted and to execute the malicious code inside. Once this embedded code is executed, it downloads a malicious executable and a decoy “accounts payable documentation report”. This benign document is displayed to disguise the threat actors’ activity, and then the executable is run. The downloaded executable is a sample of the Smoke Loader malware downloader.
Upon execution, this Smoke Loader sample obtains a copy of the Zeus Panda banking trojan. Once run on the machine, this malware performs extensive checks to determine whether it is running in a virtualized or analysis environment before contacting its command and control hosts. Once contact has been established, these hosts provide update instructions and configuration data that guide the financial-crimes and botnet trojan’s activity on infected machines.
The following section details how the CVE-2017-0199 vulnerability is exploited and lists its IOCs.
This vulnerability takes advantage of Microsoft Office’s and WordPad’s handling of OLE embedded link objects in RTF files. Exploitation abuses certain control words in the rich text file format to update an object link, which allows a malicious file to be downloaded. The downloaded file is typically another RTF file containing an embedded malicious script that is executed when Microsoft Office attempts to load it as an OLE object.
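The delivery chain above (RTF lure, OLE link object, remote file pulled in and loaded) gives a defender two things to look for in a suspect RTF: the control words that tell Office to refresh a linked object (`\objautlink`, `\objupdate`) and a remote URL hidden inside the hex-encoded `\*\objdata` blob. The scanner below is an added example written for this post, not PhishMe's tooling and not taken from the samples described here; the RTF fixtures it scans are constructed placeholders (the URL is `example.invalid`) and are not working exploit documents. It extracts every `\*\objdata` group with proper brace matching, hex-decodes the blob (tolerating the line wrapping RTF writers insert), and searches the decoded bytes for URLs both as ASCII and as UTF-16LE at either byte alignment, since OLE link streams commonly store the target as wide characters.

```python
import re
import textwrap
from pathlib import Path
from typing import Dict, List

# Control words that instruct Office to (re)load a linked object; their presence in a
# document that also carries a remote URL in its object data is the pattern to flag.
LINK_UPDATE_WORDS = ("\\objautlink", "\\objupdate")

# Printable-ASCII URL with a remote scheme, matched against decoded object bytes.
URL_RE = re.compile(rb"(?:https?|ftp|file)://[\x21-\x7e]{4,}", re.IGNORECASE)


def _group_bodies(rtf: str, marker: str) -> List[str]:
    """Return the body of every RTF group that starts with `marker` (e.g. r"{\\*\\objdata"),
    honouring nested braces so an inner group does not end the match early."""
    bodies: List[str] = []
    start = rtf.find(marker)
    while start != -1:
        depth, i = 0, start
        while i < len(rtf):
            if rtf[i] == "{":
                depth += 1
            elif rtf[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        bodies.append(rtf[start + len(marker):i])
        start = rtf.find(marker, i + 1)
    return bodies


def _decode_hex(blob: str) -> bytes:
    """Hex-decode an objdata body; strips whitespace/CRLF wrapping and any stray non-hex
    characters, and drops a dangling odd nibble rather than failing on a damaged blob."""
    hexchars = re.sub(r"[^0-9a-fA-F]", "", blob)
    return bytes.fromhex(hexchars[: len(hexchars) // 2 * 2])


def _find_urls(data: bytes) -> List[str]:
    """Find remote URLs in decoded object data, as raw ASCII and as UTF-16LE text."""
    candidates = [data]
    for offset in (0, 1):  # wide strings may sit at either byte alignment
        wide = data[offset:].decode("utf-16-le", "ignore")
        candidates.append(wide.encode("ascii", "ignore"))
    hits: List[str] = []
    for blob in candidates:
        for m in URL_RE.finditer(blob):
            url = m.group().decode("ascii")
            if url not in hits:
                hits.append(url)
    return hits


def scan_rtf(rtf: str) -> Dict[str, object]:
    """Report link-update control words and URLs recovered from \\*\\objdata groups.
    `suspicious` is True only when both indicators are present together."""
    control_words = [w for w in LINK_UPDATE_WORDS if w in rtf]
    urls: List[str] = []
    for body in _group_bodies(rtf, r"{\*\objdata"):
        for url in _find_urls(_decode_hex(body)):
            if url not in urls:
                urls.append(url)
    return {
        "control_words": control_words,
        "urls": urls,
        "suspicious": bool(control_words) and bool(urls),
    }


def scan_file(path: str) -> Dict[str, object]:
    """Scan an RTF file on disk; latin-1 keeps every byte so hex data is never lost."""
    return scan_rtf(Path(path).read_text(encoding="latin-1"))


# Constructed fixture: the control-word layout of a link-update lure with a placeholder
# URL stored as UTF-16LE behind a few placeholder header bytes. Not a real exploit file.
_PLACEHOLDER_URL = "http://example.invalid/payload.xls"
_OBJDATA_HEX = "01050000020000000b000000" + _PLACEHOLDER_URL.encode("utf-16-le").hex() + "0000"
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objautlink\objupdate\objw1\objh1{\*\objclass Word.Document.8}"
    + r"{\*\objdata " + "\r\n".join(textwrap.wrap(_OBJDATA_HEX, 64)) + "}}}"
)

# Constructed benign fixture: an ordinary embedded object, no link-update words, no URL.
BENIGN_RTF = r"{\rtf1\ansi{\object\objemb{\*\objclass Package}{\*\objdata 0105000002000000}}\par Hello}"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

On the constructed lure the scanner reports both control words plus the placeholder URL and marks the document suspicious; on the benign fixture it reports nothing. A positive hit is a triage signal to pull the document for sandboxing and to block the recovered URL at the proxy, not proof on its own: legitimate documents can carry `\objupdate`, which is why the verdict requires a remote URL in the object data as well.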
The following document files were identified as leveraging an exploit for CVE-2017-0199.
The following URLs were used to provide a malicious payload for execution by this document.
A commonly used malware downloader, the Smoke Loader malware operates using a set of command and control hosts to provide instructions to the malware for downloading additional payloads. While the locations of these command and control hosts are hardcoded into the Smoke Loader binary, the payload locations are not. The payload locations are instead obtained from the Smoke Loader command and control in response to the malware’s HTTP requests. The following Smoke Loader files were used in this campaign.
After completing its initial check-in with command and control infrastructure, this Smoke Loader instance obtained its payload set from the following locations.
The following file set was identified as used in this campaign to infect machines with malware featuring extensive anti-analysis functionality including the ability to detect multiple forms of virtualization and physical device restoration utilities.
The following payload locations were used by Zeus Panda to obtain its payloads.
The command and control hosts below were used to support this malware. These command and control hosts are used to log records of new infections as well as to provide configuration data that the malware uses to conduct extensive credential-stealing operations. Credentials are primarily stolen via web injects that are customized for customers of each financial institution listed in the configuration document.
Finally, the executable below was identified within an infected environment at the completion of the infection process.
PhishMe® cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for emails that contain subject lines as described above. PhishMe Simulator™ customers may consider launching simulations that follow this style of attack to further train their users to detect and report suspicious emails. A simulation template will be available by end of day.
Don’t miss another threat – stay on top of emerging phishing and malware threats and attacks, all delivered straight to your inbox completely free. Subscribe to PhishMe Threat Alerts today.