Every day we receive numerous phishing emails and others among them that, although they don’t directly attempt to steal user information, do contain malicious attachment. These types of emails are what we usually call malspam (malware spam), which could be defined as the indiscriminate sending of emails with malicious attachments and whose objective is to compromise the user’s computer. Once the PC is compromised, in some cases, it can become part of a botnet, a network of computers that, without the knowledge of their users, perform actions that are managed from a remote central server operated by the botnet manager. These actions range from sending more malspam to the contacts of the compromised users, to carrying out DDoS attacks on remote targets.

In the case we are going to analyse, the user received a suspicious email with an attached document that behaved strangely when it was opened, making connections to the Internet, something that is unusual in an office document.  The attached document downloaded a script and executed it in the system. In turn, this script downloaded an executable file with malicious content.

Illustration 1. Infection process

In the case we’re studying, the infection was composed of 3 phases:

  • Phase 1: Reception of the attachment that exploited Office’s vulnerability and executed the download of a script.
  • Phase 2: Execution of the script and download of the binary.
  • Phase 3: Execution of the binary and compromised system.

In this post, we will try to analyse the different phases of the system being compromised and will identify the methods used in each one of them.

Phase 1: Attached document

The user receives an email in their inbox with an attachment that pretends to be a Microsoft Word document. These emails often come from user accounts that have been previously compromised, and from which multiple emails have been sent to their contacts’ email addresses.

Attached document

The received attachment has a .DOC extension, but really if we perform a more detailed analysis, we can see that it is an .RTF document and that inside it contains a Microsoft Office document that will open with Microsoft Word.

Illustration 2. Document header. rtf

This .DOC document contains code created specifically to exploit a vulnerability in the Microsoft Office equation editor Microsoft Equation 3.0  (CVE-2017-11882) that will be used to execute a series of commands that execute the download of the second phase of the infection.

This vulnerability is a stack buffer overflow in the management of one of the MTEF-type (MathType Equation Format) records used by the Microsoft Office equation editor.  Overwriting is done with a string of characters that includes the command to be executed and the memory address (0x00430c12). This address refers to an instruction within this same application that points to the WinExec function of Kernel32.dll. The jump to said instruction will use as a parameter the stack record that has been overwritten and that now contains the command with the URL of the malicious file to execute, in our case http://urlz[.]fr/7lh3.

Illustration 3. Exploit used

Once the exploit is executed, we see the HTTP connection towards the outside, requesting the URL and following the redirection, then downloading the script followed by the binary.

Illustration 4. File download

Phase 2: Script downloaded

When the vulnerability is exploited, an .HTA file is downloaded from an external website and executed using the mshta.exe utility.

.HTA files (HTML Applications) are applications that can use the same functionalities and technologies as Internet Explorer, but without a graphic interface; they allow all HTML capabilities to be used (HTML, CSS, JavaScript, VBScript, etc.) plus capabilities specific to this type of file, and by default they are considered “reliable” applications, so they can also execute actions that Internet Explorer would not be allowed to do.

The attackers use mshta.exe to launch the execution of the .HTA file, which in this case includes VBScript code.

Illustration 5. Execution of mshta.exe

Obfuscation

As we can see, the document’s code contains parts that are obfuscated, that is, the commands necessary to carry out the actions that will lead to the system being compromised are encoded in an apparently unintelligible way.  These methods are usually used in order to avoid the automatic detection of these types of scripts.

Illustration 6. .hta application

It is common for the authors of these types of documents to use different obfuscation techniques and, although in this case it is a simple obfuscation, at other times they use very elaborate methods.

When we deobfuscate the script code, we can see that it uses PowerShell to execute several commands that download a binary from an external website.

Illustration 7. Deobfuscated script

Phase 3: File.exe execution

The downloaded binary is an executable file for Windows compressed with UPX. This type of compression is often used in different types of malware.

In this case, after looking for the binary hash in VirusTotal, we see that it had already been analysed and that according to the antivirus detections, it is a Trojan, specifically Loda (Nymeria) written in AutoIT.

Illustration 8. Detections in VirusTotal

This Trojan collects information from the computer and performs the functions of keylogger (saves all keystrokes that the user makes on the computer) and RAT (Remote Access Trojan) that allows the functions of the user’s computer to be remotely controlled.

Fichero MD5
doc1.doc cf9d88a716cc931db94b650612a0bdf4
file.hta 671c479ae6a98d3efaca44550c27113b
file.exe 82214f040a63e295ca1cef509e9af4db

 

References:

Analysis
VirusTotal
http://blog.morphisec.com/microsoft-equation-editor-backdoor
Exploiting CVE-2017-11882
MITRE-ATT&CK attack technique mshta
Malpedia: Loda family

Tools:

Hexyl  
DidierStevensSuite