Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions

June 01, 2017
Matthew Mesa, Axel F, Pierre T, Travis Green

Overview

In May, Proofpoint observed multiple campaigns using a new version of Microsoft Word Intruder (MWI). MWI is a tool sold on underground markets for creating exploit-laden documents, generally used in targeted attacks. We previously reported about MWI when it added support for CVE-2016-4117 [2]. After the latest update, MWI is now using CVE-2017-0199 [4][5] to launch an HTML Application (HTA) used for both information collection and payload execution.

This activity targets organizations in the financial vertical including banks, banking software vendors, and ATM software and hardware vendors. The emails are sent to technology and security personnel working in departments including Fraud and Information Security.

The actor involved is believed to be the Cobalt group -- an actor known to target banks in Europe and Asia and previously documented by Group IB [1]. The malicious documents created with MWI for use in these activities delivered Metasploit Stager, Cobalt Strike, and previously undocumented malware we named Cyst Downloader.

Email Lures

While we observed numerous malicious attachments, we describe two here and list the rest in the IOC section.

  • In the first campaign, the email (Figure 1) purported to be from FinCERT [8] with the subject “Памятка по информационной безопасности” (Information Security Notice) and contained a Microsoft Word attachment named “сводка1705.doc” (report1705) (Figure 3).
  • Another email (Figure 2) purported to be from Security Support for PCI-DSS [3] at a major credit card company with the subject line “Безопасность” (security) and a Microsoft Word attachment (Figure 4) “Требования безопасности.doc” (Safety requirements).

Figure 1: Email used to deliver the MWI document (Body translated: “Good day, important to familiarize yourself!”)

Figure 2: Email used to deliver the MWI document (Body translated: “Please accept following advice and recommendations regarding necessary safety precautions”)

Figure 3: MWI document after the exploit is triggered; the lure displays unreadable characters

Figure 4: MWI document after the exploit is triggered; the lure describes the different ways to pay for a delinquent MTS (Russian mobile provider) bill

MWI Advertising Integration of CVE-2017-0199

Before we describe our MWI analysis, it is worth mentioning that on May 8, 2017, an advertisement for MWI on an underground site stated that this exploit document builder had integrated CVE-2017-0199 and was recruiting customers for several available seats. The full version of the original Russian advertisement and its English translation follow:

Microsoft Office Word Exploits, universal .doc exploit-pack
имеется несколько мест на CVE-2017-0199 (OLE2LINK)
* билдер
* статистика
* запуск exe/dll (скриплеттов)
* запуск cmd/powershell
* поддержка, обновления, чистки
подробности: [REDACTED_EMAIL]
---
[*] MICROSOFT WORD INTRUDER 8 - the best APT-like *.doc exploit pack
CVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158

Translation:

Microsoft Office Word Exploits, universal .doc exploit-pack
There are several spots available for the CVE-2017-0199 (OLE2LINK)
* Builder
* Statistics
* Running exe / dll (scriptlets)
* Starting cmd / powershell
* Support, updates, cleaning
Details: [REDACTED_EMAIL]
---
[*] MICROSOFT WORD INTRUDER 8 - the best APT-like *.doc exploit pack
CVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158

MWI Analysis

When the document is opened, it drops the embedded payload into a temporary directory, as is typical of RTFs with embedded objects [6]. Next, the CVE-2017-0199 exploit downloads and executes the HTA.

From our analysis, the purpose of the HTA is two-fold: it downloads and/or executes the payload, and it collects information about the infected machine. Thus the advertisement's description is accurate. In the example analyzed here, shown in Figure 5, the MWI HTA is configured to run an executable payload embedded in the document, which was saved into the temporary directory when the recipient opened the document. Note that the HTA could alternatively have been configured to download and run an executable, a DLL, or a JScript/VBScript file. It is also configured to collect and report information about the system, such as installed antivirus applications, running processes, and whether execution of the payload was successful.

Figure 5: Configuration section of the MWI HTA

As mentioned above, depending on how MWI is configured, it has different ways of executing the payload. Figure 6 shows the code snippet used for executing EXE and DLL payloads. There is also functionality for executing JScript/VBScript (Figure 7) and cmd/PowerShell. All three methods generate a section for the Command and Control (C&C) report letting the operator know whether the execution was successful.

Figure 6: Portion of the HTA code responsible for running DLLs and Executables

Figure 7: Portion of the HTA code responsible for executing VBScript/JScript

The information collection code is responsible for profiling the system. It collects network details, operating system information, installed antivirus products, and running processes (see list below). The collected information is base64 encoded and sent to the C&C server.

  • UserName
  • ComputerName
  • UserDomain
  • OS Version
  • OS SerialNumber
  • WindowsDirectory
  • CodeSet
  • CountryCode
  • OSLanguage
  • CurrentTimeZone
  • Locale
  • DefaultProxy
  • Antivirus displayName
  • Antivirus instanceGuid
  • Antivirus pathToSignedProductExe
  • Antivirus pathToSignedReportingExe
  • Antivirus productState
  • Antivirus Timestamp
  • Running process ProcessId
  • Running process Name
  • Running process ExecutablePath

Figure 8: Section of the HTA responsible for collecting information about the system

Figure 9: Section of the HTA responsible for sending collected data

Figure 10: Function in the HTA used to send collected data

Malware Payload: Metasploit Stager

The payload installed most frequently by MWI was the Metasploit stager, which in turn downloaded Cobalt Strike. The Metasploit stager [7] is used to stage additional malware and we often see it in penetration testing as well as real attacks.

Malware Payload: Cyst Downloader and Plugin

However, in at least one case we observed an MWI document install a previously unknown malware (SHA256: af17a3b5bf4c78283b2ee338ac6d457b9f3e7b7187c7e9d8651452b78574b3d3). We are calling it the Cyst Downloader. The functionality of this loader is limited. It can create a mutex such as “syst<10 digits>” and communicate with the C&C server to receive a DLL plugin. The URI path pattern of the C&C beacon contains a folder (random alphanumeric name) followed by a file (random alphanumeric name) with a .jpg, .php, .gif, or .png extension. The downloaded DLL is encrypted with a hardcoded RC4 key, "\x28\xBF\x0A\xBE\x5B\x6E\x70\x03", and base64 encoded. The server sends the DLL inside HTML comments in a fake 404 response.

Figure 11: Cyst Downloader communicating with the C&C and receiving a payload plugin
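As an added analyst-side example (not code from the report, and not the malware's own code), the following Python decodes a plugin delivered the way described above: it pulls base64 blobs out of the HTML comments of a fake 404 body and RC4-decrypts them with the key quoted in the report. The 404 body, the stand-in plugin bytes, and the `is_cyst_beacon_path` helper are constructed here for illustration.

```python
import base64
import re

# RC4 key quoted in the report for the Cyst Downloader plugin delivery.
CYST_RC4_KEY = b"\x28\xBF\x0A\xBE\x5B\x6E\x70\x03"

# Beacon path shape described in the report: /<alnum folder>/<alnum file>.<jpg|php|gif|png>
BEACON_PATH_RE = re.compile(r"^/[A-Za-z0-9]+/[A-Za-z0-9]+\.(?:jpg|php|gif|png)$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). RC4 is symmetric, so this decrypts as well."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def extract_plugins(http_body: str) -> list[bytes]:
    """Return every decrypted blob found in base64-looking HTML comments of the body."""
    plugins = []
    for comment in re.findall(r"<!--\s*([A-Za-z0-9+/=\s]+?)\s*-->", http_body):
        try:
            raw = base64.b64decode("".join(comment.split()), validate=True)
        except ValueError:  # ordinary comment text, not a payload
            continue
        plugins.append(rc4(CYST_RC4_KEY, raw))
    return plugins

def is_cyst_beacon_path(path: str) -> bool:
    """Weak signal on its own: the shape also matches ordinary static-file requests."""
    return BEACON_PATH_RE.match(path) is not None

# Constructed sample: a fake 404 body carrying a stand-in "DLL" (plain text here,
# not a real binary), encrypted with the same key so the decoder round-trips.
STAND_IN_DLL = b"MZ-stand-in-plugin-bytes"
SAMPLE_404_BODY = (
    "<html><body><h1>404 Not Found</h1>\n<!-- "
    + base64.b64encode(rc4(CYST_RC4_KEY, STAND_IN_DLL)).decode()
    + " -->\n<!-- footer --></body></html>"
)
```

Because the beacon path shape looks like an ordinary image or script request, treat the path match as a pivot only and confirm with the fake-404 body check or the ET signature listed at the end of the post.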

The DLL plugin is loaded in memory by the loader and does not access the disk. This plugin has the internal name “test.dll”, which may indicate it is still in development. This plugin has only one export named “Execute”, which is hardcoded into the Cyst loader. The plugin enumerates URLs stored in the browser history, with support for Internet Explorer, Chrome, Firefox, and Opera:

  • IE: parse history using the IUrlHistoryStg2::EnumUrls method
  • Chrome: parse history using a SQL query: “SELECT url, (last_visit_time/1000000-11644473600) FROM urls”
  • Firefox: parse history using a SQL query: “SELECT url, (last_visit_date/1000000) FROM moz_places”
  • Opera: parse history using a SQL query: “SELECT url, (last_visit_time/1000000-11644473600) FROM urls”

These methods of browser history parsing are well-known and have been used for a long time by malware authors. The visited URLs retrieved are stored in malware memory using this format:

"browser: (IE|Chrome|Firefox|Opera)\r\n" + "url: %s" + " | time: %d\r\n"

Figure 12: Example of visited URLs (recovered from browser history) stored in memory

This data is then RC4 encrypted and sent to the same C&C. The attacker is likely parsing the data on the server side and searching for a set of selected domains relevant to their attack, making it an efficient filter for interesting targets.
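As an added example for analysts working from a memory dump (not code from the report or from the plugin), the following Python splits a recovered region in the record format shown above into browser/URL/time entries, and mirrors the two timestamp conversions from the plugin's SQL queries (WebKit epoch for Chrome/Opera, microseconds since the Unix epoch for Firefox). The memory region and its hostnames are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Record layout the plugin writes to memory, per the report:
# "browser: (IE|Chrome|Firefox|Opera)\r\n" + "url: %s" + " | time: %d\r\n"
RECORD_RE = re.compile(
    r"browser: (?P<browser>IE|Chrome|Firefox|Opera)\r\n"
    r"url: (?P<url>.*?) \| time: (?P<time>-?\d+)\r\n"
)

# Seconds from the Windows/WebKit epoch (1601-01-01) to the Unix epoch (1970-01-01);
# the plugin's Chrome/Opera query subtracts it after converting microseconds to seconds.
WEBKIT_TO_UNIX = 11644473600


def chrome_visit_to_unix(last_visit_time_us: int) -> int:
    """Same arithmetic as the plugin's Chrome/Opera SQL expression (integer division)."""
    return last_visit_time_us // 1_000_000 - WEBKIT_TO_UNIX

def firefox_visit_to_unix(last_visit_date_us: int) -> int:
    """Same arithmetic as the plugin's Firefox SQL expression."""
    return last_visit_date_us // 1_000_000

def parse_history_records(region: bytes) -> list[dict]:
    """Split a recovered memory region into records; 'time' becomes UTC ISO-8601."""
    text = region.decode("utf-8", errors="replace")
    records = []
    for m in RECORD_RE.finditer(text):
        unix_seconds = int(m.group("time"))
        records.append({
            "browser": m.group("browser"),
            "url": m.group("url"),
            "time": datetime.fromtimestamp(unix_seconds, tz=timezone.utc).isoformat(),
        })
    return records

# Constructed sample: two records laid out as the plugin would write them, using
# made-up hostnames and visit times produced by the two SQL conversions above.
SAMPLE_REGION = (
    b"browser: Chrome\r\nurl: https://bank.example/login | time: "
    + str(chrome_visit_to_unix(13150000000000000)).encode()
    + b"\r\nbrowser: Firefox\r\nurl: https://portal.example/ | time: "
    + str(firefox_visit_to_unix(1496275200000000)).encode()
    + b"\r\n"
)
```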

Conclusion

Microsoft Word Intruder is a powerful tool for creating exploit documents that can be used in a variety of malicious campaigns. In this case, it was used not only to install known malware and customizable scripts and executables, but also to install a previously undocumented malware called Cyst Downloader. While exploit documents are less commonly used as malicious attachments and hosted files than macro documents, the availability of often unpatched vulnerabilities like CVE-2017-0199 makes them attractive to threat actors. We will continue to monitor MWI development and campaigns by Cobalt and other actors using associated exploit documents.

Acknowledgements

Special thanks to our colleague Andrew Komarov (InfoArmor Inc.) for his help in this study.

References

[1] http://www.group-ib.com/cobalt.html

[2] https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-8-adds-support-for-flash-vulnerability

[3] https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

[4] https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts

[5] https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day

[6] https://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distribution-techniques

[7] https://blog.cobaltstrike.com/2013/06/28/staged-payloads-what-pen-testers-should-know/

[8] https://www.scmagazine.com/fincert-to-help-russian-banks-respond-to-cyber-attacks/article/535448/

Indicators of Compromise (IOCs)

IOC                                                               IOC Type  Description
e559c65b51a874b9ebf4faacd830223428e507a865788c2f32a820b952ccf0b4  SHA256    MWI Document
2a918030be965cd5f365eb28cd5a0bebec32d05c6a27333ade3beaf3c54d242c  SHA256    MWI Document
e0f6073aee370d5e1e29da20208ffa10e1b30f4cf7860bb1a9dde67a83dee332  SHA256    MWI Document
61afc2bf91283ccc478406a4c1277a0c8549584716d8b3a89d36f9bcdc45c4fe  SHA256    MWI Document
af17a3b5bf4c78283b2ee338ac6d457b9f3e7b7187c7e9d8651452b78574b3d3  SHA256    MWI Document
326a01a5e2eeeeebe3dade94cf0f7298f259b72e93bd1739505e14df3e7ac21e  SHA256    MWI HTA
hxxp://37.1.207[.]202/wstat/                                      URL       MWI C&C
hxxp://5.45.66[.]161/wstat/                                       URL       MWI C&C
39ac90410bd78f541eb42b1108d2264c7bd7a5feafe102cd7ac8f517c1bd3754  SHA256    Metasploit Stager
hxxps://176.9.99[.]134/MAUy                                       URL       Cobalt Strike Download
hxxps://176.9.99[.]134/kQ6j                                       URL       Cobalt Strike Download
hxxps://52.15.209[.]133/Els8                                      URL       Cobalt Strike Download
138d3f20da09e9f5aa5a367b8ff89d349fe20a63682df2379a7a6f78f31eb53d  SHA256    Cobalt Strike
176.9.99[.]134                                                    IP        Cobalt Strike C&C
52.15.209[.]133                                                   IP        Cobalt Strike C&C
922e3bccd3eb151ee46afb203f9618ae007b99a758ca95caf5324d650a496426  SHA256    Cyst Downloader
96.44.188[.]57                                                    IP        Cyst Downloader C&C
24973014fa8174ffff190ae7967a65307a23d42386683dc672babd9c6cf1e5ee  SHA256    Cyst Plugin (browser history checker)

ET and ETPRO Suricata/Snort Coverage

2024306          ET TROJAN MWI Maldoc Load Payload

2024197          ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in RTF 0-day )

2024307          ET TROJAN MWI Maldoc Posting Host Data

2814013          ETPRO TROJAN Meterpreter or Other Reverse Shell SSL Cert

2023629          ET INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike

2826544          ETPRO TROJAN Cyst Downloader Fake 404