On September 6th, malspam delivered a malicious RTF document that tries to exploit CVE-2017-0199, a remote code execution (RCE) vulnerability in the way Microsoft Office and WordPad handle OLE2Link objects embedded in RTF content (Microsoft describes it as an Office/WordPad RCE vulnerability with the Windows API). The document has been spotted in the wild travelling as an email attachment under different names, one of which is "Remittance details.doc" (VirusTotal analysis); note that the .doc extension does not stop Word from treating the file as RTF, since Word sniffs the content rather than trusting the extension.
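An RTF built for CVE-2017-0199 carries its OLE object as a hex blob under the \objdata control word, usually with \objupdate so the link is refreshed (and the remote payload fetched) as soon as the document opens. The triage script below is an added example, not code from the FirstWatch advisory or from RSA: it pulls every \objdata blob out of an RTF, decodes the hex, and checks for the strings that characterise this exploit (the "OLE2Link" class name, the on-disk form of the URL moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, and any ASCII or UTF-16LE URL in the object). The sample RTF it analyses is constructed inline and simplified (a raw OLE 1.0 header rather than a full compound file); the URL in it is a placeholder, not an indicator from this advisory.

```python
"""Static triage of RTF files for CVE-2017-0199 style OLE2Link objects.

Added example; not part of the original advisory. The sample document is
constructed here and carries no real indicator of compromise.
"""
import re
from dataclasses import dataclass, field

# {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} as it is laid out on disk:
# the first three GUID fields are little-endian, the rest are byte order.
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

# Hex payload that follows \objdata; whitespace/newlines are allowed inside it.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
URL_ASCII_RE = re.compile(rb"https?://[\x21-\x7e]+")
URL_UTF16_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


@dataclass
class RtfFindings:
    objdata_blobs: int = 0
    ole2link: bool = False       # "OLE2Link" class name present in an object
    url_moniker: bool = False    # URL moniker CLSID present in an object
    objupdate: bool = False      # \objupdate forces the link refresh on open
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Either indicator alone is enough to pull the file for a sandbox run.
        return self.ole2link or self.url_moniker


def analyze_rtf(data: bytes) -> RtfFindings:
    """Decode every \\objdata blob and look for CVE-2017-0199 indicators."""
    findings = RtfFindings(objupdate=b"\\objupdate" in data)
    for match in OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]          # stray trailing nibble; drop it
        try:
            blob = bytes.fromhex(hexstr.decode("ascii"))
        except ValueError:
            continue                      # not a clean hex stream; skip
        findings.objdata_blobs += 1
        if b"OLE2Link" in blob:
            findings.ole2link = True
        if URL_MONIKER_CLSID in blob:
            findings.url_moniker = True
        findings.urls += [u.decode("ascii", "replace") for u in URL_ASCII_RE.findall(blob)]
        findings.urls += [u.decode("utf-16-le", "replace") for u in URL_UTF16_RE.findall(blob)]
    return findings


def build_sample_rtf(url: str = "http://example.invalid/payload.hta") -> bytes:
    """Constructed sample document (not real malware): a minimal RTF wrapping an
    OLE 1.0 object whose class is OLE2Link and whose link is a URL moniker.
    The URL is a hypothetical placeholder."""
    ole_payload = (
        b"\x01\x05\x00\x00"                     # OLE 1.0 object version
        + b"\x02\x00\x00\x00"                   # format id 2: embedded object
        + b"\x09\x00\x00\x00OLE2Link\x00"       # length-prefixed class name
        + b"\x00" * 8                           # topic/item name lengths (unused)
        + URL_MONIKER_CLSID
        + len(url.encode("utf-16-le")).to_bytes(4, "little")
        + url.encode("utf-16-le") + b"\x00\x00"
    )
    hexdata = ole_payload.hex()
    # Word writes the hex stream wrapped into lines; reproduce that layout.
    lines = [hexdata[i:i + 64] for i in range(0, len(hexdata), 64)]
    return (
        b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata \n"
        + "\n".join(lines).encode("ascii")
        + b"\n}}}\n"
    )


if __name__ == "__main__":
    result = analyze_rtf(build_sample_rtf())
    print(result)
```

Real samples in this campaign often wrap the \objdata stream in junk control words or split the hex with odd whitespace; the regex above tolerates whitespace only, so an unexpectedly low objdata_blobs count on a file that Word still opens is itself a reason to look closer rather than a clean bill of health.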
Opening the document in a vulnerable Microsoft Word application led to the following network events:
Once the download is complete, the binary is executed and post-infection traffic starts.
Current RSA NetWitness detection populates the following meta for the download sessions:
For communication with the C2 domain, the following meta was populated for those sessions in NetWitness Packets:
Pivoting off the registration information of the C2 domain "reedling.com[.]ng", FirstWatch found a group of domains registered using the same e-mail address (see appendix).
Some of those domains are associated with different malware samples (see appendix). The post-infection network behavior of one of them (SHA256: e078e842c1006c972a65dcb71cf6ae5b38ba5074ea19f999f9879e8ec73a65f2) is similar to that of the sample under investigation, and the VirusTotal analysis results for it suggest it is a Zbot variant.
More information about Zbot variants and their detection using RSA NetWitness Suite:
- You Can Install the FirstWatch ZBot Feed
- The Kargen Zbot and How to Detect It
- It's Raining Zbot! New Variant Turns to Cloud for Strength
You can also check FirstWatch's recent threat advisory on the uptick in malspam attempting to exploit CVE-2017-0199:
Malspam and CVE-2017-0199