On September 12th, FireEye security researchers disclosed information about CVE-2017-8759, a SOAP WSDL parser code injection vulnerability [1]. Microsoft has already released a patch to address the vulnerability in affected products [2]. It did not take long to see a significant increase in the number of malicious files attempting to exploit the vulnerability. A day or two after the disclosure, a handful of samples had been submitted to VirusTotal; a week later, more than a hundred samples had been submitted. This indicates that exploitation of the vulnerability is shifting from targeted attacks to mass distribution.
In this blog post we will discuss the host and network behavior of one of those samples and see how the activities look in RSA NetWitness Packets and NetWitness Endpoint.
The delivery document under investigation is spreading as Quote.doc. When the RTF is opened in Microsoft Word, it issues an HTTP request:
For this session, NetWitness Packets registered the following meta under Service Analysis suggesting suspicious network traffic:
The WSDL parser handles the SOAP response. The following events took place on the infected host:
- A .cs source code file (Logo.cs in this case) was generated in C:\Windows\System32\com\SOAPAssembly.
- csc.exe compiled the generated source code into a DLL file (http100googlegtv4com0pppp0office4png.dll in this case).
- Microsoft Word loaded the generated DLL file.
- An HTTP request was sent (to the same server) to retrieve a script.
- mshta.exe was called to run the downloaded script.
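As an added example (not code from the original post or from NetWitness), the following Python routine maps endpoint telemetry onto the stages of the chain just described and raises an alert when two or more stages are seen from the same host. The event structure, field names and sample records are constructed assumptions, not the NetWitness Endpoint schema.

```python
from dataclasses import dataclass
from typing import Optional

# Directory named in the write-up where the WSDL parser drops generated code.
SOAP_DIR = r"c:\windows\system32\com\soapassembly"


@dataclass
class Event:
    kind: str    # "proc" (process start), "file" (file write) or "image" (module load)
    parent: str  # image name of the acting/parent process (assumed field)
    target: str  # child image path, written file path or loaded module path


def classify(ev: Event) -> Optional[str]:
    """Map one endpoint event to a stage of the CVE-2017-8759 chain, or None."""
    parent, target = ev.parent.lower(), ev.target.lower()
    in_soap_dir = target.startswith(SOAP_DIR + "\\")
    if ev.kind == "file" and in_soap_dir and target.endswith(".cs"):
        return "source_written"        # generated .cs file (Logo.cs in the sample)
    if ev.kind == "proc" and parent == "winword.exe" and target.endswith("\\csc.exe"):
        return "compiler_spawned"      # Word has no business driving the C# compiler
    if ev.kind == "image" and parent == "winword.exe" and in_soap_dir and target.endswith(".dll"):
        return "dll_loaded"            # freshly compiled DLL mapped into Word
    if ev.kind == "proc" and parent == "winword.exe" and target.endswith("\\mshta.exe"):
        return "script_host_spawned"   # second stage handed to mshta.exe
    return None


def detect_chain(events) -> dict:
    """Collect the stages observed; two or more together is a high-confidence alert."""
    stages = {stage for stage in map(classify, events) if stage}
    return {"stages": sorted(stages), "alert": len(stages) >= 2}


# Constructed sample telemetry modelled on the host events listed above.
SAMPLE_EVENTS = [
    Event("file", "winword.exe", r"C:\Windows\System32\com\SOAPAssembly\Logo.cs"),
    Event("proc", "winword.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"),
    Event("image", "winword.exe",
          r"C:\Windows\System32\com\SOAPAssembly\http100googlegtv4com0pppp0office4png.dll"),
    Event("proc", "winword.exe", r"C:\Windows\System32\mshta.exe"),
    Event("proc", "explorer.exe", r"C:\Windows\System32\notepad.exe"),  # benign noise
]

if __name__ == "__main__":
    print(detect_chain(SAMPLE_EVENTS))
```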
The next screenshot shows the machine scan data on NetWitness Endpoint:
Here is an event reconstruction of the second payload delivery:
The screenshot below shows the files created in C:\Windows\System32\com\SOAPAssembly.
Here is a better look at the content of the newly created source code file Logo.cs:
When the second payload ran, it issued an HTTP request to a direct IP address in order to download an obfuscated PowerShell script:
When powershell.exe ran, it dropped an executable on the victim machine:
The dropped executable is a LaZagne variant. LaZagne is a publicly available open-source application that retrieves passwords stored on a local computer. VirusTotal analysis results can be found here. Here is the report from hybrid-analysis.com. On NetWitness Endpoint the following module IIOCs were generated:
- In root of AppDataRoaming directory
- Unsigned writes executable
- Unsigned writes executable to users directory
- Unsigned writes executable to AppDataLocal directory
- Self delete
- In AppData directory
Following the execution of LaZagne.exe, a newly created process, AZAaPaAA.exe, can be seen; it is also a LaZagne variant according to VirusTotal analysis results. The analysis report from hybrid-analysis.com is available here. NetWitness Endpoint generated even more IIOCs for this module:
- In root of Program directory
- In root of AppDataRoaming directory
- In hidden directory
- Unsigned opens OS process
- Unsigned writes executable
- Unsigned writes executable to Windows directory
- Unsigned writes executable to users directory
- Unsigned writes executable to AppDataLocal directory
- Self delete
- Unsigned copy itself
- Runs powershell with long arguments
- In AppData directory
- In ProgramData directory
- Unsigned opens process
- Runs command shell
- Runs powershell
A quick look at the embedded strings of those binaries confirms what kind of data they are targeting:
Finally, below is a recap of the HTTP traffic in NetWitness Packets:
Delivery document (SHA256):
- 640b9b789efe66bca20812af4f4e017bb7524ee8a6a4ec5e153a73af9bd0a007
LaZagne binaries (SHA256):
- 3f6e8dea07b6e87182b3068868746e5054123a7c86e04d775292af7ffd1ce9b4
- 9485a1630d9283d7efee3828fca32d72cfcb3fb1e91015a9753df09a21f14da2
References:
Hi Ahmed Sonbol,
Thank you for creating this blog post. I have a customer from APJ who is requesting details and evidence that Netwitness Endpoint can detect this threat. It is a good article to read, as it contains screenshots as well.
Regards,
Renelee "AP" Manio