Ahmed Sonbol

Malspam delivers MoonWind 9-20-2017

Blog Post created by Ahmed Sonbol Employee on Sep 22, 2017

CVE-2017-8759 remains popular this week in malspam world with more malicious documents trying to exploit non patched systems to deliver their payload [1][2]. This time the payload is a MoonWind variant. MoonWind is a Remote Access Trojan. It was first uncovered by security researchers at PaloAlto Networks Unit 42 in their blog post about targeted attacks against organizations in Thailand [3].


In this threat advisory we will go over the network and host behavior in RSA NetWitness Packets and Endpoint.


Upon opening the malicious readme.rtf in Microsoft Word, there was the request for the SOAP payload:




Next comes the request to download the HTA script:




The script is executed and a binary is downloaded:





The binary is executed and it downloads a dropper:




For the downloader process (httpx.exe), NetWitness Endpoint has more information about its strings, its tracking data, its path and its network connectivity:






NetWitness Endpoint generates the following IIOC for httpx.exe:

  • Direct IP request from unsigned module
  • Direct IP request from unsigned process
  • Unsigned writes executable
  • Renames file to executable
  • Unsigned writes executable to Windows directory
  • Compiled in last month
  • In temporary directory
  • Process accesses network


The dropper (invo.exe) drops a MoonWind variant (svcohos.exe) to the infected machine. It runs a batch file to delete itself:


The new process (svcohos.exe) copies itself to a new location, gains persistency on the system and starts to communicate with its command and control server:





NetWitness Endpoint generates the following IIOC for svcohos.exe:

  • Autorun unsigned hidden
  • Autorun unsigned uncommon registry startup method
  • Autorun unsigned only executable in directory
  • Suspicious AutoStart profile #1
  • Unsigned copyitself autorun
  • In hidden directory
  • Unsigned writes executable
  • Unsigned opens phiscal drive
  • Unsigned writes executable and create process on same file
  • Modifies run key
  • Unsigned copy itself
  • Autorun
  • Network access
  • In temporary directory
  • In ProgramData directory
  • In uncommon directory
  • DNS traffic from process
  • Process access network
  • Runs command shell


However, the infected system failed to establish a connection with the C2 server. Here is a recap of the network traffic:



and here is another look at the process tree:



readme.rtf (SHA256):

  • 0d5ec16b1affc1d85b335291aa9b89d1679865d913ccd5aa5f6093a6a4797d51


httpx.exe (SHA256):

  • 72bf1b9136654fd34f469065c086d91634c10ea612e56da6b64a04317f697802


svcohos.exe (SHA256):

  • 2175007a69be40a99f78fc565ec5ccda0d681a3c47b4bcb835c6682d72f7f6b0




  1. FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY « Threat Research Blog | FireEye Inc 
  2. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759 
  3. https://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organ…