Malspam Delivers Revenge RAT October-2017

Blog post by Rajas Save, Oct 26, 2017

On October 18th 2017, malspam delivered a malicious RTF document that attempts to exploit Microsoft Office/WordPad through CVE-2012-0158, a buffer overflow vulnerability in the ListView/TreeView ActiveX controls of the MSCOMCTL.OCX library. The malicious code is triggered by a specially crafted DOC or RTF file on unpatched MS Office products.

VirusTotal analysis of the delivered document confirms the presence of the RTF exploit.

After the document is opened in a vulnerable Microsoft Word application, shellcode embedded in the RTF file connects to “http://careers[.]fwo[.]com[.]pk/” to download a malicious executable payload, which kicks off the following network events.

VirusTotal analysis of the final payload, “printer.exe”, confirms that it is Revenge RAT, a Remote Access Trojan.

Once the download is complete, the binary is executed and post-infection traffic begins. The request carries Base64-encoded information about the infected machine, such as its IP address, domain and username, operating system, processor model and speed, and language.

Breaking the request down into its individual strings reveals a recurring “Revenge-RAT” marker between fields; the list below shows each raw value alongside its Base64-decoded form where one applies:

  • Information
  • Revenge-RAT R3Vlc3Q Guest
  • Revenge-RAT XzQ0RkVDOTA4 _44FEC908
  • Revenge-RAT 10.10.10.166 System IP
  • Revenge-RAT Q0FGRVdFU1QgLyBqYW1lcw CAFEWEST / james
  • Revenge-RAT No 6
  • Revenge-RAT TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwgIDMy Microsoft Windows 7 Professional  32
  • Revenge-RAT SW50ZWwoUikgWGVvbihSKSBDUFUgICAgICAgICAgIFg1NjkwICBAIDMuNDdHSHo Intel(R) Xeon(R) CPU           X5690  @ 3.47GHz
  • Revenge-RAT 1073274880
  • Revenge-RAT Ti9B N/A
  • Revenge-RAT Ti9B N/A
  • Revenge-RAT 3339
  • Revenge-RAT UHJvZ3JhbSBNYW5hZ2Vy Program Manager
  • Revenge-RAT ZW4tVVM en-US
  • Revenge-RAT False
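To make the breakdown above reproducible, here is an added Python example; it is not part of the original advisory and not RSA NetWitness code. It splits a captured beacon on the “Revenge-RAT” marker and restores the unpadded Base64 fields, keeping values that are not Base64 (the IP address, the raw numbers, the literal False) untouched. The sample beacon is constructed from the values listed above; that the marker acts as the field separator and the field order are assumptions drawn from this breakdown, not a protocol specification.

```python
import base64
import binascii
import re

# Assumed field separator, taken from the recurring marker in the breakdown above.
SEPARATOR = "Revenge-RAT"

# Constructed sample beacon: the raw field values from the advisory, joined
# with the assumed separator in the order they appear in the breakdown.
SAMPLE_BEACON = SEPARATOR.join([
    "Information",
    "R3Vlc3Q",
    "XzQ0RkVDOTA4",
    "10.10.10.166",
    "Q0FGRVdFU1QgLyBqYW1lcw",
    "No",
    "TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwgIDMy",
    "SW50ZWwoUikgWGVvbihSKSBDUFUgICAgICAgICAgIFg1NjkwICBAIDMuNDdHSHo",
    "1073274880",
    "Ti9B",
    "Ti9B",
    "3339",
    "UHJvZ3JhbSBNYW5hZ2Vy",
    "ZW4tVVM",
    "False",
])

# Unpadded Base64 alphabet; fields outside it (e.g. dotted IPs) are left raw.
B64_FIELD = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_field(field: str) -> str:
    """Return the decoded text of a Base64 field, or the field unchanged.

    The RAT emits Base64 without '=' padding, so padding is restored before
    decoding. A field is only treated as encoded if it uses the Base64
    alphabet, has a valid length, and decodes to printable ASCII; anything
    else (IP address, plain numbers, "False") is returned as-is.
    """
    if not B64_FIELD.fullmatch(field):
        return field
    padded = field + "=" * (-len(field) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return field
    return text if text.isprintable() else field


def parse_beacon(payload: str, separator: str = SEPARATOR) -> list[tuple[str, str]]:
    """Split a beacon on the separator and return (raw, decoded) pairs in order."""
    return [(raw, decode_field(raw)) for raw in payload.split(separator)]


def looks_like_revenge_beacon(payload: str, separator: str = SEPARATOR) -> bool:
    """Cheap triage check for a captured request body: the separator repeats
    and at least one field is a Base64 string that decodes to readable text."""
    fields = payload.split(separator)
    return len(fields) >= 3 and any(decode_field(f) != f for f in fields)


if __name__ == "__main__":
    for raw, decoded in parse_beacon(SAMPLE_BEACON):
        tag = "b64" if decoded != raw else "raw"
        print(f"{tag}  {raw:<64} {decoded}")
```

Running the script prints a raw/decoded column pair matching the list above. The printable-text heuristic is what keeps non-encoded fields intact, but a short plain value can occasionally decode to printable bytes by accident, so keep the raw value next to the decoded one when pivoting on these strings in NetWitness.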

Current RSA NetWitness detection populates the following meta for the download sessions:

Current RSA NetWitness detection populates the following meta for the post-infection traffic:

More detailed information about CVE-2012-0158 can be found here:

Triaging Malicious Microsoft Office documents CVE-2012-0158

Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.
