Last month, security researchers at Embedi disclosed a new vulnerability in the Microsoft Office suite. CVE-2017-11882 resides in the Microsoft Equation Editor, a tool that lets users insert and edit mathematical equations inside Office documents. If exploited, the vulnerability allows the attacker to run arbitrary code in the context of the current user. Microsoft issued a patch to address the vulnerability in the affected products. It didn't take long before malspam campaigns started trying to leverage CVE-2017-11882 to deliver their final payload, as discussed in this blog post by Fortinet.
One of those delivery documents is PI-5460-DPC.doc. In this threat advisory we will go over the host and network behavior using NetWitness Packets and NetWitness Endpoint.
Upon opening the document in a vulnerable version of Microsoft Word, the vulnerability is exploited and an instance of the vulnerable Equation Editor (eqnedt32.exe) is created by svchost.exe:
eqnedt32.exe calls mshta.exe to execute the downloaded script:
When mshta.exe runs, it calls cmd.exe to write a script (A6p.vbs) to the infected machine. wscript.exe then runs the newly created script, which contains the instructions to download the final payload:
The downloaded binary is executed and it starts to communicate with its command and control server:
Here is a recap of the network activity:
And here is a recap of the host activity:
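The host activity above (svchost.exe spawning eqnedt32.exe, which spawns mshta.exe, which in turn spawns cmd.exe and wscript.exe to write and run A6p.vbs) is a process lineage that a defender can match against endpoint process-creation telemetry. The following Python is an added example written for this advisory's readers; it is not NetWitness code and not part of the original post. The process-creation events are constructed (the PIDs, the example.invalid URL, the C:\Users\Public paths and the payload.exe name are placeholders); only the image names and the A6p.vbs file name come from the chain described above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sysmon/EDR-style process-creation events. This sample is constructed for the
# example: the image names follow the chain in the advisory, while the PIDs,
# the URL (example.invalid), the paths and "payload.exe" are placeholders.
@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # image file name only
    cmdline: str

SAMPLE_EVENTS = [
    ProcessEvent(600, 500, "svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcessEvent(2100, 1200, "winword.exe", "WINWORD.EXE /n PI-5460-DPC.doc"),
    ProcessEvent(2300, 600, "eqnedt32.exe", "EQNEDT32.EXE -Embedding"),
    ProcessEvent(2400, 2300, "mshta.exe", "mshta.exe http://example.invalid/stage1.hta"),
    ProcessEvent(2500, 2400, "cmd.exe",
                 "cmd.exe /c echo WScript.Echo > C:\\Users\\Public\\A6p.vbs"),
    ProcessEvent(2600, 2400, "wscript.exe", "wscript.exe C:\\Users\\Public\\A6p.vbs"),
    ProcessEvent(2700, 2600, "payload.exe", "C:\\Users\\Public\\payload.exe"),
    # Benign control: Equation Editor opened for editing, spawns nothing.
    ProcessEvent(3100, 600, "eqnedt32.exe", "EQNEDT32.EXE -Embedding"),
]

SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# A .vbs path on the right-hand side of an output redirection in a cmd.exe command line.
VBS_REDIRECT = re.compile(r'>\s*"?([^\s"]+\.vbs)', re.IGNORECASE)

Alert = Tuple[str, int, str]   # (rule name, pid, detail)


def build_tree(events: List[ProcessEvent]):
    """Index events by pid and by parent pid."""
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcessEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    return by_pid, children


def lineage(by_pid: Dict[int, ProcessEvent], pid: int) -> List[str]:
    """Image names from `pid` up to the root, stopping when the parent is unknown."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # `seen` guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain


def detect(events: List[ProcessEvent]) -> List[Alert]:
    by_pid, children = build_tree(events)
    alerts: List[Alert] = []

    # Pass 1: collect .vbs files written through cmd.exe redirection beneath eqnedt32.exe.
    dropped_scripts = set()
    for e in events:
        if e.image.lower() == "cmd.exe" and "eqnedt32.exe" in lineage(by_pid, e.ppid):
            for m in VBS_REDIRECT.finditer(e.cmdline):
                dropped_scripts.add(m.group(1).lower())

    # Pass 2: apply the rules to every event.
    for e in events:
        image = e.image.lower()
        under_eqnedt = "eqnedt32.exe" in lineage(by_pid, e.ppid)
        # Rule 1: Equation Editor legitimately spawns no child processes at all.
        if image == "eqnedt32.exe" and children.get(e.pid):
            kids = sorted(c.image.lower() for c in children[e.pid])
            alerts.append(("eqnedt32_spawned_child", e.pid, ",".join(kids)))
        # Rule 2: a shell or script host anywhere beneath eqnedt32.exe.
        if image in SCRIPT_HOSTS and under_eqnedt:
            alerts.append(("script_host_under_eqnedt32", e.pid, image))
        # Rule 3: wscript.exe executing a script that cmd.exe just dropped in that tree.
        if image == "wscript.exe" and any(p in e.cmdline.lower() for p in dropped_scripts):
            alerts.append(("dropped_vbs_executed", e.pid, e.cmdline))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<6} {detail}")
```

Rule 1 alone catches this sample, since the benign eqnedt32.exe instance has no children; rules 2 and 3 are there so that the alert survives if the first hop in the chain is missed or the tree is only partially recorded, and so the analyst sees the script drop and its execution tied together rather than as isolated events.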
Thanks to Kent Backman and Justin Lamarre for contributing to this threat advisory.