Last month, security researchers at Embedi disclosed a new vulnerability in the Microsoft Office suite. CVE-2017-11882 resides in the Microsoft Equation Editor, a tool that lets users insert and edit mathematical equations inside Office documents [1]. If exploited, the vulnerability allows the attacker to run arbitrary code in the context of the current user. Microsoft issued a patch to address the vulnerability in the affected products [2][3]. It didn't take long for malspam campaigns to start leveraging CVE-2017-11882 to deliver their final payload, as discussed in this blog post by Fortinet.
One of those delivery documents is PI-5460-DPC.doc. In this threat advisory we will go over the host and network behavior using NetWitness Packets and NetWitness Endpoint.
Upon opening the document in a vulnerable version of Microsoft Word, the vulnerability is exploited and an instance of the vulnerable Equation Editor (eqnedt32.exe) is created by svchost.exe:
That is followed by a GET request to retrieve a JavaScript file:
eqnedt32.exe calls mshta.exe to execute the downloaded script:
When mshta.exe runs, it calls cmd.exe to write a script (A6p.vbs) to the infected machine. wscript.exe then runs the newly created script, which contains the instructions to download the final payload:
The downloaded binary is executed and starts communicating with its command and control server:
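The process chain above (svchost.exe creating eqnedt32.exe, which spawns mshta.exe, then cmd.exe, then wscript.exe, then the dropped binary) is easy to turn into a host detection. The following is an added example, not code from the original advisory or from NetWitness: it walks constructed process-creation events and raises an alert for anything that has eqnedt32.exe in its ancestry. The events, pids and paths are made up for the example; the payload name fafa.exe is taken from the advisory.

```python
"""Detection for the CVE-2017-11882 delivery chain described above.
The process-creation events below are constructed for this example."""

EQNEDT = "eqnedt32.exe"
MAX_DEPTH = 32  # guard against pid reuse creating a loop in the parent map

# Constructed events (pid, ppid, image) mirroring the chain in this advisory,
# plus benign Word/print-helper noise that must not alert.
SAMPLE_EVENTS = [
    {"pid": 700,  "ppid": 1,    "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1200, "ppid": 700,  "image": r"C:\Program Files\Common Files\Microsoft Shared\Equation\eqnedt32.exe"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 1400, "ppid": 1300, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1500, "ppid": 1400, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 1600, "ppid": 1500, "image": r"C:\Users\victim\AppData\Local\Temp\fafa.exe"},
    {"pid": 900,  "ppid": 1,    "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 950,  "ppid": 900,  "image": r"C:\Windows\splwow64.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def eqnedt_alerts(events):
    """Return one alert per process that has eqnedt32.exe anywhere in its
    ancestry. The Equation Editor has no business spawning script hosts or
    shells, so every descendant is worth an analyst's attention."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        chain = [basename(event["image"])]
        current = event
        while current["ppid"] in by_pid and len(chain) < MAX_DEPTH:
            current = by_pid[current["ppid"]]
            chain.append(basename(current["image"]))
            if chain[-1] == EQNEDT:
                alerts.append({
                    "pid": event["pid"],
                    "image": chain[0],
                    "direct_child": len(chain) == 2,  # spawned straight from eqnedt32.exe
                    "chain": " <- ".join(chain),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in eqnedt_alerts(SAMPLE_EVENTS):
        print(f'pid {alert["pid"]}: {alert["chain"]}')
```

Feeding real endpoint process-creation telemetry (pid, parent pid, image path) into eqnedt_alerts in place of SAMPLE_EVENTS gives the same result on a live host.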
The post-infection traffic is characteristic of the dyzap malware (also known as Lokibot). RSA FirstWatch blogged twice about its activity here and here.
Here is a recap of the network activity:
And here is a recap of the host activity:
Thanks to Kent Backman and Justin Lamarre for contributing to this threat advisory.
PI-5460-DPC.doc (SHA256):
fafa.exe (SHA256):
References: