On September 12th FireEye security researchers disclosed information about CVE-2017-8759, a SOAP WSDL parser code injection vulnerability [1]. Microsoft has already released a patch to address the vulnerability in the affected products [2]. It didn't take long to see a significant increase in the number of malicious files trying to exploit the vulnerability: a day or two after the disclosure, a handful of samples had been submitted to VirusTotal; a week later, more than a hundred. This indicates that exploitation of the vulnerability is shifting from targeted attacks to mass distribution.
In this blog post we will discuss the host and network behavior of one of those samples and see how the activities look in RSA NetWitness Packets and NetWitness Endpoint.
The delivery document under investigation is spreading as Quote.doc. Upon opening the RTF in Microsoft Word, an HTTP request was noticed:
For this session, NetWitness Packets registered the following meta under Service Analysis suggesting suspicious network traffic:
The WSDL parser handles the SOAP response. The following events took place on the infected host:
The next screenshot shows the machine scan data on NetWitness Endpoint:
Here is an event reconstruction of the second payload delivery:
The screenshot below shows the files created in C:\Windows\System32\com\SOAPAssembly:
Here is a better look at the content of the newly created source code file Logo.cs:
When the second payload ran, it issued an HTTP request to a direct IP address in order to download an obfuscated powershell script:
When powershell.exe ran, it dropped an executable on the victim machine:
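As an added illustration (not part of the original post and not RSA NetWitness code), the script below runs two detections that match the chain described above against constructed endpoint events: a .cs source file written under the SOAPAssembly directory, and powershell.exe fetching from a bare IP address. The event format, process names and the 203.0.113.10 address are assumptions.

```python
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed endpoint events in a hypothetical format (not NetWitness's own schema).
SAMPLE_EVENTS = [
    {"type": "file_create", "process": "winword.exe",
     "path": r"C:\Windows\System32\com\SOAPAssembly\Logo.cs"},
    {"type": "file_create", "process": "winword.exe",
     "path": r"C:\Windows\System32\com\SOAPAssembly\Logo.dll"},
    {"type": "http_request", "process": "powershell.exe",
     "url": "http://203.0.113.10/ps1"},            # assumed, documentation-range IP
    {"type": "http_request", "process": "chrome.exe",
     "url": "https://example.com/index.html"},
    {"type": "file_create", "process": "notepad.exe",
     "path": r"C:\Users\bob\notes.txt"},
]

# Directory the WSDL parser writes its generated assembly sources into (from the post).
SOAP_ASM_DIR = r"c:\windows\system32\com\soapassembly" + "\\"


def is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def detect(events):
    """Return (rule, process, artifact) tuples for events matching the two rules."""
    findings = []
    for e in events:
        if e["type"] == "file_create":
            # Rule 1: C# source dropped under the SOAPAssembly directory (WSDL code generation).
            path = e["path"].lower()
            if path.startswith(SOAP_ASM_DIR) and path.endswith(".cs"):
                findings.append(("soap_wsdl_codegen", e["process"], e["path"]))
        elif e["type"] == "http_request" and e["process"].lower() == "powershell.exe":
            # Rule 2: PowerShell downloading from a direct IP address instead of a hostname.
            host = urlparse(e["url"]).hostname or ""
            if is_ip_literal(host):
                findings.append(("powershell_direct_ip", e["process"], e["url"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```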
The dropped executable is a LaZagne variant. LaZagne is a publicly available open source application that retrieves passwords stored on a local computer. VirusTotal analysis results can be found here. Here is the report from hybrid-analysis.com. On NetWitness Endpoint the following module IIOCs were generated:
Following the execution of LaZagne.exe, a newly created process, AZAaPaAA.exe, can be observed; it is also a LaZagne variant according to VirusTotal analysis results. The analysis report from hybrid-analysis.com is available here. NetWitness Endpoint generated even more IIOCs for this module:
A quick look at the embedded strings of those binaries confirms what kind of data they are targeting:
Finally, below is a recap of the HTTP traffic in NetWitness Packets:
Delivery document (SHA256):
LaZagne binaries (SHA256):
References: