myhack58 | 佚名 | MYHACK58:62201785189
History: Apr 13, 2017 - 12:00 a.m.

CVE-2017-0199: Analysis of the Microsoft Office RTF vulnerability - Vulnerability Warning - Black Bar Safety Net (myhack58)

2017-04-13 00:00:00
佚名
www.myhack58.com

CVSS3: 7.8 High
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 9.3 High
AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.974 High
Percentile: 99.9%

FireEye recently detected malicious Microsoft Office RTF documents exploiting CVE-2017-0199, a vulnerability that was known to FireEye but had not yet been publicly disclosed. When a user opens a document containing the exploit code, the malicious code downloads and executes a Visual Basic script that contains PowerShell commands. FireEye has found several Office documents that exploit CVE-2017-0199 to download and execute payloads from a variety of well-known malware families.

FireEye shared the vulnerability details with Microsoft and, through coordination, timed the disclosure to coincide with Microsoft's release of the corresponding patch; readers can find the specifics here.

Before the patch was released, the exploit code for this vulnerability was able to bypass most security measures; FireEye's e-mail and network products nevertheless detected the related malicious files. FireEye recommends that Microsoft Office users download and install the appropriate patch from Microsoft (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199).
Attack scenario
The attack proceeds as follows:
1. The attacker sends the target user an e-mail containing a Microsoft Word document with an embedded OLE2 linked object.
2. When the user opens the document, winword.exe issues an HTTP request to a remote server to fetch a malicious HTA file.
3. The server returns a fake RTF file with an embedded malicious script.
4. winword.exe looks up the handler for application/hta through COM, which causes the Microsoft HTA application mshta.exe to load and execute the malicious script.
Based on the two documents we discovered earlier, the malicious script terminates the winword.exe process, downloads an additional payload, and loads a decoy document. The original winword.exe process is terminated in order to hide the user prompt generated by OLE2link, shown in Figure 1.
Figure 1: The Visual Basic script hides the user prompt
File 1 (MD5: 5ebfd13250dd0408e3de594e419f9e01)
For the first malicious file FireEye discovered, the attack proceeds in three stages. First, the embedded OLE2 link object causes winword.exe to download the first-stage malicious HTA file from the following URL:
http[:]//46.102.152[.]129/template.doc
Once downloaded, the malicious HTA file is processed by the application/hta handler. The highlighted row in Figure 2 shows the first download, followed by the additional malicious payloads.
Figure 2: The actual attack scenario
Once the download completes, the template file is stored in the user's Temporary Internet Files folder under the name [?].hta, where [?] is determined at runtime.
Logic error
mshta.exe is responsible for handling files with the Content-Type application/hta: it parses the file content and executes the script. Figure 3 shows winword.exe querying the registry for the CLSID of the application/hta handler.
Figure 3: winword.exe queries the registry value
winword.exe sends a request to the DCOMLaunch service, which causes the svchost.exe process hosting DCOMLaunch to execute mshta.exe. mshta.exe then executes the script embedded in the malicious HTA document. Figure 4 shows the de-obfuscated VBScript from the first-stage download.
Figure 4: First file, first-stage VBScript
As shown in Figure 4, the script performs the following malicious actions:
1. Uses taskkill.exe to terminate the winword.exe process in order to hide the prompt shown in Figure 1.
2. Downloads a VBScript file from http[:]//www.modani[.]com/media/wysiwyg/ww.vbs and saves it as %appdata%\Microsoft\Windows\maintenance.vbs.
3. Downloads the decoy document from http[:]//www.modani[.]com/media/wysiwyg/questions.doc and saves it as %temp%\document.doc.
4. Clears the Word Resiliency registry keys for Word 15.0 and 16.0 so that Microsoft Word restarts normally.
5. Executes the second-stage malicious VBScript, %appdata%\Microsoft\Windows\maintenance.vbs.
6. Opens the decoy document %temp%\document.doc to hide the malicious activity from the user.
Once executed, the previously downloaded second-stage VBScript (ww.vbs / maintenance.vbs) performs the following operations:
1. Writes an embedded, obfuscated script to %TMP%\eoobvfwiglhiliqougukgm.js
2. Executes that script
When run, the obfuscated eoobvfwiglhiliqougukgm.js script does the following:
1. Attempts to delete itself from the system
2. Attempts to download http[:]//www.modani[.]com/media/wysiwyg/wood.exe (retrying up to 44 times) and saves the file as %TMP%\dcihprianeeyirdeuceulx.exe
3. Executes %TMP%\dcihprianeeyirdeuceulx.exe
Figure 5 shows the process creation events for this execution chain.
Figure 5: Process creation events
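As an added example (not code from FireEye's or myhack58's write-up), the following Python sketch walks a set of constructed Sysmon-style process-creation events and flags the stages of the chain above: mshta.exe running the cached template HTA, taskkill.exe terminating winword.exe beneath mshta.exe, the dropped script files being run, and the Startup-folder persistence used by the second file. Event fields, paths and process IDs are assumptions.

```python
import ntpath
import re
from typing import Dict, List, Tuple

Event = Tuple[int, int, str, str]  # (pid, ppid, image path, command line)

# Constructed sample process-creation events (Sysmon-style; not real telemetry). Note the
# parent of mshta.exe is the DCOMLaunch svchost.exe, not winword.exe, so a plain
# winword.exe -> mshta.exe parent-child rule would miss this chain.
EVENTS: List[Event] = [
    (200, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    (300, 50, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "WINWORD.EXE /n invoice.rtf"),
    (400, 200, r"C:\Windows\System32\mshta.exe",  # the HTA file name is chosen at runtime
     r'mshta.exe "C:\Users\u\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A1B2\template[1].hta"'),
    (500, 400, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im winword.exe"),
    (600, 400, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\u\AppData\Roaming\Microsoft\Windows\maintenance.vbs"),
    (700, 50, r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winword.exe", "winword.exe"),
    (800, 50, r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

HTA_FROM_CACHE = re.compile(r"temporary internet files.*\.hta", re.I)
SCRIPT_DROP = re.compile(r"(appdata\\roaming\\microsoft\\windows|\\temp\\).*\.(vbs|js)\b", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)

def ancestors(pid: int, by_pid: Dict[int, Event]) -> List[str]:
    # Lower-cased image basenames of pid's parent chain, nearest parent first.
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid][1]  # move up to the parent pid
        if pid in by_pid:
            chain.append(ntpath.basename(by_pid[pid][2]).lower())
    return chain

def detect(events: List[Event]) -> List[Tuple[int, str]]:
    # Return (pid, rule) for every event matching a stage of the chain described above.
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, _, image, cmdline in events:
        name = ntpath.basename(image).lower()
        parents = ancestors(pid, by_pid)
        if name == "mshta.exe" and HTA_FROM_CACHE.search(cmdline):
            hits.append((pid, "mshta_runs_cached_hta"))  # stage 1: cached template HTA executed
        if name == "taskkill.exe" and "winword" in cmdline.lower() and "mshta.exe" in parents:
            hits.append((pid, "taskkill_winword_under_mshta"))  # stage 2: hides the OLE2link prompt
        if name in ("wscript.exe", "cscript.exe") and SCRIPT_DROP.search(cmdline) and "mshta.exe" in parents:
            hits.append((pid, "dropped_script_under_mshta"))  # stage 2/3: dropped .vbs/.js run
        if STARTUP_DIR.search(image):
            hits.append((pid, "startup_folder_executable"))  # file 2: persistence as winword.exe
    return hits
```

Running `detect(EVENTS)` flags the mshta.exe, taskkill.exe, wscript.exe and Startup-folder events and leaves the benign Word and Notepad launches alone.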
Here, the final payload is a newer version of the LATENTBOT malware family. For details on the malware update, see File 2.
Table 1: First document file metadata
Payload: LATENTBOT
The payload associated with the first document is an updated version of the LATENTBOT malware family. LATENTBOT is a heavily obfuscated bot that has been circulating in the wild since 2013.
The newer version of LATENTBOT provides several different injection mechanisms for Windows XP x86 and Windows 7:
Attrib.exe patching: LATENTBOT invokes Attrib.exe, modifies its memory, and inserts a JMP instruction that passes control to a mapped section. To map this section into attrib.exe's address space, ZwMapViewOfSection() is used.
Svchost code injection: Attrib.exe starts an svchost.exe process in suspended mode, allocates a memory region, and writes the code into it by calling ZwMapViewOfSection().
Control transfer: SetThreadContext() is then used to modify the main thread's OEP, which triggers execution of the code in the remote process.
Browser injection: the final payload is injected into the default web browser by means of NtMapViewOfSection().
On Windows 7 or later, the bot does not use attrib.exe. Instead, it injects code into svchost.exe and then, by means of NtMapViewOfSection(), launches the default browser with the malicious payload.
The variant then connects to the following command and control (C2) servers:
[image listing the C2 servers; not reproduced]
After successfully connecting to the C2 server, LATENTBOT generates a beacon. A decrypted beacon is shown below; the updated version number is 5015:
[image of the decrypted beacon; not reproduced]
At the time of our analysis, the C2 server was offline. The bot has a highly modular plug-in architecture and has been used in "Pony" credential-theft operations.
As of April 10, 2017, the malware hosted at www.modani[.]com/media/wysiwyg/wood.exe had been updated, and the C2 server had moved to 217.12.203[.]100.
File 2 (MD5: C10DABB05A38EDD8A9A0DDDA1C9AF10E)
The second malicious file FireEye discovered involves two attack stages. The first stage downloads the malicious HTA file from the following URL:

http[:]//95.141.38[.]110/mo/dnr/tmp/template.doc
The file is downloaded to the user's Temporary Internet Files directory under the name [?].hta, where [?] is determined at runtime. Once the download completes, winword.exe uses mshta.exe to parse the file. mshta.exe locates the relevant tag in the file and executes the script. Figure 6 shows the de-obfuscated script.
Figure 6: Second file, first-stage VBScript
Figure 6 shows the following malicious actions:
1. Uses taskkill.exe to terminate the winword.exe process in order to hide the prompt shown in Figure 1.
2. Downloads an executable from http[:]//95.141.38[.]110/mo/dnr/copy.jpg and saves it as %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\winword.exe.
3. Downloads the decoy document from http[:]//95.141.38[.]110/mo/dnr/docu.doc and saves it as %temp%\document.doc.
4. Clears the Word Resiliency registry keys for Word 15.0 and 16.0 so that Microsoft Word restarts normally.
5. Executes the malicious payload at %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\winword.exe.
6. Opens the decoy document %temp%\document.doc to hide the malicious activity from the user.
Examination of the malicious payload shows it to be a variant of what Microsoft calls the WingBird injector, which shares characteristics with FinFisher. The malware is heavily obfuscated and employs a variety of anti-analysis measures, including a custom virtual machine intended to increase the time required for analysis. A blog post published by "Artem" describes the driver of the WingBird payload; the author's brief description matches the protection techniques used by this sample's injector.
Table 2: Second file metadata
Summary
We identified several documents exploiting CVE-2017-0199, a Microsoft Word vulnerability that allows an attacker to execute a malicious Visual Basic script. CVE-2017-0199 is caused by a logic error and can bypass most security defenses. By executing a malicious script, the attacker can download and execute a malicious payload while displaying a decoy document to the user. Both files execute malicious payloads: one contains LATENTBOT, the other WingBird/FinFisher. In fact, the malicious file contains only a link pointing to an attacker-controlled server, which underscores the advantage of FireEye's MVX engine in detecting multi-stage attacks. We observed attack campaigns exploiting this vulnerability before the patch was released, and we recommend that Microsoft Office users install the corresponding patch as soon as possible.
