TAU Threat Intelligence Notification: NanoCore – Old Malware, New Tricks!

2019-03-20T19:14:15
ID CARBONBLACK:F099654AA95F6498DB33414802DBA792
Type carbonblack
Reporter Ryan Murphy
Modified 2019-03-20T19:14:15

Description

While analyzing the stream of raw emails seen in the wild, TAU discovered a campaign that at first appeared to be a fairly standard spear-phishing attack. The email carried a Word document containing an exploit for CVE-2017-11882, a memory corruption vulnerability in the Equation Editor component shipped with certain versions of Microsoft Office; successful exploitation lets a crafted Office document execute arbitrary code on a vulnerable system. The exploit is nothing new: Microsoft patched it in November 2017. We nevertheless continued the investigation by pivoting on this particular Word document, and found ten similar recent Word documents submitted to VirusTotal a total of 17 times within a four-day period in February. The majority of the seventeen submissions came from Italy, the Czech Republic, Germany, Ukraine, the United Kingdom and Austria; two were submitted from the U.S. and one from the United Arab Emirates.

Behavioral Summary

While this attack starts from a malicious Word document, the attack behavior plays out in legitimate Windows applications such as the Office Equation Editor, an application used to generate complex mathematical equations. Equation Editor has a well-known vulnerability that is exploited here to make the Equation Editor process itself reach out to multiple online sites and download additional payloads. This behavior is tracked in the process tree below. The overall characteristics of the attack are also notable for the various TTPs used, shown below in the alert summary.

[Figure: process tree]

[Figure: alert summary]

Details

When the email attachment is opened, the Equation Editor process (Eqnedt32.exe) appears under svchost.exe rather than under WINWORD.EXE, because Equation Editor is started as an out-of-process COM server by the DCOM launcher. The network activity that follows signifies successful execution of the exploit embedded in the Word document: the process immediately calls out to hxxp://sunrypero.cf and downloads a file called 1126rjduu76.jpg. (At the time this sample was detonated the domain was live. It had been registered through Freenom under the ".cf" top-level domain, the country-code TLD of the Central African Republic.) Although the sunrypero.cf domain hosted a Word document and two files with .jpg extensions, the "JPG" files were in fact PE executables.

[Figure: Eqnedt32.exe network callout to sunrypero.cf]

Once the "JPG" file is downloaded, it is saved into the user's %TEMP% folder as "tryui.exe". The icon for this file is shown below.

[Figure: tryui.exe icon]

Oddly, the actor(s) did not include any error handling in their code, so if an HTTP request cannot be established, the error message box shown below is displayed shortly after the Word document is opened.

[Figure: error message box displayed when the HTTP request fails]

A quick look at the tryui.exe file turned up the following string, which identifies the software as AutoHotKey version 1.1.23.00.

[Figure: AutoHotKey version string in tryui.exe]

Taken from their website, “AutoHotkey is a free, open-source scripting language for Windows that allows users to easily create small to complex scripts for all kinds of tasks such as: form fillers, auto-clicking, macros, etc”.

Malware that abuses AutoHotKey is not a new concept, and a quick search returned a tool written by Amit Serper called ahk-dumper. This tool dumps the embedded script out of a compiled AutoHotkey binary, where Ahk2Exe stores it as an RCDATA resource in the PE's resource section. Run against tryui.exe it produced 143 lines of code (thank you Amit!), which break down into the following pieces:

  1. Uses RegExReplace to hide the string "CallWindowProc" (exported by User32.dll)
  2. Uses RegExReplace to hide a hard-coded path to the Microsoft Regasm utility, "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
  3. Uses InternetGetConnectedState (wininet.dll) to check for a network connection; if none is available, sleeps for one second and retries
  4. Creates a COM object via WinHttp.WinHttpRequest.5.1 to fetch the payload from either hxxps://share.dmca.gripe/bNdw3tI5XtihAdic.jpg or hxxps://paste.ee/r/KyH5C
  5. Copies the downloaded file(s) into the user's %TEMP% folder
  6. Creates a shortcut in the Startup folder and sets its file attributes to System, Hidden and Read-only

The last part is the base64 decoding routine, which uses a combination of the RegExReplace and Flip functions, as shown below. Flip simply reverses the given string; LTrim and RTrim remove characters from the beginning (left) or end (right) of the string.

[Figure: base64 decoding routine using RegExReplace and Flip]

Part of the base64 routine is shown below.

[Figure: part of the base64 routine]

In other words, when tryui.exe runs it downloads a base64-encoded string from hxxps://paste.ee/r/KyH5C (paste.ee offers features similar to Pastebin) and a second one from hxxps://share.dmca.gripe/bNdw3tI5XtihAdic.jpg, a site temporarily used to host a second "JPG" file. From the two decoded strings it assembles a binary, which is then used to install and register the C2 and keylogger component.

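The two obfuscation tricks just described (RegExReplace stripping filler characters from hidden strings such as "CallWindowProc", and a reversed, noise-padded base64 payload decoded with RegExReplace, LTrim/RTrim and Flip), rebuilt in Python as an added example. This is not the actor's script and not ahk-dumper's code; the "!" filler character, the noise pattern and the sample payload are constructed assumptions, since the page shows the routine only as a screenshot. It also includes the MZ/PE header check an analyst applies to confirm that a downloaded "JPG" is really a PE file, as found earlier for the sunrypero.cf downloads.

```python
import base64
import re


def unhide(obfuscated: str, filler: str = "!") -> str:
    """RegExReplace-style string hiding: the script keeps an API name or path
    padded with filler characters and strips them at run time, so the plain
    string never appears in the binary. The '!' filler is an assumption."""
    return re.sub(re.escape(filler), "", obfuscated)


def flip(s: str) -> str:
    """AutoHotkey 'Flip' helper as described on the page: reverse the string."""
    return s[::-1]


def decode_stage(blob: str) -> bytes:
    """Mirror of the decode routine: RegExReplace drops anything that is not
    base64 (paste-site line wraps, stray whitespace), LTrim/RTrim trims the
    ends, Flip restores the original order, then base64-decode.
    The exact noise pattern is an assumption."""
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", blob).strip()
    return base64.b64decode(flip(cleaned), validate=True)


def encode_stage(data: bytes, wrap: int = 16) -> str:
    """Inverse of decode_stage, used only to build a constructed input:
    base64, reverse, then wrap lines the way a paste site would."""
    reversed_b64 = flip(base64.b64encode(data).decode("ascii"))
    return "\r\n".join(reversed_b64[i:i + wrap]
                       for i in range(0, len(reversed_b64), wrap))


def looks_like_pe(data: bytes) -> bool:
    """'JPG' sanity check: MZ signature plus a PE\\0\\0 signature at the offset
    stored in e_lfanew (DOS header offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed stand-in for a downloaded stage: a minimal DOS header whose
# e_lfanew points at a PE signature at offset 64. Not a real executable.
FAKE_PE = (b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little")
           + b"PE\x00\x00" + b"\x00" * 16)
FAKE_DOWNLOAD = encode_stage(FAKE_PE)


if __name__ == "__main__":
    print(unhide("C!a!l!l!W!i!n!d!o!w!P!r!o!c"))
    stage = decode_stage(FAKE_DOWNLOAD)
    print(len(stage), looks_like_pe(stage))
```

The reversal is what defeats a naive "base64-looking blob" scan: neither the pasted text nor the reversed string decodes to anything until Flip is applied, so a triage script should try the reversed form (and, for a .jpg that fails to parse as an image, the raw bytes) before declaring a download benign.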

As long as Regasm.exe is found at the hard-coded path shown above, tryui.exe invokes it and uses it to merge the two base64-encoded strings into a separate executable. For persistence it drops what appears to be a legitimate Regasm binary, renamed natmon.exe, into the location listed below and registers it under the following Run key. Comparison with similar files suggests the renaming is intended to avoid detection.

Field | Value
---|---
Key | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Monitor\
Name | NAT Monitor
Value | C:\Program Files (x86)\NAT Monitor\natmon.exe

The final part of the attack is the delivery of the NanoCore trojan, including its keylogger, which originally communicated with its C2 in the Netherlands over an unencrypted channel on TCP port 2960. Shortly after we tested this sample, the actor(s) updated their C2 to use SSL/TLS on TCP port 443 in order to hide the data sent to and from the C2 server.

Side note:

As the path to Regasm.exe is hard-coded in the AutoHotKey script, the malware will not run any further if Regasm.exe is not present at that path. However, copying a newer .NET Regasm.exe from a more recent folder, e.g. C:\Windows\Microsoft.NET\Framework\v4.x, into the expected v2.0.50727 location lets tryui.exe launch Regasm and register an application.
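The behaviors described in the Details section (Equation Editor reaching the network and spawning a child, Regasm proxied from a binary staged in %TEMP%, the Run key written by that binary, and a renamed Regasm copy talking to C2) expressed as detection logic over a handful of constructed Sysmon-style events. This is an added example written for this page, not Carbon Black's or anyone's production rule set; the field names follow Sysmon conventions, and the events, paths and process GUIDs are made up.

```python
import re

# Constructed example. Regexes are case-insensitive because Windows paths are.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Legitimate home of the .NET assembly registration tool (32- and 64-bit).
REGASM_PATH_RE = re.compile(
    r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\regasm\.exe$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict, procs: dict) -> list:
    """Return the rule names one event matches. `procs` maps ProcessGuid to the
    OriginalFileName recorded at process creation, so a network event (which
    carries no version-resource data) can be tied back to what the binary
    really is even after it has been renamed on disk."""
    hits = []
    eid = ev["EventID"]
    img = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    orig = ev.get("OriginalFileName", "").lower()
    guid = ev.get("ProcessGuid")
    if eid == 1:
        procs[guid] = orig
    true_name = procs.get(guid) or orig or basename(img)
    is_regasm = true_name == "regasm.exe" or basename(img) == "regasm.exe"

    # T1203: Equation Editor has no reason to open sockets or spawn children.
    if eid == 3 and basename(img) == "eqnedt32.exe":
        hits.append("eqnedt32_network")
    if eid == 1 and basename(parent) == "eqnedt32.exe":
        hits.append("eqnedt32_child_process")
    if eid == 1 and is_regasm:
        # T1121: Regasm launched by something staged in %TEMP%.
        if TEMP_RE.search(parent):
            hits.append("regasm_from_temp_parent")
        # T1036: version resource says RegAsm.exe but the file on disk does not.
        if true_name == "regasm.exe" and basename(img) != "regasm.exe":
            hits.append("regasm_masquerade")
        # A regasm.exe that is not in a .NET Framework directory is a copy.
        elif basename(img) == "regasm.exe" and not REGASM_PATH_RE.match(img):
            hits.append("regasm_outside_framework_dir")
    # T1060: Run key value written by a process executing out of %TEMP%.
    if (eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", ""))
            and TEMP_RE.search(img)):
        hits.append("runkey_from_temp")
    # C2: whatever it is called on disk, RegAsm has no business using the network.
    if eid == 3 and is_regasm:
        hits.append("regasm_network")
    return hits


def analyze(events: list) -> list:
    """Run every event through the rules in order; returns (index, rule) pairs."""
    procs = {}
    return [(i, hit) for i, ev in enumerate(events) for hit in evaluate(ev, procs)]


# Constructed events mirroring the chain described on this page.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
NATMON = r"C:\Program Files (x86)\NAT Monitor\natmon.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "g1", "Image": r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "WinWord.exe"},
    {"EventID": 1, "ProcessGuid": "g2", "Image": EQNEDT,
     "ParentImage": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "EQNEDT32.EXE"},
    {"EventID": 3, "ProcessGuid": "g2", "Image": EQNEDT, "DestinationPort": 80},
    {"EventID": 1, "ProcessGuid": "g3", "Image": TEMP + r"\tryui.exe",
     "ParentImage": EQNEDT, "OriginalFileName": ""},
    {"EventID": 1, "ProcessGuid": "g4", "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe",
     "ParentImage": TEMP + r"\tryui.exe", "OriginalFileName": "RegAsm.exe"},
    {"EventID": 13, "ProcessGuid": "g3", "Image": TEMP + r"\tryui.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Monitor",
     "Details": NATMON},
    {"EventID": 1, "ProcessGuid": "g5", "Image": NATMON,
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "RegAsm.exe"},
    {"EventID": 3, "ProcessGuid": "g5", "Image": NATMON, "DestinationPort": 2960},
    # Benign: Regasm run from its own directory by an installer outside %TEMP%.
    {"EventID": 1, "ProcessGuid": "g6", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Program Files\ExampleVendor\setup.exe", "OriginalFileName": "RegAsm.exe"},
]

if __name__ == "__main__":
    for index, rule in analyze(SAMPLE_EVENTS):
        print(index, rule)
```

Keying the network rule on the OriginalFileName captured at process creation rather than on the image path is what keeps the detection alive once the actor switched C2 to TLS on port 443: port-based logic stops matching, but a RegAsm binary opening any socket is still anomalous.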

While none of the above techniques is necessarily new, it is interesting to see how AutoHotKey continues to grow in popularity among malware authors, and how malicious scripts embedded within the legitimate AutoHotKey compiled binary are becoming more sophisticated in an attempt to fly under the radar of modern detection and prevention security products.


Remediation:

MITRE ATT&CK TIDs

TID | Tactic | Description
---|---|---
T1204 | Execution | User Execution: opening of the email attachment
T1203 | Execution | Exploitation for Client Execution (CVE-2017-11882 in Equation Editor)
T1027 | Defense Evasion | Obfuscated Files or Information
T1121 | Defense Evasion, Execution | Regsvcs/Regasm: proxying of code execution through Regasm
T1036 | Defense Evasion | Masquerading (Regasm renamed natmon.exe; PE payloads served as .jpg)
T1060 | Persistence | Registry Run Keys / Startup Folder

Indicators of Compromise (IOCs)

Indicator | Type | Context
---|---|---
88334ec58de64e4a174dbf8b7027f916 | MD5 | Quotation_Sheet_#RFQ190207.doc (Word document)
cfea6ae1730a9dd580e2d5b633f1785357d50af8e07768081b3f50139144259b | SHA256 | Quotation_Sheet_#RFQ190207.doc (Word document)
20bc6c4211538b4eb7a756cfafeb0c39 | MD5 | tryui.exe
3c32a519c6ea39670cb610a190cdcf3acd9a7e00b11d93d05d7395a2de0bb1ff | SHA256 | tryui.exe
780492fd6099b8e29fb10b454a1d7b13 | MD5 | NanoCore
391276372a25e0c0b5a4650d6454dbea85cc2e941970a2ccd7a42323b7e82141 | SHA256 | NanoCore
hxxp://sunrypero.cf | URL | Stage 1 payload download (1126rjduu76.jpg, saved as tryui.exe)
hxxps://paste.ee/r/KyH5C | URL | Stage 2 download (base64-encoded payload)
hxxps://share.dmca.gripe | URL | Stage 2 download (base64-encoded payload)
185.244.30.106 | IP | NanoCore C2
