7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%
In early March, we discovered a cyberattack that used an exploit for CVE-2018-20250, an old WinRAR vulnerability disclosed just several weeks prior, and targeted organizations in the satellite and communications industry. A complex attack chain incorporating multiple code execution techniques attempted to run a fileless PowerShell backdoor that could allow an adversary to take full control of compromised machines.
The WinRAR vulnerability was discovered by Check Point researchers, who demonstrated in a February 20 blog post that a specially crafted ACE file (a type of compressed file) could allow remote code execution. Attackers quickly took advantage of the vulnerability in attacks, including a targeted attack that 360 Total Security researchers discovered just two days after disclosure. The exploit has since been observed in multiple malware attacks.
The use of ACE files is not uncommon in malware campaigns. A combination of machine learning, advanced heuristics, behavior-based detections, and detonation enables Office 365 Advanced Threat Protection (ATP) to regularly detect and block a variety of threats that are packed in ACE files, including common malware like Fareit, Agent Tesla, NanoCore, LokiBot and some ransomware families.
The same capabilities in Office 365 ATP detected malicious ACE files carrying the CVE-2018-20250 exploit. We spotted one of these ACE files in the sophisticated targeted attack that we describe in this blog and that stood out because of unusual, interesting techniques. Notably, the attack used techniques that are similar to campaigns carried out by the activity group known as MuddyWater, as observed by other security vendors like Trend Micro.
Figure 1. Attack chain that delivered the CVE-2018-20250 exploit
A spear-phishing email purporting to be from the Ministry of Foreign Affairs (MFA) of the Islamic Republic of Afghanistan was sent to very specific targets and asked for “resources, telecommunication services and satellite maps”. The email came with a Word document attachment.
Figure 2. Spear phishing email containing lure Word Document
When opened, the document asks the recipient to download another document from a now-inactive OneDrive link. While the URL was down during our analysis, we still reported the case to the OneDrive team.
The use of a document with just a link—no malicious macro or embedded object—was likely meant to evade conventional email security protection. This didn’t work against Office 365 ATP, which has the capability to scan emails and Office documents for URLs and analyze links for malicious behavior.
Figure 3. Word document lure containing OneDrive link
Clicking the link downloads an archive file containing a second Word document, which has malicious macro. Microsoft Word opens the document with security warning. Enabling the macro starts a series of malicious actions that leads to the download of the malware payload.
Figure 4. Downloaded document with malicious macro
Interestingly, the document has a “Next Page” button. Clicking that button displays a fake message signifying that a certain DLL file is missing, and that the computer needs to restart. This is a social engineering technique that ensures the computer is restarted, which is needed for the payload to run. (More on this later.)
Figure 5. Fake message instructing user to restart the computer
Meanwhile, with the macro enabled, the malicious code performs the following in the background:
The second-stage PowerShell script collects system information, generates unique computer ID, and sends these to remote location. It acts as a backdoor and can accept commands, including:
The PowerShell script’s ability to accept commands and download programs provided a way for a remote attacker to deliver the malicious ACE file containing CVE-2018-20250 exploit. When triggered, the exploit then drops the payload dropbox.exe.
The next sections discuss in detail the key components of this attack chain.
The highly obfuscated malicious macro code used in this attack has a unique way of running malicious code by chaining several programs. It first extracts an encoded data taken from UserForm.TextBox, before decoding and saving it as C:\Windows\Temp\id.png. This file contains an encoded PowerShell command that is executed later by the first-stage PowerShell script.
Figure 6. Obfuscated macro code
The malicious macro code then creates an Excel.Application object to write the VBScript code.
Figure 7. VBScript code created by the malicious macro
It then runs wscript.exe to launch the PowerShell script at runtime. The PowerShell script itself does not touch the disc, making it a fileless component of the attack chain. Living-off-the-land, the technique of using resources that are already available on the system (e.g., wscript.exe) to run malicious code directly in memory, is another way that this attack tries to evade detection.
The first-stage PowerShell script contains multiple layers of obfuscation. When run, it decodes the file id.png to produce another PowerShell script that’s responsible for the rest of the actions.
Figure 8. Obfuscated first-stage PowerShell code
Figure 9. De-obfuscated first-stage PowerShell script
The decrypted PowerShell script is also highly obfuscated. Fully de-obfuscating the malicious script requires over 40 layers of script blocks.
The second-stage PowerShell script collects system information, such as operating system, OS architecture, username, domain name, disk information, enabled-only IP addresses, and gateway IP address. It computes the MD5 hash of collected system information. The computed hash is used as the BotID (some researchers also refer to this as SYSID).
It then concatenates the hash and system information in a string that looks like the following:
<BotID><OS>|Disk information<IP Address List><OS Architecture><Hostname><Domain><Username>**<Gateway IP>
For example:
6e6bdbd3d8b102305f016b06e995a384Microsoft Windows 10 Enterprise|C:\WINDOWS|\Device\Harddisk0\Partition3192[.]168[.]61[.]1-192[.]168[.]32[.]1-157[.]59[.]24[.]11364-bit<Hostname><Domain><Username>**131[.]107[.]160[.]113
It then encodes each character of the collected system information in decimal value by applying simple custom algorithm with hardcoded key (public key): 959,713. The result is formatted as XML-like data:
{“data”:"665 545 145 145 222 545 222 145 73 367 665 438 438 438 598 616 145 518 616 566 438 [REDACTED] 616 73 145 145 665 518 365 438 316 665 513 513 432 261 181 344}
It sends the encoded data to a hardcoded remote command-and-control (C&C), likely to check and register the infected computer: hxxp://162[.]223[.]89[.]53/oa/.
It continuously waits until the remote attacker sends back “done”. Then, it sends an HTTP request to the same C&C address passing the BotID, likely to wait for command: hxxp://162[.]223[.]89[.]53/oc/api/?t=<BOTID>.
It can accept command to download and execute command and sends back the output, encoded in Base64 format, to the remote C2 server using HTTP POST: hxxp://162[.]223[.]89[.]53/or/?t=<BOTID>.
In their analysis of the CVE-2018-20250 vulnerability, Check Point researchers found that when parsing ACE files, WinRAR used an old DLL named unacev2.dll that was vulnerable to directory traversal.
Malicious ACE files that carry the CVE-2018-20250 exploit can be spotted through:
Figure 10. ACE file with CVE-2018-20250 exploit
The ACE file contains three JPEG files that may look related to the email and Word document lures. When the user attempts to extract any of them, the exploit triggers and drops the payload, dropbox.exe, to the Startup folder.
Figure 11. Contents of the malicious ACE file
Going back to the fake error message about a missing DLL and asking the user to restart the computer: The CVE-2018-20250 vulnerability only allows file write to specified folder but has no capability to run the file immediately. Since the payload was dropped in the Startup folder, it is launched when the computer restarts.
The payload dropbox.exe performs the same actions as the malicious macro component, which helps ensure that the PowerShell backdoor is running. The PowerShell backdoor could allow a remote attacker to take full control of the compromised machine and make it a launchpad for more malicious actions. Exposing and stopping the attacks at the early stages is critical in preventing additional, typically more damaging impact of undetected malware implants.
The targeted attack we discussed in this blog and other attacks that use the CVE-2018-20250 exploit show how quickly attackers can take advantage of known vulnerabilities. Attackers are always in search of new vectors to reach more victims. In this attack, they also used some sophisticated code injection techniques. Protections against cyberattacks should be advanced, real-time, and comprehensive.
The URL detonation capabilities in Office 365 ATP was instrumental in detecting and blocking the malicious behaviors across the multiple stages of this sophisticated attack, protecting customers from potentially damaging outcomes. URL detonation, coupled with heuristics, behavior-based detections, and machine learning, allow Office 365 ATP to protect customers not only from targeted attacks, but also well-crafted spear phishing attacks—in real time.
These advanced defenses from Office 365 ATP are shared with other services in Microsoft Threat Protection, which provides seamless, integrated, and comprehensive protection against multiple attack vectors. Through signal-sharing, Microsoft threat Protection orchestrates threat remediation.
For endpoints that are not protected by Office 365 ATP, Microsoft Defender ATP detects the attacker techniques used in this targeted attack. Microsoft Defender ATP is a unified endpoint protection platform for attack surface reduction, next generation protection, endpoint detection & response (EDR), auto investigation & remediation, as well as recently announced managed threat hunting and threat & vulnerability management.
Microsoft Defender ATP uses machine learning, behavior monitoring, and heuristics to detect sophisticated threats. Its industry-leading optics, integration with Office 365 ATP and other Microsoft Threat Protection services, and use of AMSI give it unique capabilities to detect attacker techniques, including the exploit, obfuscation, detection evasion, and fileless techniques observed in this attack.
The attacks that immediately exploited the WinRAR vulnerability demonstrate the importance of threat & vulnerability management in reducing organizational risk. Even if your organization was not affected by this attack against specific organizations in the satellite and communications industry, there are other malware campaigns that used the exploits.
Microsoft Defender ATP’s threat & vulnerability management capability uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities. As a component of a unified endpoint protection platform, threat & hunting vulnerability management in Microsoft Defender ATP provides these unique benefits:
Figure 12. Sample Threat & Vulnerability Management dashboard showing WinRAR vulnerabilities on managed endpoints
The complex attack chain that incorporated sophisticated techniques observed in this targeted attack highlights the benefits of a comprehensive protection enriched by telemetry collected across the entire attack chain. Microsoft Threat Protection continues to evolve to provide integrated threat protection solution for the modern workplace.
Rex Plantado
Office 365 ATP Research Team
Files (SHA-256):
URLs:
The post Analysis of a targeted attack exploiting the WinRAR CVE-2018-20250 vulnerability appeared first on [Microsoft Security.
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%