Office 0day vulnerability used to spread a banking Trojan - vulnerability warning - the black bar safety net

ID MYHACK58:62201785187
Type myhack58
Reporter Anonymous
Modified 2017-04-13T00:00:00


ThreatBook (微步在线) Threat Intelligence Briefing

Number: TB-2017-0003

Report confidence: 90

TAG: Microsoft, Office, 0day, vulnerabilities, phishing mails, Dridex

TLP: yellow (the report is for internal use only by the receiving organization)

Date: 2017-04-11


ThreatBook issued an early-warning report to the affected customers on April 11 (GMT).

On April 12 (GMT), Microsoft released an emergency patch for the vulnerability, numbered CVE-2017-0199. Since the vulnerability is present in all versions of Office and is already being used in real attacks, we recommend that Office users update their operating system as soon as possible and apply the latest Microsoft patches to fix the vulnerability.

ThreatBook expects that CVE-2017-0199, as the new favorite among widely used Office vulnerabilities, will be used by more and more groups in real attacks over the next few years. Ordinary users, business users, and enterprise information security managers need to remain highly vigilant.


Recently, the foreign security vendors McAfee and FireEye published articles reporting that an Office zero-day exploit had been found in use in real attacks. The vulnerability applies to all versions of Office and is extremely dangerous, but the articles did not further disclose the related attack samples.

ThreatBook's monitoring found a number of samples that exploit the vulnerability. After successful execution, a sample downloads the banking Trojan Dridex, which steals the user's online banking login credentials and other information. Using ThreatBook's hunting system, more Dridex Trojans of the same type were found, showing that groups are already using this zero-day vulnerability to spread the Dridex banking Trojan. Other findings are:

25 IOCs and 2 Yara rules were extracted from the samples; they can be used to detect compromise within the internal network. See the Appendix for the specific IOCs.

Analysis of the C&C addresses associated with the samples found that the attackers mainly spread the Dridex banking Trojan through phishing emails. The Trojan steals the user's online banking account and other information and may further cause financial losses.

The attack samples are sent to target users as email attachments, so users are advised to remain highly alert to messages from unknown sources.

The ThreatBook Threat Intelligence platform also supports detection of this attack. If you need ThreatBook's help with detection, please contact us at contactus@threatbook.cn.


On April 7 and 8, 2017, the two security companies McAfee and FireEye each published an article reporting that malicious Microsoft Office documents had been detected as attachments in some phishing emails. These documents carry embedded OLE objects; once the document is opened, a malicious .HTA file disguised as a normal RTF file is downloaded from a remote server and executed, which in turn downloads more malware, without the user needing to enable macros or take any further action. Analysts believe these malicious documents exploit an Office 0Day vulnerability that affects all Office versions on all Windows operating systems, including the latest Office 2016 running on Windows 10, and that the degree of harm is extremely high. The earliest attacks found so far may have occurred in late January 2017.

ThreatBook captured a number of samples that exploit the vulnerability. Further analysis found that once the vulnerability is triggered, the associated attack samples download the Dridex banking Trojan. The typical execution flow of a sample is as follows:

1. The user receives a phishing email containing the malicious attachment.

2. The user opens the attached document, which exploits the Office 0Day vulnerability.

3. The Word process downloads the disguised .HTA file template.doc from the attacker-controlled website btt5sxcx90.com and launches it.

4. After template.doc executes, it downloads from btt5sxcx90.com an executable program 7500.exe and a harmless Word document sample.doc, launches 7500.exe, and opens the blank sample.doc to deceive the victim.

5. 7500.exe is the Dridex banking Trojan, which can further steal the user's bank authentication information.

ThreatBook will continue to analyze the attack samples related to this event, trace the attack groups behind it, and synchronize related progress and findings to customers in a timely manner.

Detection measures

It is recommended to deploy the ThreatBook Threat Intelligence platform directly for detection, or to use the IOCs in the Appendix together with log-based detection:

For example, check firewall logs for connections to the listed IPs, or check DNS logs for requests for the domain names in the Appendix.
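As an added example (not code from the ThreatBook report), the following script applies the log-based check described above: it normalises the Appendix download URLs to a set of IOC domains and scans DNS query-log and proxy-log lines for requests to those domains or their subdomains. The log line formats and the log lines themselves are constructed for this example; only the three URLs come from the report.

```python
# Added example: match the report's network IOCs against DNS and proxy log lines.
# The IOC URLs are the ones quoted in the Appendix; the log lines are constructed.
import re
from urllib.parse import urlsplit

IOC_URLS = [
    "http://btt5sxcx90.com/template.doc",
    "http://www.btt5sxcx90.com/template.doc",
    "http://rottastics36w.net/template.doc",
]

def ioc_domains(urls):
    """Normalise the IOC URLs to a set of lower-case hostnames without a trailing dot."""
    return {urlsplit(u).hostname.lower().rstrip(".") for u in urls}

def host_matches(host, domains):
    """True if host equals an IOC domain or is a subdomain of one (whole labels only)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

# Constructed log formats: a BIND-style query log and a squid-style access log.
DNS_RE = re.compile(r"client \S+ \S+: query: (?P<qname>\S+) IN")
PROXY_RE = re.compile(r"^\S+ +\d+ \S+ \S+ \d+ GET (?P<url>\S+)")

def scan_logs(lines, domains):
    """Return (line_number, matched_host) for each line that touches an IOC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        host = m.group("qname") if m else None
        if host is None:
            m = PROXY_RE.search(line)
            host = urlsplit(m.group("url")).hostname if m else None
        if host and host_matches(host, domains):
            hits.append((n, host.lower().rstrip(".")))
    return hits

SAMPLE_LOGS = [  # constructed for this example; 'notbtt5sxcx90.com' must NOT match
    "11-Apr-2017 09:12:01.442 client 10.1.2.33#51234 (btt5sxcx90.com): query: btt5sxcx90.com. IN A + (10.1.2.1)",
    "11-Apr-2017 09:12:05.010 client 10.1.2.33#51240 (update.example.net): query: update.example.net. IN A + (10.1.2.1)",
    "11-Apr-2017 09:12:07.880 client 10.1.2.40#51301 (notbtt5sxcx90.com): query: notbtt5sxcx90.com. IN A + (10.1.2.1)",
    "1491901930.123    412 10.1.2.33 TCP_MISS/200 58210 GET http://www.btt5sxcx90.com/template.doc - HIER_DIRECT/203.0.113.7 application/msword",
    "1491901931.500     87 10.1.2.41 TCP_MISS/200 1203 GET http://rottastics36w.net/template.doc - HIER_DIRECT/203.0.113.9 application/msword",
]

if __name__ == "__main__":
    for n, host in scan_logs(SAMPLE_LOGS, ioc_domains(IOC_URLS)):
        print(f"line {n}: request to IOC domain {host}")
```

Matching on whole domain labels matters: a lookalike such as notbtt5sxcx90.com is not flagged, while www.btt5sxcx90.com is caught both as a listed host and as a subdomain of btt5sxcx90.com.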

Recommendations for action

Respond promptly when the threat intelligence provided by ThreatBook, or the Threat Intelligence platform, detects this activity.

Strengthen security awareness training for internal staff: do not open or download any suspicious Word document from the mailbox.

It is recommended to enable Windows Automatic Updates and apply Office patches promptly.



Appendix: IOCs

Malicious document download URLs:
http://btt5sxcx90.com/template.doc
http://www.btt5sxcx90.com/template.doc
http://rottastics36w.net/template.doc

Trojan file SHA256

Yara rules

rule hta_0day {
    meta:
        description = "hta0day"
        author = "Threatbook Labs"
        date = "2017-04-11"
        hash1 = "dedb1b4fd183a8ae55e9e03511930f410ac15ba40071518b5fe0b5dd6f366543"
