myhack58 | 佚名 | MYHACK58:62201785243
History: Apr 14, 2017 - 12:00 a.m.

Dissecting the Word vulnerability CVE-2017-0199: have you installed the Microsoft patch? - Vulnerability warning - the black bar safety net

2017-04-14 00:00:00
佚名
www.myhack58.com
1381

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.974 High
Percentile: 99.9%

![](/Article/UploadPic/2017-4/20174144138236.png?www.myhack58.com)
Foreword
Recently, FireEye detected malicious Office RTF documents that exploit the vulnerability CVE-2017-0199. Earlier this week FreeBuf also reported the vulnerability: simply opening a malicious RTF document can infect the machine with malware, without Word macros having to be enabled. When the user opens a malicious document carrying the embedded exploit code, the vulnerability allows the attacker to download and execute on the target device a Visual Basic script containing PowerShell commands. The malicious Office documents FireEye discovered exploit CVE-2017-0199 to download and execute a malicious payload on the infected device.
FireEye has reported the vulnerability details to Microsoft and is coordinating disclosure with Microsoft's patch release schedule. [Vulnerability announcement] According to recent analyses by several security firms, the vulnerability is already being exploited by attackers: FreeBuf Security Alert reported that it has been used to deploy the Dridex banking Trojan, and it has also been exploited in a cyber-espionage campaign related to the conflict in Ukraine.
Before the patch was released, this vulnerability could bypass most protection mechanisms, but FireEye's email and web-based products successfully detected such malicious documents. FireEye recommends that all Office users install the patch provided by Microsoft as soon as possible [patch announcement].
Attack scenarios
The entire attack proceeds as follows:
1. The attacker sends the target user a Word document with an embedded OLE2 link object.
2. When the user opens the document, winword.exe sends an HTTP request to a remote server and retrieves a malicious HTA file.
3. The file returned by the server is a fake RTF file with a malicious script embedded in it.
4. winword.exe queries the handler for the HTA file through a COM object, which causes the Microsoft HTA application mshta.exe to load and execute the malicious script.
In the two malicious documents FireEye found, the embedded malicious script first terminates the winword.exe process, then downloads an additional payload, and finally loads the malicious code. The original winword.exe process is terminated so that the malicious VB script can hide the user pop-up shown below:
![](/Article/UploadPic/2017-4/20174144138383.png?www.myhack58.com)
File 1 (MD5: 5ebfd13250dd0408e3de594e419f9e01)
The first malicious document identified by FireEye has three main stages of operation. First, an OLE2 link object embedded in the document makes winword.exe access the following URL and download the malicious HTA file required for the first stage:
http[:]//46.102.152[.]129/template.doc
After the download completes, the "application/hta" handler processes the malicious HTA file. The highlighted row in the figure below shows the download of the first malicious file; additional malicious payloads are downloaded afterwards:

![](/Article/UploadPic/2017-4/20174144138860.png?www.myhack58.com)
After the download completes, the temporary file is stored in the user's Temporary Internet Files folder under the name template[?].hta, where [?] is determined at run time.
Logic vulnerability
mshta.exe is responsible for handling content with the Content-Type "application/hta": it parses the content and executes the script code. The figure below shows winword.exe requesting the CLSID registry key value of the "application/hta" handler.
![](/Article/UploadPic/2017-4/20174144138308.png?www.myhack58.com)
winword.exe sends a request to the DCOMLaunch service, and DCOMLaunch, running inside an svchost.exe process, launches mshta.exe. mshta.exe then executes the script code embedded in the malicious HTA document. The figure below shows the obfuscated VB script code downloaded in the first stage:
![](/Article/UploadPic/2017-4/20174144138592.png?www.myhack58.com)
The script code shown above performs the following malicious actions:
1. Terminates the winword.exe process with taskkill.exe, which hides the user pop-up shown in the earlier screenshot.
2. Downloads a VBScript file from http[:]//www.modani[.]com/media/wysiwyg/ww.vbs and saves it to %appdata%\Microsoft\Windows\maintenance.vbs.
3. Downloads a phishing decoy file from http[:]//www.modani[.]com/media/wysiwyg/questions.doc and saves it to %temp%\document.doc.
4. Restarts Microsoft Word.
5. Executes the VBScript file %appdata%\Microsoft\Windows\maintenance.vbs.
6. Opens the decoy file %temp%\document.doc to hide the malicious activity.
The malicious VBScript file in turn performs the following two tasks:
1. Writes an embedded, obfuscated script to %TMP%/eoobvfwiglhiliqougukgm.js.
2. Executes that script.
The obfuscated eoobvfwiglhiliqougukgm.js script performs the following three tasks:
1. Attempts to delete itself from the system.
2. Attempts to download http[:]//www.modani[.]com/media/wysiwyg/wood.exe and save it as %TMP%\dcihprianeeyirdeuceulx.exe.
3. Runs %TMP%\dcihprianeeyirdeuceulx.exe.
The following figure shows the process execution chain:
![](/Article/UploadPic/2017-4/20174144138694.png?www.myhack58.com)
The final payload delivered by this malware is a new variant of the LATENTBOT malware family. The following figure shows the metadata of the first document file:
![](/Article/UploadPic/2017-4/20174144138488.png?www.myhack58.com)
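The execution chain above (winword.exe asking DCOMLaunch to start mshta.exe, the script killing Word, the dropped maintenance.vbs) is what a defender can hunt for in process-creation telemetry. The following detection logic is an added example, not code from the article or from FireEye; the event records are constructed Sysmon-style samples and the rule names are ours. It also shows the caveat that mshta's parent is svchost.exe, so a plain winword-spawns-mshta rule misses this chain and a time-window correlation is needed.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry). They
# mirror the chain the article describes: winword.exe asks DCOMLaunch, hosted
# in svchost.exe, to start mshta.exe, so mshta's parent is svchost.exe rather
# than winword.exe. The last event is a benign mshta.exe launch for contrast.
SAMPLE_EVENTS = [
    {"ts": 100, "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE /n invoice.doc"},
    {"ts": 102, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Microsoft\Windows'
                r'\Temporary Internet Files\Content.IE5\Q1W2E3R4\template[1].hta"'},
    {"ts": 103, "image": r"C:\Windows\System32\taskkill.exe",
     "parent": r"C:\Windows\System32\mshta.exe", "cmdline": "taskkill /f /im winword.exe"},
    {"ts": 105, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Roaming\Microsoft\Windows\maintenance.vbs"'},
    {"ts": 900, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'mshta.exe "C:\Tools\helpdesk.hta"'},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# Per-event rules: (name, predicate). Each one keys on an artifact the article
# reports for this chain.
RULES = [
    # HTA run straight out of the browser cache, where winword.exe's fetch of
    # the remote "template" lands (article: template[?].hta).
    ("mshta_from_inet_cache", lambda e: basename(e["image"]) == "mshta.exe"
        and re.search(r"temporary internet files\\.*\.hta", e["cmdline"], re.I)),
    # A script host killing Word to hide the link-update prompt.
    ("script_kills_winword", lambda e: basename(e["image"]) == "taskkill.exe"
        and basename(e["parent"]) in {"mshta.exe", "wscript.exe", "cscript.exe"}
        and re.search(r"winword\.exe", e["cmdline"], re.I)),
    # Second-stage VBScript dropped under %appdata%\Microsoft\Windows.
    ("vbs_in_appdata_windows", lambda e: basename(e["image"]) in {"wscript.exe", "cscript.exe"}
        and re.search(r'appdata\\roaming\\microsoft\\windows\\[^"]+\.vbs', e["cmdline"], re.I)),
]

def detect(events, window=30):
    """Return (ts, rule, image) hits. Besides the per-event rules, flag any
    mshta.exe start within `window` seconds after a winword.exe start,
    whatever its parent, because the DCOMLaunch hop breaks parent-child logic."""
    hits = []
    word_starts = [e["ts"] for e in events if basename(e["image"]) == "winword.exe"]
    for e in sorted(events, key=lambda e: e["ts"]):
        for name, pred in RULES:
            if pred(e):
                hits.append((e["ts"], name, basename(e["image"])))
        if basename(e["image"]) == "mshta.exe" and any(0 <= e["ts"] - t <= window for t in word_starts):
            hits.append((e["ts"], "mshta_soon_after_word", "mshta.exe"))
    return hits
```

The benign helpdesk.hta launch at ts 900 produces no hit, while the cached-template launch at ts 102 is caught both by its command line and by the time-window correlation.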
