An attacker spreading the FELIXROOT backdoor through Office vulnerabilities - vulnerability warning - Black Bar Security Net (myhack58)

Source: www.myhack58.com, MYHACK58:62201891024, author 佚名 (Anonymous), published 2018-07-30 00:00:00

CVSS3: 7.8 High (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EPSS: 0.974 High (percentile 99.9%)

![](/Article/UploadPic/2018-7/2018730152439956.png)
1. Attack event details
In September 2017, while responding to attacks against Ukraine, FireEye identified the FELIXROOT backdoor payload and reported it to our intelligence customers. That campaign used malicious documents themed on Ukrainian banks, containing a macro that downloaded the FELIXROOT loader and delivered it to the targets.
FireEye recently observed a new campaign delivering the same FELIXROOT backdoor. This time the decoy documents are themed on an environmental-protection seminar, and the attackers exploit two known Microsoft Office vulnerabilities, CVE-2017-0199 and CVE-2017-11882, to drop the backdoor on the victim's host and execute it. The attack flow is shown in Figure 1.
![](/Article/UploadPic/2018-7/2018730152439369.png)
Figure 1. Attack flow
The malware is delivered through a Russian-language document (Figure 2) that exploits known Microsoft Office vulnerabilities. In this campaign we observed the attackers using CVE-2017-0199 and CVE-2017-11882. The malicious document, named "Seminar.rtf", exploits CVE-2017-0199 to download the second-stage payload from 193.23.181.151 (Figure 3); the downloaded document carries the CVE-2017-11882 exploit.
![](/Article/UploadPic/2018-7/2018730152439619.png)
Figure 2. Decoy document
![](/Article/UploadPic/2018-7/2018730152440427.png)
Figure 3. The download URL in Seminar.rtf is stored as hexadecimal data
Figure 4 shows the first stage attempting to download the second-stage Seminar.rtf.
![](/Article/UploadPic/2018-7/2018730152440714.png)
Figure 4. Download of the second-stage Seminar.rtf
The downloaded Seminar.rtf contains an embedded binary that is dropped into the %temp% directory via the Equation Editor exploit (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9). This file is used to download and execute the FELIXROOT dropper component (MD5: 92F63B1227A6B37335495F9BCB939EA2).
The dropped executable (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9) carries the compressed FELIXROOT dropper component in its PE (Portable Executable) overlay. When executed it creates two files: an LNK file pointing to %system32%\rundll32.exe, and the FELIXROOT loader component. The LNK file is moved to the Startup directory. It contains the command used to run the FELIXROOT loader component, as shown in Figure 5:
![](/Article/UploadPic/2018-7/2018730152440327.png)
Figure 5. Command contained in the LNK file
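The LNK dropped into the Startup folder is the persistence artifact a responder will want to inspect. The following is an added example, not code from the original article or from FireEye: a minimal Shell Link (MS-SHLLINK) parser in Python that pulls the target path and command-line arguments out of a .lnk file and flags a rundll32 launch of a DLL export by ordinal. The sample LNK it parses is constructed inline; the loader path C:\Users\victim\AppData\Local\Temp\loader.dll and the ",#1" argument are placeholders (the page says the backdoor checks for the #1 parameter but does not reproduce the actual command from Figure 5).

```python
import re
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Fixed LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# StringData sections appear in this fixed order when their flag is set
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link as a dict."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C  # end of the fixed-size header
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize includes itself
    fields = {}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def is_rundll32_ordinal_launch(fields: dict) -> bool:
    """True when the link runs rundll32 against a DLL export given by ordinal (",#N")."""
    command = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return "rundll32" in command and re.search(r",\s*#\d+", command) is not None


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode Shell Link (header + StringData only).
    Synthetic sample for testing, not a file from the campaign."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID
    # LinkFlags, FileAttributes, Creation/Access/WriteTime, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1-3
    header += struct.pack("<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Placeholder loader path and ordinal; the real command line is not reproduced on the page.
SAMPLE_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\rundll32.exe",
    r"C:\Users\victim\AppData\Local\Temp\loader.dll,#1",
)

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    print(fields)
    print("rundll32 ordinal launch:", is_rundll32_ordinal_launch(fields))
```

The parser skips the optional LinkTargetIDList and LinkInfo blocks by their declared sizes, so it also works on real links that carry them; a full triage tool would additionally resolve the IDList to an absolute target, since a link can omit the relative path entirely.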
The embedded backdoor component is encrypted with a custom algorithm. It is decrypted and executed in memory; the decrypted backdoor is never written to disk.
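Keeping the payload in the PE overlay (the bytes after the last section's raw data) is what lets the dropper look like a small, ordinary executable to header-based tooling. The following is an added example, not code from the original article or from FireEye, showing how the overlay boundary is computed from the section table and how the overlay is carved out. It builds a synthetic outer PE whose overlay holds a zlib-compressed inner PE; zlib stands in for FELIXROOT's compression scheme, which the page does not specify, and the custom encryption layer described above is not modelled.

```python
import struct
import zlib

FILE_ALIGNMENT = 0x200
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
PE32_OPTIONAL_HEADER_SIZE = 224


def _align(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def overlay_offset(pe: bytes) -> int:
    """Offset of the first byte after the last section's raw data.
    Everything from here on is overlay: not mapped by the loader, not
    described by the section table, and a common hiding place for payloads."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    number_of_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_optional_header = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    section_table = e_lfanew + 4 + COFF_HEADER_SIZE + size_of_optional_header
    end = 0
    for i in range(number_of_sections):
        entry = section_table + i * SECTION_HEADER_SIZE
        # SizeOfRawData at +16, PointerToRawData at +20 within the section header
        size_of_raw_data, pointer_to_raw_data = struct.unpack_from("<II", pe, entry + 16)
        end = max(end, pointer_to_raw_data + size_of_raw_data)
    return end


def extract_overlay(pe: bytes) -> bytes:
    return pe[overlay_offset(pe):]


def unpack_embedded_pe(pe: bytes) -> bytes:
    """Carve the overlay, decompress it and confirm the result is itself a PE image."""
    overlay = extract_overlay(pe)
    if not overlay:
        raise ValueError("no overlay present")
    inner = zlib.decompress(overlay)  # assumption: zlib in place of the unspecified scheme
    if inner[:2] != b"MZ":
        raise ValueError("decompressed overlay is not a PE image")
    return inner


def build_sample_pe(section_data: bytes, overlay: bytes) -> bytes:
    """Construct a minimal single-section PE32 file with the given overlay appended.
    Synthetic test input; it is not meant to be executable."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, PE32_OPTIONAL_HEADER_SIZE, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (PE32_OPTIONAL_HEADER_SIZE - 2)
    headers_size = e_lfanew + 4 + COFF_HEADER_SIZE + PE32_OPTIONAL_HEADER_SIZE + SECTION_HEADER_SIZE
    pointer_to_raw_data = _align(headers_size, FILE_ALIGNMENT)
    size_of_raw_data = _align(len(section_data), FILE_ALIGNMENT)
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics (CODE | EXECUTE | READ)
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, size_of_raw_data, pointer_to_raw_data,
        0, 0, 0, 0, 0x60000020)
    image = (dos_header + b"PE\x00\x00" + coff + optional + section).ljust(pointer_to_raw_data, b"\x00")
    image += section_data.ljust(size_of_raw_data, b"\x00")
    return image + overlay


# Constructed sample: an inner PE (standing in for the dropper) compressed into the overlay of an outer PE.
INNER_PE = build_sample_pe(b"\x90" * 16, b"")
OUTER_PE = build_sample_pe(b"\xC3" * 64, zlib.compress(INNER_PE))

if __name__ == "__main__":
    print("overlay starts at", hex(overlay_offset(OUTER_PE)), "of", len(OUTER_PE), "bytes")
    print("embedded image size:", len(unpack_embedded_pe(OUTER_PE)))
```

On a real sample the carved overlay will not be plain zlib; the decompression step is where the dropper's own unpacking routine has to be reimplemented, and a high-entropy overlay with no recognisable header is the first hint that an additional encryption layer is present.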

2. Technical details
After successful exploitation, the dropper component runs and drops the loader component. The loader is executed via RUNDLL32.EXE. The backdoor component is loaded into memory and exposes only a single exported function.
The strings inside the backdoor are encrypted with a custom algorithm: a XOR with a 4-byte key. The decryption logic for ASCII strings is shown in Figure 6.
![](/Article/UploadPic/2018-7/2018730152440455.png)
Figure 6. ASCII decryption routine
The decryption logic for Unicode strings is shown in Figure 7.
![](/Article/UploadPic/2018-7/2018730152440458.png)
Figure 7. Unicode decryption routine
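A 4-byte repeating XOR key is weak enough that an analyst rarely needs to lift the key out of the decryption routine: any string whose plaintext prefix is predictable (the backdoor's WMI queries all begin with "SELECT ") leaks the key directly. The following is an added example, not code from the original article or from FireEye, that recovers the key from such a known prefix and then decrypts ASCII and Unicode (UTF-16LE) strings. The key 7a 13 c4 5e and the encrypted samples are constructed here for illustration; the page does not give the real key, and the example assumes the key is applied byte-wise over the raw buffer in both variants, which is one plausible reading of Figures 6 and 7 rather than a reproduction of them.

```python
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_ascii(blob: bytes, key: bytes) -> str:
    """Decrypt a NUL-terminated ASCII string (the Figure 6 case)."""
    plain = xor_bytes(blob, key)
    return plain.split(b"\x00", 1)[0].decode("ascii")


def decrypt_unicode(blob: bytes, key: bytes) -> str:
    """Decrypt a NUL-terminated UTF-16LE string (the Figure 7 case).
    Assumption: the key is applied byte-wise over the raw buffer."""
    plain = xor_bytes(blob, key)
    return plain.decode("utf-16-le").split("\x00", 1)[0]


def recover_key(blob: bytes, known_prefix: bytes, key_len: int = 4) -> Optional[bytes]:
    """Known-plaintext attack on a repeating XOR key.
    Returns the key if known_prefix is consistent with a key_len-byte
    repeating key over that region, otherwise None."""
    if len(known_prefix) < key_len or len(blob) < len(known_prefix):
        return None
    key = xor_bytes(blob[:key_len], known_prefix[:key_len])
    # The first key_len bytes always fit by construction; the rest of the prefix is the check.
    if xor_bytes(blob[:len(known_prefix)], key) != known_prefix:
        return None
    return key


def encrypt_ascii(text: str, key: bytes) -> bytes:
    return xor_bytes(text.encode("ascii") + b"\x00", key)


def encrypt_unicode(text: str, key: bytes) -> bytes:
    return xor_bytes(text.encode("utf-16-le") + b"\x00\x00", key)


def recover_from_wmi_prefix(blob: bytes) -> Optional[bytes]:
    """Every WMI query the backdoor issues starts with 'SELECT ', so that
    prefix as UTF-16LE (14 bytes) is enough to pin down a 4-byte key."""
    return recover_key(blob, "SELECT ".encode("utf-16-le"))


# Constructed for illustration; not the key or ciphertext from the real sample.
SAMPLE_KEY = bytes.fromhex("7a13c45e")
ENC_WMI_QUERY = encrypt_unicode("SELECT Caption FROM Win32_TimeZone", SAMPLE_KEY)
ENC_ASCII = encrypt_ascii("rundll32.exe", SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_from_wmi_prefix(ENC_WMI_QUERY)
    print("recovered key:", key.hex())
    print(decrypt_unicode(ENC_WMI_QUERY, key))
    print(decrypt_ascii(ENC_ASCII, key))
```

The consistency check in recover_key matters: with a prefix no longer than the key, any ciphertext "fits", so a prefix at least a few bytes longer than the key is needed before a recovered key can be trusted and applied to the rest of the string table.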
On execution, the backdoor creates a new thread, sleeps for 10 minutes, and then checks whether it was launched by RUNDLL32.EXE with the #1 parameter. If so, it collects initial system information before starting command-and-control (C2) communication. To collect that information it connects to Windows Management Instrumentation (WMI) through the ROOT\CIMV2 namespace.
The overall flow is shown in Figure 8:
![](/Article/UploadPic/2018-7/2018730152440779.png)
Figure 8. Initial execution flow of the backdoor component
The classes referenced from the ROOT\CIMV2 and Root\SecurityCenter2 namespaces are listed in Table 1:
Table 1. Referenced WMI classes
Win32_OperatingSystem
Win32_ComputerSystem
AntiSpywareProduct
AntiVirusProduct
FirewallProduct
Win32_UserAccount
Win32_NetworkAdapter
Win32_Process
WMI and the registry
The WMI queries used are:
SELECT Caption FROM Win32_TimeZone
SELECT CSNAME, Caption, CSDVersion, Locale, RegisteredUser FROM Win32_OperatingSystem
SELECT Manufacturer, Model, SystemType, DomainRole, Domain, UserName FROM Win32_ComputerSystem
The backdoor also reads registry values to learn about the UAC elevation prompt configuration and the proxy settings:
1. Under SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System it queries the ConsentPromptBehaviorAdmin and PromptOnSecureDesktop values;
2. Under Software\Microsoft\Windows\CurrentVersion\Internet Settings it queries the ProxyEnable, Proxy:(NO), Proxy and ProxyServer values.
The FELIXROOT backdoor's capabilities are shown in Table 2. Each command is executed in a separate thread.

