CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler

FireEye recently detected malicious Microsoft Office RTF documents
that leverage CVE-2017-0199, a previously undisclosed vulnerability.
This vulnerability allows a malicious actor to download and execute a
Visual Basic script containing PowerShell commands when a user opens a
document containing an embedded exploit. FireEye has observed Office
documents exploiting CVE-2017-0199 that download and execute malware
payloads from different well-known malware families.

FireEye shared the details of the vulnerability with Microsoft and
has been coordinating public disclosure timed with the release of a
patch by Microsoft to address the vulnerability, which can be found here.

The vulnerability bypassed most mitigations prior to patch
availability; however, FireEye email and network products detected the
malicious documents. FireEye recommends that Microsoft Office users
apply the patch
from Microsoft
.

Attack Scenario

The attack occurs in the following manner:

  1. A threat actor emails a Microsoft Word document to a targeted
    user with an embedded OLE2 embedded link object
  2. When the
    user opens the document, winword.exe issues a HTTP request to a
    remote server to retrieve a malicious HTA file
  3. The file
    returned by the server is a fake RTF file with an embedded malicious
    script
  4. Winword.exe looks up the file handler for
    application/hta through a COM object, which causes the Microsoft HTA
    application (mshta.exe) to load and execute the malicious
    script

In the two documents that FireEye observed prior to the initial
blog
acknowledging these attacks, malicious scripts terminated the
winword.exe processes, downloaded additional payloads, and loaded
decoy documents. The original winword.exe process was terminated to
conceal a user prompt generated by the OLE2link. Figure 1 shows this prompt.

Figure 1: User prompt hidden by the Visual Basic script

Document 1 – (MD5: 5ebfd13250dd0408e3de594e419f9e01)

The first malicious document identified by FireEye had three stages.
An embedded OLE2 link object causes winword.exe to reach out to the
following URL to download the stage one malicious HTA file:

http[:]//46.102.152[.]129/template.doc

Once downloaded, the malicious HTA file is processed by the
“application/hta” handler.  The highlighted line in Figure 2 shows the
first download occurring, followed by the additional malicious payloads.

Figure 2: Live attack scenario

Once downloaded, the template file was stored in the user’s
temporary internet files with the name template[?].hta, where [?] is
determined at run time.

The Logic Bug

Mshta.exe is responsible for handling the Content-Type
“application/hta,” parsing the content, and executing the script.
Figure 3 shows winword.exe querying registry value of CLSID for the
“application/hta” handler.

Figure 3: Winword query registry value

Winword.exe makes a request to the DCOMLaunch service, which in turn
causes the svchost.exe process hosting DCOMLaunch to execute
mshta.exe. Mshta.exe then executes the script embedded in the
malicious HTA document. Figure 4 shows the deobfuscated VBScript from
the first stage download.

Figure 4: First document, stage one VBScript

The script shown in Figure 4 performs the following malicious actions:

  1. Terminates the winword.exe process with taskkill.exe to hide
    the prompt shown in Figure 1.
  2. Downloads a VBScript file
    from http[:]//www.modani[.]com/media/wysiwyg/ww.vbs and saving it to
    %appdata%\Microsoft\Windows\maintenance.vbs
  3. Downloads a decoy
    document from http[:]//www.modani[.]com/media/wysiwyg/questions.doc
    and saving it to %temp%\document.doc
  4. Cleans up the Word
    Resiliency keys for Word versions 15.0 and 16.0 so that Microsoft
    Word will restart normally
  5. Executes the malicious stage two
    VBScript: %appdata%\Microsoft\Windows\maintenance.vbs
  6. Opens
    the decoy document, %temp%\document.doc, to hide the malicious
    activity from the user

Once executed, the downloaded stage two VBScript
(ww.vbs/maintenance.vbs) performs the following actions:

  1. Writes an embedded obfuscated script to
    %TMP%/eoobvfwiglhiliqougukgm.js
  2. Executes the script

The obfuscated eoobvfwiglhiliqougukgm.js script performs the
following actions when executed:

  1. Attempts to delete itself from the system
  2. Attempts to
    download http[:]//www.modani[.]com/media/wysiwyg/wood.exe (at most
    44 times), and save the file to
    %TMP%\dcihprianeeyirdeuceulx.exe
  3. Executes
    %TMP%\dcihprianeeyirdeuceulx.exe

Figure 5 shows the process execution chain of events.

Figure 5: Process creation events

The final payload utilized in this malware is a newer variant of the
LATENTBOT malware family. Additional details of the updates to this
malware follow the Document 2 walkthrough.

MD5

Size

Name

Description

5ebfd13250dd0408e3de594e419f9e01

37,523

hire_form.doc

 

Malicious document

fb475f0d8c8e9bf1bc360211179d8a28

27,429

template.doc/template[?].hta

Malicious HTA file

984658e34e634d56423797858a711846

5,704

ww.vbs/maintenance.vbs

Stage two VBScript

73bf8647920eacc7cc377b3602a7ee7a

13,386

questions.doc/document.doc

Decoy document

11fb87888bbb4dcea4891ab856ac1c52

5,292

eoobvfwiglhiliqougukgm.js

Malicious script

a1faa23a3ef8cef372f5f74aed82d2de

388,096

wood.exe/ dcihprianeeyirdeuceulx.exe

Final payload

15e51cdbd938545c9af47806984b1667

414,720

wood.exe/ dcihprianeeyirdeuceulx.exe

Updated final payload

Table 1: First document file metadata

The LATENTBOT Payload

The payload associated with the first document is an updated version
of the LATENTBOT
malware family
. LATENTBOT is a highly-obfuscated BOT that has
been in the wild since 2013.

The newer version of the LATENTBOT has different injection
mechanisms for Windows XP (x86) and Windows 7 operating systems:

  • Attrib.exe patching – The bot calls Attrib.exe, patches the
    entry in memory, and inserts a JMP instruction to transfer control
    to the mapped section. To map the section in the address space of
    atrrib.exe it uses ZwMapViewOfSection().
  • Svchost code Injection – Attrib.exe starts the svchost.exe
    process in suspended mode, creates space, and allocates code by
    calling ZwMapViewOfSection().
  • Control transfer – It then uses SetThreadContext() to modify
    the OEP of the primary thread, which will be executed in the remote
    process to trigger code execution.
  • Browser injection – A similar process is used to inject the
    final payload into the default web browser with the help of
    NtMapVIewOfSection().

In Windows 7 or later operating systems, the bot does not use
attrib.exe. Rather, it injects code into svchost.exe followed by
launching the default browser with malicious payload by leveraging NtMapViewOfSection().

This variant then connects to the following command and control (C2) server:

Upon successful communication with the C2 server, LATENTBOT
generates a beacon. One of the decrypted beacons are as follows with
an updated version number of 5015:

At the time of analysis, the C2 server was offline. The bot comes
with a highly modular plugin architecture and has been associated with
the “Pony” campaigns as an infostealer.

As of April 10, 2017, the malware hosted at
www.modani[.]com/media/wysiwyg/wood.exe has been updated and the C2
server has been moved to: 217.12.203[.]100.

Document 2 – (MD5: C10DABB05A38EDD8A9A0DDDA1C9AF10E)

The second malicious document identified by FireEye consisted of two
malicious stages. The initial stage reached out to the following URL
to download the stage one malicious HTA file:

http[:]//95.141.38[.]110/mo/dnr/tmp/template.doc

This file is downloaded into the user’s temporary internet files
directory with the name template[?].hta, where [?] is determined at
runtime. Once downloaded, winword.exe utilizes mshta.exe to parse the
file. mshta.exe parses through file finding <script>
</script> tags and executes the contained script. Figure 6 shows
the deobfuscated script.

Figure 6: Second document, first stage VBScript

Figure 6 shows the following malicious actions:

  1. Terminate the winword.exe process with taskkill.exe  to hide
    the prompt shown in Figure 1
  2. Download an executable from
    http[:]//95.141.38[.]110/mo/dnr/copy.jpg, saving it to
    ‘%appdata%\Microsoft\Windows\Start
    Menu\Programs\Startup\winword.exe’
  3. Download a document from
    http[:]//95.141.38[.]110/mo/dnr/docu.doc, saving it to
    %temp%\document.doc
  4. Clean up the Word Resiliency keys for
    Word versions 15.0 and 16.0, so that Microsoft Word will restart
    normally
  5. Execute the malicious payload at
    ‘%appdata%\Microsoft\Windows\Start
    Menu\Programs\Startup\winword.exe’
  6. Open the decoy document,
    %temp%\document.doc, to hide the malicious activity from the
    user

Examination of the malicious payload revealed that it is a variant
of the dropper for what Microsoft calls WingBird,
which has similar characteristics as FinFisher. The malware is heavily
obfuscated with several anti-analysis measures, including a custom VM
to slow analysis. A blog
post by "Artem"
covers a payload driver of WingBird.
The blog author briefly mentions the protection techniques of the
dropper, which match this sample.

MD5

Size

Name

Description

c10dabb05a38edd8a9a0ddda1c9af10e

70,269

СПУТНИК РАЗВЕДЧИКА.doc

 

Malicious document

9dec125f006f787a3f8ad464d480eed1

27,500

template.doc

Malicious HTA file

acde6fb59ed431000107c8e8ca1b7266

1,312,768

copy.jpg/winword.exe

Final payload

e01982913fbc22188b83f5f9fadc1c17

6,220,783

docu.doc/document.doc

Decoy document

Table 2: Second document metadata

Conclusion

FireEye observed CVE-2017-0199, a vulnerability in Microsoft Word
that allows an attacker to execute a malicious Visual Basic script.
The CVE-2017-0199 vulnerability is a logic bug and bypasses most
mitigations. Upon execution of the malicious script, it downloads and
executes malicious payloads, as well as displays decoy documents to
the user. The two documents achieve execution of their malicious
payloads, with one containing LATENTBOT and the other containing
WingBird/FinFisher. The malicious document contained only a link to
the attacker controlled server, showing the advantage of FireEye’s MVX
engine to detect multi-stage attacks. Further campaigns leveraging
this attack have been observed prior to patch availability, but are
not covered in this blog.

We recommend that Microsoft Office users apply the patch
as soon as possible.

Acknowledgement

Thank you to Michael Matonis, Dhanesh Kizhakkinan, Yogesh Londhe,
Swapnil Patil, Joshua Triplett, and Tyler Dean from FLARE Team,
FireEye Labs Team, and FireEye iSIGHT Intelligence for their
contributions to this blog. Thank you as well to everyone who worked
with us at the Microsoft Security Response Center (MSRC).

This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog