CVE-2017-0199: New Malware Abuses PowerPoint Slide Show

August 14, 2017

By Ronnie Giagone and Rubio Wu

CVE-2017-0199 was originally a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw that exists in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office to deliver malware. It is commonly exploited through the use of malicious Rich Text File (RTF) documents, a method used by the DRIDEX banking trojan discovered earlier this year.

We recently observed a new sample (detected by Trend Micro as TROJ_CVE20170199.JVU) exploiting CVE-2017-0199 using a new method that abuses PowerPoint Slide Show. This is the first time we have seen this approach used in the wild. As this is not the first time that CVE-2017-0199 was exploited for an attack, we thought it fitting to analyze this new attack method to provide some insight into how this vulnerability can be abused by other campaigns in the future.

Technical Analysis

Figure 1: Infection flow for TROJ_CVE20170199.JVU

The exploit arrives as a spear-phishing email attachment, purportedly from a cable manufacturing provider, that drops a remote access tool as its final payload. This makes sense as we have observed these attacks mainly targeting companies involved in the electronics manufacturing industry. We believe the targeted attack involves the use of a sender address disguised as a legitimate email sent by a business partner.

The content of the email sample looks like this:

Figure 2: Sample spear-phishing email

While the email itself mentions something about an order request, the user who receives this email will not find business documents attached, but rather a PPSX file that shows the following when clicked:

Figure 3: Screenshot of the PPSX file that abuses CVE-2017-0199

When the malicious PowerPoint Show is opened, it displays the text CVE-2017-8570, which is a different Microsoft Office vulnerability. However, based on our analysis, it actually exploits CVE-2017-0199 instead. This is a leftover mistake from the toolkit developer, which the sender did not choose to change.

The file triggers a script moniker in ppt/slides/_rels/slide1[.]xml[.]rels. The exploit runs the remote code at hxxp://192[.]166[.]218[.]230:3550/logo[.]doc, which is a VPN or hosting service that is abused by the attacker.

Figure 4: The payload link to remote malicious code embedded in ppt/slides/_rels/slide1.xml.rels.

If we run the sample, PowerPoint will initialize the script moniker and run the remote malicious payload through the PowerPoint Show animations feature.
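Because the moniker sits in a relationship part of the PPSX container, it can be found statically, without opening the file in PowerPoint. The following is an added example, not code from the original article or from Trend Micro: it scans every .rels part of an Office Open XML file for external relationships whose target uses a script moniker. It assumes the moniker appears as a "script:" prefix on the relationship Target; the names scan_rels and build_sample, the size limit, and the sample targets are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Assumption: the moniker appears as a "script:" prefix on the Target value.
MONIKER_PREFIXES = ("script:",)
MAX_PART_SIZE = 1_000_000  # .rels parts are tiny; larger ones are not parsed


def scan_rels(data: bytes):
    """Return (part, rel_id, target) for external relationships that use a script moniker."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".rels"):
                continue
            if info.file_size > MAX_PART_SIZE:
                findings.append((info.filename, None, "<oversized .rels part>"))
                continue
            raw = zf.read(info)
            try:
                if b"<!DOCTYPE" in raw.upper():  # never valid here; avoids entity tricks
                    raise ET.ParseError("DOCTYPE in .rels part")
                root = ET.fromstring(raw)
            except ET.ParseError:
                findings.append((info.filename, None, "<unparseable .rels part>"))
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "").strip()
                external = rel.get("TargetMode", "").lower() == "external"
                if external and target.lower().startswith(MONIKER_PREFIXES):
                    findings.append((info.filename, rel.get("Id"), target))
    return findings


def build_sample(target: str) -> bytes:
    """Constructed input: a zip holding a single .rels part, not a working slide show."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="urn:example:constructed" Target="{target}" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="urn:example:constructed" Target="../slideLayouts/slideLayout1.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_rels(build_sample("script:http://payload.example.invalid/placeholder")))
    print(scan_rels(build_sample("http://www.example.invalid/")))
```

An ordinary external hyperlink is not flagged; only an external target carrying the moniker prefix is reported, along with any .rels part that is oversized or cannot be parsed.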

Based on the screenshot below, we can see that after the flaw is successfully exploited, it will download the file logo.doc (detected by Trend Micro as JS_DLOADER.AUSYVT) from the internet.

Figure 5: Successfully downloading the logo.doc file

Figure 6: The logo.doc is not a doc file but an XML file which will download RATMAN.EXE

The logo.doc file is actually an XML file with JavaScript code that runs a PowerShell command to download and execute the file called RATMAN.EXE (detected by Trend Micro as BKDR_RESCOMS.CA). The executable is actually a trojanized version of the REMCOS remote access tool (RAT) from the Command & Control (C&C) server: hxxp://192[.]166[.]218[.]230:3550/ratman[.]exe, which is located in Poland. The 192[.]166[.]218[.]230 address is also known to host other kinds of RATs. RATMAN.EXE then connects to the C&C server at 5[.]134[.]116[.]146:3550 for execution.

Examining Ratman.EXE aka REMCOS RAT

Originally, the REMCOS RAT is a legitimate and customizable remote access tool that lets a user control a system from anywhere in the world. Once REMCOS is executed, it gives the perpetrator the ability to run remote commands on the user’s system. The tool’s capabilities can be seen in the Control Panel screenshot below, giving us an idea of what it can do once it enters a user’s system. The tool’s capabilities are quite comprehensive, and include a download & execute command, a keylogger, a screen logger, and recorders for both webcam and microphone.

Figure 7: Screenshot of the REMCOS RAT Control Panel

While the REMCOS builder typically only includes compression using UPX and MPRESS, the trojanized sample we acquired uses an unknown .NET protector, which includes several protections and obfuscations to make it more difficult for researchers to reverse.

Figure 8: The sample’s obfuscation code

After unpacking, the strings from the unpacked sample reveal the version of the REMCOS client it was built from.

Figure 9: Unpacked sample strings

REMCOS uses encrypted communication, including a hardcoded password for its authentication and network traffic encryption. Therefore, in order for RATMAN.EXE to communicate with its client, the ports and passwords must be set accordingly.

Figure 10: Using the REMCOS RAT tool

Ultimately, the use of a new method of attack is a practical consideration; since most detection methods for CVE-2017-0199 focus on the RTF method of attack, the use of a new vector, PPSX files, allows attackers to evade antivirus detection.

Mitigation and Trend Micro Solutions

Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails, even if they come from seemingly legitimate sources. Spear-phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files. By implementing proper mitigation techniques against phishing attacks, users can prevent malware that uses emails from infecting them in the first place.

Users should also always patch their systems with the latest security updates. Given that Microsoft already addressed this vulnerability back in April, users with up-to-date patches are safe from these attacks.

In addition to implementing effective mitigation techniques, the use of a multilayered solution such as Trend Micro™ Deep Discovery™ will help provide detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle.

Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats that abuse vulnerabilities. OfficeScan’s Vulnerability Protection shields endpoints from known and unknown vulnerability exploits even before patches are deployed.
