Microsoft Office Zeroday used to attack Pakistani targets

November 6, 2013  |  Jaime Blasco

Earlier today Microsoft released a security advisory (Microsoft Security Advisory 2896666, CVE-2013-3906) warning about a new Microsoft Office vulnerability being exploited in the wild. The vulnerability affects Office 2003 and Office 2007, and Office 2010 only when it is running on Windows XP or Windows Server 2003.

The vulnerability lies in the parsing of TIFF images. Microsoft released a Fix it that blocks rendering of TIFF images on the system; the equivalent manual workaround from the advisory is to set the DWORD value DisableTIFFCodec to 1 under HKLM\SOFTWARE\Microsoft\Gdiplus.

The exploit we analyzed uses ROP gadgets and ActiveX controls (rather than Flash) to heap-spray memory.

If the exploit succeeds, it calls URLDownloadToFileA to download and execute a payload from a remote HTTP server.

The downloaded payload is a RAR archive containing both the malicious payload and a lure Office document that is shown to the victim.

We have found different payloads talking to the same C&C server that use different lure documents. Some of the lure documents relate to the Pakistani intelligence service (Inter-Services Intelligence, ISI) and the Pakistani military.

This payload communicates with the C&C server over HTTP:

GET /logitech/rt.php?cn=XXXXX@Administrator&str=&file=no HTTP/1.1
User-Agent: WinInetGet/0.1

When we saw this traffic it looked familiar: the same protocol was used by one of the Operation Hangover payloads. We can confirm that the downloader is based on the Deksila downloader, not only because it generates similar HTTP traffic but also because of the way it retrieves information from the system, and even the raw strings shared by both payloads:

The presence of the following files can be used to find systems infected by the different versions of the downloader (the path separators were lost in the original rendering and are restored here):

  • C:\Documents and Settings\Temp\iconfall.log
  • C:\Documents and Settings\HddLink.lnk
  • C:\Documents and Settings\Updates.exe
  • C:\Documents and Settings\wincert.exe
  • C:\Documents and Settings\kayani.doc
  • C:\Documents and Settings\Shanti.doc
  • C:\Documents and Settings\Locations.doc
  • C:\Documents and Settings\ISI.doc
  • C:\Documents and Settings\GoodLuck.doc
  • C:\cdata.txt

Based on the victim information we could retrieve from the C&C server, we can confirm that most of the IP addresses communicating with it are located in Pakistan.

When an infected system checks in to the C&C server, a file is created with the following content:

User : [USERNAME]
IP : [IP_ADDRESS]
AV : [NAME_OF_ANTIVIRUS_SOLUTION]

The attackers can push additional (2nd-stage) payloads to the infected systems, which the victims download over HTTP. Based on the C&C information we collected, this is the list of unique filenames used for 2nd-stage payloads; most of them mimic the names of legitimate Windows binaries:

  • alg.exe
  • connhost.exe
  • lgfxsrc.exe
  • lgfxsrv.exe
  • lgfxsrvc.exe
  • msctcd.exe
  • svchost.exe
  • taskmgr.exe
  • taskngr.exe
  • waulct.exe
  • wimhost.exe
  • winlog.exe
  • winlogon.exe
  • winnit.exe
  • winsoun.exe
  • winword.exe
  • wmpi.exe
  • wsqmocn.exe

And the list of unique MD5s:

  • 0d51296e5c74a22339ec8b7e318f274a
  • 101852851d70dfc46c4d022ef077d586
  • 2ed6a6c349cae3842023d83c6b1ed1c5
  • 4e878b13459f652a99168aad2dce7c9a
  • 654f558cf824e98dde09b197dbdfd407
  • 6a57cda67939806359a03a86fd0eabc2
  • 8378abb63da7e678c76c09f44b43d02a
  • e75ad6c8484f524d93eaf249770be699
  • fd51dc5f1683c666a4925af8f1361d5d
  • fd75a23d8b3345e550c4a9bbc6dd2a0e

Of all the payloads we retrieved from the C&C, the following had already been uploaded to VirusTotal. Note the low antivirus detection rates:

  • fd75a23d8b3345e550c4a9bbc6dd2a0e  1 / 47    
  • 6a57cda67939806359a03a86fd0eabc2  1 / 47    
  • 4e878b13459f652a99168aad2dce7c9a  1 / 47    
  • 2ed6a6c349cae3842023d83c6b1ed1c5  0 / 47    

Following is a description of the different payloads we found on the C&C, to help you build IOCs (Indicators of Compromise) and detect infected systems.

Main Downloader

  • Network traffic

    Performs HTTP GET requests; some examples are:

        /logitech/rt.php?cn=xx@&str=&file=no
        /green/srt.php?cn=xx@&str=&file=no
        /funbox/rt.php?cn=@&str=&file=no
        /joy/rt.php?cn=@&str=&file=no

    You can look for the pattern "&str=&file=no" in your proxy logs to find infected systems.
     
  • Yara rule:

    rule Hangover2_Downloade {
      strings:
        $a = "WinInetGet/0.1" wide ascii
        $b = "Excep while up" wide ascii
        $c = "&file=" wide ascii
        $d = "&str=" wide ascii
        $e = "?cn=" wide ascii
      condition:
        all of them
    }

File stealer

It looks for files with the following extensions on the infected system and exfiltrates them to the C&C server:

  • xls,xlsx
  • doc,docx
  • ppt,pptx
  • pdf
  • txt

  1. Network traffic

    Performs POST requests; some examples are:

        POST /crks.php HTTP/1.1
        Content-Length: 44
        Content-Type: application/x-www-form-urlencoded
        User-Agent: MyWebClient
        Host: xxx
        Connection: Keep-Alive

        POST /drkl.php HTTP/1.1
        Content-Length: 44
        Content-Type: application/x-www-form-urlencoded
        User-Agent: MyWebClient
        Host: xxx
        Connection: Keep-Alive

        POST /max.php HTTP/1.1
        Content-Length: 49
        Content-Type: application/x-www-form-urlencoded
        User-Agent: MyWebClient
        Host: xxx
        Connection: Keep-Alive

    You can look for HTTP connections with the User-Agent MyWebClient.

  2. Yara rule

    rule Hangover2_stealer
    {
      strings:
        $a = "MyWebClient" wide ascii
        $b = "Location: {[0-9]+}" wide ascii
        $c = "[%s]:[C-%s]:[A-%s]:[W-%s]:[S-%d]" wide ascii

      condition:
        all of them
    }
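The downloader's check-in (the `?cn=...&str=&file=no` query string and the WinInetGet/0.1 User-Agent) and the stealer's MyWebClient POSTs are both easy to hunt for in proxy logs. The Python below is an added example, not code from the original post or from AlienVault; it scans log lines for those indicators, pulls the `cn=` victim identifier out of a check-in, and lists the clients worth triaging. The log layout (client, method, URL, status, quoted User-Agent) and the sample lines are constructed for the example; the domains are the C&C names listed at the end of the post, the client addresses and hostnames are made up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the post. The check-in pattern is deliberately stricter than a bare
# "&str=&file=no" substring search: it also requires the cn= parameter in front of it.
CHECKIN_QUERY = re.compile(r"[?&]cn=[^&]*&str=&file=no(?:&|$)")
DOWNLOADER_UA = "WinInetGet/0.1"
STEALER_UA = "MyWebClient"

# Assumed log layout for this example (one request per line):
#   <client-ip> <method> <url> <status> "<user-agent>"
LOG_LINE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample log (clients, hostnames and usernames are made up).
SAMPLE_LOG = """\
10.0.0.12 GET http://krickmart.com/logitech/rt.php?cn=WS01@Administrator&str=&file=no 200 "WinInetGet/0.1"
10.0.0.13 GET http://maptonote.com/green/srt.php?cn=@&str=&file=no 200 "WinInetGet/0.1"
10.0.0.13 GET http://maptonote.com/green/alg.exe 200 "WinInetGet/0.1"
10.0.0.14 POST http://myflatnet.com/crks.php 200 "MyWebClient"
10.0.0.15 GET http://example.org/index.php?cn=foo&str=bar&file=yes 200 "Mozilla/5.0"
10.0.0.16 GET http://example.org/ 200 "Mozilla/5.0"
"""


def classify(line):
    """Return a hit dict for one log line, or None if it matches no indicator."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    client, method, url, ua = m["client"], m["method"], m["url"], m["ua"]
    if CHECKIN_QUERY.search(url):
        # cn= carries "<machine>@<user>"; it is sometimes just "@", hence keep_blank_values
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        return {
            "client": client,
            "indicator": "hangover_downloader_checkin",
            "confidence": "high",
            "victim": query.get("cn", [""])[0],
            "url": url,
        }
    if ua == DOWNLOADER_UA:
        # The UA without the check-in query is what a 2nd-stage fetch looks like.
        return {"client": client, "indicator": "hangover_downloader_ua",
                "confidence": "medium", "url": url}
    if ua == STEALER_UA and method == "POST":
        # "MyWebClient" is a generic-looking string, so keep this at medium confidence.
        return {"client": client, "indicator": "hangover_stealer_post",
                "confidence": "medium", "url": url}
    return None


def scan(log_text):
    """All hits in the log, in file order."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            hits.append(hit)
    return hits


def suspected_hosts(log_text):
    """Sorted list of client addresses with at least one hit, for triage."""
    return sorted({h["client"] for h in scan(log_text)})


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["client"]:12} {h["indicator"]:28} {h["confidence"]:7} '
              f'{h.get("victim", ""):20} {h["url"]}')
    print("hosts to check:", ", ".join(suspected_hosts(SAMPLE_LOG)))
```

Run it against your own proxy export after adapting LOG_LINE to that format; the check-in regex is the part that carries the detection, the User-Agent matches are only there to pick up the 2nd-stage fetches and stealer uploads from the same hosts.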

Remote shell backdoor

  1. Network traffic

    This payload is a remote shell backdoor that speaks a custom binary protocol on TCP port 5858. The victim opens the connection and sends "FHEPF", the C&C answers "Pass", and the victim then sends an "Auth" line describing itself. Example traffic:

    T VICTIM:1050 -> C&C:5858 [A]
      FHEPF
    #
    T C&C:5858 -> VICTIM:1050 [AP]
      Pass
    #
    T VICTIM:1050 -> C&C:5858 [AP]
      Authjanettedoe @ [MACHINE_NAME]#/[OPERATING_SYSTEM]#/[IP_ADDRESS]#/

  2. Yara rule

    rule Hangover2_backdoor_shell
    {
      strings:
        $a = "Shell started at: " wide ascii
        $b = "Shell closed at: " wide ascii
        $c = "Shell is already closed!" wide ascii
        $d = "Shell is not Running!" wide ascii

      condition:
        all of them
    }

    You can also look for the creation of the following registry value, which the backdoor uses for persistence:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinLstart
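The handshake above is simple enough to recognise in reassembled TCP streams. The Python below is an added example, not code from the original post or from AlienVault: it checks a stream for the FHEPF / Pass / Auth sequence and pulls the victim's self-description out of the Auth message. It assumes the Auth line has the shape `Auth<user> @ <machine>#/<os>#/<ip>#/` (with `janettedoe` in the capture standing for the logged-in user) and that the two short messages are padded with trailing spaces, as the capture suggests; the sample stream and its field values are constructed.

```python
HELLO = b"FHEPF"        # victim -> C&C, opens the handshake
PASS_REPLY = b"Pass"    # C&C -> victim
AUTH_PREFIX = b"Auth"   # victim -> C&C, followed by the self-description
FIELD_SEP = b"#/"

# Constructed stream: (direction, payload) pairs in wire order; "c2s" is victim -> C&C.
# The padding mimics the trailing whitespace in the capture (assumed fixed-size sends).
SAMPLE_STREAM = [
    ("c2s", b"FHEPF" + b" " * 27),
    ("s2c", b"Pass" + b" " * 28),
    ("c2s", b"Authjanettedoe @ WIN-DESKTOP#/Windows XP Service Pack 3#/192.0.2.10#/"),
]


def _clean(payload):
    """Strip the trailing padding (spaces / NULs) seen in the capture."""
    return payload.rstrip(b" \x00")


def parse_auth(payload):
    """Parse 'Auth<user> @ <machine>#/<os>#/<ip>#/' into a dict, or None if it does not fit."""
    payload = _clean(payload)
    if not payload.startswith(AUTH_PREFIX):
        return None
    user, sep, rest = payload[len(AUTH_PREFIX):].partition(b" @ ")
    if not sep:
        return None
    fields = rest.split(FIELD_SEP)
    # three fields, each terminated by "#/", so split() yields a fourth, empty element
    if len(fields) != 4 or fields[3] != b"":
        return None
    machine, os_name, ip = (f.decode("latin-1") for f in fields[:3])
    return {"user": user.decode("latin-1"), "machine": machine, "os": os_name, "ip": ip}


def detect_handshake(stream):
    """Return the victim description if the stream opens with the backdoor handshake, else None."""
    if len(stream) < 3:
        return None
    (d0, p0), (d1, p1), (d2, p2) = stream[:3]
    if (d0, _clean(p0)) != ("c2s", HELLO):
        return None
    if (d1, _clean(p1)) != ("s2c", PASS_REPLY):
        return None
    if d2 != "c2s":
        return None
    return parse_auth(p2)


if __name__ == "__main__":
    print(detect_handshake(SAMPLE_STREAM))
```

The function only needs the payloads in order with their direction, so it can be fed from whatever reassembles your captures (tcpflow output, a scapy session, a sensor's stream callback). Because the server's "Pass" is required before the Auth line is accepted, a stray "FHEPF" on port 5858 from a scanner will not produce a false hit, while a C&C that has changed its port is still caught if the three messages are present.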

Keylogger

This payload installs global keyboard hooks to capture keystrokes.

  1. Yara rule

    rule Hangover2_Keylogger
    {
      strings:
        $a = "iconfall" wide ascii
        $b = "/c ipconfig /all > \"" wide ascii
        $c = "Global\\{CHKAJESKRB9-35NA7-94Y436G37KGT}" wide ascii
      condition:
        all of them
    }

Schneebly (Screenshot payload)

This payload takes screenshots and uploads them to the C&C server.

  1. Network traffic

    Example traffic: (shown as an image in the original post; not reproduced here)

The Yara rules can be downloaded from our GitHub repository.

Finally, this is the list of IP addresses and domain names used by the attackers to host C&C servers and malicious payloads:

  • krickmart.com
  • 37.0.125.77
  • 37.0.124.106
  • maptonote.com
  • myflatnet.com
  • lampur.com
  • appworldstores.com
  • similerwork.net
  • intertechsupport.net
  • twikstore.com

We will continue publishing more information about the Microsoft Office 0-day and more IOCs as we discover new data.