In the last few days I have seen a few malspam emails with RTF files attached.
The mails contain a fake shipping order with a ZIP attachment, which in turn contains the malicious RTF file. An example of this file is https://virustotal.com/#/file/cc1cca6b713f6ab0ddb81639b64e52f12a9875ab1e08034d5722826aef4b3164/detection
This malicious RTF file exploits CVE-2017-0199.
PowerShell is used by this campaign, so monitoring suspicious PowerShell command executions would detect it. I wrote a bit about this approach here.
In this case, monitoring all HTTP/S connections opened by PowerShell would detect it.
Alternatively, any PowerShell command with suspicious parameters would, for example with the following Splunk query:
Coming back to the initial RTF file, the PowerShell command executed is as follows:
This basically acts as a dropper for hxxps://www.iso9001-certificare.ro/a/Seal_Encrypted.exe. The malicious file is in VT.
However, the use cases mentioned above are generic use cases to detect suspicious PowerShell commands, and I am interested in detecting this specific CVE-2017-0199 exploitation scenario.
During the attack phase Winword.exe retrieves a malicious HTA file from a remote server via HTTPS. With this in mind, we can create a search in Splunk to detect any ".hta" file stored as a temporary internet file in the user's "AppData" directory and created by Winword.exe.
For example, a query like this does the job:
The file retrieved in this case is hxxps://www.iso9001-certificare.ro/a/12.hta
I have uploaded a copy of the file here: https://virustotal.com/#/file/e6bf9b7fbf30e2ba8bc2c6c0ee117f6cbb604b25fb0b4be24a3fb3e062987b3d/community
Another approach is to hunt for any PowerShell process whose parent process is mshta.exe.
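The two hunting ideas above (Winword.exe writing an .hta into the user's temporary internet files, and PowerShell spawned by mshta.exe) expressed as plain detection logic over endpoint events. This is an added example, not a query from the original post; the event field names and the sample events are constructed, and the INetCache path variant is assumed for newer IE cache layouts.

```python
import re

# Rule 1 path pattern: .hta under AppData temporary internet files (INetCache is an assumed newer name).
HTA_IN_TEMP_INET = re.compile(
    r"\\AppData\\Local\\Microsoft\\Windows\\(?:Temporary Internet Files|INetCache)\\.*\.hta$",
    re.IGNORECASE,
)

def is_winword_hta_drop(event: dict) -> bool:
    """Rule 1: file-creation event where Winword.exe writes an .hta to the IE cache."""
    if event.get("type") != "file_create":
        return False
    image = event.get("image", "").lower()
    return image.endswith("\\winword.exe") and bool(HTA_IN_TEMP_INET.search(event.get("target", "")))

def is_powershell_from_mshta(event: dict) -> bool:
    """Rule 2: process-creation event for PowerShell whose parent image is mshta.exe."""
    if event.get("type") != "process_create":
        return False
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower()
    return image.endswith(("\\powershell.exe", "\\pwsh.exe")) and parent.endswith("\\mshta.exe")

def hunt(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if is_winword_hta_drop(ev):
            hits.append(("winword_hta_drop", ev))
        if is_powershell_from_mshta(ev):
            hits.append(("powershell_parent_mshta", ev))
    return hits

# Constructed sample events reproducing the chain described in the post, plus benign noise.
WORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "image": WORD,
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ABCD1234\12[1].hta"},
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe", "parent_image": WORD},
    {"type": "process_create", "image": PS, "parent_image": r"C:\Windows\System32\mshta.exe"},
    {"type": "file_create", "image": WORD, "target": r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"},
    {"type": "process_create", "image": PS, "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(rule, ev["image"])
```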
aea9347409f465a5d9665f868c5258c6 - 12.hta
1db41de874e3539762ea7ea3b416de2d - Po-096.doc
ff61db305ab6f924451cdbe51c66ba1e - Po-096.zip
c1e4f507f85420ad116acf521dc241c6 - drgtgrt.exe