Sunday, August 27, 2017

Malspam campaign exploiting CVE-2017-0199: a hunting approach

In the last few days I have seen a few malspam emails with RTF files attached.

The content of the mails is a fake shipping order with a ZIP attachment containing the malicious RTF file. An example of this file is

This malicious RTF file exploits CVE-2017-0199.

PowerShell is used by this campaign, hence monitoring for suspicious PowerShell command executions would detect it. I wrote a bit about this approach here.

In this case, monitoring all HTTP/S connections opened by PowerShell would detect it:

index=main powershell "tag::eventtype"=network 
| table _time  process DestinationHostname DestinationIp DestinationPort 

Or any PowerShell command with suspicious parameters, for example with the following Splunk query:

index=main Powershell | regex CommandLine="(?i)(-en|-e|-encoded|createobject|uploadfile)" 
| table _time ParentCommandLine CommandLine 

Coming back to the initial RTF file, the PowerShell command executed is as follows:

This basically acts as a dropper for hxxps:// The malicious file is in VT.

However, the use cases mentioned above are generic ones for detecting suspicious PowerShell commands, and I am interested in detecting this specific CVE-2017-0199 exploitation scenario.

During the attack phase, Winword.exe retrieves a malicious HTA file from a remote server via HTTPS. With this in mind, we can create a Splunk search to detect any ".hta" file stored as a temporary internet file in the user's "AppData" directory and created by Winword.exe.

For example, a query like this does the job:

index=main EventDescription="File Created" Image="*Winword*" 
TargetFilename="*AppData*\.hta" | table Image TargetFilename

The file retrieved in this case is hxxps://

I have uploaded a copy of the file here.

Another approach is to hunt for any PowerShell process whose parent process is mshta.exe:

index=main  ParentImage="*mshta.exe" CommandLine=*powershell* 
| table _time ParentCommandLine CommandLine 
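To show how the three hunts above behave outside Splunk, here is an added Python example (not from the original post) that applies equivalent rules to constructed Sysmon-style events; every field value, path and command line in it is made up for illustration.

```python
import re

# Constructed sample events (not real telemetry): an .hta written by Winword.exe
# under AppData, a PowerShell process spawned by mshta.exe, and a benign one.
SAMPLE_EVENTS = [
    {"EventDescription": "File Created",
     "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\X1\12[1].hta"},
    {"EventDescription": "Process Create",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "ParentCommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\alice\AppData\Local\12[1].hta',
     "CommandLine": "powershell.exe -nop -w hidden -e BASE64_PLACEHOLDER"},
    {"EventDescription": "Process Create",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# Same alternation as the regex query in the post; -e also catches -en/-encoded.
SUSPICIOUS_PS_ARGS = re.compile(r"(?i)(-en|-e|-encoded|createobject|uploadfile)")

def hta_written_by_winword(event):
    """Mirror of the File Created query: Winword.exe writing an .hta under AppData."""
    target = event.get("TargetFilename", "").lower()
    return (event.get("EventDescription") == "File Created"
            and "winword" in event.get("Image", "").lower()
            and "appdata" in target and target.endswith(".hta"))

def powershell_child_of_mshta(event):
    """Mirror of the ParentImage query: PowerShell launched by mshta.exe."""
    return (event.get("ParentImage", "").lower().endswith("mshta.exe")
            and "powershell" in event.get("CommandLine", "").lower())

def suspicious_powershell_args(event):
    """Mirror of the regex query on suspicious PowerShell parameters."""
    cmd = event.get("CommandLine", "")
    return "powershell" in cmd.lower() and SUSPICIOUS_PS_ARGS.search(cmd) is not None

def hunt(events):
    """Return (rule name, event) pairs for every event that matches a rule."""
    rules = {"hta_written_by_winword": hta_written_by_winword,
             "powershell_child_of_mshta": powershell_child_of_mshta,
             "suspicious_powershell_args": suspicious_powershell_args}
    return [(name, ev) for ev in events for name, rule in rules.items() if rule(ev)]

if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(name, "->", ev.get("TargetFilename") or ev.get("CommandLine"))
```

Note that the `-e` alternative is deliberately broad and will also fire on arguments such as `-ExecutionPolicy`, so the parent-process rule is the lower-noise signal of the three.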

aea9347409f465a5d9665f868c5258c6 - 12.hta
1db41de874e3539762ea7ea3b416de2d - Po-096.doc
ff61db305ab6f924451cdbe51c66ba1e -
c1e4f507f85420ad116acf521dc241c6 - drgtgrt.exe