Saturday, October 21, 2017

Hunting APT28 CVE-2017-11292 Flash Vulnerability

Proofpoint made public a couple of days ago that APT28 is using the last flash 0-day CVE-2017-11292 via some malicious weaponized DOC files; APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed

So far I have not seen this vulnerability abused by common malware but I guess is a matter of time that cyber criminals starts using it. 

At the moment in VT there are only 2 files with the tag CVE-2017-11292 . 

The second one is basically the Flash embedded into the first one.

In order to create a Use Case to detect it, first of all I check which processes are
spawned by Microsoft Word, but unfortunately there is no single processes spawned.
Although, I see there is some communication performed to a domain

This means that Microsoft Word is doing the connection to Internet, and I can hunt for that:

Seeing the amount of malware abusing Microsoft Word documents, it is  a must to closely monitor any anormal activity coming from Microsoft Office as I have discussed in this blog, like for example, commands spawned, connections done, etc.

The domain accessed in this case is  the domain reported in proofpoint blog post which has been registered a couple of days ago.

Again, this might be a good indicator.

if you can get a whitelist of domains which are most frequently accessed in your environment and combined with top Alexa 500, you might create a Use Case to monitor the registration date of the domains which might be a good indicator. I wrote a Use Case to detect this kind of behaviour in Exploit Kits some time ago; Hunting Exploit Kits Abusing Domain Generator Algorithm. There might be other ways to do it, via for example Passive DNS or similar, but in the end the the target is the same.

Coming back to the behaviour of this malicious DOC file, one of the things I see is that it loads some Image in order to open the flash embedded via an ActiveX in the document. 

It is possible to spot this behaviour while monitoring what Image are loaded by Microsoft Word

Monitoring all the Image Loaded by a process like Microsoft Office can generated lot of noise, that is why it is important to narrow with appropriate filters. 
Things like Flash, with historically many vulnerabilities being exploited, is something you might consider to monitor closely.

Now it is possible to combined two use cases: the connections established by Microsoft word and the Flash image loaded in order to create a more advance Use Case. This is done with one sub-search using the process_id.

I search for any MS Office process which loads flash and then performs a connections to Internet.

There might be other approaches, like monitoring registry keys related to Flash and office, and connections, but I find this process quite simple and working.

Again, it is important to keep a close eye in any Microsoft Office process and the connections established, as this might be good indicators :)