Monday, November 20, 2017

Hunting for Microsoft Equation Vulnerability - CVE-2017-11882

Since Microsoft released the November patches last week, in which CVE-2017-11882 was addressed, I've been trying to get a sample in order to perform some checks for the vulnerability. Today, thanks to Corsin Camichel, I got the PoC.

There is some information about this PoC in this blog post.

At the moment the detection rate of the malicious files used in this analysis is really low.

Office doesn't spawn any unusual process while exploiting this vulnerability, hence a Use Case which monitors unusual processes spawned by Office will not detect the exploitation of this issue.

However, in this case we need to pay attention to the equation tool process "EQNEDT32.EXE". This is the process that spawns the other processes, hence monitoring its child processes will detect any potential exploitation.
A basic Use Case for detecting it is below.

Time to monitor your EQNEDT32.EXE processes :)

Sunday, November 19, 2017

Detecting Adwind malware weaponized in MS office documents

On a daily basis I see a lot of Adwind malware trying to infect end users.

Adwind is a multiplatform Remote Access Trojan (RAT) which has been in the wild for some time. This Kaspersky blog post contains a good historical analysis.

In most cases Adwind is delivered as an email attachment (as a ZIP or JAR file), but that is not the only way. I've dealt with incidents involving Adwind where the infection vector was a malicious link.

Another potential infection vector is weaponized MS Office documents. Some of these weaponized documents have a really low detection rate, like the one above, which is detected by only 20% of the antivirus engines at the time of this writing and was detected by 8 AV engines (out of a total of 60) when the file was originally reported.


The malicious payload, a JAR file, is embedded in the MS Office document as an OLE object.

This can be seen by doing some manual analysis on the file:

A simple Use Case to detect the malware is to monitor any process spawned by MS Office; in this case it is a Java process.

In terms of persistence, the malware can be detected easily, as it creates an entry in the registry key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" pointing to a Java executable located in the user's AppData directory:

This can be easily hunted with a remote PowerShell query, like the one below.

Adwind malware kills a large number of processes related to antivirus and monitoring tools, which can also be a good indicator for detection.

To prevent those processes from being executed again, the malware uses an interesting trick: it registers each process name under the "Image File Execution Options" registry key with 'debugger=svchost.exe', so Windows launches svchost.exe instead of the real tool. This technique is described in this blog post.

This can be spotted straightforwardly with a query checking for any registry file imported from the user's AppData folder, like the one above:

Another way is to monitor all the registry keys being set with a Debugger value.
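As an added example (not the author's query), the following PowerShell script hunts on a host for the two persistence artefacts described above: Run-key entries pointing to a Java executable under AppData, and Image File Execution Options subkeys carrying a Debugger value. Function names are my own; it assumes PowerShell 5.1+ and read access to HKCU and HKLM.

```powershell
# Added example, not from the original post. Hunts for the Adwind persistence
# artefacts described above. Run it via Invoke-Command to cover remote hosts.

function Get-SuspiciousRunEntries {
    # Run-key values whose command references a Java executable under \AppData\
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $runKey)) { return }
    # Registry provider metadata properties that are not real Run entries
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        if ($cmd -match '(?i)\\AppData\\' -and $cmd -match '(?i)\bjavaw?\.exe') {
            [pscustomobject]@{ Name = $p.Name; Command = $cmd }
        }
    }
}

function Get-IfeoDebuggerEntries {
    # Every IFEO subkey (64-bit and WOW64 views) that defines a Debugger value.
    # Legitimate entries exist (e.g. developer tools), so review each hit;
    # a Debugger of svchost.exe for an AV/monitoring tool is the Adwind pattern.
    $ifeoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($key in $ifeoKeys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{
                    Image    = $_.PSChildName
                    Debugger = $dbg
                    Suspect  = ($dbg -match '(?i)svchost\.exe')
                }
            }
        }
    }
}

$run  = @(Get-SuspiciousRunEntries)
$ifeo = @(Get-IfeoDebuggerEntries)
"Run entries pointing to Java under AppData: $($run.Count)"
$run  | Format-Table -AutoSize
"IFEO Debugger entries: $($ifeo.Count) (svchost.exe debuggers flagged as Suspect)"
$ifeo | Format-Table -AutoSize
```

For fleet-wide hunting, wrap the script in `Invoke-Command -ComputerName <host list> -ScriptBlock { ... }`, which is how the remote query mentioned above would be run.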