Zscaler to Expand Zero Trust Exchange Platform's AI Cloud with Data Fabric Purpose-built for Security

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

CVE-2017-11882 serving RAT and encrypted phishing campaign

image
MOHD SADIQUE
December 20, 2017 - 5 min read

Introduction

Malicious documents remain one of the most popular vectors for cybercriminals to deliver malware payloads on a user's system. While we continue to see many types of VBA macro-based malware, there has been an increasing trend in malicious documents using the DDE protocol for delivering malware executables, which we wrote about last month. Microsoft released a security update last week that should significantly reduce the number of DDE-based attacks:

"Microsoft has released an update for Microsoft Office that provides enhanced security as a defense-in-depth measure. The update disables the Dynamic Update Exchange protocol (DDE) in all supported editions of Microsoft Word." - Microsoft Security Advisory

Zscaler ThreatLabZ has been tracking a new vector involving malicious RTF document files weaponized with the recently disclosed Microsoft memory corruption vulnerability, CVE-2017-11882. In this blog, we will review a recent campaign leveraging this exploit and also share insights on encrypted phishing campaigns.

Infection cycle

In our research into this new exploit, we encountered spam phishing emails containing a malicious document attachment that leads to a Remote Access Trojan (RAT) and an encrypted phishing page.

The complete workflow of this campaign is shown below:

Image

Fig 1: Workflow

The malware is received by the victim in a phishing email with a password-protected archive as the attachment.

An example of one such phishing email can be seen below:

Image

Fig 2: Phishing scam email

The attachment is a password-protected ZIP file, which prevents auto-analysis systems from extracting and analyzing malicious files.

After the extraction of the  ZIP file with the password given in the email, we are presented with an RTF document file. This RTF file exploits the CVE-2017-11882 vulnerability in Microsoft Office software to execute malicious code. Using this vulnerability, the attacker can install malware, access data, or create a new account with full access rights.

Once the document is opened, it shows a plain document to the user. However, in the background it downloads and executes a RAT; as it does, it shows the phishing email content to the user, which leads to a phishing site.

The malicious RTF document file is shown below.

Image

Fig 3: After HEX-to-ASCII conversion.

The RTF file contains the link to "note,"' which is an HTML application that is remotely executed by mshta.exe.

In the header section of note.hta, there is VBScript code that is executed when the file is loaded.

Image

Fig 4: Header section of note.hta

After decoding, the code looks like this.

Image

Fig 5: Decoded PowerShell code inside VBScript of note.hta

The VBScript in note.hta creates a hidden PowerShell process, which downloads malware named clear.exe, stores it in %TEMP% directory with the name clear.exe, and executes it.

Clear.exe is inherently a Python module that is converted from Python to EXE.

After the reverse engineering of clear.exe, we get the malicious Python script, which looks like a RAT client.

The RAT client connects with the Command & Control (C&C) server IP 197.200.145[.]178 on port 2016.

It has a couple of tasks that will be executed when the C&C server sends a command request.

Image

Fig 6: RAT commands (clear.exe)

RAT C&C commands supported:

  1. Kill – kill client connection

  2. Selfdestruct – kill client connection and remove traces of exploit

  3. Quit – close socket and connection

  4. Persistence – make RAT client persistent in system

  5. Scan – scan TCP ports

  6. Survey – run a system survey

  7. Cat <action> – output file on screen

  8. Execute <action> – execute a command

  9. Ls – list files in current directory

  10. Pwd – get working directory

  11. Unzip <action> – unzip a file

  12. Wget <action> – download a file from web

In addition to downloading this RAT executable, the malware will display a phishing email body pretending to come from the UK Government.

When note.hta is executed, it will display the following screen:

Image

Fig 7: note.hta on execution

The hyperlink shown in Fig 7 leads to a phishing site as shown below.

Image

Fig 8: Tax refund phishing site

The source code of this phishing site appears as follows:

Image

Fig 9: AES-encrypted phishing site

The source code of this phishing site is encrypted using AES-256. It decrypts itself when the page loads using the Aes.Ctr.decrypt function.

The aim of this encrypted site is to avoid detection by automated site crawlers, web security systems, IDS/IPS systems, and so on.

This phishing site asks for personal information, including credit card details, and sends it to the attacker.

Image

Fig 10: The phishing site steals the victim's personal information

Encrypted phishing campaigns

The AES-encrypted phishing campaign is an old tactic, with sites that are difficult to identify and difficult to catch by a crawler, which is why attackers are moving towards the encrypted phishing sites.

In the past few weeks, we've found many similar encrypted phishing sites that are designed to look like the homepages of a UK government agency, Apple, PayPal, Netflix, AOL, and others.

Image

Fig 11: Encrypted phishing sites hits during Nov-17 and Dec-17

Image

Fig 12: Phishing site posing as Netflix homepage

Image

Fig 13: Phishing site posing as Apple homepage

Image

Fig 14: Phishing site posing as AOL homepage

 

Zscaler protections:

CVE-2017-11882 :

Microsoft has provided the update for this memory corruption vulnerability.

Zscaler threatname – “Microsoft CVE-2017-11882”

Malicious HTML application (note.hta):

Zscaler threatname – “VBS.TrojanDownloader.Gen”

Remote Access Trojan (RAT):

Zscaler threatname – “Win32.Trojan.RAT”

Encrypted phishing websites:

Zscaler threatname – “Phishing.Encrypted.Gen”

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.