Recently, our analyst team came across a suspicious email from a Russian sender with the following information:
- Subject: Блокировка интернет ресурса ("Blocking of an internet resource")
- Sender: email@example.com
- Attached File: Wire problems.doc
The Microsoft Word document (MD5: c2c753f440314d1ec88c1569aa845ac2) was in fact a Microsoft Office RTF file which, when opened in a controlled system, generated network traffic without user interaction. After a first analysis we deduced that it exploited the .NET vulnerability reported on 12th September 2017 (CVE-2017-8759) and patched the same day by Microsoft.
This vulnerability takes advantage of an input validation flaw in the WSDL SOAP validation parser for RTF documents. It was likely deployed with an OLE object declaration similar to this one:
This object specifies a malicious file as the SOAP address, which the parser fails to validate because the string includes new line characters (CRLF). This allows the execution of arbitrary code through System.Diagnostics.Process.Start. The declaration produces the following hexdump once the RTF is saved:
This means the RTF downloads and executes the remote file with no user interaction beyond opening the attached file. This text.xml was in fact another OLE object declaration containing a PowerShell command encoded with base64:
Once decoded, the command reveals a PowerShell script containing two shellcodes, x86 and x64, chosen according to the architecture of the infected machine. The shellcode simply loads the Wininet.dll library via LoadLibraryA and resolves the following Windows API functions to handle a network request:
As a result, one HTTP GET request is generated to access a remote resource with the following User-Agent:
The downloaded file is a DLL (MD5: ed91fde671cf730e03a46ac1d56a872d) that we identified as part of the pentesting tool Cobalt Strike, which its author describes as follows:
Cobalt Strike is software for Adversary Simulations and Red Team Operations. Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network.
The authors behind these attacks are still unknown, but this blog will be updated with the remaining information once the investigation is completed.
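A triage check for the RTF stage described above, added here as an example and not taken from the original analysis: it decodes the hex object data of an RTF file and lists any address that follows `wsdl=`. The `soap:wsdl=<url>` string form, the function names and the sample document are assumptions made for illustration.

```python
import re
import sys

# Hex payload that follows the \objdata control word (whitespace allowed inside).
# Obfuscated RTFs can hide or split this; the check covers the plain form only.
OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
# Assumption: the moniker string reads "soap:wsdl=<url>", stored as ASCII or UTF-16LE.
ASCII_WSDL = re.compile(rb"wsdl=([\x21-\x7e]+)", re.I)
WIDE_WSDL = re.compile(rb"w\x00s\x00d\x00l\x00=\x00((?:[\x21-\x7e]\x00)+)", re.I)


def find_soap_wsdl(rtf: bytes) -> list:
    """Return every address that follows 'wsdl=' inside decoded object data."""
    hits = []
    for match in OBJDATA.finditer(rtf):
        digits = re.sub(rb"\s+", b"", match.group(1))
        digits = digits[: len(digits) - len(digits) % 2]  # drop a dangling nibble
        blob = bytes.fromhex(digits.decode("ascii"))
        hits += [u.decode("ascii") for u in ASCII_WSDL.findall(blob)]
        hits += [u.decode("utf-16-le") for u in WIDE_WSDL.findall(blob)]
    return hits


def constructed_sample() -> bytes:
    """Constructed, inert RTF: placeholder address, no valid OLE header."""
    moniker = "soap:wsdl=http://example.invalid/placeholder.xml".encode("utf-16-le")
    hexed = (b"\x01\x05\x00\x00" + moniker + b"\x00\x00").hex()
    lines = "\n".join(hexed[i:i + 64] for i in range(0, len(hexed), 64))
    return (r"{\rtf1{\object{\*\objdata " + lines + "}}}").encode("ascii")


if __name__ == "__main__":
    # Scan the file given on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for address in find_soap_wsdl(data):
        print("SOAP WSDL address in object data:", address)
```

Any hit in a document received by email is worth escalating, since ordinary Word documents have no reason to embed a SOAP WSDL address.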
- MD5s .doc:
- MD5s second payload: