Cybereason protects against malware utilizing the exploit CVE-2017-8759


POST BY: SARAH MALONEY; September 15, 2017

There’s been some buzz going on about the high-to-critical vulnerability CVE-2017-8759. Recorded Future is ranking it with a risk score of 99 out of 100. It’s a pretty big deal, so one of our researchers did some digging. We can confidently confirm to our customers that you are protected against malware utilizing the exploit CVE-2017-8759.

CVE-2017-8759 is a good illustration of behavior-based detection of the malware payloads themselves, as opposed to detection of the specific vulnerability. The Cybereason platform protects against the malware itself, and is certain to detect most malicious payloads that could be used in conjunction with these exploits. In other words, while we may not necessarily catch the exploitation of a vulnerability in and of itself (such as a heap spray/buffer overflow technique), the purpose of such attacks is nearly always to download or execute malware on the compromised machine, an activity that the Cybereason platform will detect.

This specific CVE exploits a document parsing vulnerability allowing an attacker to create a specially crafted .doc file that will manipulate the document parser of MS Word into running malicious code. The way that this exploit is currently being used in the wild has been well illustrated by other vendors. Up to this point, CVE-2017-8759 has primarily been observed delivering the FinSpy malware using a behavior pattern which the Cybereason platform catches.

Once this particular exploit has taken control of the Microsoft Word process (winword.exe), it launches an mshta.exe process to pull down the primary malware executable from a malicious website. In some cases, rather than using mshta.exe, it uses VBScript or PowerShell to download and execute the primary malware executable. The Cybereason platform consistently catches this type of execution pattern: Microsoft Word launching an isolated mshta, VBScript, or PowerShell interpreter that connects to a malicious website and downloads executable code.

Our analysts do see mshta.exe fairly often, and our behavior rules surrounding its usage are highly sensitive. We are quick to trigger Malops™ for mshta.exe-related behaviors, even those that could be considered merely suspicious and not necessarily malicious. Because mshta.exe has become such a popular mechanism for malware persistence over the last year or so, our analysts want to investigate every occurrence.

As malware authors have migrated towards the fileless malware paradigm, many have discovered that Microsoft bundled into its operating system a browser-equivalent facility (mshta.exe) which is far more trusted than Internet Explorer. This facility allows attackers to deliver attacker-controlled code (VBScript, JScript, JavaScript) to the victim, and it provides a method of pulling malware out of the registry upon startup, which allows their malware to survive reboots. This hunting technique looks for malicious invocations of the MSHTA binary, which can be abused to run attacker-controlled code on the victim machine.

It’s important to note that mshta.exe itself is not a malicious program. It has many legitimate uses: parts of the Windows OS utilize mshta.exe, as do Amazon and HP software (Amazon toolbar and standard HP printer utility). The legitimate uses of mshta.exe are too numerous to begin to list here, but it should suffice to say that simply searching for usage of mshta.exe in your environment will yield far too many results (99% being false positives) to easily sort through. During our hunts we routinely sort through every use of mshta.exe in an environment to ensure it is benign. If there are any malicious uses of this program, we investigate and verify any use of this privileged and signed Microsoft process.
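
An added example, not Cybereason's rule logic or code from the original post: a sketch of the parent-child hunt described above (Word launching mshta, a VBScript host, or PowerShell, then connecting out), set beside a name-only search for mshta.exe. The events are constructed and use Sysmon field names; treating wscript.exe/cscript.exe as the VBScript hosts, and all paths, GUIDs and the hostname, are assumptions.

```python
from ntpath import basename  # parses Windows paths on any OS

OFFICE_PARENTS = {"winword.exe"}
# Assumption: wscript.exe / cscript.exe stand in for "VBScript" in the post.
INTERPRETERS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

def proc(guid, image, parent):   # Sysmon EventID 1: process creation
    return {"EventID": 1, "ProcessGuid": guid, "Image": image, "ParentImage": parent}

def conn(guid, host):            # Sysmon EventID 3: network connection
    return {"EventID": 3, "ProcessGuid": guid, "DestinationHostname": host}

# Constructed sample events. Paths, GUIDs and the hostname are made up.
SYS = "C:\\Windows\\System32\\"
WORD = "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
EVENTS = [
    proc("{A1}", SYS + "mshta.exe", "C:\\Program Files\\HP\\PrinterUtility.exe"),
    proc("{A2}", SYS + "mshta.exe", "C:\\Windows\\explorer.exe"),
    proc("{A3}", SYS + "mshta.exe", WORD),
    conn("{A3}", "download.malicious.example"),
    proc("{A4}", SYS + "WindowsPowerShell\\v1.0\\powershell.exe", WORD),
    proc("{A5}", "C:\\Windows\\splwow64.exe", WORD),  # print helper, not a script host
]

def name(path):
    return basename(path).lower()

def name_only_hits(events):
    """Naive hunt: every mshta.exe launch, legitimate or not."""
    return [e for e in events if e["EventID"] == 1 and name(e["Image"]) == "mshta.exe"]

def office_spawned_interpreters(events):
    """Word -> script interpreter, raised to 'high' if that child connected out."""
    hosts_by_guid = {}
    for e in events:
        if e["EventID"] == 3:
            hosts_by_guid.setdefault(e["ProcessGuid"], []).append(e["DestinationHostname"])
    findings = []
    for e in events:
        if (e["EventID"] == 1 and name(e["ParentImage"]) in OFFICE_PARENTS
                and name(e["Image"]) in INTERPRETERS):
            hosts = hosts_by_guid.get(e["ProcessGuid"], [])
            findings.append({"guid": e["ProcessGuid"], "child": name(e["Image"]),
                             "hosts": hosts, "severity": "high" if hosts else "medium"})
    return findings

if __name__ == "__main__":
    print(len(name_only_hits(EVENTS)), "mshta.exe launches by name alone")
    for finding in office_spawned_interpreters(EVENTS):
        print(finding)
```

On this sample the name-only search returns the HP and Explorer launches alongside the Word-spawned one, while the parent-child rule returns only the two interpreters started by Word and ranks the one with an outbound connection higher.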

If you believe that your organization is being targeted by this specific exploit, please contact us or call +1-855-695-8200. We’ll happily help you investigate any active intrusion.

About Cybereason
Cybereason is the leader in endpoint protection, offering endpoint detection and response, next-generation antivirus, managed monitoring and IR services. Founded by elite intelligence professionals born and bred in offense-first hunting, Cybereason gives enterprises the upper hand over cyber adversaries. The Cybereason platform is powered by a custom-built in-memory graph, the only truly automated hunting engine anywhere. It detects behavioral patterns across every endpoint and surfaces malicious operations in an exceptionally user-friendly interface. Cybereason is privately held and headquartered in Boston with offices in London, Tel Aviv, and Tokyo.