Threat Actors Leverage CVE 2017-0199 to Deliver Zeus Panda via Smoke Loader


POSTED ON JUNE 22, 2017 BY EESAAN ATLURI IN MALWARE ANALYSIS, PHISHING, PHISHING DEFENSE CENTER

Our Phishing Defense Center identified and responded to attacks leveraging a relatively new Microsoft Office vulnerability during the past few weeks. Last week, the PDC observed threat actors exploiting CVE-2017-0199 to deliver the Smoke Loader malware downloader, which in turn was used to deliver the Zeus Panda botnet malware. These emails claim to deliver an invoice for an “outstanding balance” and trick the recipient into opening the attached file. In one instance, we have also seen the malicious attachment delivered via a URL rather than as an attachment.

The subject lines of the emails followed a consistent pattern: a string of alphanumeric characters followed by the phrase “Invoice Past Due”. An example is shown below.

An example of the phishing email used in these attacks is shown below.

The following URL was also identified in one example delivering a malicious document.

hxxp://3tco.com[.]vn/index.html.php?id=<base64 email address>

The file delivered by these emails is an RTF document containing an OLE object that exploits CVE-2017-0199. Once opened, the exploit runs code that downloads a file from a remote host. In this campaign the downloaded file was a Microsoft Word document disguised with an .xls extension and containing embedded malicious code. When the download completes, the file is automatically loaded into the original RTF document. The vulnerability in this loading process changes how the downloaded file's contents are interpreted, so that the malicious code inside is executed. That embedded code then downloads a malicious executable and a decoy “accounts payable documentation report”. The benign document is displayed to disguise the threat actors' activity, after which the executable is run. The downloaded executable is a sample of the Smoke Loader malware downloader.

Upon execution, this Smoke Loader sample obtains a copy of the Zeus Panda banking trojan. Once run on the machine, Zeus Panda performs extensive checks to determine whether it is running in a virtualized or analysis environment before contacting its command and control hosts. Once contact has been established, these hosts provide update instructions and configuration data that guide the trojan's financial-crime and botnet activity on infected machines.

The following section details how the CVE-2017-0199 vulnerability is exploited and lists its IOCs.

This vulnerability takes advantage of how Microsoft Office and WordPad handle OLE embedded link objects in RTF files. Exploitation abuses certain RTF control words (the embedded object is marked as a link and set to update automatically) so that the link target is fetched from a remote server as soon as the document is opened, which allows a malicious file to be downloaded without further user interaction. In the publicly documented exploit chain the server answers with an HTA content type, and Office hands the response to the HTA handler, which executes the script it contains regardless of the file's extension. In this campaign the downloaded file was another RTF-style document containing embedded malicious script, which is executed when Microsoft Office attempts to load it as an OLE object.
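The indicators described above (an embedded object marked as a link and set to auto-update, an OLE2Link class name, and a URL moniker pointing at a remote file inside the hex-encoded object data) can be checked statically before a document is opened. The following Python triage script is an added example and is not code from the original post or from PhishMe; the RTF sample it scans is constructed inline for the demo, the URL in it is a placeholder, and the OLE1 header bytes are stand-ins rather than a faithful container layout.

```python
"""Static triage of an RTF file for CVE-2017-0199-style OLE2Link objects.

Added example, not code from the original post. It reports the
indicators the post describes: an \\object group that is a link and set to
auto-update (\\objautlink / \\objupdate), an OLE2Link class name, and a URL
moniker inside the hex-encoded \\objdata that points at a remote file.
"""
import re
import struct

# CLSID of the URL moniker, {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, as it is
# serialised (little-endian GUID) inside an OLE stream.
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")

# Hex payload following a \objdata control word (may contain whitespace/newlines).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
AUTO_UPDATE_RE = re.compile(rb"\\objupdate|\\objautlink")


def _extract_urls(blob: bytes) -> list:
    """Return every URL stored after a URL-moniker CLSID in decoded object data.

    A serialised URL moniker is the CLSID, a uint32 byte length, then the
    URL as null-terminated UTF-16LE.
    """
    urls = []
    pos = 0
    while True:
        idx = blob.find(URL_MONIKER_CLSID, pos)
        if idx < 0:
            break
        start = idx + len(URL_MONIKER_CLSID)
        if start + 4 > len(blob):
            break
        (length,) = struct.unpack_from("<I", blob, start)
        raw = blob[start + 4 : start + 4 + length]
        urls.append(raw.decode("utf-16-le", errors="replace").rstrip("\x00"))
        pos = start + 4 + length
    return urls


def scan_rtf(data: bytes) -> dict:
    """Scan raw RTF bytes and return the indicators found."""
    findings = {
        "is_rtf": data.lstrip().startswith(b"{\\rt"),  # obfuscated docs may use {\rt
        "has_object": b"\\object" in data,
        "auto_update": AUTO_UPDATE_RE.search(data) is not None,
        "ole2link": False,
        "urls": [],
    }
    for m in OBJDATA_RE.finditer(data):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]          # tolerate a truncated trailing nibble
        try:
            blob = bytes.fromhex(hexdata.decode("ascii"))
        except ValueError:
            continue
        if b"OLE2Link" in blob:
            findings["ole2link"] = True
        findings["urls"].extend(_extract_urls(blob))
    # An auto-updating linked object whose moniker is a remote URL is the
    # CVE-2017-0199 trigger shape; flag it regardless of the claimed class.
    findings["suspicious"] = (
        findings["has_object"] and findings["auto_update"] and bool(findings["urls"])
    )
    return findings


def build_sample() -> bytes:
    """Constructed sample for the demo. Not a real exploit document: only the
    class name, the moniker CLSID and the URL field follow the real layout;
    the other bytes are stand-ins. The URL is an assumed placeholder."""
    url = "http://example.invalid/cr2mgmts.xls"
    url_utf16 = url.encode("utf-16-le") + b"\x00\x00"
    blob = (
        b"\x01\x05\x00\x00\x02\x00\x00\x00"   # OLE1 header bytes (stand-in)
        + b"OLE2Link\x00" + b"\x00" * 8
        + URL_MONIKER_CLSID
        + struct.pack("<I", len(url_utf16))
        + url_utf16
    )
    return (
        b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw1\\objh1"
        b"{\\*\\objclass Word.Document.8}"
        b"{\\*\\objdata " + blob.hex().encode("ascii") + b"}}}"
    )


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in scan_rtf(data).items():
        print(f"{key:12} {value}")
```

Run it against a real sample with `python scan_rtf.py invoice.rtf`; with no argument it scans the constructed sample. The check keys on the auto-update control words plus a remote URL moniker rather than on the class name, because the `\objclass` string is attacker-controlled and varies between samples.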

The following document files were identified as leveraging an exploit for CVE-2017-0199.


The following URLs were used to provide a malicious payload for execution by this document.

hxxp://2752E3751847.com/cr2mgmts.exe

hxxp://2752E3751847.com/offic0semgmts.doc

hxxp://2752E3751847.com/cr2mgmts.xls

hxxp://hncidhw.top/cr1_mgmts.xls

hxxp://hncidhw.top/offic0semgmts.doc

hxxp://hncidhw.top/cr1_mgmts.exe

Smoke Loader

A commonly used malware downloader, the Smoke Loader malware operates using a set of command and control hosts to provide instructions to the malware for downloading additional payloads. While the locations of these command and control hosts are hardcoded into the Smoke Loader binary, the payload locations are not. The payload locations are instead obtained from the Smoke Loader command and control in response to the malware’s HTTP requests. The following Smoke Loader files were used in this campaign.


After completing its initial check-in with command and control infrastructure, this Smoke Loader instance obtained its payload set from the following locations.

hxxps://reterbawax.top/feedweb/feed.php

hxxps://nyminalowe.info/feedweb/feed.php

hxxps://uppedutari.com/feedweb/feed.php

hxxps://irveneloni.info/feedweb/feed.php

hxxps://zelispecto.top/feedweb/feed.php

Zeus Panda

The following file set was identified as used in this campaign to infect machines with malware featuring extensive anti-analysis functionality including the ability to detect multiple forms of virtualization and physical device restoration utilities.


The following payload locations were used by Zeus Panda to obtain its modules and configuration.

hxxps://bilinom.info/grabber.bin

hxxps://bilinom.info/backsocks.bin

hxxps://bilinom.info/webinjects_1new.dat

The command and control hosts below were used to support this malware. They log records of new infections and provide the configuration data the malware uses to conduct extensive credential-stealing operations. Credentials are primarily stolen via web injects customized for the customers of each financial institution listed in the configuration document.

hxxps://bilinom.info/c0/

hxxps://bilinom.info/1ewzugudiciemvovyyrmo.dat

hxxps://bilinom.info/gsZHT/

Finally, the executable below was identified within an infected environment at the completion of the infection process.
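The network indicators listed above (the lure URL with a base64-encoded address, the stage-two file names, the `/feedweb/feed.php` Smoke Loader check-ins and the Zeus Panda module and C2 paths) are most useful when run over proxy logs as a single hunt. The script below is an added example, not code from the original post or from PhishMe. The hosts and paths come from the IOC lists on this page; the log format and the log lines are constructed for the demo, and the decoded address in the sample URL is a placeholder rather than a real target.

```python
"""Hunt for this campaign's network indicators in web-proxy logs.

Added example, not code from the original post. Hosts and path shapes are
taken from the post's IOC lists; the log format and lines are constructed.
"""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hosts from the post (written defanged there as hxxp / [.]).
CAMPAIGN_HOSTS = {
    "3tco.com.vn", "2752e3751847.com", "hncidhw.top",
    "reterbawax.top", "nyminalowe.info", "uppedutari.com",
    "irveneloni.info", "zelispecto.top", "bilinom.info",
}

# Path shapes that recur across the infrastructure, so they still fire if the
# actors rotate to hosts not yet on the list.
PATH_PATTERNS = [
    ("smoke_loader_c2", re.compile(r"^/feedweb/feed\.php$")),
    ("zeus_panda_payload", re.compile(r"^/(grabber|backsocks)\.bin$|^/webinjects_.*\.dat$")),
    ("cve-2017-0199_stage2", re.compile(r"^/[a-z0-9_]+mgmts\.(xls|doc|exe)$")),
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_tracking_id(url: str) -> Optional[str]:
    """The lure URL carried the recipient's address base64-encoded in ?id=.
    Recover it so the targeted mailbox can be tied to the proxy hit."""
    qs = parse_qs(urlsplit(url).query)
    for value in qs.get("id", []):
        padded = value + "=" * (-len(value) % 4)   # tolerate stripped padding
        try:
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def triage_line(line: str) -> Optional[dict]:
    """Parse one constructed log line: '<ts> <src_ip> <method> <url> <status>'.
    Returns a finding dict, or None when nothing matches."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, src, method, url, status = parts[:5]
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    hits = []
    if host in CAMPAIGN_HOSTS:
        hits.append("known_host")
    for name, pattern in PATH_PATTERNS:
        if pattern.match(u.path):
            hits.append(name)
    if not hits:
        return None
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": status, "hits": hits, "target": decode_tracking_id(url)}


def triage(log: str) -> list:
    """Run triage_line over every line of a log and keep the findings."""
    return [r for r in (triage_line(l) for l in log.splitlines()) if r]


# Constructed sample log for the demo (timestamps, IPs and the base64 id are
# made up; the id decodes to the placeholder user@example.com).
SAMPLE_LOG = """\
2017-06-14T09:02:11Z 10.1.4.23 GET http://3tco.com.vn/index.html.php?id=dXNlckBleGFtcGxlLmNvbQ== 200
2017-06-14T09:02:40Z 10.1.4.23 GET http://2752E3751847.com/cr2mgmts.xls 200
2017-06-14T09:03:05Z 10.1.4.23 GET http://2752E3751847.com/cr2mgmts.exe 200
2017-06-14T09:04:12Z 10.1.4.23 POST https://reterbawax.top/feedweb/feed.php 200
2017-06-14T09:05:30Z 10.1.4.23 GET https://bilinom.info/webinjects_1new.dat 200
2017-06-14T09:06:01Z 10.1.4.23 GET https://www.example.com/index.html 200
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["ts"], finding["src"], ",".join(finding["hits"]),
              finding["url"], finding.get("target") or "")
```

The sequence of hits from one source address (lure URL, stage-two `.xls` and `.exe`, then the `feed.php` check-in and the Zeus Panda web-inject download) reproduces the infection chain described in the post, which is a stronger signal than any single indicator on its own.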

Recommendation:

PhishMe® cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for emails with subject lines matching the pattern described above. Organizations should also confirm that the April 2017 Microsoft Office security updates addressing CVE-2017-0199 are installed, since a patched Office installation does not fetch and execute the remote object. PhishMe Simulator™ customers may consider launching simulations that follow this style of attack to further train their users to detect and report suspicious emails. A simulation template will be available by end of day.
