Cloud Werewolf targeted government employees with Microsoft Office documents, abusing CVE-2017-11882 and a VBScript/HTA payload to download additional components and persist on victims’ systems. The operation relies on remote document templates, web-hosted payloads, and C2 communications to advance the intrusion. #CloudWerewolf #CVE-2017-11882 #rationalistic #triger-working #web-telegrama
Keypoints
- Cloud Werewolf targeted government employees using Word documents such as “Путевки на лечение 2024.doc” and other official-looking files.
- The attackers used remote document templates hosted on compromised or malicious domains to stage the infection.
- Exploitation of CVE-2017-11882 enabled shellcode execution after victims opened the documents.
- Decryption of the malicious payload uses a 2-byte XOR key, followed by loading an HTA file with a VBScript.
- The VBScript creates rationalistic.xml and multiple streams (e.g., rationalistic.hxn, rationalistic.vbs) to decrypt, launch, and persist the payload.
- Persistence is achieved by adding a Run key (defragsvc) in HKCU to auto-start wscript, and the malware fetches additional VBS files from a C2 server and exfiltrates data back via POST requests.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Delivered via Word documents targeted at government employees. “If the victim opened the attached file, a remote resource, for example https://triger-working[.]com/en/about-us/unshelling, was retrieved.”
- [T1218.005] HTML Application – HTA payload loaded from a remote server containing a Visual Basic script and opened. “Downloading an HTA file from a remote server containing a Visual Basic script, and opening it.”
- [T1203] Exploitation for Client Execution – Successful exploitation of the vulnerability and execution of shellcode. “Successful exploitation of the vulnerability and execution of shellcode led to the following actions.”
- [T1027] Obfuscated/Decoded Files or Information – Payload decrypted inside the shellcode using a 2-byte XOR key. “The malicious payload embedded in the shellcode is decrypted using an XOR operation with a 2-byte key.”
- [T1105] Ingress Tool Transfer – Remote loading of HTA/VBScript components; “The script downloads additional VBScript files from the command server.”
- [T1547.001] Run Keys/Startup Folder – Adds a Run registry entry to auto-start the VBScript. “Adding the file rationalistic.xml:rationalistic.vbs to autostart by creating a defragsvc entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value ‘wscript /B [path]’.”
- [T1041] Exfiltration Over C2 Channel – Data exfiltration via POST requests to C2; “If the file rationalistic.tmp exists, it is sent to the controlling server using a POST request, and then cleared.”
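The T1547.001 and T1218.005 entries above combine two observables a defender can key on: a Run value that starts a script host, and a script path that names an NTFS alternate data stream (`rationalistic.xml:rationalistic.vbs`). The detection sketch below is an added example, not code from the original report. The event records are constructed in a Sysmon-like shape (EventID 13 registry value set, EventID 11 file create, EventID 1 process create) with Sysmon's field names; the SID, user name and the directory holding rationalistic.xml are made up, since the page does not state where the file is written.

```python
"""Added detection sketch (not code from the original report): flag Run-key persistence whose
value launches a script host against an NTFS alternate data stream, script files written into
a stream, and script-host processes started on one. SAMPLE_EVENTS are constructed."""
import re

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# A drive-letter path whose final component names a stream with a script extension,
# e.g. C:\dir\rationalistic.xml:rationalistic.vbs (Zone.Identifier and similar do not match).
ADS_SCRIPT_RE = re.compile(
    r"[a-z]:\\[^\s\"']*?[^\\\s\"':]+:[^\\\s\"':]+\.(?:vbs|vbe|js|jse|wsf|hta)\b", re.I)
SCRIPT_HOSTS = ("wscript", "cscript", "mshta")


def ads_script_path(text: str):
    """Return the first alternate-data-stream script path found in `text`, else None."""
    m = ADS_SCRIPT_RE.search(text or "")
    return m.group(0) if m else None


def check_event(ev: dict):
    """Return a finding string for a suspicious event, or None."""
    eid = ev.get("EventID")
    if eid == 13:  # registry value set
        key = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        details = ev.get("Details", "")
        ads = ads_script_path(details)
        if key and ads and any(h in details.lower() for h in SCRIPT_HOSTS):
            return f"Run value '{key.group(1)}' starts a script host on stream {ads}"
    if eid == 11:  # file create
        ads = ads_script_path(ev.get("TargetFilename", ""))
        if ads:
            return f"script written to alternate data stream {ads}"
    if eid == 1:  # process create
        image = ev.get("Image", "").lower()
        ads = ads_script_path(ev.get("CommandLine", ""))
        if ads and image.endswith(tuple(h + ".exe" for h in SCRIPT_HOSTS)):
            return f"script host {image} executing stream {ads}"
    return None


def scan(events):
    """(RecordId, finding) for every event that trips a rule."""
    out = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            out.append((ev["RecordId"], hit))
    return out


SID = r"HKU\S-1-5-21-111-222-333-1001"  # constructed
SAMPLE_EVENTS = [  # constructed records
    {"RecordId": 1, "EventID": 13,
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"RecordId": 2, "EventID": 13,
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\defragsvc",
     "Details": r'wscript /B "C:\Users\user\AppData\Roaming\rationalistic.xml:rationalistic.vbs"'},
    {"RecordId": 3, "EventID": 11,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\rationalistic.xml:rationalistic.vbs"},
    {"RecordId": 4, "EventID": 11,
     "TargetFilename": r"C:\Users\user\Downloads\report.docx:Zone.Identifier"},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript /B C:\Users\user\AppData\Roaming\rationalistic.xml:rationalistic.vbs"},
]

if __name__ == "__main__":
    for record_id, finding in scan(SAMPLE_EVENTS):
        print(record_id, finding)
```

Record 1 (a normal Run value) and record 4 (the ubiquitous Zone.Identifier stream) are deliberately included as negatives; the rule fires only when a script extension sits behind the stream separator, which keeps mark-of-the-web noise out of the alert queue.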
Indicators of Compromise
- [Domain] triger-working[.]com – remote template source used to lure victims
- [Domain] web-telegrama[.]org – host for additional VBScript/files
- [URL] https://triger-working[.]com/en/about-us/unshelling – document template download
- [URL] https://web-telegrama[.]org/podcast/accademia-solferino/backtracker – additional VBScript delivery
- [File name] Путевки на лечение 2024.doc – lure document
- [File name] Приказ [redacted] № ВБ‑52фс.doc – lure document
- [File name] Инженерная записка.doc – lure document
- [File name] rationalistic.xml – container for data streams (rationalistic.hxn, rationalistic.vbs, rationalisticinit.vbs)
- [File name] rationalistic.xml:rationalistic.vbs – payload decrypt/launch component
- [Registry Key] HKCU\Software\Microsoft\Windows\CurrentVersion\Run – defragsvc autostart entry
- [File path] C:\Users\[user]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word – referenced path for cleanup/update
- [CVE] CVE-2017-11882 – exploited vulnerability in Office to execute code