A Tale of PivNoxy and Chinoxy Puppeteer | FortiGuard Labs 

Fortinet FortiGuard Labs analyzes a spearphishing campaign against a South Asian telecommunications agency, weaponizing an RTF document with Royal Road to exploit CVE-2018-0798 and drop a DLL chain leading to PoisonIvy (PivNoxy/Chinoxy) backdoors. The report outlines the attackers’ techniques, potential threat actors, and long-running campaign history, including DLL hijacking, shellcode delivery, and fake update chains, with PoisonIvy identified as the suspected final payload. #PivNoxy #Chinoxy

Keypoints

  • The attack begins with a spearphishing email that includes a Word document attachment designed to exploit a vulnerability in Microsoft Word (CVE-2018-0798).
  • The weaponized document drops three files upon execution: Cannondriver.exe (a signed Logitech binary), LBTServ.dll (unsigned), and Microsoft.BT.
  • The LBTServ.dll hijacks DLL loading via DLL Search Order Hijacking to load the embedded payload, a technique central to the Chinoxy/PivNoxy chain.
  • The Cannondriver.exe loader eventually decrypts and loads additional payloads, and in the latest variant injects into svchost.exe and uses a dynamic DNS domain to reach the attacker’s C2.
  • PoisonIvy (Pivy) RAT is identified as the potential final payload, enabling backdoor access and lateral movement within infected networks.
  • FortiGuard traces the actor’s activity across years, noting a timeline that includes Chinoxy and PivNoxy variants and regional focus in South Asia and Mexico.
  • Network IOCs include several dynamic DNS domains and the goog1eupdate[.]com domain used for C2, with additional domains observed in related campaigns.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The attack started with a simple email that included a single document as an attachment.
  • [T1203] Exploitation for Client Execution – CVE-2018-0798 in Microsoft Word’s Equation Editor is used to execute code in the background.
  • [T1204.002] User Execution: Malicious File – Opening the decoy Word document triggers the malicious payload.
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – LBTServ.dll is used to hijack the legitimate DLL search order.
  • [T1055.001] Process Injection: Dynamic-link Library Injection – Cannondriver.exe loads the payload and injects it into svchost.exe.
  • [T1140] Deobfuscate/Decode Files or Information – The payload is decrypted after being loaded into memory.
  • [T1027] Obfuscated/Encoded Files or Information – The configuration file contains a base64 string that decodes to the C2 server address.
  • [T1105] Ingress Tool Transfer – The malware uses a dynamic DNS channel to reach a C2 server hosting the payload.
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration occurs over the C2 channel.

Indicators of Compromise

  • [File Name] Cannondriver.exe – dropped as part of the dropper chain; masquerades as Logitech’s Cannondriver.exe.
  • [File Name] LBTServ.dll – DLL dropped by Cannondriver.exe; not digitally signed.
  • [File Name] Microsoft.BT – additional dropped file observed in the dropper set.
  • [File Hash] 719f25e1fea12c8dc573e7161458ce7a5b6683dee3a49bb21a3ec838d0b35dd3 – associated with Chinoxy variant dropper (older).
  • [File Hash] 75f7b6197d648eaa8263d23c8f9aa9224038259d25df073803929d6582ea27b1 – associated with Chinoxy variant dropper (older).
  • [Network] goog1eupdate[.]com – C2-related domain used by Chinoxy/PivNoxy family.
  • [Network] mfaupdate[.]com – C2-related domain observed in related campaigns.
  • [Network] instructor[.]giize[.]com – dynamic DNS C2 domain referenced by the campaign.
  • [Network] beautygirl[.]dynamic-dns[.]net – dynamic DNS domain observed in related activity.
  • [Network] frontbeauty[.]dynamic-dns[.]net – dynamic DNS domain observed in related activity.
  • [IP] 58[.]64[.]184[.]201 – regional access observed to a related C2 domain.
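The indicators above can be turned into a simple hunting script. The following is an added example, not code from FortiGuard or the report: it refangs the listed domains and IP, matches them against DNS log lines (subdomains of the dynamic-DNS entries match too), checks a file inventory for the two dropper hashes, and flags the side-loading pattern from the Keypoints, a signed Cannondriver.exe sitting next to an unsigned LBTServ.dll in the same folder. The log format, the inventory records and the `signed` flag (assumed to come from a separate Authenticode check such as PowerShell's Get-AuthenticodeSignature) are constructed for the demonstration.

```python
import re

# Indicators copied from the IOC list above, in the defanged form the report uses.
DEFANGED_DOMAINS = [
    "goog1eupdate[.]com",
    "mfaupdate[.]com",
    "instructor[.]giize[.]com",
    "beautygirl[.]dynamic-dns[.]net",
    "frontbeauty[.]dynamic-dns[.]net",
]
DEFANGED_IPS = ["58[.]64[.]184[.]201"]
DROPPER_HASHES = {
    "719f25e1fea12c8dc573e7161458ce7a5b6683dee3a49bb21a3ec838d0b35dd3",
    "75f7b6197d648eaa8263d23c8f9aa9224038259d25df073803929d6582ea27b1",
}
# The signed loader and the unsigned DLL it side-loads (file names from the report).
LOADER_EXE = "cannondriver.exe"
SIDELOAD_DLL = "lbtserv.dll"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (goog1eupdate[.]com) back into a matchable form."""
    return indicator.replace("[.]", ".").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}


def indicator_for(token: str):
    """Return the IOC matched by a host/IP token, or None. Subdomains of a
    listed domain also match, which matters for the dynamic-DNS entries."""
    t = token.lower().strip(".")
    if t in IPS:
        return t
    for domain in DOMAINS:
        if t == domain or t.endswith("." + domain):
            return domain
    return None


def scan_dns_log(lines):
    """Return (line_number, indicator) for every log line that mentions an IOC."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in re.findall(r"[A-Za-z0-9.\-]+", line):
            ioc = indicator_for(token)
            if ioc is not None:
                hits.append((number, ioc))
                break  # one hit per line is enough
    return hits


def _split_path(path: str):
    """Lower-cased (directory, file name) from a Windows or POSIX path."""
    normalised = path.replace("\\", "/").lower()
    directory, _, name = normalised.rpartition("/")
    return directory, name


def scan_inventory(entries):
    """entries: dicts with 'path', 'sha256' and 'signed' (bool from an Authenticode
    check done elsewhere; assumed, not part of this script). Flags known dropper
    hashes and the side-loading pair: a signed Cannondriver.exe next to an
    unsigned LBTServ.dll in the same folder."""
    findings = []
    per_directory = {}
    for entry in entries:
        directory, name = _split_path(entry["path"])
        if entry["sha256"].lower() in DROPPER_HASHES:
            findings.append(("known_dropper_hash", entry["path"]))
        if name in (LOADER_EXE, SIDELOAD_DLL):
            per_directory.setdefault(directory, {})[name] = entry
    for directory, files in per_directory.items():
        exe, dll = files.get(LOADER_EXE), files.get(SIDELOAD_DLL)
        if exe and dll and exe["signed"] and not dll["signed"]:
            findings.append(("sideload_pair", directory))
    return findings


# Constructed sample data for the demonstration; not taken from the report.
SAMPLE_DNS_LOG = [
    "2024-01-10T09:12:01Z client=10.0.0.15 query=www.microsoft.com type=A",
    "2024-01-10T09:12:07Z client=10.0.0.15 query=goog1eupdate.com type=A",
    "2024-01-10T09:13:44Z client=10.0.0.22 query=instructor.giize.com type=A",
    "2024-01-10T09:14:02Z client=10.0.0.22 answer=58.64.184.201",
]
SAMPLE_INVENTORY = [
    {"path": r"C:\Users\victim\AppData\Roaming\Logi\Cannondriver.exe", "sha256": "a" * 64, "signed": True},
    {"path": r"C:\Users\victim\AppData\Roaming\Logi\LBTServ.dll", "sha256": "b" * 64, "signed": False},
    {"path": r"C:\Users\victim\Downloads\attachment.rtf",
     "sha256": "719f25e1fea12c8dc573e7161458ce7a5b6683dee3a49bb21a3ec838d0b35dd3", "signed": False},
    {"path": r"C:\Program Files\Logitech\Cannondriver.exe", "sha256": "c" * 64, "signed": True},
    {"path": r"C:\Program Files\Logitech\LBTServ.dll", "sha256": "d" * 64, "signed": True},
]

if __name__ == "__main__":
    for number, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS log line {number}: matches IOC {ioc}")
    for kind, where in scan_inventory(SAMPLE_INVENTORY):
        print(f"{kind}: {where}")
```

The legitimate Logitech install (signed executable with a signed DLL) is deliberately left unflagged; the side-loading heuristic only fires when the DLL beside the signed loader is unsigned, which is the condition the Keypoints describe.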

Read more: https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis