FortiGuard Labs analyzed an Excel document that embeds a randomized payload and exploits CVE-2017-11882 to drop malware on Windows. The analysis traces how the document loads the embedded file, uses a vulnerability to execute code, downloads Formbook/Redline payloads, and applies persistence and process hollowing techniques to run on the victim’s device. #CVE-2017-11882 #Formbook #Redline #EQNEDT32 #lutanedukasi #DiscordCDN
Keypoints
- The captured Excel document is named “GAT412-IFF22.xlsx” and embeds a randomized file “xtgjls.4flk6W” loaded via an OLE object to trigger code execution.
- CVE-2017-11882 is exploited within EQNEDT32.EXE by processing specially crafted equation data, leading to a stack buffer overflow and arbitrary code execution.
- The embedded shellcode decrypts dynamic code, loads APIs, and downloads an executable from a remote URL using URLDownloadToFileW(), then starts it with WinExec().
- The downloaded payload is associated with Formbook or Redline; multiple download URLs and a file hosted on Discord's CDN were observed in logs.
- Formbook's downloader/loader extracts a BBOKK DLL from a bitmap resource, installs it in memory, and uses a timer to fetch the Formbook payload for execution.
- Formbook persists by writing a Run key in the HKCU software registry and uses a local .url file to trigger startup execution.
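The chain above starts with an OLE object embedded in the workbook that is handed to Equation Editor. The following is an added example (not FortiGuard's code and not taken from the analyzed sample) of a static triage step a defender can run before a document is opened: it unpacks an .xlsx, lists the embedded OLE objects, and flags any that are OLE2 compound files carrying an Equation Editor stream. The compound-file signature and the "Equation Native" stream name are standard identifiers; the workbook built by `build_constructed_xlsx()` is a constructed stand-in with a fake embedding, not the real "xtgjls.4flk6W" object.

```python
"""Static triage of an .xlsx for embedded Equation Editor objects (added example)."""
import io
import re
import zipfile

# Standard OLE2 compound-file (CFB) signature.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Equation 3.0 objects store their data in a stream named "Equation Native";
# CFB directory entries hold stream names as UTF-16LE, so this substring is searchable.
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")
# Office Open XML places embedded OLE objects under xl/embeddings/oleObjectN.bin.
EMBEDDING_RE = re.compile(r"^xl/embeddings/oleObject\d+\.bin$", re.IGNORECASE)


def triage_xlsx(data: bytes) -> dict:
    """Return which embedded objects are CFB files and which contain an Equation stream."""
    findings = {"embedded_objects": [], "cfb_objects": [], "equation_objects": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not EMBEDDING_RE.match(name):
                continue
            blob = zf.read(name)
            findings["embedded_objects"].append(name)
            if blob.startswith(CFB_MAGIC):
                findings["cfb_objects"].append(name)
                if EQUATION_NATIVE_UTF16 in blob:
                    findings["equation_objects"].append(name)
    # Any Equation Editor object in an inbound spreadsheet is worth a closer look;
    # Equation Editor was removed from Office after CVE-2017-11882, so legitimate use is rare.
    findings["suspicious"] = bool(findings["equation_objects"])
    return findings


def build_constructed_xlsx(with_equation: bool) -> bytes:
    """Build a minimal workbook-shaped zip with one fake OLE embedding (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        # Fake 512-byte CFB header block; real files carry a full directory structure.
        ole = CFB_MAGIC + bytes(512 - len(CFB_MAGIC))
        if with_equation:
            ole += EQUATION_NATIVE_UTF16  # where a directory entry name would sit
        zf.writestr("xl/embeddings/oleObject1.bin", ole)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_xlsx(build_constructed_xlsx(with_equation=True)))
```

The substring check is a heuristic: it will not parse the CFB directory, so a hardened pipeline would follow it with a proper OLE parser and an inspection of the Equation Native stream length, since the overflow in EQNEDT32.EXE is driven by the font-name record inside that stream.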
MITRE Techniques
- [T1203] Exploitation for Client Execution – The vulnerability CVE-2017-11882 is exploited to execute malicious code inside EQNEDT32.EXE by processing crafted equation data. “CVE-2017-11882 is a vulnerability within ‘EQNEDT32.EXE’ that can be exploited when processing specially crafted equation data (formulas data).”
- [T1105] Ingress Tool Transfer – The shellcode decrypts code and downloads an executable from a URL using URLDownloadToFileW. “The decrypted code dynamically loads some APIs, such as … URLDownloadToFileW(), … and then calls the API URLDownloadToFileW() to download an exe file from a URL.”
- [T1055.012] Process Hollowing – The Formbook payload is injected into a randomly chosen process through a hollowing attack: “The malware randomly picks one process from them to perform a process hollowing attack. It first needs to create the picked process in a suspended state. Next, it must inject the Formbook payload file into its memory and deploy it.”
- [T1027] Obfuscated/Compressed Files and Information – The attacker encrypted and transformed the payload multiple times to evade detection: “The attacker encrypted and transformed this file many times to protect its payload file from being blocked and detected.”
- [T1041] Exfiltration Over Web Services – The Formbook payload eventually exfiltrates data to a C2 using HTTP requests (example of HTTP GET with Base64-encoded data): “When Formbook needs to submit the stolen data to a C2 server, it encrypts the data and encodes it with a Base64 algorithm. Following is an example of the HTTP GET packet Formbook sent to its C2 server.”
- [T1071.001] Web Protocols – The C2 communications and payload delivery rely on HTTP-based traffic to remote hosts (C2 servers listed in the article).
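The T1203 → T1105 step and the Run-key persistence in the keypoints leave a distinctive host-telemetry trail: Equation Editor has no business opening network connections or spawning child processes, and a Run value that points at a .url file is unusual. The following is an added example (not FortiGuard's code) of detection logic run over constructed Sysmon-style events. The event field names (`event`, `image`, `parent_image`, `dest`, `key`, `data`) are this example's own simplified schema, not Sysmon's; the file paths for word.exe and foyoqjbsL.url are constructed, and the destination host is the download domain from the IoCs.

```python
"""Detect EQNEDT32.EXE abuse and .url Run-key persistence in constructed host events (added example)."""
import ntpath

EQUATION_EDITOR = "eqnedt32.exe"
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and the HKLM twin) share this tail.
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run"


def _basename(path):
    """Case-insensitive Windows basename; ntpath handles backslashes on any host OS."""
    return ntpath.basename(path or "").lower()


def detect(events):
    """Return (rule, detail) alerts for the behaviours described in the analysis."""
    alerts = []
    for ev in events:
        kind = ev.get("event")
        if kind == "process_create" and _basename(ev.get("parent_image")) == EQUATION_EDITOR:
            # Shellcode calling WinExec() on the downloaded file shows up as a child of Equation Editor.
            alerts.append(("eqnedt32_child_process", ev.get("image", "")))
        elif kind == "network_connect" and _basename(ev.get("image")) == EQUATION_EDITOR:
            # URLDownloadToFileW() from inside the exploited process: outbound traffic from EQNEDT32.EXE.
            alerts.append(("eqnedt32_network", ev.get("dest", "")))
        elif kind == "registry_set":
            key = (ev.get("key") or "").lower()
            data = (ev.get("data") or "").lower()
            # Formbook's persistence: a Run value whose command is a local .url file.
            if RUN_KEY_FRAGMENT in key and data.strip('"').endswith(".url"):
                alerts.append(("run_key_url_file", ev.get("data", "")))
    return alerts


# Constructed events mimicking the chain: Excel opens, Equation Editor is launched by the
# DCOM launcher (so its parent is svchost.exe, not Excel), then the exploit downloads and
# runs a file, and the payload writes its Run key.
CONSTRUCTED_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "process_create",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"event": "network_connect",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "dest": "lutanedukasi.co.id:80"},
    {"event": "process_create",
     "image": r"C:\Users\victim\AppData\Local\Temp\word.exe",
     "parent_image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "foyoqjbsL",
     "data": r"C:\Users\victim\AppData\Roaming\foyoqjbsL.url"},
]


if __name__ == "__main__":
    for rule, detail in detect(CONSTRUCTED_EVENTS):
        print(f"{rule}: {detail}")
```

The first two rules fire on the exploit itself rather than on any particular payload, so they remain useful when the attacker rotates the download URL or swaps Formbook for Redline; the Run-key rule catches the persistence step even if the loader's in-memory stages are never written to disk.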
Indicators of Compromise
- [URLs] context – hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/Cikncbxlojqanjsfotzhopechujkgkeeyz.exe, hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/lsbjqoyofgkmqbuleooykdekgopmtglvjl.exe, https[:]//cdn[.]discordapp[.]com/attachments/937614907917078588/1009001073970794576/Lsbjqoyofgkmqbuleooykdekgopmtglr
- [Domains] context – valeloaiza.com, nxmdta.quest, yennft.com, techwithnova.com, newssmart.xyz, devopstp.com, trophies3d.co.uk, helpagencia.online, fineclocksandsoaps.com, universerealtor.website, hyriver.com, xishangtao.com
- [Files] context – xtgjls.4flk6W, word.exe, foyoqjbsL.url
- [SHA-256] context – GAT412-IFF22.xlsx: D1EA94C241E00E8E59A7212F30A9117393F9E883D2B509E566505BC337C473E3, [Formbook, lsbjqoyofgkmqbuleooykdekgopmtglvjl.exe]: C7B7CC6B73B04E2CD7D026A69D47139770ACE5A92457DA0F0C058EE438251B18
- [Files (Names)] context – GAT412-IFF22.xlsx, lsbjqoyofgkmqbuleooykdekgopmtglvjl.exe