Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II | FortiGuard Labs

FortiGuard Labs analyzed an Excel document that delivers Redline malware by exploiting CVE-2017-11882. The loader runs the payload in memory via process hollowing, persists through a Windows Task Scheduler task, and exfiltrates stolen data to a C2 server over HTTP using a WCF SOAP channel. Hashtags: #Redline #Formbook #CVE-2017-11882 #Lutanedukasi #DuckDNS

Keypoints

  • The document exploits CVE-2017-11882 to deliver and execute malware on Windows.
  • The Redline loader is obfuscated by SmartAssembly and can be deobfuscated with de4dot.
  • The loader uses process hollowing: it creates a process in the suspended state, replaces its image with the Redline payload, and resumes it.
  • Persistence is achieved via the Windows Task Scheduler (a task named Nafdfnasia running packtracer.exe).
  • Redline communicates with its C2 server using a WCF/SOAP channel over HTTP, with a defined set of remote methods (CheckConnect, GetArguments, GetUpdates, etc.).
  • The malware steals extensive data from browsers, email clients, wallets, and system info, and can capture screenshots before sending data to the C2 server.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – The embedded file … ‘exploits a particular vulnerability —CVE-2017-11882—to execute malicious code.’
  • [T1027] Obfuscated/Compressed Files or Information – The Redline loader ‘is obfuscated by a .NET Obfuscator called SmartAssembly 6.9.0.114.’
  • [T1055] Process Injection – The loader ‘dynamically loads a group of Windows APIs to process hollow the Redline payload file’ and uses CreateProcessAsUser, VirtualAllocEx, WriteProcessMemory, and related APIs to run the payload.
  • [T1053.005] Scheduled Task – Redline uses Windows Task Scheduler to persist, including the command that creates a scheduled task and runs packtracer.exe every minute.
  • [T1041] Exfiltration Over C2 Channel – Stolen data is ‘submitted to its C2 server’ encapsulated in XML-SOAP messages over the same channel used for tasking.
  • [T1071.001] Web Protocols – The C2 channel uses HTTP as the transport for sending SOAP messages (‘HTTP as the transport for sending SOAP 1.1 messages’).
  • [T1555.003] Credentials from Web Browsers – Redline can collect credentials and data from numerous browsers (Chrome, Edge, Firefox, etc.).
  • [T1082] System Information Discovery – It collects system information such as OS version, processor, RAM, etc.
  • [T1113] Screen Capture – It can take a screenshot of the victim’s screen as part of data collection.
  • [T1005] Data from Local System – It collects files from Desktop and Documents folders with specific keywords (txt, doc, key, wallet, seed).
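
As an added example (not code from the FortiGuard report), the following Python script hunts for the Task Scheduler persistence described under T1053.005. It parses the XML that `schtasks /query /tn <name> /xml` prints (the same format Windows stores under C:\Windows\System32\Tasks) and flags tasks that repeat at a short interval, run a binary from a user-writable path, or match the task name and binary name given above. The two task definitions are constructed for this example; the file path of packtracer.exe and the five-minute interval threshold are assumptions, since the report gives neither.

```python
"""Hunt for short-interval Task Scheduler persistence (added example).

Input is the XML that `schtasks /query /tn <name> /xml` prints, which is the
same format Windows stores under C:\\Windows\\System32\\Tasks. Exports are
UTF-16; decode them first (open(path, encoding="utf-16")) and pass the str.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task name and binary name reported for this Redline loader.
KNOWN_TASK_NAMES = {"nafdfnasia"}
KNOWN_BINARIES = {"packtracer.exe"}

# Assumption for this example: vendor tasks normally run from these roots;
# anything else (profile directories, %TEMP%, ProgramData) deserves a look.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Assumption: a repetition interval of five minutes or less is unusual for
# legitimate tasks and covers the report's "every minute".
SUSPICIOUS_INTERVAL_SECONDS = 300


def iso_duration_seconds(value):
    """Convert a Task Scheduler ISO 8601 duration (PT1M, PT1H30M, P1D) to seconds."""
    m = re.fullmatch(
        r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip()
    )
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyze_task(task_name, xml_text):
    """Return a list of human-readable findings for one task; [] means clean."""
    root = ET.fromstring(xml_text)
    findings = []

    if task_name.lower() in KNOWN_TASK_NAMES:
        findings.append(f"known task name: {task_name}")

    # Shortest repetition interval over all triggers. `schtasks /sc minute /mo 1`
    # produces <Repetition><Interval>PT1M</Interval></Repetition>.
    intervals = [
        iso_duration_seconds(e.text)
        for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)
    ]
    if intervals and min(intervals) <= SUSPICIOUS_INTERVAL_SECONDS:
        findings.append(f"repeats every {min(intervals)}s")

    for cmd in root.iterfind(".//t:Exec/t:Command", TASK_NS):
        path = (cmd.text or "").strip().strip('"')
        low = path.lower()
        exe = low.rsplit("\\", 1)[-1]
        if exe in KNOWN_BINARIES:
            findings.append(f"known loader binary: {exe}")
        if not low.startswith(TRUSTED_PREFIXES):
            findings.append(f"runs from untrusted path: {path}")
    return findings


def scan_tasks(tasks):
    """tasks: {task_name: xml_text}. Returns {task_name: findings} for flagged tasks only."""
    flagged = {}
    for name, xml_text in tasks.items():
        findings = analyze_task(name, xml_text)
        if findings:
            flagged[name] = findings
    return flagged


# Constructed sample tasks (not exported from an infected host). The path of
# packtracer.exe is assumed; the second task is a benign vendor-style task.
SAMPLE_TASKS = {
    "Nafdfnasia": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2023-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\victim\\AppData\\Local\\Temp\\packtracer.exe</Command></Exec>
  </Actions>
</Task>""",
    "ContosoUpdater": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2023-01-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files (x86)\\Contoso\\Updater\\updater.exe"</Command></Exec>
  </Actions>
</Task>""",
}

if __name__ == "__main__":
    for name, findings in scan_tasks(SAMPLE_TASKS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

To run this against a live host, export every task with `schtasks /query /xml` (or walk C:\Windows\System32\Tasks), decode each file as UTF-16 and feed the name/XML pairs to `scan_tasks`; the interval and path heuristics catch the technique even when the task name and binary name differ from this sample.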

Indicators of Compromise

  • [URL] hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/almac.exe – used to deliver the Redline loader.
  • [Domain] sinmac[.]duckdns[.]org:2267 – C2 server address (HTTP/SOAP channel).
  • [File name] GAT412-IFF22.xlsx – sample Excel document referenced in the exploit chain.
  • [File name] almac.exe – Redline loader filename.
  • [SHA-256] D1EA94C241E00E8E59A7212F30A9117393F9E883D2B509E566505BC337C473E3 – sample hash.
  • [SHA-256] 9D621005649A185E07D44EC7906530B8269DF0A84587DEB3AAC8707C5DD88B8C – sample hash.
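
The C2 protocol is a WCF SOAP 1.1 channel over HTTP, which gives a defender something concrete to match on: every call is an HTTP POST with Content-Type text/xml, a SOAPAction header, and an Envelope whose Body names the remote method. The Python below is an added example, not code from the report, that inspects a raw HTTP request for those traits and flags the method names (CheckConnect, GetArguments, GetUpdates) and the C2 host listed above. The sample requests are constructed; the http://tempuri.org/ namespace and the IService contract name in the SOAPAction are assumptions (WCF's defaults), since the report does not give them.

```python
"""Flag Redline-style WCF/SOAP 1.1 C2 requests in raw HTTP (added example)."""
import xml.etree.ElementTree as ET

SOAP11_ENVELOPE_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Remote method names the report lists for the Redline WCF channel.
REDLINE_METHODS = {"CheckConnect", "GetArguments", "GetUpdates"}
# C2 host:port from the report's IoCs.
REDLINE_C2_HOSTS = {"sinmac.duckdns.org:2267"}


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def soap_body_operations(xml_text):
    """Return the local names of the elements inside the SOAP 1.1 Body."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP11_ENVELOPE_NS}}}Envelope":
        return []
    body = root.find(f"{{{SOAP11_ENVELOPE_NS}}}Body")
    if body is None:
        return []
    return [child.tag.rsplit("}", 1)[-1] for child in body]


def inspect_request(raw):
    """Classify one request: is it SOAP 1.1, which operations, and why it is suspicious."""
    method, _target, headers, body = parse_http_request(raw)
    verdict = {"soap": False, "operations": [], "reasons": []}

    # SOAP 1.1 over HTTP is always a POST carrying a text/xml body.
    if method != "POST" or "text/xml" not in headers.get("content-type", ""):
        return verdict
    try:
        operations = soap_body_operations(body)
    except ET.ParseError:
        return verdict
    if not operations:
        return verdict
    verdict["soap"] = True
    verdict["operations"] = operations

    # WCF's default SOAPAction is "<namespace>/<contract>/<operation>"; the
    # operation is the last path segment, so check it as well as the Body.
    action = headers.get("soapaction", "").strip('"')
    action_op = action.rsplit("/", 1)[-1]
    hits = (set(operations) | {action_op}) & REDLINE_METHODS
    if hits:
        verdict["reasons"].append("Redline WCF method: " + ", ".join(sorted(hits)))

    host = headers.get("host", "").lower()
    if host in REDLINE_C2_HOSTS:
        verdict["reasons"].append("known C2 host: " + host)
    return verdict


# Constructed sample traffic (not captured from the real sample). The
# tempuri.org namespace and IService contract name are assumptions.
SAMPLE_BEACON = (
    "POST / HTTP/1.1\r\n"
    "Host: sinmac.duckdns.org:2267\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "http://tempuri.org/IService/CheckConnect"\r\n'
    "\r\n"
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><CheckConnect xmlns="http://tempuri.org/"/></s:Body></s:Envelope>'
)

# A legitimate internal SOAP service, to show the check does not fire on all SOAP.
SAMPLE_BENIGN_SOAP = (
    "POST /ws HTTP/1.1\r\n"
    "Host: erp.example.internal\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "http://example.internal/IInventory/GetStock"\r\n'
    "\r\n"
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><GetStock xmlns="http://example.internal/"><sku>42</sku></GetStock></s:Body></s:Envelope>'
)

SAMPLE_JSON = (
    "POST /api HTTP/1.1\r\n"
    "Host: api.example.internal\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"ping": true}'
)

if __name__ == "__main__":
    for label, req in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN_SOAP), ("json", SAMPLE_JSON)):
        print(label, inspect_request(req))
```

Because the channel is plain HTTP, a proxy or IDS sees the SOAPAction header and Body in the clear; matching on the operation names is more durable than matching on the DuckDNS host, which the operator can change at will.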

Read more: https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two