FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit. FireEye has observed Office documents exploiting CVE-2017-0199 that download and execute malware payloads from different well-known malware families.
FireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch by Microsoft to address the vulnerability, which can be found here.
The vulnerability bypassed most mitigations prior to patch availability; however, FireEye email and network products detected the malicious documents. FireEye recommends that Microsoft Office users apply the patch from Microsoft.
Attack Scenario
The attack occurs in the following manner:
1. A threat actor emails a Microsoft Word document to a targeted user with an embedded OLE2 link object.
2. When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious HTA file.
3. The file returned by the server is a fake RTF file with an embedded malicious script.
4. Winword.exe looks up the file handler for application/hta through a COM object, which causes the Microsoft HTA application (mshta.exe) to load and execute the malicious script.
In the two documents that FireEye observed prior to the initial blog acknowledging these attacks, malicious scripts terminated the winword.exe processes, downloaded additional payloads, and loaded decoy documents. The original winword.exe process was terminated to conceal a user prompt generated by the OLE2link. Figure 1 shows this prompt.
Figure 1: User prompt hidden by the Visual Basic script
Document 1 - (MD5: 5ebfd13250dd0408e3de594e419f9e01)
The first malicious document identified by FireEye had three stages. An embedded OLE2 link object causes winword.exe to reach out to the following URL to download the stage one malicious HTA file:
http[:]//46.102.152[.]129/template.doc
Once downloaded, the malicious HTA file is processed by the “application/hta” handler. The highlighted line in Figure 2 shows the first download occurring, followed by the additional malicious payloads.
Figure 2: Live attack scenario
Once downloaded, the template file was stored in the user’s temporary internet files with the name template[?].hta, where [?] is determined at run time.
The Logic Bug
Mshta.exe is responsible for handling the Content-Type “application/hta,” parsing the content, and executing the script. Figure 3 shows winword.exe querying the registry for the CLSID of the “application/hta” handler.
Figure 3: Winword query registry value
Winword.exe makes a request to the DCOMLaunch service, which in turn causes the svchost.exe process hosting DCOMLaunch to execute mshta.exe. Mshta.exe then executes the script embedded in the malicious HTA document. Figure 4 shows the deobfuscated VBScript from the first stage download.
Figure 4: First document, stage one VBScript
The script shown in Figure 4 performs the following malicious actions:
1. Terminates the winword.exe process with taskkill.exe to hide the prompt shown in Figure 1.
2. Downloads a VBScript file from http[:]//www.modani[.]com/media/wysiwyg/ww.vbs and saves it to %appdata%\Microsoft\windows\maintenance.vbs.
3. Downloads a decoy document from http[:]//www.modani[.]com/media/wysiwyg/questions.doc and saves it to %temp%\document.doc.
4. Cleans up the Word Resiliency keys for Word versions 15.0 and 16.0 so that Microsoft Word will restart normally.
5. Executes the malicious stage two VBScript: %appdata%\Microsoft\Windows\maintenance.vbs.
6. Opens the decoy document, %temp%\document.doc, to hide the malicious activity from the user.
Once executed, the downloaded stage two VBScript (ww.vbs/maintenance.vbs) performs the following actions:
1. Writes an embedded obfuscated script to %TMP%/eoobvfwiglhiliqougukgm.js.
2. Executes the script.
The obfuscated eoobvfwiglhiliqougukgm.js script performs the following actions when executed:
1. Attempts to delete itself from the system.
2. Attempts to download http[:]//www.modani[.]com/media/wysiwyg/wood.exe (at most 44 times) and save the file to %TMP%\dcihprianeeyirdeuceulx.exe.
3. Executes %TMP%\dcihprianeeyirdeuceulx.exe.
Figure 5 shows the process execution chain of events.
Figure 5: Process creation events
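As an added example (not code from the FireEye post), the following Python applies the indicators of the execution chain described above to constructed, Sysmon-style process-creation records: the PIDs, user paths, Office install path and the benign HTA record are all assumptions made for the example.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed process-creation records (not from the post) modelled on the chain in
# Figure 5; PIDs, paths and the benign HTA record are assumptions for the example.
EVENTS = [
    Event(200, 100, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "WINWORD.EXE /n hire_form.doc"),
    Event(300, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    Event(310, 300, r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Users\victim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X1Y2Z3W4\template[1].hta"'),
    Event(320, 310, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im winword.exe"),
    Event(330, 310, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\victim\AppData\Roaming\Microsoft\Windows\maintenance.vbs"'),
    Event(340, 330, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\victim\AppData\Local\Temp\eoobvfwiglhiliqougukgm.js"'),
    Event(350, 340, r"C:\Users\victim\AppData\Local\Temp\dcihprianeeyirdeuceulx.exe", "dcihprianeeyirdeuceulx.exe"),
    Event(400, 100, r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Program Files\Vendor\help.hta"'),  # benign, must not alert
]
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return [(pid, rule)] for records matching indicators of the chain described above."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        img, cmd = basename(e.image), e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        # 1. HTA handler loading a cached .hta (the template[?].hta stage).
        if img == "mshta.exe" and "temporary internet files" in cmd and cmd.rstrip('"').endswith(".hta"):
            hits.append((e.pid, "mshta executing HTA from Temporary Internet Files"))
        # 2. A script host killing Word to hide the OLE2link prompt.
        if img == "taskkill.exe" and "winword" in cmd and pimg in SCRIPT_HOSTS:
            hits.append((e.pid, "taskkill of winword.exe from script host"))
        # 3. A script host running a dropped .vbs/.js from %APPDATA% or %TMP%.
        if img in SCRIPT_HOSTS and re.search(r"\\appdata\\(roaming|local\\temp)\\.*\.(vbs|js)", cmd):
            hits.append((e.pid, "script host running dropped script"))
        # 4. An executable under %TMP% started by a script host (the final payload).
        if "\\appdata\\local\\temp\\" in e.image.lower() and img.endswith(".exe") and pimg in SCRIPT_HOSTS:
            hits.append((e.pid, "payload launched from %TMP% by script host"))
    return hits

def chain(events, pid):
    # Ancestry of pid as image basenames, root first, for triage output.
    by_pid, names = {e.pid: e for e in events}, []
    while pid in by_pid:
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]
```

Each hit can be rendered with chain(), which walks the parent PIDs back to the DCOMLaunch svchost that spawned mshta.exe, matching the order of events in Figure 5.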
The final payload utilized in this malware is a newer variant of the LATENTBOT malware family. Additional details of the updates to this malware follow the Document 2 walkthrough.
| MD5 | Size | Name | Description |
| --- | --- | --- | --- |
| 5ebfd13250dd0408e3de594e419f9e01 | 37,523 | hire_form.doc | Malicious document |
| fb475f0d8c8e9bf1bc360211179d8a28 | 27,429 | template.doc/template[?].hta | Malicious HTA file |
| 984658e34e634d56423797858a711846 | 5,704 | ww.vbs/maintenance.vbs | Stage two VBScript |
| 73bf8647920eacc7cc377b3602a7ee7a | 13,386 | questions.doc/document.doc | Decoy document |
| 11fb87888bbb4dcea4891ab856ac1c52 | 5,292 | eoobvfwiglhiliqougukgm.js | Malicious script |
| a1faa23a3ef8cef372f5f74aed82d2de | 388,096 | wood.exe/dcihprianeeyirdeuceulx.exe | Final payload |
| 15e51cdbd938545c9af47806984b1667 | 414,720 | wood.exe/dcihprianeeyirdeuceulx.exe | Updated final payload |
Table 1: First document file metadata
The LATENTBOT Payload
The payload