Word add-in persistence found in the wild

@Blu3_team
@Malwareparty
2018-01-06

@Malwareparty found another interesting sample that uses the known %temp% file location for embedded packages, but this one works differently.
The sample uses CVE-2017-11882 for the exploit, and you can see the decoded portion of the command in the screenshot.

[Screenshot: decoded portion of the exploit command]

Functionally, setup.zip is present in the %temp% location, but it is also copied to "%APPDATA%\Microsoft\word\startup\w.wll". We do not yet understand whether this copy is part of the exploit functionality or of the packager functionality. The sample does not run when the document is viewed, so we looked at the Word startup location and WLL files and found that they provide Word add-in functionality. A quick test verified that w.wll executes at the next start of the Word application, which provides a persistence method we have not seen before. From there the malware executes conventionally, dropping two executables and beaconing over port 443 using a binary protocol.
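A hunting check for the persistence location described above, added here as an example (it is not code from the original post or its analysts): it hashes every file Word auto-loads from a STARTUP folder and flags any sha256 that matches the add-in hash published on this page. It goes slightly beyond the page's .wll case by also listing the .dot/.dotm global templates Word loads from the same folder; constructed_sample and its fake w.wll are constructed test fixtures, not real artifacts.

```python
"""Hunt for Word add-in persistence in a STARTUP folder (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# sha256 of the dropped add-in as published on this page (z.wll installer / w.wll).
KNOWN_BAD_SHA256 = {"00295b469b1001a7fcab35fa326f90ee9652855a35c4bed0dc438ae5dbe1a81f"}
# Word auto-loads WLL add-ins and global templates from STARTUP at launch.
ADDIN_KINDS = {".wll": "WLL add-in", ".dotm": "global template", ".dot": "global template"}

def user_startup_dir():
    """Per-user STARTUP folder this sample used: %APPDATA%\\Microsoft\\Word\\STARTUP."""
    appdata = os.environ.get("APPDATA")
    return Path(appdata, "Microsoft", "Word", "STARTUP") if appdata else None

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_startup(dirs, known_bad=KNOWN_BAD_SHA256):
    """One finding per auto-loaded file. Any .wll here deserves review (legitimate
    WLL add-ins are uncommon); hashes in known_bad are flagged explicitly."""
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):
            kind = ADDIN_KINDS.get(p.suffix.lower())
            if kind is None or not p.is_file():
                continue
            digest = sha256_file(p)
            findings.append({"path": str(p), "kind": kind, "sha256": digest,
                             "known_bad": digest in known_bad})
    return findings

def constructed_sample():
    """Constructed fixture: temp STARTUP folder with a fake w.wll and a .txt that
    must be ignored. Returns (folder, sha256 of the fake w.wll)."""
    d = Path(tempfile.mkdtemp(prefix="word_startup_"))
    payload = b"MZ constructed fake add-in, not a real binary"
    (d / "w.wll").write_bytes(payload)
    (d / "readme.txt").write_bytes(b"ignored")
    return d, hashlib.sha256(payload).hexdigest()
```

On a live host, pass `[user_startup_dir()]` (plus any machine-wide Office STARTUP folder you know of) to `scan_startup` and review every finding, not only the known-bad ones.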

C2: 83.166.242.122 (TCP port 443)
C2: 109.237.110.10 (port 81)

Beacon:
Persistence Word add-in
"%APPDATA%\Microsoft\word\startup\w.wll"

Dropped
C:\ProgramData\NetWork\servicenet.exe
C:\ProgramData\NetWork\servernet.exe

Document
"Fw_ Invitation letter of FW review meeting.rtf"
sha256    81c733c0bae854e280d0d3c2e7ff1fdcd0f1eef2a653286a641437dcea21f409

filename:    z.wll installer
sha256 00295b469b1001a7fcab35fa326f90ee9652855a35c4bed0dc438ae5dbe1a81f

filename:    servicenet.exe
sha256    0addb6ce9263e533f7f654aedaebe33909ea7dc5632ea792a0fa43af0f8ba7c1

filename: servernet.exe
sha256    378239e9216bfd5004f017486628dcc774b0fa6466f5d9ec4e3673415cb199c8


Additional Information

Thanks to @James_inthe_box for additional analysis and insight
https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/ - William Knowles
https://twitter.com/MalwareParty/status/943861021260861440 - @Malwareparty, CVE-2017-11882 as a dropper
https://app.any.run/tasks/bff7d18f-bf23-4863-9781-d99e1ded9cac - @James_inthe_box
https://twitter.com/buffaloverflow/status/947099475281051650 - @Buffaloverflow (exploit generator)
https://twitter.com/buffaloverflow/status/943966785791053825 - @Buffaloverflow, packager.dll information
https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/