Threat Actors Leverage CVE-2017-0199 to Deliver Zeus Panda via Smoke Loader

Our Phishing Defense Center (PDC) identified and responded to attacks leveraging a relatively new Microsoft Office vulnerability during the past few weeks. Last week, the PDC observed threat actors exploiting CVE-2017-0199 to deliver the Smoke Loader malware downloader, which in turn was used to deliver the Zeus Panda botnet malware. These emails claim to deliver an invoice for an “outstanding balance” and trick the recipient into opening the attached file. In one instance, we have also seen the malicious attachment being delivered via URL.

The subject lines of the emails followed a pattern of alphanumeric characters combined with the phrase “Invoice Past Due”. An example is shown below.

An example of the phishing email used in these attacks is shown below.

The following URL was also identified in one example delivering a malicious document.

hxxp://3tco.com[.]vn/index.html.php?id=<base64 email  address>

The file delivered by these emails is an RTF document containing an OLE object used to exploit the CVE-2017-0199 vulnerability. Once opened, the exploit runs code that downloads a file from a remote host. The downloaded file is a Microsoft Word document disguised with an .xls extension and containing embedded malicious code. Once the download is complete, the file is automatically loaded into the original RTF document. A vulnerability in this loading process is used to change how the contents of the downloaded file are interpreted and to execute the malicious code inside. Once this embedded code is executed, it downloads a malicious executable and a decoy “accounts payable documentation report”. This benign document is displayed to disguise the threat actors’ activities, and then the executable is run. The downloaded executable is a sample of the Smoke Loader malware downloader.

Upon execution, this Smoke Loader sample obtains a copy of the Zeus Panda banking trojan. Once run on the machine, this malware performs extensive checks to determine whether it is running in a virtualized or analysis environment before contacting its command and control hosts. Once contact has been established, these hosts provide update instructions and configuration data that guide the trojan’s financial-crime and botnet activity on infected machines.

The following section details how the CVE-2017-0199 vulnerability is exploited and lists its IOCs.

This vulnerability takes advantage of the way Microsoft Office and WordPad handle OLE embedded link objects in RTF files. Exploitation abuses certain control words in the Rich Text Format to update an object link, which allows a malicious file to be downloaded. The downloaded file is typically another RTF file containing embedded malicious script, which is executed when Microsoft Office attempts to load it as an OLE object.
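As an added example (not PhishMe’s code and not a campaign artifact), the Python triage check below looks for the RTF shape described above: an OLE object group carrying the link control words \objautlink and \objupdate together with a remote URL inside its \objdata hex stream. The two RTF strings are constructed test inputs with a placeholder URL, and the check only scans the decoded stream for URL text rather than parsing the full OLE structure.

```python
import re
# \objautlink marks an OLE object as a link; \objupdate forces it to refresh when the
# document opens. CVE-2017-0199 abuses this pair so Office fetches the link target remotely.
LINK_WORDS = (r"\objautlink", r"\objupdate")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

def find_object_groups(rtf: str):
    r"""Yield each balanced {\object ...} group, honouring \{ \} \\ escapes."""
    for m in re.finditer(r"\{\\object\b", rtf):
        depth, i = 0, m.start()
        while i < len(rtf):
            if rtf[i] == "\\" and i + 1 < len(rtf) and rtf[i + 1] in "{}\\":
                i += 2                                   # escaped char, not structural
                continue
            depth += (rtf[i] == "{") - (rtf[i] == "}")
            i += 1
            if depth == 0:
                yield rtf[m.start():i]
                break

def extract_objdata(group: str) -> bytes:
    r"""Decode the hex payload of the {\*\objdata ...} destination inside the group."""
    m = re.search(r"\{\\\*\\objdata\s*([0-9a-fA-F\s]+)\}", group)
    hexstr = re.sub(r"\s+", "", m.group(1) if m else "")
    return bytes.fromhex(hexstr[: len(hexstr) & ~1])    # drop a dangling nibble

def find_urls(blob: bytes) -> list:
    """Recover http(s) URLs stored as ASCII or as UTF-16LE (either alignment) in the stream."""
    found = [u.decode("ascii") for u in URL_RE.findall(blob)]
    for off in (0, 1):
        wide = blob[off:].decode("utf-16-le", "ignore").encode("ascii", "ignore")
        found += [u.decode("ascii") for u in URL_RE.findall(wide)]
    return sorted(set(found))

def assess_rtf(rtf: str) -> list:
    """One finding per OLE object that is a remotely refreshed link (the CVE-2017-0199 shape)."""
    findings = []
    for group in find_object_groups(rtf):
        words = [w for w in LINK_WORDS if w in group]
        urls = find_urls(extract_objdata(group))
        if r"\objupdate" in words and (urls or r"\objautlink" in words):
            findings.append({"control_words": words, "urls": urls})
    return findings

# Constructed samples (not real documents): a linked auto-updating object with a UTF-16LE URL, and a benign embedded object.
_objdata = (b"OLE2Link\x00" + "http://example.invalid/cr2mgmts.xls".encode("utf-16-le")).hex()
MALICIOUS_RTF = (r"{\rtf1{\object\objautlink\objupdate{\*\objclass Word.Document.8}"
                 r"{\*\objdata " + _objdata + r"}}}")
BENIGN_RTF = r"{\rtf1{\object\objemb{\*\objclass Excel.Sheet.8}{\*\objdata 0105000002000000}}}"
```

Running assess_rtf over a quarantined attachment gives the control words and any embedded URL per object, which is enough to decide whether the file needs sandbox detonation; plain embedded objects (\objemb) without link words are not reported.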

The following document files were identified as leveraging an exploit for CVE-2017-0199.

Filename          MD5
J36IZBES.doc      31bee5a70606aba18c0cc67a8cb7eb4b
B9BDY5Y87X.doc    cb563b18f432105ccbff0ecbb447013a
4G7U6MIK.doc      d41d8cd98f00b204e9800998ecf8427e

Note that the hash listed for 4G7U6MIK.doc is the MD5 of an empty (zero-byte) file and should not be relied on as an indicator.

The following URLs were used to provide a malicious payload for execution by this document.

hxxp://2752E3751847.com/cr2mgmts.exe

hxxp://2752E3751847.com/offic0semgmts.doc

hxxp://2752E3751847.com/cr2mgmts.xls

hxxp://hncidhw.top/cr1_mgmts.xls

hxxp://hncidhw.top/offic0semgmts.doc

hxxp://hncidhw.top/cr1_mgmts.exe

Smoke Loader

A commonly used malware downloader, the Smoke Loader malware operates using a set of command and control hosts to provide instructions to the malware for downloading additional payloads. While the locations of these command and control hosts are hardcoded into the Smoke Loader binary, the payload locations are not. The payload locations are instead obtained from the Smoke Loader command and control in response to the malware’s HTTP requests. The following Smoke Loader files were used in this campaign.

Filename          MD5
urfgdwbb.exe      3268d09954402c80cb44ff589b1b33ab
wifahhac          f098d7ddc3b9b22162dd4007c2f140dd

After completing its initial check-in with command and control infrastructure, this Smoke Loader instance obtained its payload set from the following locations.

hxxps://reterbawax.top/feedweb/feed.php

hxxps://nyminalowe.info/feedweb/feed.php

hxxps://uppedutari.com/feedweb/feed.php

hxxps://irveneloni.info/feedweb/feed.php

hxxps://zelispecto.top/feedweb/feed.php

Zeus Panda

The following file set was identified as used in this campaign to infect machines with malware featuring extensive anti-analysis functionality including the ability to detect multiple forms of virtualization and physical device restoration utilities.

Filename            MD5                               Size (bytes)
9D9B.tmp.exe        0f4f6d65af765b2af56d4efa22d13bcd  179,712
PluginManager.isf   96db7dea65e4b42031fa786f5b0b5741  576
services_rdri.dat   0564ce16c5d078a29dd492b17f8a77da  24,152
Solarized.evw       3cc91fdc9fe5855207416c8bac13eca3  1,200

Zeus Panda retrieved its payload modules from the following locations.

hxxps://bilinom.info/grabber.bin

hxxps://bilinom.info/backsocks.bin

hxxps://bilinom.info/webinjects_1new.dat

The command and control hosts below were used to support this malware. These hosts log records of new infections and provide the configuration data the malware uses to conduct extensive credential-stealing operations. Credentials are primarily stolen via web injects customized for customers of each financial institution listed in the configuration document.

hxxps://bilinom.info/c0/

hxxps://bilinom.info/1ewzugudiciemvovyyrmo.dat

hxxps://bilinom.info/gsZHT/

Finally, the executable below was identified within an infected environment at the completion of the infection process. Its MD5 matches that of 9D9B.tmp.exe listed above.

Filename                                                       MD5
1492190856824.5c815e51-8b2d-42cb-89b7-fb200a379483.main.exe    0f4f6d65af765b2af56d4efa22d13bcd

Recommendation:

PhishMe® cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for emails that contain subject lines as described above. PhishMe Simulator™ customers may consider launching simulations that follow this style of attack to further train their users to detect and report suspicious emails. A simulation template will be available by end of day.
