2017-11-16 - MALSPAM USING CVE-2017-0199 TO PUSH LOKI BOT

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-11-16-Loki-bot-malspam-traffic.pcap.zip   362 kB (361,691 bytes)

• 2017-11-16-Loki-bot-malspam-traffic.pcap   (673,526 bytes)

• Zip archive of the email and associated artifacts:  2017-11-16-Loki-bot-malspam-and-artifacts.zip   392 kB (391,645 bytes)

• 2017-11-16-Loki-bot-binary-7571BA.exe   (704,512 bytes)
• 2017-11-16-Lokibot-malspam-0549-UTC.eml   (12,936 bytes)
• 2017-11-16-josephioseph.com-timaya-htadrills.hta.txt   (2,331 bytes)
• SKMBT_C20171116424367.doc   (6,785 bytes)

NOTES:

• I documented a similar case back on 2017-10-10.
• This is malicious spam (malspam) with an attachment.
• The attachment is an RTF document with a CVE-2017-0199 exploit, and it's disguised as Word document.
• The exploit is designed to infect Windows hosts with Loki Bot malware.

 

EMAIL

Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

• Date:  Thursday Nov 2017-11-16 05:49 UTC
• From:  Monika Bakun <admin@wahshingref.com>
• Subject:  Request For Quotation

 

Shown above:  Attachment is actually an RTF file with an exploit for CVE-2017-0199.

 

TRAFFIC

Shown above:  Traffic from this infection filtered in Wireshark.

 

ASSOCIATED DOMAINS AND URLS:

• 192.185.16.72 port 80 - josephioseph.com - GET /timaya/htadrills.hta
• 192.185.16.72 port 80 - josephioseph.com - GET /timaya/drills.exe
• 209.182.213.90 port 80 - myapplicationsdownload.download - POST /

 

FILE HASHES

RTF WITH EXPLOIT FOR CVE-2017-0199:

• SHA256 hash:  9b1331d33e9c859b9f9530dd9d9e87f5730948213d2705d8455848bfeb1b08e2
  File size:  6,785 bytes
  File name:  SKMBT_C20171116424367.doc

 

HTA FILE CALLED BY RTF:

• SHA256 hash:  146bbd9122ef4104765b7fbeedffb5a850ed8d318a130cf790ed8371e1217c26
  File size:  2331 bytes
  File location:  hxxp://josephioseph.com/timaya/htadrills.hta

 

FOLLOW-UP MALWARE (LOKI BOT):

• SHA256 hash:  8a3e6b18b0532c63b3e7eda71e6962f5128c2be9e8f52a817bd90d701852473a
  File size:  704,512 bytes
  File location:  hxxp://josephioseph.com/timaya/drills.exe
  File location:  C:\Users\[username]\AppData\Roaming\drill.exe
  File location:  C:\Users\[username]\AppData\Roaming\C72387\7571BA.exe

 

IMAGES

Shown above:  HTTP GET request caused by the RTF file returned an HTA file.

 

Shown above:  HTTP GET request for the Loki bot binary.

 

Shown above:  Loki bot post-infection traffic.

 

Shown above:  Windows Registry update noted for persistence.

 

Shown above:  An open directory with additional malware.  I've submitted URLs for these files to VirusTotal.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-11-16-Loki-bot-malspam-traffic.pcap.zip   362 kB (361,691 bytes)
• Zip archive of the email and associated artifacts:  2017-11-16-Loki-bot-malspam-and-artifacts.zip   392 kB (391,645 bytes)

Zip files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.