2018-01-15 - MALSPAM USES CVE-2017-11882 RTF FILE TO PUSH FORMBOOK INFO STEALER

ASSOCIATED FILES:

• Zip archive of the pcap:  2018-01-15-CVE-2017-11882-to-push-Formbook.pcap.zip   486 kB (485,773 bytes)

• 2018-01-15-CVE-2017-11882-to-push-Formbook.pcap   (791,092 bytes)

• Zip archive of the email and malware:  2018-01-15-CVE-2017-11882-malspam-email-malware-and-artifacts.zip   2.0 MB (1,956,304 bytes)

• 2018-01-14-malspam-pushing-Formbook-using-CVE-2017-11882-at-2137-UTC.eml   (70,951 bytes)
• 2018-01-15-Formbook-executable.exe   (292,792 bytes)
• Items 5444.doc   (50,274 bytes)
• ad1.src   (284,600 bytes)
• ad2.src   (309,176 bytes)
• ap1.src   (306,280 bytes)
• ap2.src   (289,896 bytes)
• bnk.src   (231,664 bytes)
• emm.src   (239,856 bytes)
• frn.src   (248,048 bytes)
• joe.src   (292,792 bytes)
• kin.src   (288,696 bytes)
• kri.src   (292,792 bytes)
• min.src   (314,472 bytes)
• pri.src   (314,472 bytes)
• thg.src   (302,184 bytes)
• tim.src   (314,472 bytes)
• xpl.src   (306,280 bytes)

NOTES:

• Today's malspam attachment is an RTF file disguised as a Microsoft Word document that uses an exploit for CVE-2017-11882.
• The exploit only requires that you open the RTF file using Microsoft Word on a vulnerable Windows host.
• The follow-up malware (Formbook) was retrieved using SMB (TCP port 445) from a shared drive at \\185.198.59.121\s.
• I previously documented another case of CVE-2017-11882 last year on 2017-12-13 (it was pushing Loki Bot that time).

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and partial URLs:

• hxxp://www.yg082.com/ch19/?id=
• hxxp://www.www477234.com/ch19/?id=
• hxxp://www.pmeglobal.com/ch19/?id=
• hxxp://www.julianshots.com/ch19/?id=
• hxxp://www.egiztechnologyx.com/ch19/?id=
• hxxp://www.769hqi.info/ch19/?id=
• hxxp://www.choruscallasia.tech/ch19/?id=
• hxxp://www.lifullness.com/ch19/?id=
• hxxp://www.goldenmindbody.com/ch19/?id=
• hxxp://www.bjxitianyun.com/ch19/?id=
• hxxp://www.tqceyp.info/ch19/?id=
• www.spinepoint.biz
• www.0t5fivethan.men

 

EMAIL

Shown above:  Screenshot of the email.

 

EMAIL INFORMATION:

• Date:  Sunday, 2018-01-14 at 21:37 UTC
• Subject:  Re:Items 5444
• From:  "GLOBAL CONCEPT INVESTMENT.LTD DUBAI" <junkoi@iijima-mfg.jp>
• Received:  from v133-130-68-111.myvps.jp (v133-130-68-111.myvps.jp [133.130.68.111])
• Message-ID:  <5aae29598e665cb24fb47681e4d09003.squirrel@webmail.iijima-mfg.jp>
• Reply-To:  hastedxb@emirates.net.ae
• Attachment name:  Items 5444.doc

 

Shown above:  Opening the RTF file in Microsoft Word gives you a fake popup notification to distract you from the infection that's happening.

 

TRAFFIC

Shown above:  SMB traffic to retreive the follow-up malware as seen in Wireshark.

 

Shown above:  HTTP traffic caused by the Formbook info stealer.

 

Shown above:  DNS responses for two domains were malformed.

 

INFECTION TRAFFIC:

• 185.198.59.121 port 445 - SMB traffic generated by CVE-2017-11882 Word doc to retrieved follow-up malware
• 45.114.10.69 port 80 - www.yg082.com - GET /ch19/?id=[long string]==&sLNh=zPQlgBOhWfKdzF
• 43.230.143.219 port 80 - www.www477234.com - GET /ch19/?id=[long string]==&sLNh=zPQlgBOhWfKdzF&sql=1
• 52.73.124.185 port 80 - www.pmeglobal.com - GET /ch19/?id=[long string]==&sLNh=zPQlgBOhWfKdzF
• 173.236.187.105 port 80 - www.julianshots.com - GET /ch19/?id=[long string]==&sLNh=zPQlgBOhWfKdzF
• 192.64.114.107 port 80 - www.egiztechnologyx.com - GET /ch19/?id=[long string]==&sLNh=zPQlgBOhWfKdzF
• 192.64.114.107 port 80 - www.egiztechnologyx.com - POST /ch19/
• 107.179.31.205 port 80 - www.769hqi.info - GET /ch19/?id=[long string]==&sLNh=zPQlgBOhWfKdzF
• 150.95.255.38 port 80 - www.choruscallasia.tech - GET /ch19/?id=[long string]==&sLNh=zPQlgBOhWfKdzF
• 62.149.128.40 port 80 - www.lifullness.com - GET /ch19/?id=[long string]==&sLNh=zPQlgBOhWfKdzF
• 64.98.145.30 port 80 - www.goldenmindbody.com - GET /ch19/?id[long string]==&sLNh=zPQlgBOhWfKdzF
• 123.56.92.67 port 80 - www.bjxitianyun.com - GET /ch19/?id=[long string]==&sLNh=zPQlgBOhWfKdzF
• 23.88.29.4 port 80 - www.tqceyp.info - GET /ch19/?id=[long string]==&sLNh=zPQlgBOhWfKdzF
• DNS queries for www.spinepoint.biz that returned malformed response
• DNS queries for www.0t5fivethan.men that returned malformed response

 

MALWARE

EMAIL ATTACHMENT - RTF USING EXPLOIT FOR CVE-2017-11882:

• SHA256 hash:  5b307600b1ceb84f29315c95e5b21776eb6154b79214528629e4fc2310cd50e3
  File size:  50,274 bytes
  File name:  Items 5444.doc

FOLLOW-UP MALWARE RETRIEVED USING SMB FROM 185.198.59.121:

• SHA256 hash:  3f83a4ff3803dffbed605a82e30f79e39620ded61bd4a09b8e1abd08ec4c2ecb
  File size:  292,792 bytes
  File location:  \\185.198.59.121\s\joe.src
  File location:  C:\Program Files\V7n7l_rn0\mrxhxjot.exe

OTHER MALWARE FROM \\185.198.59.121\S:

• SHA256 hash:  3a55297697608f546edb2bc6cd45d8bfbda6080c68824976fb983c4448272705 - ad1.src
• SHA256 hash:  7eab92ce6b13221cb8f280da249df28503beb141197e5c0534dd76457f42a915 - ad2.src
• SHA256 hash:  d917fc781c4a69b5c77c63afce20f3055c7f21d5e48d3aa033851e2d5167e87c - ap1.src
• SHA256 hash:  79044d29c331fa75a08f55a92ba18b48dd96ccc3814ab2586ff6d4448e859aee - ap2.src
• SHA256 hash:  2d3294ea7046f87e8675d6632edc643645862b5bd8c581b1d4811ea7c3394fab - bnk.src
• SHA256 hash:  dcd346ca948ab0cbd1e3acb3107caee62e53e9e5805722c1555d0d277a1cb001 - emm.src
• SHA256 hash:  7be2ef0b3c88e508404b408b437ef1537c4cd9bcd11ca097e089b7211a110f5c - frn.src
• SHA256 hash:  bf9b9c3cd391104a1398d685a7e08412b7cfdda6c44d5c874ff117947467f97d - kin.src
• SHA256 hash:  635e5d23fe5caa9ccd951391f5a927a883f0a4500b4a9b880d2bf2190aa9c932 - kri.src
• SHA256 hash:  32d481d669217370b0090f9c7efe1b8f911d198f6b6c77521cef660b5e411ec0 - min.src
• SHA256 hash:  e4185b89d3b55f32677841c0b4e3d14c7e608e39c8b9e0349547cfcc54c9e8c9 - pri.src
• SHA256 hash:  ee9daf2cd61ef475fe4adc9856d6202ff9921e346af0ad74304ce987f80cc314 - thg.src
• SHA256 hash:  a00127d8b50411deaad498541496de2ad7e74cfd0f7241d887de37b71badb0fd - tim.src
• SHA256 hash:  3ea6830d62856acba5023f049bef88bedfe30539635ed7098ff120a0f55ed634 - xpl.src

 

IMAGES

Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 

Shown above:  Registry key and associated Formbook malware on the infected Windows host.

 

Shown above:  You can easily connect to the shared drive on 185.198.59.121 and see more malware.

 

Shown above:  Although the file extensions are all .src, they are all Windows executable files.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2018-01-15-CVE-2017-11882-to-push-Formbook.pcap.zip   486 kB (485,773 bytes)
• Zip archive of the email and malware:  2018-01-15-CVE-2017-11882-malspam-email-malware-and-artifacts.zip   2.0 MB (1,956,304 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.