Thursday, July 30, 2015

Fireeye. CVE-2015-0097 Exploited in the Wild

July 30, 2015

  • "Microsoft Word Local Zone Remote Code Execution Vulnerability."
  • In the wild
  • Does not require common exploitation techniques like a heapspray or ROP chain

  • Exploit. Office can open documents as HTML files via the MSScriptControl.ScriptControl.1 control. If the document contains valid HTML (in this case, appended to the end of the document), the HTML is launched in the Local Security Zone. Scripts embedded within the HTML content then write to disk with the ADODB.Recordset Active X Control. By writing scripts to the users Startup directory as shown in Figure 1, the attacker's scripts achieve full RCE and persistence.
  • Payloadconfig.vbs - downloads and executes a binary from the attacker's server. The script saves and executes the binary as %temp%\svchost.exe.
  • One of the variants we observed is a Word Document named mat khau wifi thuong dung.doc (Vietnamese language) that is used to drop PlugX malware on a system.
  • The payload is a RAR SFX file named KB3002659.exe. This RAR SFX file contains the following three components:
    • 1.     AhnI2.exe - Legitimate AhnLab Internet Security Software digitally signed by AhnLab, Inc.
    • 2.     AhnI2.dll - Malicious PlugX DLL
    • 3.     AhnI2.asf - Encrypted file used by PlugX DLL
  • Producs affected 
    • Microsoft Excel 2007 and 2010
    • Microsoft Word 2007 and 2010
    • Microsoft Powerpoint 2007 and 2010
Labels: App - MS Office, CVE-2015-0097 - MS Office, 

ESET. Operation Potao Express: Analysis of a cyber-espionage toolkit


2011- July 2015
  • aka  Sapotao and node69
  • Group - Sandworm / Quedagh APT
  • Vectors - USB, exe as doc, xls
  • Victims - RU, BY, AM, GE 
  • Victims - MMM group, UA gov
  • has been serving modified versions of the encryption software (Win32/FakeTC) that included a backdoor to selected targets. 
  • Win32/FakeTC - data theft from encrypted drives
  • The Potao main DLL only takes care of its core functionality; the actual spying functions are implemented in the form of downloadable modules. The plugins are downloaded each time the malware starts, since they aren’t stored on the hard drive.
  • 1st Full Plugin and its export function is called Plug. Full plugins run continuously until the infected system is restarted
  • 2nd Light Plugin with an export function Scan. Light plugins terminate immediately after returning a buffer with the information they harvested off the victim’s machine.
  • Some of the plugins were signed with a certificate issued to “Grandtorg”:
  • Traffic 
  • Strong encryption. The data sent is encapsulated using the XML-RPC protocol.
  • MethodName value 10a7d030-1a61-11e3-beea-001c42e2a08b is always present in Potao traffic.
  • After receiving the request the C&C server generates an RSA-2048 public key and signs this generated key with another, static RSA-2048 private key .
  • In 2nd stage the malware generates a symmetric AES-256 key. This AES session key is encrypted with the newly received RSA-2048 public key and sent to the C&C server.
  • The actual data exchange after the key exchange is then encrypted using symmetric cryptography, which is faster, with the AES-256 key
  • The Potao malware sends an encrypted request to the server with computer ID, campaign ID, OS version, version of malware, computer name, current privileges, OS architecture (64 or 32bits) and also the name of the current process.
  • Potao USB - uses social engineering, exe in the root disguised as drive icon
  • Potao Anti RE -  uses the MurmurHash2 algorithm for computing the hashes of the API function names.
  • Potao Anti RE - encryption of strings
  • Russian TrueCrypt Win32/FakeTC - The malicious program code within the otherwise functional TrueCrypt software runs in its own thread. This thread, created at the end of the Mount function, enumerates files on the mounted encrypted drive, and if certain conditions are met, it connects to the C&C server, ready to execute commands from the attackers.

Web Analytics