{"id":85688,"date":"2018-02-05T15:42:34","date_gmt":"2018-02-05T10:12:34","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=85688"},"modified":"2018-02-05T17:53:12","modified_gmt":"2018-02-05T12:23:12","slug":"malspam-campaigns-exploiting-recent-ms-office-vulnerability-cve-2017-11882","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/malspam-campaigns-exploiting-recent-ms-office-vulnerability-cve-2017-11882\/","title":{"rendered":"Malspam campaigns exploiting recent MS Office vulnerability \u2018CVE-2017-11882\u2019 – An Analysis by Quick Heal Security Labs"},"content":{"rendered":"

No wonder malspam campaigns are a major medium to spread malware. Previously, we have written about such campaigns making use of MS Office malware such as malicious macro,\u00a0CVE-2017-0199<\/a>, CVE-2017-8759<\/u><\/a>\u00a0and DDE<\/u><\/a>-based attack. Recently, we have started observing various malspam campaigns exploiting the latest MS Office vulnerability CVE-2017-11882<\/u><\/a>.<\/p>\n

Let’s take a look at in-depth analysis of one such malspam campaign exploiting vulnerability \u2018CVE-2017-1188<\/u>2<\/u><\/a>\u2019 in the wild.<\/p>\n

Attack chain<\/b><\/strong><\/p>\n

\"Attack
Fig 1. Attack chain<\/figcaption><\/figure>\n

 <\/p>\n

Vulnerability (CVE-2017-11882) analysis<\/b><\/strong><\/p>\n

A remote code execution vulnerability (CVE-2017-11882<\/u><\/a>) is triggered in the Microsoft Office Equation Editor<\/u><\/a>\u00a0<\/u>(EQNEDT32.EXE) component. The attacker can successfully exploit a stack buffer overflow vulnerability in the equation editor component of MS Office and execute an arbitrary code. The root cause of this vulnerability is copy unbounded string of FONT name defined within a FONT record structure of Equation EditorOLE object data.<\/p>\n

To exploit the vulnerability, attackers use specially crafted RTF files with doc extensions. This RTF file contains an embedded equation object class as shown in Fig 2.<\/p>\n

\"Equation
Fig 2. Equation object class<\/figcaption><\/figure>\n

 <\/p>\n

OLE file which is embedded inside the crafted RTF has a stream name “Equation Native” having the following header:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n
Size<\/b><\/strong><\/td>\nDescription<\/b><\/strong><\/td>\n<\/tr>\n
WORD<\/td>\nSize of header(EQNOLEFILEHDR) == 28 (0x1C)<\/td>\n<\/tr>\n
DWORD<\/td>\nVersion<\/td>\n<\/tr>\n
WORD<\/td>\nClipboard format<\/td>\n<\/tr>\n
DWORD<\/td>\nSize of (MTEF header + MTEF data)<\/td>\n<\/tr>\n
DWORD<\/td>\nReserved1<\/td>\n<\/tr>\n
DWORD<\/td>\nReserved2<\/td>\n<\/tr>\n
DWORD<\/td>\nReserved3<\/td>\n<\/tr>\n
DWORD<\/td>\nReserved4<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

MTEF is a Math Type equation format used by equation editor.<\/p>\n

MTEF header have the following structure.<\/p>\n\n\n\n\n\n\n\n
Size<\/b><\/strong><\/td>\nDescription<\/b><\/strong><\/td>\n<\/tr>\n
BYTE<\/td>\nMTEF version<\/td>\n<\/tr>\n
BYTE<\/td>\nGenerating platform<\/td>\n<\/tr>\n
BYTE<\/td>\nGenerating product<\/td>\n<\/tr>\n
WORD<\/td>\nProduct version and subversion<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u00a0<\/b><\/strong><\/p>\n

MTEF data consists of MTEF header followed by multiple records. These records can be of different types and sizes.<\/p>\n

FONT record which is defined in MTEF data object receives crafted FONT name and triggers the vulnerability.<\/p>\n

Following is the structure of MTEF data (FONT record).<\/p>\n\n\n\n\n\n\n\n\n
Size<\/b><\/strong><\/td>\nDescription<\/b><\/strong><\/td>\n<\/tr>\n
BYTE<\/td>\nFONT tag<\/td>\n<\/tr>\n
BYTE<\/td>\nTypeface number<\/td>\n<\/tr>\n
BYTE<\/td>\nTypeface style<\/td>\n<\/tr>\n
STRING<\/td>\nFont name<\/td>\n<\/tr>\n
BYTE<\/td>\nNull terminated<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

If FONT NAME is greater than 32 bytes, it indicates the exploit attempts.<\/p>\n

 <\/p>\n

Exploit analysis<\/b><\/strong><\/p>\n

In this campaign, the initial attack vector uses spam emails with crafted RTF attachments with .doc extension.<\/p>\n

Fig 3 shows the spam email used in this campaign.<\/p>\n

\"\"
Fig 3. Spam mail with CVE-2017-11882 exploit<\/figcaption><\/figure>\n

 <\/p>\n

MS Word runs the malicious attachment and attempts to exploit. After successful exploitation, Microsoft Equation Editor starts the mshta<\/u><\/a>\u00a0process.<\/p>\n

\"\"
Fig 4. Crafted font name<\/figcaption><\/figure>\n

Let\u2019s dive into the assembly to know how it works.<\/b><\/strong><\/p>\n

The below figure is a snap that shows the stack buffer overflow scenario where 48 bytes of data gets copied into a local buffer which causes a buffer overflow and overwrites base pointer and returns address.<\/p>\n

\"\"
Fig 5. Stack-based buffer overflow<\/figcaption><\/figure>\n

Fig 6 shows the address (0x00430C12<\/b><\/strong>) which gets overwritten into the return address.<\/p>\n

\"\"
Fig 6. Overwritten return address<\/figcaption><\/figure>\n

The overwritten address is from EQUATION32.EXE and that instruction points to “WinExec<\/b><\/u><\/strong><\/a>” api as mentioned in Fig 7.<\/p>\n

\"\"
Fig.7. WinExec call<\/figcaption><\/figure>\n

After successful exploitation, mshta<\/u><\/a>\u00a0process gets executed by WinExec<\/u><\/a>\u00a0which downloads and executes the malicious hta<\/u><\/a>\u00a0file. The hta file further acts as a downloader for an infostealer malware<\/b><\/strong>.<\/p>\n

At Quick Heal Security Labs, we have seen different variants of this exploit using mshta.exe, cmd.exe, and powershell.exe being executed by WinExec for carrying out further activities.<\/p>\n

 <\/p>\n

File-less attacks<\/b><\/strong><\/p>\n

Below is a scenario where the exploit contains a code that directly executes a malware which is hosted on a public WebDav server. The payload is a typical network UNC path.<\/p>\n

Fig 8 shows the different malware hosted on public WebDav server 185.45.195.7<\/b><\/strong>.<\/p>\n

\"\"
Fig 8. WebDav server UNC path<\/figcaption><\/figure>\n

 <\/p>\n

\"\"
Fig 9. Malicious WebDav server<\/figcaption><\/figure>\n

 <\/p>\n

Obfuscation technique<\/b><\/strong><\/p>\n

To bypass signature-based detections, attackers used various obfuscation techniques in this campaign.<\/p>\n

One of the obfuscation techniques used is shown below (fig 10).<\/p>\n

\"\"
Fig.10. Obfuscation<\/figcaption><\/figure>\n

RTF math control word “\\mmath ” (math zone) is used as obfuscation in OLE embedded RTF file. Because of the use of \\mmath control word, the string cmd.exe gets divided as “c” and “md.exe” which can simply evade the signature-based detection where the signature pattern can be used is cmd.exe.<\/p>\n

 <\/p>\n

Conclusion<\/b><\/strong><\/p>\n

To defend against such exploits, Microsoft has already implemented features like DEP and ASLR in their arsenal but attacker targeted eqnedt32.exe where both these features were disabled; so carrying out such attacks using readily available exploit POC’s becomes handy for attackers. From\u00a0Microsoft Office 2007 Service Pack 3,\u00a0all versions are vulnerable to this vulnerability. Microsoft has released a patch for this vulnerability so we recommend our users to apply the latest Microsoft update packages and keep their antivirus up to date.<\/p>\n

 <\/p>\n

Safety measures<\/b><\/strong><\/p>\n