{"id":87019,"date":"2018-11-01T11:47:45","date_gmt":"2018-11-01T06:17:45","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=87019"},"modified":"2018-11-01T12:06:13","modified_gmt":"2018-11-01T06:36:13","slug":"obfuscated-equation-editor-exploit-cve-2017-11882-spreading-hawkeye-keylogger","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/obfuscated-equation-editor-exploit-cve-2017-11882-spreading-hawkeye-keylogger\/","title":{"rendered":"Obfuscated Equation Editor Exploit (CVE-2017-11882) spreading Hawkeye Keylogger"},"content":{"rendered":"

Cyber-attacks through phishing emails are increasing and generally, attackers use DOC embedded macros to infiltrate victim’s machine. Recently Quick Heal Security Labs came across a Phishing e-mail sample which uses Microsoft’s equation editor exploit to spread Hawkeye keylogger.<\/p>\n

Cybercriminals use different techniques to steal confidential data. Now they are offering advanced forms of malware to fulfill their purpose. That’s why we are still observing actively evolving new threats. Hawkeye belongs to a family of keylogger. The latest Hawkeye v8 reborn uses Microsoft Office Equation Editor Vulnerability CVE-2017-11882 to infiltrate. We also published a detailed blog post on this exploit which can be read here<\/a>. This exploit uses new techniques to evade detection of AV product. It compiles its code while executing and loads payload in memory without writing it on the disk.<\/p>\n

Flow\u00a0of Execution:<\/strong><\/p>\n

\"Fig1.Flow
Fig1.Flow of execution<\/figcaption><\/figure>\n

Exploit Analysis:<\/strong><\/p>\n

The buffer overflow vulnerability is present in the \u201cFONT\u201d record in equation native object. To exploit this vulnerability, OLE object must invoke equation native object and to do so it needs to include Equation Native stream in OLE file.<\/p>\n

It can be done by using two types:<\/p>\n

    \n
  1. Use of \u201cEquation Native\u201d stream.<\/li>\n
  2. Use of CLSID<\/a> of \u201cEquation Native\u201d stream.<\/li>\n<\/ol>\n

    In this case, it uses CLSID<\/a>\u00a0instead of \u201cEquation Native\u201d stream.<\/p>\n

    \"Fig.
    Fig. 2: {0002CE02-0000-0000-C000-000000000046} of Equation Editor present in OLE file.<\/figcaption><\/figure>\n

    It uses \u201cOLE10native\u201d stream to parse the OLE objects to \u201cEquation Native\u201d stream.<\/p>\n

    Following is the minimal header of \u201cOLE10native\u201d stream:<\/p>\n\n\n\n
    DWORD<\/td>\nSize of equation object (MTEF header + MTEF data)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    After execution of OLE, file equation editor is invoked and starts parsing the record. First, it parses MTEF header and TYPESIZE header and next starts to parse FONT record. In this case, it is overflowed by the buffer of FONT record content.<\/p>\n

    The following figure shows the structure of OLE10Native stream which goes to parse by Equation Native object.<\/p>\n

    \"Fig.
    Fig. 3: Structure of header of OLE object.<\/figcaption><\/figure>\n

    Exploiting this vulnerability results in executing shellcode and finally content malicious payload download from CNC server.<\/p>\n

    \"Fig.
    Fig. 4: Malicious URL present in the Shellcode.<\/figcaption><\/figure>\n

    Shellcode connects to URL to download malware by using \u201cURLDownloadToFileW\u201d API present in Urlmon.dll and executes it to do some malicious activity. In our case, we found malware as Hawkeye keylogger which performs keylogging activity and sends data using SMTP server.<\/p>\n

    Payload Analysis:<\/strong><\/p>\n

    The Latest Hawkeye keylogger uses 3 step execution. It starts with container it executes loader which Injects Hawkeye payload into Regasm.exe<\/a> then it captures keystroke and credentials stored in the browser, outlook as well as some FTP file manager and sends them using SMTP protocol.<\/p>\n

    In the first stage, Encrypted C# code which is present in the text format in malware file is decrypted and then compiled in memory. After that Compiled code present in memory is executed by malware. Following code is used for compilation of code and in memory execution using .NET\u00a0framework utilities. As the code is in text form and compiled at runtime. It reduces payload size and helps them to hide from antivirus programs.<\/p>\n

    \"Fig5.
    Fig.\u00a0 5: Compilation and In-Memory Execution of malware<\/figcaption><\/figure>\n

    CSharpCodeProvider\u00a0is used to access utility of .NET\u00a0compiler i.e.\u00a0csc.exe<\/a> used to compile code dynamically. To execute such a code in memory without its physical copy it provides compiler option (as shown in Fig. 5). When we provide \u201cGenerateExecutable\u201d as false then it creates a class library. If we provide the value as \u201ctrue\u201d then it creates an executable file. For \u201cGenerateInMemory\u201d if we provide \u201cfalse\u201d as the value then it saves a physical copy of assembly at %temp%\/randomname.exe. If \u201cGenerateInMemory\u201d is true then it doesn\u2019t save a physical copy of assembly on secondary disk. Then by using compilerResults.CompiledAssembly.EntryPoint.Invoke(null, null); it will execute code from the entry point.<\/p>\n

    In the second stage, loader decrypts Hawkeye reborn stub from resource and injects it into\u00a0RegAsm.exe<\/a><\/a><\/strong>.\u00a0Regasm.exe is assembly registration tool of .NET used to register or unregister assembly. In this malware, by using reflection (i.e invokeMember<\/a> method) regasm.exe is executed, and hawkeye payload is passed as a parameter to regasm.exe. Then this payload is executed as child process under Regasm.exe. In Fig. 6 Text4 is the path of regasm.exe and hXYyylN6() returns decrypted byte array of payload.<\/p>\n

    \"Fig.
    Fig. 6: Injecting Hawkeye stub into Regasm.exe<\/figcaption><\/figure>\n

    In the last stage, the final payload is executed by loader under RegAsm.exe<\/a>(which is a legitimate utility of Microsoft .NET\u00a0framework).\u00a0 It looks like a genuine\u00a0Microsoft application\u00a0but\u00a0actually,\u00a0it\u00a0is\u00a0Hawkeye keylogger.\u00a0The payload is obfuscated by using\u00a0ConfuserEx\u00a01.0 and\u00a0SuppressIldasm<\/a>.\u00a0To execute malware after\u00a0rebooting,\u00a0it creates run entry.<\/p>\n

    The latest version of Hawkeye contains many\u00a0functionalities\u00a0as following.<\/p>\n