We’ve investigated a new phishing campaign spreading malicious documents that exploit the CVE-2017-0199 and CVE-2017-11882 vulnerabilities.
The purpose of this campaign is to deploy the Lokibot stealer on the infected machines. In our investigation we found misconfigurations on the malicious domains that allowed us to identify a hostname which was a name server for two scam domains registered in Brazil.
We believe that the owner of these domains might be involved in the malicious campaign.
We begin the analysis with a document that impersonates the Romanian ANAF (National Agency for Fiscal Administration) called “Factura fiscala ANAF270622.xlsx” (SHA256: 098335ca421ca8501fd243714fd02457ebbaa40dd6f91cf1ab61a58c415a27a0). The document was downloaded from https://app.any.run/tasks/e5624c90-9c9c-4f35-a80a-3beed6370c35/.
The malicious document is a xlsx file that contains a blurred image which seems to be an invoice, as highlighted below:
The file is an encrypted Excel document with a common password (“VelvetSweatshop”), as shown below:
Using oledump it`s possible to determine that there is an embedded OLE object in the document:
The document tries to exploit a vulnerability found in Microsoft Office and WordPad, that is described in CVE-2017-0199 . If successful, the malware would download a file found at http[:]//itssotiny.com/fYYbO (returns 404 at this time). However, according to VirusTotal, the link redirected to http[:]//18.104.22.168/document/77.doc (still active). Figure 5 reveals that there are two documents hosted in the same location:
The 77.doc file is an obfuscated RTF file, which exploits the another Microsoft Office vulnerability, CVE-2017-11882 :
The rtfdump.py script is utilized to list groups and the structure of the RTF file:
The Microsoft Equation Editor process that can be identified in the sandbox analysis is a strong indicator that the vulnerability is indeed CVE-2017-11882, which is a vulnerability in Microsoft Equation Editor (https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild).
The final stage consists of downloading the Lokibot stealer from http[:]//22.214.171.124/77/vbc.exe (https://www.virustotal.com/gui/file/d243ac3d475a2e3dad62640525d3b4f102bb8140cc844363d61e95ea5fc4f8fb/detection).
Due to the attacker’s mistake, phpinfo.php can be accessed by anybody and reveals crucial information about the potential attacker. As we can see in figure 8, the hostname is “WIN-2NF07F1AQLT” and it runs on a Windows Server 2016 machine:
We have expended the attacker’s infrastructure via OSINT. The following files/IP addresses could be identified:
- 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11
As we can see in figure 9, the hostname is the same for a different domain:
We have identified another hostname for an older campaign – “WIN-3JS0MA784YQ”:
We’ve performed an OSINT investigation and found that the “WIN-2NF07F1AQLT” hostname appears as a name server for two domains registered in Brazil: Webcamer.com[.]br and Citydesconto.com[.]br. According to website.informer.com, these 2 domains were registered by an individual “Noe Yvert Etoua Evina” with the [email protected] email address:
These two domains seem to be scam domains. An individual with the same name appears in multiple judicial processes on jusbrasil.com.br.
Indicators of Compromise