Last week I came across an interesting email with an Excel spreadsheet attachment:
There was no content in this email other than FYI and regards. The sender of this email was firstname.lastname@example.org and the email header consisted of the following:
Received: from server.radheshyamcorp.community (unknown [126.96.36.199])
    by mail.impexron.de (Postfix) with ESMTPS id 1902D1BE1B5D
    for <LEFT BLANK>; Thu, 9 Jul 2020 15:40:13 +0300 (+03)
Received: from [188.8.131.52] (port=56921 helo=radheshyamcorp.community)
    by server.radheshyamcorp.community with esmtpsa (TLS1.2)
    tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93)
    (envelope-from email@example.com) id 1jtVqG-0001a4-GS
    for <LEFT BLANK>; Thu, 09 Jul 2020 12:39:56 +0000
The domain this email was sent from is detected as a spam domain by multiple commercial spam firewalls. Knowing only this information, it was likely a phishing email. In this case, I decided to download this Excel spreadsheet, poke around and see what it actually does on execution.
Analysis of the Malicious Excel Spreadsheet
In a nutshell, this file is a weaponized Excel spreadsheet with the following static characteristics:
Filename: MT301 SWIFT PREPAYMAENT ORDER 8909.xlsx
File Hash: b285043710767254a0f415df55cfe0736fa290e6
File Size: 220307 bytes
Detonating this Excel spreadsheet file in my isolated malware VM, I noticed that immediately after its execution the svchost.exe process launched the Microsoft Equation Editor process eqnedt32.exe, and of course the eqnedt32.exe process attempted to download the following file from a URL:
This link was online and served this binary file at the time of writing this post. Running this URL through a reputation service, I noticed that multiple security vendors gave this URL a bad reputation. Since the URL was still online, I decided to grab that file so I could determine what it was. This file has the following static characteristics:
Filename: italianx.exe
File Hash: bd8a085b9d574b30fd69e5497cdd2b57941e537a
File Size: 939520 bytes
Compile Time: 1992-06-19 22:22:17
According to online resources, such as this one https://urlhaus.abuse.ch/url/401255/ this binary file is a variant of AgentTesla. In fact, this URL delivered multiple AgentTesla variants in the past few weeks and it is still online. This post won’t get into the technical details and reversing of this AgentTesla variant nor will it focus on validating that it is AgentTesla indeed. However, in a nutshell, AgentTesla is a spyware, a keylogger and an information stealer Trojan. Its purpose is to steal confidential information from the victim and send this information to a remote domain. According to VirusTotal, on execution, this variant attempts to communicate with the domain dellg[.]xyz. In order to maintain persistence, this variant adds itself to the Autorun key as seen in the following figure:
The interesting part of this attack is the way this Excel spreadsheet leveraged Microsoft Equation Editor to download this AgentTesla variant. Digging a bit more into this technique, I realized that there is nothing new under the sun. This technique is well known and is identified as CVE-2017-11882. This malicious Excel spreadsheet exploits a vulnerability in the Microsoft Equation Editor application.
About Microsoft Equation Editor and CVE-2017-11882
Equation Editor is a feature in Microsoft Office that allows users to embed mathematical equations or formulas within Office documents. Older versions of Equation Editor are vulnerable to CVE-2017-11882, a stack buffer overflow vulnerability in the Microsoft Equation Editor application. The older Equation Editor executable does not use Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) as protection mechanisms, so nothing guards against exploitation of a memory corruption vulnerability. As a result, attackers can alter the flow of execution and run shellcode in memory.
Now that we have a bit more knowledge about this CVE and technique, we can use some free and open-source tools to dissect this malicious Excel spreadsheet and get some information regarding the domain admaris[.]ir.
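To check the DEP/ASLR claim on any executable you have on disk, the added example below (not part of the original post) reads the two opt-in bits from the PE optional header, along with the link timestamp reported as "Compile Time" earlier. The helper names and the constructed header bytes are assumptions made for illustration.

```python
import struct
import sys
from datetime import datetime, timezone

DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image opts in to ASLR
NX_COMPAT = 0x0100      # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: image opts in to DEP


def pe_mitigations(image):
    """Parse PE headers from raw bytes; return ASLR/DEP opt-in and link time."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]           # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    timestamp = struct.unpack_from("<I", image, pe + 8)[0]  # COFF TimeDateStamp
    opt = pe + 24                                           # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dllchar = struct.unpack_from("<H", image, opt + 70)[0]  # DllCharacteristics
    return {
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "dep": bool(dllchar & NX_COMPAT),
        "linked": datetime.fromtimestamp(timestamp, timezone.utc),
    }


def fake_pe(dllchar, timestamp):
    """Constructed minimal header (not a real binary), used only as sample input."""
    img = bytearray(0x80 + 24 + 96)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", img, 0x80 + 8, timestamp)
    struct.pack_into("<H", img, 0x80 + 24, 0x10B)
    struct.pack_into("<H", img, 0x80 + 24 + 70, dllchar)
    return bytes(img)


if __name__ == "__main__":
    # Pass a path to inspect a real file; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else fake_pe(0, 0x2A425E19)
    print(pe_mitigations(data))
```

A cleared NX_COMPAT bit only means the image does not opt in; system-wide DEP policy can still apply to the process.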
Using Free and Open-Source Tools to Uncover the URL
When dealing with malicious Excel spreadsheets or Word documents, you always want to use the Python Oledump tool created by Didier Stevens. Let’s first run the tool on the file MT301 SWIFT PREPAYMAENT ORDER 8909.xlsx and check the output. To do this, run the following command:
oledump.py "MT301 SWIFT PREPAYMAENT ORDER 8909.xlsx"
The output should look like the following:
As you can see in the image above, there is an embedded OLE object in A1. To dump the output of this OLE object, let's run the following command:
oledump.py -s A1 -v -d "MT301 SWIFT PREPAYMAENT ORDER 8909.xlsx" > ..\output.bin
The command above will parse that A1 element, decompress it and dump it into a binary file. Now let's use the XORSearch tool to search this binary file for multiple 32-bit shellcode patterns. To do this, run the following command:
xorsearch.exe -W output.bin
The output should look like the following:
As you can see above, four GetEIP shellcode patterns (methods shellcode uses to find its own location in memory) were found, at address 3306B through address 32FC1 (each was found with XOR 00, i.e. unencoded). To analyze this shellcode, we can use the scdbg tool. Now let's run the GUI launcher of this tool, load the binary file output.bin and set the start offset to 0x3306B:
Once we click on the launch button, the following output window should show the decoded output from this shellcode:
As you can see in the image above, there is a URLDownloadToFileW call to download that AgentTesla variant onto the affected system from the URL hXXp://admaris[.]ir/atlasx/italianx.exe. It then saves it in the current user's %APPDATA% folder and attempts to create a new process from this binary at offset 43434f.
At this point we have successfully decoded this shellcode, have the URL in our possession and can continue our investigation further.
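To show what the GetEIP hits and the "XOR 00" note in the XORSearch step mean, here is an added example (not from the original post and not XORSearch's own rule set) that scans a buffer for three common 32-bit GetEIP idioms under every single-byte XOR key. The idiom definitions are simplified assumptions and the sample bytes are constructed.

```python
import re
import struct

POP = rb"[\x58-\x5f]"                      # pop eax .. pop edi
IDIOMS = {
    "call $+5; pop r32": re.compile(rb"\xe8\x00\x00\x00\x00" + POP),
    "fldz; fnstenv [esp-0xc]; pop r32": re.compile(rb"\xd9\xee\xd9\x74\x24\xf4" + POP),
}
JMP_SHORT = re.compile(rb"\xeb([\x01-\x7f])" + POP)


def jmp_call_pop(buf):
    """Yield offsets of `jmp short X; pop r32; ...; X: call <back to the pop>`."""
    for m in JMP_SHORT.finditer(buf):
        call_at = m.start() + 2 + m.group(1)[0]
        if buf[call_at:call_at + 1] != b"\xe8" or call_at + 5 > len(buf):
            continue
        rel = struct.unpack_from("<i", buf, call_at + 1)[0]
        if call_at + 5 + rel == m.start() + 2:      # call lands on the pop
            yield m.start()


def scan_geteip(data, keys=range(256)):
    """Return sorted (offset, xor_key, idiom) hits; key 0 means unencoded."""
    hits = []
    for key in keys:
        buf = data.translate(bytes(b ^ key for b in range(256)))
        for name, rx in IDIOMS.items():
            hits += [(m.start(), key, name) for m in rx.finditer(buf)]
        hits += [(off, key, "jmp; call; pop r32") for off in jmp_call_pop(buf)]
    return sorted(hits)


# Constructed sample: one unencoded idiom at offset 16 and one idiom encoded
# with XOR key 0x41 at offset 32, separated by NOP padding.
SAMPLE = (
    b"\x90" * 16
    + b"\xe8\x00\x00\x00\x00\x5b"
    + b"\x90" * 10
    + bytes(b ^ 0x41 for b in b"\xeb\x03\x5e\x90\x90\xe8\xf8\xff\xff\xff")
)

if __name__ == "__main__":
    for offset, key, idiom in scan_geteip(SAMPLE):
        print(f"XOR {key:02X} position {offset:08X}: {idiom}")
```

A hit with key 00 corresponds to what the post observed: the shellcode sits in the dumped stream unencoded, so an emulator can be pointed straight at the reported offset.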
Indicators of Compromise
| SHA1 | b285043710767254a0f415df55cfe0736fa290e6 | MT301 SWIFT PREPAYMAENT ORDER 8909.xlsx |
| Domain | admaris[.]ir | From Excel Spreadsheet |