Thursday, May 11, 2017

EPS obfuscation for MS Office exploits

We took a deeper look into a recent FireEye blog post on 2 new EPS exploits used while zero-day by the APT 28 / Turla group.  Both exploits have been patched. One of the samples used an interesting EPS based obfuscation technique to avoid detection. By using a 4 byte xor within native Postscript commands the exploit code can be obfuscated and decoded in memory at run time defeating static analysis.

CVE-2017-0262 Sample








QuickSand.io Report

The obfuscation

The PostScript code starts with a xor loop using key 0xC45D6491 using only built-in PostScript functionality


Using our Cryptam multi tool, we'll decode the EPS block manually:

$ php cryptam_multi.php eps.test -xor c45d6491
using XOR key c45d6491


$ ./quicksand.out eps.test.out
 -0> root {7}
  md5:237e6dcbc6af50ef5f5211818522c463
  sha1:228c21dff49376c0946fe2bbe21448bbdbfcf13a
  sha256:385655e10c8a7718bb50e969979cf4f08a2380f67827ce01d05874c49b3a5c13
  head:7b202f48656c7665
  size:347320
  yara:exploits:exploit_cve_2017_0262
  yara:executable:executable_win
  structhash:nO
  qsversion:01.06.004
  qstime:2017:05:11 14:08:48
  score:20
  is_malware:2


Deobfuscated PostScript





We've added a new PostScript XOR obfuscation warning_EPS_xor_exec Yara signature to our QuickSand_Lite project our GitHub.

Indicators

CVE-2017-0262 Sample [Report]
Filename Confirmation_letter.docx.bin
Size 251036 bytes
MD5 2abe3cc4bff46455a945d56c27e9fb45
SHA1 0bd354d1eea9e4864f4c17e6c22bfdb81d88ddee
SHA256 6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490


CVE-2017-0261 Sample [Report] (obfuscated)
Filename Trump's_Attack_on_Syria_English.docx
Size 268950 bytes
MD5 f8e92d8b5488ea76c40601c8f1a08790
SHA1 d5235d136cfcadbef431eea7253d80bde414db9d
SHA256 91acb0d56771af0196e34ac95194b3d0bf3200bc5f6208caf3a91286958876f9





Monday, April 10, 2017

Office 0day goes mainstream

CVE-2017-0199 MS Office Exploit

On Friday April 7, 2017, McAfee posted that a new Office zero day affecting even the most recent versions of Windows and Office was found in the wild, FireEye released a blog post the next day confirming the zero day.

Using details from the 2 posts we were able to find 5 samples from the targeted attacks which use the "htmlfile" class ID 25336920-03f9-11cf-8fd0-00AA00686f13 to load remote content with trusted permissions.   The remote content which appears to be a RTF file with an embedded HTML-style [script language="VBScript"] exploit to download and run a remote executable using powershell.

More concerning, is the emergence of a mass-emailed campaign today (April 10, 2017). Malware Tracker discovered a large campaign using the exploit and common "Scan Data" themed emails. The emails contain a randomly named nnnnnnnn[1].doc rtf file which uses the zero day exploit in a barely modified form. We have observed 2 samples - a .doc, and a .pdf version which is still a rtf file sent to dozens of users in Australia and the US.

Microsoft previously advised that this htmlfile Class ID was high risk and how to disable it.

 Cryptam.com and QuickSand.io both detect this exploit and are free to use.

QuickSand.io malware sample of CVE-2017-0199.

Update: Microsoft has patched this exploit.