EPS obfuscation for MS Office exploits

We took a deeper look into a recent FireEye blog post on 2 new EPS exploits used while zero-day by the APT 28 / Turla group.  Both exploits have been patched. One of the samples used an interesting EPS based obfuscation technique to avoid detection. By using a 4 byte xor within native Postscript commands the exploit code can be obfuscated and decoded in memory at run time defeating static analysis.

CVE-2017-0262 Sample

QuickSand.io Report

The obfuscation

The PostScript code starts with a xor loop using key 0xC45D6491 using only built-in PostScript functionality

Using our Cryptam multi tool, we'll decode the EPS block manually:

$ php cryptam_multi.php eps.test -xor c45d6491

using XOR key c45d6491

$ ./quicksand.out eps.test.out

 -0> root {7}

  md5:237e6dcbc6af50ef5f5211818522c463

  sha1:228c21dff49376c0946fe2bbe21448bbdbfcf13a

  sha256:385655e10c8a7718bb50e969979cf4f08a2380f67827ce01d05874c49b3a5c13

  head:7b202f48656c7665

  size:347320

  yara:exploits:exploit_cve_2017_0262

  yara:executable:executable_win

  structhash:nO

  qsversion:01.06.004

  qstime:2017:05:11 14:08:48

  score:20

  is_malware:2

Deobfuscated PostScript

We've added a new PostScript XOR obfuscation warning_EPS_xor_exec Yara signature to our QuickSand_Lite project our GitHub.

Indicators

CVE-2017-0262 Sample [Report]

Filename Confirmation_letter.docx.bin

Size 251036 bytes

MD5 2abe3cc4bff46455a945d56c27e9fb45

SHA1 0bd354d1eea9e4864f4c17e6c22bfdb81d88ddee

SHA256 6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490

CVE-2017-0261 Sample [Report] (obfuscated)

Filename Trump's_Attack_on_Syria_English.docx

Size 268950 bytes

MD5 f8e92d8b5488ea76c40601c8f1a08790

SHA1 d5235d136cfcadbef431eea7253d80bde414db9d

SHA256 91acb0d56771af0196e34ac95194b3d0bf3200bc5f6208caf3a91286958876f9