The RTF File continues to be used to attack a government agency in Vietnam

Advanced persistent threats (APTs) are becoming more sophisticated and less predictable. Large organizations, corporate groups, financial institutions, and government bodies are frequent targets. Attackers often exploit users’ carelessness in combination with advanced technical attack techniques to steal information and take control of systems.

This time a government organization was targeted: an email carrying a malicious doc file was sent to the victim. The doc file was actually an RTF file exploiting the Microsoft Office vulnerability CVE-2017-11882, the same vulnerability used in the attack on Da Nang at the end of July 2018. When the victim opens the exploit file, the exploit runs and the victim notices nothing.

The attack form is sophisticated: instead of downloading malicious files directly from a server, the attacker decrypts an encrypted file embedded in the doc file. The exploit code writes this file over EQNEDT32.EXE, a standard Microsoft Office program and the one whose vulnerability is exploited. When the new EQNEDT32.EXE is executed, it unpacks two further dll files, each with its own task, and keeps a connection open waiting for commands from the attacker’s server.

These steps are designed to bypass monitoring systems and anti-virus software, and they also make analysis more difficult.

1. Preliminary analysis

Checking the file shows that it is in RTF format.

Use rtfobj to analyze OLE objects embedded in the file.

When the document is opened, the first OLE object drops a file named 8.t into the Temp folder; the remaining objects are reported as “Not a well-formed ole object”.
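To show what rtfobj is doing in this step, here is an added example (not code from the CyRadar post, and not the analysed document) that pulls every \*\objdata group out of an RTF file, hex-decodes it and parses the OLE 1.0 object header (MS-OLEDS). Objects whose header does not parse are reported the same way rtfobj reports them. The sample RTF, its “Package” object and the garbage second object are all constructed inline; the helper names and the triage() return shape are this example’s own.

```python
import binascii
import re
import struct


def _length_prefixed(s: bytes) -> bytes:
    # LengthPrefixedAnsiString: 4-byte length including the NUL, then the bytes; 0 for empty
    return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)


def _ole1_object(class_name: bytes, native_data: bytes) -> bytes:
    """Build an OLE 1.0 object stream: OLEVersion, FormatID, ClassName, TopicName, ItemName, NativeData."""
    return (struct.pack("<II", 0x00000501, 2)                  # FormatID 2 = embedded object
            + _length_prefixed(class_name)                     # e.g. "Package"
            + _length_prefixed(b"") + _length_prefixed(b"")    # TopicName, ItemName (empty)
            + struct.pack("<I", len(native_data)) + native_data)


# Constructed sample RTF: one well-formed "Package" object and one object whose
# hex data is not an OLE object at all (mirrors the "Not a well-formed" case).
SAMPLE_RTF = (
    b"{\\rtf1\\ansi "
    b"{\\object\\objemb{\\*\\objdata\n"
    + binascii.hexlify(_ole1_object(b"Package", b"8.t payload (constructed)"))
    + b"\n}}"
    b"{\\object\\objemb{\\*\\objdata 41414141}}"
    b"}"
)


def extract_objdata(rtf: bytes):
    """Return the decoded bytes of every \\*\\objdata group, in document order."""
    blobs = []
    for m in re.finditer(rb"\\\*\\objdata", rtf):
        depth, i = 1, m.end()
        start = i
        while i < len(rtf) and depth:          # walk to the brace that closes this group
            if rtf[i:i + 1] == b"{":
                depth += 1
            elif rtf[i:i + 1] == b"}":
                depth -= 1
            i += 1
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", rtf[start:i - 1])  # drop whitespace/newlines
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]                 # tolerate a dangling nibble
        blobs.append(binascii.unhexlify(hexdata))
    return blobs


def parse_ole1(blob: bytes):
    """Parse an OLE 1.0 object header; return a dict, or None if it is not well-formed."""
    try:
        pos = 0
        version, fmt = struct.unpack_from("<II", blob, pos)
        pos += 8
        names = []
        for _ in range(3):                         # ClassName, TopicName, ItemName
            (n,) = struct.unpack_from("<I", blob, pos)
            pos += 4
            if n > len(blob) - pos:
                return None
            names.append(blob[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
            pos += n
        (size,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if fmt != 2 or size > len(blob) - pos:
            return None
        return {"version": version, "class": names[0],
                "native_size": size, "native": blob[pos:pos + size]}
    except struct.error:
        return None


def triage(rtf: bytes):
    """List (index, class name or status, native data size) for each embedded object."""
    results = []
    for idx, blob in enumerate(extract_objdata(rtf)):
        hdr = parse_ole1(blob)
        if hdr is None:
            results.append((idx, "Not a well-formed ole object", None))
        else:
            results.append((idx, hdr["class"], hdr["native_size"]))
    return results


if __name__ == "__main__":
    for idx, what, size in triage(SAMPLE_RTF):
        print(f"object {idx}: {what} (native data {size} bytes)")
```

The native data of a “Package” object carries the dropped file (8.t here), so a triage script would next write hdr["native"] to disk for hashing and further analysis rather than opening the document.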

2. Behavioral analysis

When the doc file is opened, the Winword.exe process calls EQNEDT32.exe, which triggers the vulnerability above.

The EQNEDT32.exe process drops two files, DXDriver.dll and ~ D7E525_tmp_ASDFS_JSKDLE.dmp, into the C:\ProgramData\ folder.

DXDriver.dll is then executed with the command C:\Windows\System32\Rundll32.exe “C:\ProgramData\Application Data\DXDriver.dll”,Flush {KAQWODOS-XCJD-LKSK-KQKW-KXKSOQOWCISL}.

Wireshark shows the connection to the malicious server.

3. Analyze the doc file

The doc file is opened by Winword.exe, but the EQNEDT32.exe process is started through a COM object. To debug it, use the Image File Execution Options technique: create a Debugger key for EQNEDT32.exe so that the debugger is attached whenever EQNEDT32.exe is called.

The debugger stops at the Address Of Entry Point of the EQNEDT32.exe process.

Set a breakpoint on the CreateFileW function to catch the shellcode reading the 8.t file.

Continuing to step through the code leads to the exploit code area.

The shellcode reads file 8.t, decrypts an executable file from it and saves it in memory allocated with the VirtualAllocEx function.

It gets the path of the EQNEDT32.exe executable.

It uses CreateProcess to start EQNEDT32.exe in the suspended state.

It writes the decoded code into memory allocated in the new EQNEDT32.exe process and then calls the ResumeThread function. The new process runs the decrypted code.

4. Analyze the dumped binary

Dumping the decrypted 8.t from memory yields an executable file packed with UPX.

After unpacking it and analysing it in IDA, the malicious code:
  • retrieves victim machine information;
  • checks whether the victim machine is running antivirus software such as AVG, Avast or BKAV;
  • creates a Run key so that it starts with the system;
  • writes environment values into the registry.

It drops two files into the C:\ProgramData folder. Both are handled the same way: they are in CAB format (a file compression format) and are extracted by calling expand.exe.

expand.exe is used to extract the files.
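Because the dropped files are cabinets, an analyst can list and recover their contents offline instead of letting expand.exe run them. The following is an added example (not code from the post or from the malware) that parses the CFHEADER, CFFOLDER and CFFILE structures of the MS-CAB format and recovers files from an uncompressed folder; the sample cabinet, its two entries and their contents are constructed inline, and the structure field names follow the MS-CAB specification.

```python
import struct

CFHEADER_FMT = "<IIIIIBBHHHHH"   # after the 4-byte "MSCF" signature; 32 bytes
CFFOLDER_FMT = "<IHH"            # coffCabStart, cCFData, typeCompress
CFFILE_FMT = "<IIHHHH"           # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA_FMT = "<IHH"              # csum, cbData, cbUncomp


def is_cab(blob: bytes) -> bool:
    return blob[:4] == b"MSCF"


def _skip_sz(blob: bytes, pos: int) -> int:
    """Skip one NUL-terminated string."""
    return blob.index(b"\x00", pos) + 1


def parse_cab(blob: bytes) -> dict:
    """Parse the header, folder and file tables of a cabinet without extracting anything."""
    if not is_cab(blob):
        raise ValueError("not a CAB file: missing MSCF signature")
    (_, cb_cabinet, _, coff_files, _, v_minor, v_major,
     c_folders, c_files, flags, set_id, _) = struct.unpack_from(CFHEADER_FMT, blob, 4)
    pos, folder_reserve, data_reserve = 36, 0, 0
    if flags & 0x0004:                                   # cfhdrRESERVE_PRESENT
        cb_hdr, folder_reserve, data_reserve = struct.unpack_from("<HBB", blob, pos)
        pos += 4 + cb_hdr
    if flags & 0x0001:                                   # cfhdrPREV_CABINET: two strings
        pos = _skip_sz(blob, _skip_sz(blob, pos))
    if flags & 0x0002:                                   # cfhdrNEXT_CABINET: two strings
        pos = _skip_sz(blob, _skip_sz(blob, pos))
    folders = []
    for _ in range(c_folders):
        coff, n_data, ctype = struct.unpack_from(CFFOLDER_FMT, blob, pos)
        pos += 8 + folder_reserve
        folders.append({"coffCabStart": coff, "cCFData": n_data,
                        "typeCompress": ctype & 0x000F})  # low nibble: 0 none, 1 MSZIP, 3 LZX
    files, pos = [], coff_files
    for _ in range(c_files):
        size, off, i_folder, _, _, attribs = struct.unpack_from(CFFILE_FMT, blob, pos)
        pos += 16
        end = blob.index(b"\x00", pos)
        files.append({"name": blob[pos:end].decode("latin-1"), "size": size,
                      "offset": off, "folder": i_folder, "attribs": attribs})
        pos = end + 1
    return {"cabinet_size": cb_cabinet, "version": f"{v_major}.{v_minor}", "set_id": set_id,
            "data_reserve": data_reserve, "folders": folders, "files": files}


def extract_uncompressed(blob: bytes, info: dict, name: str) -> bytes:
    """Recover one file from a folder stored without compression (typeCompress 0)."""
    f = next(x for x in info["files"] if x["name"] == name)
    folder = info["folders"][f["folder"]]
    if folder["typeCompress"] != 0:
        raise ValueError("folder is compressed; use a full CAB decompressor")
    pos, out = folder["coffCabStart"], b""
    for _ in range(folder["cCFData"]):                   # concatenate the folder's CFDATA blocks
        _, cb_data, _ = struct.unpack_from(CFDATA_FMT, blob, pos)
        pos += 8 + info["data_reserve"]
        out += blob[pos:pos + cb_data]
        pos += cb_data
    return out[f["offset"]:f["offset"] + f["size"]]


def build_sample_cab(entries) -> bytes:
    """Constructed single-folder, uncompressed cabinet used as test input (not a real sample)."""
    payload = b"".join(d for _, d in entries)
    cffile, off = b"", 0
    for name, d in entries:
        cffile += struct.pack(CFFILE_FMT, len(d), off, 0, 0, 0, 0x20) + name.encode() + b"\x00"
        off += len(d)
    coff_files = 36 + 8                                  # header + one CFFOLDER
    coff_data = coff_files + len(cffile)
    cfdata = struct.pack(CFDATA_FMT, 0, len(payload), len(payload)) + payload
    total = coff_data + len(cfdata)
    header = b"MSCF" + struct.pack(CFHEADER_FMT, 0, total, 0, coff_files, 0,
                                    3, 1, 1, len(entries), 0, 0x1234, 0)
    folder = struct.pack(CFFOLDER_FMT, coff_data, 1, 0)
    return header + folder + cffile + cfdata


SAMPLE_CAB = build_sample_cab([
    ("DXDriver.dll", b"MZ constructed dll body"),          # contents are placeholders
    ("ASDFS_JSKDLE.dll", b"MZ constructed second dll body"),
])

if __name__ == "__main__":
    info = parse_cab(SAMPLE_CAB)
    for f in info["files"]:
        print(f'{f["name"]}: {f["size"]} bytes, folder {f["folder"]}')
```

Listing the CFFILE names alone is often enough to decide how a dropped cabinet should be handled; real droppers usually use MSZIP or LZX folders, for which the extraction step must be delegated to a full decompressor.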

It executes the service with the command C:\Windows\System32\Rundll32.exe “C:\ProgramData\Application Data\DXDriver.dll”,Flush {KAQWODOS-XCJD-LKSK-KQKW-KXKSOQOWCISL}.

After running, it deletes the overwritten EQNEDT32.exe file.
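The behaviour described in sections 2 to 4 (EQNEDT32.exe writing into C:\ProgramData, a suspended second EQNEDT32.exe, expand.exe unpacking the cabinets and Rundll32 calling the Flush export of a DLL under ProgramData) can be turned into endpoint detection rules. The following is an added example, not part of the CyRadar post: four rules run over constructed Sysmon-style process and file events whose field layout (type, image, parent, cmdline, target) is this example’s own assumption. The Winword → EQNEDT32 event is left unalerted on purpose, since Equation Editor also starts legitimately; it is included as a hunting baseline.

```python
import re
from typing import Dict, List, Optional

Event = Dict[str, str]

# Constructed events, not telemetry from the incident. Paths other than the
# Rundll32 command line quoted in the post are placeholders.
EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Program Files\Microsoft Office\Office\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'"WINWORD.EXE" /n "C:\Users\user\invite.doc"'},
    {"type": "process", "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "parent": r"C:\Program Files\Microsoft Office\Office\WINWORD.EXE", "cmdline": r'"EQNEDT32.EXE" -Embedding'},
    {"type": "file", "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "target": r"C:\ProgramData\Application Data\DXDriver.dll"},
    {"type": "file", "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "target": r"C:\ProgramData\~ D7E525_tmp_ASDFS_JSKDLE.dmp"},
    {"type": "process", "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "cmdline": "EQNEDT32.EXE"},
    {"type": "process", "image": r"C:\Windows\System32\expand.exe",
     "parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'expand.exe "C:\ProgramData\driver.cab" "C:\ProgramData\Application Data\DXDriver.dll"'},
    {"type": "process", "image": r"C:\Windows\System32\Rundll32.exe",
     "parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'C:\Windows\System32\Rundll32.exe "C:\ProgramData\Application Data\DXDriver.dll",Flush {KAQWODOS-XCJD-LKSK-KQKW-KXKSOQOWCISL}'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",            # benign control
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_eqnedt_child(ev: Event) -> Optional[str]:
    # Equation Editor has no business spawning processes (EQNEDT32 -> EQNEDT32, expand.exe, rundll32).
    if ev["type"] == "process" and _base(ev["parent"]) == "eqnedt32.exe":
        return "R1 Equation Editor spawned a child process: " + _base(ev["image"])
    return None


def rule_eqnedt_file(ev: Event) -> Optional[str]:
    if ev["type"] == "file" and _base(ev["image"]) == "eqnedt32.exe" \
            and ev["target"].lower().startswith("c:\\programdata\\"):
        return "R2 Equation Editor wrote to ProgramData: " + ev["target"]
    return None


RUNDLL_PD = re.compile(r'c:\\programdata\\[^"]*\.dll"?\s*,\s*\w+', re.I)


def rule_rundll32(ev: Event) -> Optional[str]:
    if ev["type"] == "process" and _base(ev["image"]) == "rundll32.exe" \
            and RUNDLL_PD.search(ev["cmdline"]):
        return "R3 rundll32 called an export of a DLL under ProgramData: " + ev["cmdline"]
    return None


def rule_expand(ev: Event) -> Optional[str]:
    if ev["type"] == "process" and _base(ev["image"]) == "expand.exe" \
            and "c:\\programdata\\" in ev["cmdline"].lower():
        return "R4 expand.exe extracted into ProgramData: " + ev["cmdline"]
    return None


RULES = [rule_eqnedt_child, rule_eqnedt_file, rule_rundll32, rule_expand]


def detect(events: List[Event]) -> List[str]:
    """Run every rule over every event and return the alert messages in order."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append(msg)
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(h)
```

R1 is the highest-value rule here: a parent of EQNEDT32.exe is rare on a healthy estate, so the eqnedt32 → eqnedt32 pair that the process-hollowing step produces stands out even when the dropped file names change.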

5. Analyze DXDriver.dll

Analyzing DXDriver.dll in IDA shows that the Flush function checks its input parameter.

DXDriver.dll called with the parameter {KAQWODOS-XCJD-LKSK-KQKW-KXKSOQOWCISL} reads the DXDriver.dll file and saves it in memory allocated with the VirtualAlloc function.

It then calls Flush again with the parameter {DAOSOQJS-QWWE-LALM-XKSD-AKQJWKSDAXLO}.

With the second parameter, it checks whether the Bka.exe and BkavSystemService.exe processes are running.

It reads the DLL_INIT value stored in the registry, which is the path to the remaining extracted dll file, creates a mutex and calls the BeginApp function in that dll.

6. Analysis … ASDFS_JSKDLE.dmp

It reads and decodes the values stored in the registry.

It makes a GET request to http://141.105.64[.]231/Twitter/home/login.php.

It collects system information, including the system version.

It POSTs the encrypted data to the malicious server.

It loops, waiting for a command to come back from the malicious server.

It downloads data from the server.

It extracts the file downloaded from the server, which is saved as Microsoft_Cloud.TMP.

It creates a new registry value, KSEC, that stores the path of the downloaded file.

Using the Microsoft_Cloud.TMP file path, it obtains the address of the PythonThreadStarts function with GetProcAddress and executes this new dll.

7. IOCs

  • URL: http://141.105.64[.]231/Twitter/home/login.php
  • URL: http://27.255.65[.]110/Microsoft/Service/util.XML
  • URL: http://27.255.65[.]110/Microsoft/Service/Update.php
  • RTF: d648c374439cf5fe9df8dc59eb472067
  • 8.t: 0271eb92ec62fcc732c8525fef305b7f
  • ASDFS_JSKDLE.dll: 04efa27e5b4998f8c1f7045c341b957a
  • DXDriver.dll: 0d69cc15d8e7c0930e30d26a233625f7
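The C2 exchange in section 6 (a GET to login.php, then POSTs of encrypted data in a command loop) and the IOC list above can be operationalised as a retrospective check. The following is an added example, not part of the post: it refangs the listed URLs, matches proxy log lines both on the exact URL and on the C2 host alone (so beaconing to another path on the same server is still caught), and checks a file inventory against the MD5 hashes. The proxy log lines (squid native format: timestamp, elapsed, client, code/status, bytes, method, URL, …) and the file inventory are constructed; only the IOC values come from the post.

```python
import hashlib
import re
from urllib.parse import urlsplit

# IOCs as listed in the post (defanged with [.] so they are not clickable).
IOC_URLS = [
    "http://141.105.64[.]231/Twitter/home/login.php",
    "http://27.255.65[.]110/Microsoft/Service/util.XML",
    "http://27.255.65[.]110/Microsoft/Service/Update.php",
]
IOC_MD5 = {
    "d648c374439cf5fe9df8dc59eb472067": "RTF",
    "0271eb92ec62fcc732c8525fef305b7f": "8.t",
    "04efa27e5b4998f8c1f7045c341b957a": "ASDFS_JSKDLE.dll",
    "0d69cc15d8e7c0930e30d26a233625f7": "DXDriver.dll",
}


def refang(url: str) -> str:
    return url.replace("[.]", ".")


IOC_FULL = {refang(u).lower() for u in IOC_URLS}
IOC_HOSTS = {urlsplit(refang(u)).hostname for u in IOC_URLS}


def match_url(url: str):
    """'url' for an exact IOC match, 'host' for the same C2 host on another path, else None."""
    u = url.lower()
    if u in IOC_FULL:
        return "url"
    if urlsplit(u).hostname in IOC_HOSTS:
        return "host"
    return None


# Constructed proxy log; 10.0.0.15 plays the infected host, 192.0.2.10 is a documentation address.
PROXY_LOG = [
    "1533801600.123   1234 10.0.0.15 TCP_MISS/200 512 GET http://141.105.64.231/Twitter/home/login.php - HIER_DIRECT/141.105.64.231 text/html",
    "1533801601.456    200 10.0.0.15 TCP_MISS/200 3072 POST http://141.105.64.231/Twitter/home/login.php - HIER_DIRECT/141.105.64.231 text/html",
    "1533801602.789    100 10.0.0.22 TCP_HIT/200 1024 GET http://www.example.com/index.html - HIER_DIRECT/192.0.2.10 text/html",
    "1533801603.000    300 10.0.0.15 TCP_MISS/200 9000 GET http://27.255.65.110/Microsoft/Service/other.txt - HIER_DIRECT/27.255.65.110 text/plain",
]

URL_RE = re.compile(r"https?://\S+")


def scan_proxy_log(lines):
    """Return one record per log line whose URL matches an IOC URL or IOC host."""
    hits = []
    for ln in lines:
        m = URL_RE.search(ln)
        if not m:
            continue
        kind = match_url(m.group(0))
        if kind:
            fields = ln.split()
            hits.append({"client": fields[2], "method": fields[5],
                         "url": m.group(0), "match": kind})
    return hits


# Constructed file inventory (path -> MD5) as an EDR or forensic image listing would provide it.
INVENTORY = {
    r"C:\Users\user\Downloads\invite.doc": "d648c374439cf5fe9df8dc59eb472067",
    r"C:\ProgramData\Application Data\DXDriver.dll": "0d69cc15d8e7c0930e30d26a233625f7",
    r"C:\Windows\System32\notepad.exe": hashlib.md5(b"benign constructed content").hexdigest(),
}


def check_hashes(inventory):
    """Map each inventory path whose MD5 is a known IOC to the IOC label."""
    return {path: IOC_MD5[h.lower()] for path, h in inventory.items() if h.lower() in IOC_MD5}


if __name__ == "__main__":
    for h in scan_proxy_log(PROXY_LOG):
        print(h)
    print(check_hashes(INVENTORY))
```

A GET followed by repeated POSTs from one client to the same login.php, as the first two constructed lines show, is the shape of the command loop described in section 6 and is worth a dedicated hunt even on hosts that have not been flagged by hash.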

8. Warnings

To protect information against increasingly sophisticated and unpredictable targeted attacks, we need to be vigilant and check received emails carefully: the sender’s name and any file or link attached to the email.

Individual users should use antivirus software and keep it updated to the latest version.

Businesses should use email scanning technologies to block email campaigns, together with network monitoring technologies to detect computers showing signs of attack in time.

Chim Se – CyRadar Team
