New Campaign Using Old Equation Editor Vulnerability

Yesterday, I found a phishing sample that looked interesting:

From: sales@tjzxchem[.]com
To: me
Subject: RE: Re: Proforma Invoice INV 075 2018-19 ’08
Reply-To: exports.sonyaceramics@gmail[.]com

Dear Respected Sir,
Please find the proforma invoice attached.

Kindly check and confirm.
Material will be dispatched with 5-7 working days.
Regards,
Armit Thakkar
Head Sales Development
Technovinyl Polymers India Ltd.
Filix 901 -C1, 9th Floor,
Opp. Asian Paints,
L.B.S.Road, Bhandup (W), 
Mumbai - 400 078, India
Mob: +91-9322266143
Ph: +91-22-61721888

There was an attached document "INV 075 2018-19.xlsx" (SHA256: abbdd98106284eb83582fa08e3452cf43e22edde9e86ffb8e9386c8e97440624) with a VirusTotal detection score of 28/60 [1]. When I opened the document, it displayed a nice picture asking the victim to disable the default Office security feature:

But I also received an error message from Office about an application that could not be opened. Excel tried to spawn a new process:

EQNEDT32.EXE -Embedding

Google this and you will discover that the "Equation Editor" is an Office component that helps to write nice-looking equations:

This tool is very useful for mathematicians or engineers who must add complex equations to their documents, but who installs it in a malware analysis sandbox? That makes it a nice way to evade automated analysis. Once my sandbox was fixed and the Equation Editor installed, I re-opened the document and the Equation Editor was launched immediately. It downloaded and executed the following payload:

http://216.170.114.195/klonnx.exe

(SHA256: 7fe5f06d04390dd22e1065491c43c33dbebd03400826897c814db8d10469a8eb - VT score: 41/69).
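The process chain described above (an Office host activating EQNEDT32.EXE, which then launches something else) is what a detection rule should key on, since the "-Embedding" switch itself is the ordinary COM activation argument and appears for genuine equations too. The following Python is an added example, not code from the diary or from SANS ISC: it runs a simple rule over constructed process-creation records whose field names loosely follow Sysmon Event ID 1 (Image, ParentImage, CommandLine). The sample events, their PIDs and the payload's drop path are assumptions for illustration.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Office hosts that can embed an OLE object and therefore legitimately
# activate the Equation Editor COM server.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
EQNEDT = "eqnedt32.exe"


@dataclass
class ProcEvent:
    """Minimal process-creation record; names loosely follow Sysmon Event ID 1."""
    pid: int
    parent_pid: int
    image: str
    parent_image: str
    command_line: str


def _name(path: str) -> str:
    # ntpath handles Windows paths regardless of the host OS.
    return ntpath.basename(path).lower()


def detect_eqnedt_abuse(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (severity, pid, reason) findings for Equation Editor activity.

    "-Embedding" on the Equation Editor's own command line is the normal COM
    activation switch, so the command line is not the signal; the
    parent/child relationships are.
    """
    findings = []
    for ev in events:
        image, parent = _name(ev.image), _name(ev.parent_image)
        # An Office host activating eqnedt32.exe is what both a genuine
        # equation and the CVE-2017-11882 exploit look like: log it, don't page.
        if parent in OFFICE_HOSTS and image == EQNEDT:
            findings.append(("medium", ev.pid, f"{parent} activated Equation Editor"))
        # The Equation Editor has no business launching anything; a child
        # process is exactly what the diary's sample produced.
        if parent == EQNEDT:
            findings.append(("high", ev.pid,
                             f"Equation Editor spawned {image} ({ev.command_line})"))
    return findings


def high_confidence_pids(events: List[ProcEvent]) -> List[int]:
    """PIDs worth an alert: processes the Equation Editor itself launched."""
    return [pid for sev, pid, _ in detect_eqnedt_abuse(events) if sev == "high"]


# Constructed sample telemetry (not from the diary): an Excel session that
# activates the Equation Editor, which then launches a dropped payload, and a
# benign Word session that activates the Equation Editor and nothing else.
_EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
_EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
_WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
SAMPLE_EVENTS = [
    ProcEvent(1200, 800, _EXCEL, r"C:\Windows\explorer.exe",
              r'"EXCEL.EXE" "INV 075 2018-19.xlsx"'),
    ProcEvent(1304, 1200, _EQN, _EXCEL, "EQNEDT32.EXE -Embedding"),
    # Hypothetical drop location for the payload named in the diary.
    ProcEvent(1410, 1304, r"C:\Users\admin\AppData\Local\Temp\klonnx.exe", _EQN,
              r"C:\Users\admin\AppData\Local\Temp\klonnx.exe"),
    ProcEvent(2100, 800, _WORD, r"C:\Windows\explorer.exe", r'"WINWORD.EXE" thesis.docx'),
    ProcEvent(2188, 2100, _EQN, _WORD, "EQNEDT32.EXE -Embedding"),
]


if __name__ == "__main__":
    for sev, pid, reason in detect_eqnedt_abuse(SAMPLE_EVENTS):
        print(f"[{sev:6}] pid={pid}: {reason}")
```

Run as-is it reports three findings: two medium ones for the Office hosts activating the Equation Editor (the Word one is the false-positive budget you accept) and one high one for the payload launched from under EQNEDT32.EXE. The same split also explains the author's sandbox point: a sandbox without the Equation Editor never produces the high-severity event, because the exploit never runs.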

Once executed, the malware copies itself into %APPDATA%\Roaming\svhost\svhost.exe

It schedules a task via schtasks.exe:

schtasks.exe /create /sc MINUTE /tn svhost.exe /MO 1 /tr "C:\Users\admin\AppData\Roaming\svhost\svhost.exe\

It also creates a shortcut in %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe.url:

[InternetShortcut]
URL=file:///C:/Users/admin/AppData/Roaming/svhost/svhost.exe
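Both persistence artifacts above, the .url file in the Startup folder and the schtasks command line, can be triaged mechanically. The Python below is an added example, not the diary's or SANS ISC's code: it parses the two artifacts quoted above, resolves the file:// URL to a local path, and flags autostart targets that live in user-writable directories, imitate a system binary name (svhost versus svchost) or re-run every few minutes. The benign comparison inputs are constructed for contrast.

```python
import configparser
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlparse

# Directory fragments a regular user can write to; an autostart pointing into
# one of these deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Well-known system process names that malware likes to imitate.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}


def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1  # substitution: advance both
        j += 1      # insertion into the longer string
    return edits + (len(b) - j) <= 1


def parse_url_shortcut(text: str) -> Optional[str]:
    """Read the URL= value from an [InternetShortcut] (.url) file body."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def file_url_to_path(url: str) -> Optional[str]:
    """Turn file:///C:/dir/x.exe into C:\\dir\\x.exe; None for non-file URLs."""
    parts = urlparse(url)
    if parts.scheme.lower() != "file":
        return None
    path = unquote(parts.path)
    if re.match(r"^/[A-Za-z]:", path):  # drop the slash before the drive letter
        path = path[1:]
    return path.replace("/", "\\")


def parse_schtasks_create(cmd: str) -> Dict[str, str]:
    """Pull /sc, /mo, /tn and /tr out of a 'schtasks /create' command line.

    The captured line in the diary ends with a backslash and an unclosed quote,
    so /tr is read up to the next quote or end of string and the stray trailing
    backslash is dropped.
    """
    out: Dict[str, str] = {}
    for key in ("sc", "mo", "tn"):
        m = re.search(rf"/{key}\s+(\S+)", cmd, re.I)
        if m:
            out[key] = m.group(1)
    m = re.search(r'/tr\s+"?([^"]*)', cmd, re.I)
    if m:
        out["tr"] = m.group(1).strip().rstrip("\\")
    return out


def assess_autostart(path: str) -> List[str]:
    """Reasons an autostart target looks suspicious (empty list = nothing odd)."""
    reasons = []
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    for sysname in SYSTEM_NAMES:
        if name != sysname and within_one_edit(name, sysname):
            reasons.append(f"name imitates system binary {sysname}")
    return reasons


def triage_url_shortcut(text: str) -> List[str]:
    url = parse_url_shortcut(text)
    path = file_url_to_path(url) if url else None
    if path is None:
        return []  # a web link in Startup is not a local autostart
    return ["Startup .url launches a local file via file://"] + assess_autostart(path)


def triage_schtasks(cmd: str) -> List[str]:
    task = parse_schtasks_create(cmd)
    reasons = assess_autostart(task["tr"]) if "tr" in task else []
    mo = task.get("mo", "")
    if task.get("sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        reasons.append(f"task re-runs every {mo} minute(s)")
    return reasons


# Artifacts quoted from the diary:
URL_SAMPLE = "[InternetShortcut]\nURL=file:///C:/Users/admin/AppData/Roaming/svhost/svhost.exe\n"
TASK_SAMPLE = ('schtasks.exe /create /sc MINUTE /tn svhost.exe /MO 1 '
               '/tr "C:\\Users\\admin\\AppData\\Roaming\\svhost\\svhost.exe\\')
# Constructed benign inputs for comparison:
BENIGN_URL = "[InternetShortcut]\nURL=https://example.com/\n"
BENIGN_TASK = 'schtasks.exe /create /sc DAILY /tn Backup /tr "C:\\Program Files\\Backup\\backup.exe"'

if __name__ == "__main__":
    for label, reasons in (("url", triage_url_shortcut(URL_SAMPLE)),
                           ("task", triage_schtasks(TASK_SAMPLE))):
        print(label, reasons)
```

The .url check matters because the Startup folder will happily resolve a file:// shortcut to a local executable, which is a quieter autostart than a Run key; the task check catches the one-minute repeat interval that keeps svhost.exe alive if it is killed.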

The malware is a Razy trojan and it phones home to datalogsbackups[.]hopto[.]org (91.192.100.20) on port 2233.

The vulnerability exploited by this campaign is not new: it abuses CVE-2017-11882 in eqnedt32.exe [2].

[1] https://www.virustotal.com/#/file/abbdd98106284eb83582fa08e3452cf43e22edde9e86ffb8e9386c8e97440624/detection
[2] https://borncity.com/win/2017/11/28/hacker-are-misusing-cve-2017-11882-in-office-eqnedt32-exe/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
