Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Email attachment using CVE-2017-8759 exploit targets Argentina

Published: 2017-09-21
Last Updated: 2017-09-21 00:39:14 UTC
by Brad Duncan (Version: 1)
2 comment(s)

Introduction

On 2017-09-12, FireEye published a blog post about a zero-day exploit utilizing CVE-2017-8759.  The vulnerability was fixed that same day with Microsoft's September 2017 Security Updates.

In FireEye's blog post, this exploit was used against Russian speakers to distribute FINSPY malware.  By 2017-09-19, I ran across another email spoofing an Argentina government agency using a CVE-2017-8759 exploit to distribute Betabot malware.

Today's diary reviews the email, malware, and traffic associated with this most recent exploit for CVE-2017-8759.

The email and attachment

The email pretends to be from the Administracion Federal de Ingresos Publicos (AFIP) a Argentina government agency responsible for tax collection and administration.  The message actually came from a commercial mail server on an IP address assigned to Gualberto Larrauri, an Argentina-based Internet service provider (ISP).

The message describes the attachment as a manual for the AFIP purchasing portal.  The attachment is a zip archive, and that archive contains a Rich Text Format (RTF) file with .doc as the file extension.  True to its word, the RTF file contains an annex to the official AFIP document covering the subject.  It also contains an exploit for CVE-2017-8759.  Merely opening the file using Microsoft Word will infect a vulnerable Windows computer.


Shown above:  Screenshot of the email.


Shown above:  Email headers indicate where the email actually came from.


Shown above:  The email attachment and extracted RTF document.

Follow-up malware

Opening the RTF document generated Powershell activity that retrieved a Windows executable.  This follow-up executable triggered EmergingThreats alerts for Neurevt.A/Betabot when I infected a host in my lab.  The malware was made persistent through a Windows registry update.


Shown above:  Follow-up malware (Betabot) made persistent on the infected Windows host.

Network traffic

Infection traffic included HTTP requests for SOAP code injection, JavaScript, Powershell script, and a Windows executable over TCP port 8007.  Post-infection activity consisted of HTTP POST requests over TCP port 80.


Shown above:  Network traffic for this infection filtered in Wireshark.


Shown above:  Alerts from Sguil in Security Onion using Suricata with the EmergingThreats Pro ruleset.

Indicators of Compromise (IOCs)

Headers from the email:

  • Received:  from vtcc.com.ar ([186.121.171.235])
  • Envelope-sender:  <compras@afip.gov.ar> 
  • Message-ID:  <f651ef3fdcbc53e64929aca0ff1df14d@vtcc.com.ar>
  • Date:  Tuesday, 2017-09-19 at 21:48 UTC
  • From:  "Administracion Federal de Ingresos Publicos - (AFIP)" <compras@afip.gov.ar>
  • Subject:  Noticia de Actualizacion - Sistema de Compras (AFIP)

File hashes:

SHA256 hash:  7bd46284dabf1f400102aa35e123eb2ffe2838560fbc016ba4f2cd376742004c

  • File size:  52,132 bytes
  • File type:  Zip archive
  • File name:  comprasAnexoII.zip
  • File description:  Email attachment

SHA256 hash:  4a07c6f26ac9feadbd78624d4e063dfed54e972772e5ee34c481bdb86c975166

  • File size:  286,981 bytes
  • File type:  Rich Text Format (RTF) file
  • File name:  comprasAnexoII.doc
  • File description:  RTF file with CVE-2017-8759 exploit

SHA256 hash:  610e6611b3b2e3bd85173cba76bf069fb7134b86f533141f79811fcc29d62b33

  • File size:  440,832
  • File type:  PE32 executable
  • File location:  hxxp://classupdate.punkdns.top:8007/txt/words.exe
  • File location:  C:\ProgramData\SystemMicrosoftDefender2.1\[random characters].exe
  • File description:  Follow-up malware, Neurevt.A (Betabot)

Infection traffic:

  • 154.16.93.182 port 8007 - classupdate.punkdns.top:8007 - GET /txt/doc.txt
  • 154.16.93.182 port 8007 - classupdate.punkdns.top:8007 - GET /txt/accounts.hta
  • 154.16.93.182 port 8007 - classupdate.punkdns.top:8007 - GET /txt/pause.ps1
  • 154.16.93.182 port 8007 - classupdate.punkdns.top:8007 - GET /txt/words.exe

Post-infection traffic:

  • 103.200.22.206 port 80 - av.bitdefenderesupdate.ru - POST /.av/logout.php
  • 103.200.22.206 port 80 - av.bitdefenderesupdate.ru - POST /.av/logout.php?id=[various numbers]

Final words

As I write this, nine days have passed since Microsoft released its update to address CVE-2017-8759.  The associated exploit is no longer a zero-day.  If your organization follows best security practices, you should be fine.

However, many organizations are notoriously slow to apply these updates.  Be aware this exploit is active in the wild.  I'm sure it will eventually find its way to wide-scale distribution through malicious spam.

A copy of the email, taffic, and associated malware for today's diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

Keywords:
2 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Ongoing Ykcol (Locky) campaign
Sep 20th 2017
20 hours ago by Renato (0 comments)

New tool: mac-robber.py
Sep 19th 2017
1 day ago by Jim (1 comment)

Getting some intelligence from malspam
Sep 18th 2017
3 days ago by Xme (3 comments)

rockNSM as a Incident Response Package
Sep 17th 2017
4 days ago by Guy (0 comments)

Another webshell, another backdoor!
Sep 14th 2017
1 week ago by Xme (0 comments)

View All Diaries →

Latest Discussions

Placement of MSSP accessible log collector
created Sep 12th 2017
1 week ago by Anonymous (0 replies)

Placement of MSSP accessible log collector?
created Sep 12th 2017
1 week ago by Anonymous (0 replies)

Emsisoft Anti-Malware & Emsisoft Internet Security 2017.8 released
created Sep 2nd 2017
2 weeks ago by Anonymous (0 replies)

Strange validation attempts on DSHIELD project
created Aug 31st 2017
2 weeks ago by DrGreen (0 replies)

DShield Sensor
created Aug 21st 2017
1 month ago by Thomas (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
2 months ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 month ago by Johannes (12 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 month ago by Xme (2 comments)

OAUTH phishing against Google Docs ? beware!
May 3rd 2017
4 months ago by Bojan (6 comments)

Microsoft Patch Tuesday August 2017
Aug 8th 2017
1 month ago by Johannes (6 comments)