Office Exploit Generators

In this paper, we are going to examine the most prominent Office exploit kits and their impact.

Gabor Szappanos, Principal Malware Researcher, SophosLabs
Contents

Introduction  4
Comparison  4
MWI  5
    Characteristics  6
    Droppers  9
    Downloaders  9
    Distributed malware  10
    Example: HawkEye  10
AK-1  16
    Characteristics  17
    Downloaders  18
    Droppers  20
    Distributed malware  20
AK-2  21
    Characteristics  22
    Distributed malware  23
    Example - KeyBase  24
DL-1  29
    Characteristics  29
    Distributed malware  33
DL-2  33
    Characteristics  33
    Distributed malware  36
    Example - Neurevt  37
MNKit  40
    Characteristics  41
    Distributed malware  43
    Example – Travnet  43
Tran Duy Linh  47
    Characteristics  48
    Distributed malware  50
Conclusion  50
Introduction

Malware authors have been extensively using document exploits in the past couple of years. Typically, exploited documents were attached to email messages and sent out to large numbers of random recipients (in the case of cybercrime groups) or to a smaller number of selected targets (in the case of APT groups). Criminals have realized that Microsoft Office documents offer an excellent method of delivering their creations, as users wrongly consider them safe file formats and open them without precaution. As a result, document malware has experienced a resurgence, and Office exploit generators have played a crucial role: they made exploitation available to the masses. Despite their significance, most Office exploit kits have not been covered in detail. In this paper we fill this information gap and examine the most impactful Office exploit kits.

The need to develop tools always comes from two primary motivations: to extend the capability to groups who cannot accomplish the task themselves, and to automate tedious manual tasks. The former leads to the appearance of commercial tools, the latter to the development of internal tools. As we will see later in this paper, some Office exploit kits are known to be commercial, available for purchase at underground marketplaces. Others we suspect are commercial, but have not yet seen in any marketplace. Finally, there are tools that we suspect are internal, available only to a handful of groups.
Comparison

The following table summarizes the most important characteristics of the exploit kits. The meaning of the properties is explained later in the paper.

                    MWI    AK-1                    AK-2     DL-1           DL-2     MNKit    TDL Kit
Downloader          yes    yes                     no       yes            yes      no       no
Dropper             yes    yes                     yes      no             no       yes      yes
Decoy               no     yes                     yes      no             no       yes      yes
Payload execution   WMI    ShellExecuteA, WinExec  WinExec  ShellExecuteA  WinExec  WinExec  WinExec
Multiple exploits   yes    yes                     no       no             no       no       no
CVE-2010-3333       yes    no                      no       no             no       no       no
CVE-2012-0158       yes    yes                     no       yes            yes      yes      yes
CVE-2013-3906       yes    no                      no       no             no       no       no
CVE-2014-1761       yes    yes                     no       no             no       no       no
CVE-2015-1641       yes    no                      yes      no             no       no       no
CVE-2012-0158 is the most commonly supported exploit, despite the patch having been available for nearly four years. It comes as no surprise that malware authors have been on the lookout for a suitable replacement. Over the years there have been a few candidates, such as CVE-2013-3906, CVE-2014-1761 and, more recently, CVE-2015-1641, which started its life cycle in APT operations but found its way into cybercrime in August 2015. Strangely, only four of the seven kits support a decoy document, even though it is essential for covert operations. Decoys are used to hide the malicious activity by presenting document content similar to what the victim expects to see on opening; without a decoy the infection process is much more conspicuous.
MWI

Microsoft Word Intruder has already been thoroughly covered in our previous research paper. It is a well-documented exploit generator, with dozens of research reports related to its use in campaigns.

Sophos detection: Troj/DocDrop-DM, Troj/20141761-C
Characteristics

This generator first appeared in May 2013 and soon became popular among cybercriminal groups. It is a commercial product, available in underground markets. By early 2014 it dominated the charts. Due to a subsequent policy change by the author of the kit, its usage is limited to low-volume campaigns. The number of MWI generated samples peaked in the second half of 2015, when it found increasing popularity amongst criminal groups. Despite its long history, the popularity of this kit refuses to fade.

[Chart: number of MWI generated samples over time]
MWI makes use of numerous exploits within the same RTF dropper; each exploit was added to the kit gradually over the last couple of years. In December 2015 we observed the first attempt to utilize the CVE-2015-1641 vulnerability, but at the time of writing it is yet to be used aggressively.
[Timeline of exploits added to MWI: May 2013: CVE-2012-0158; June 2013: CVE-2010-3333; Feb 2014: CVE-2013-3906; May 2014: CVE-2014-1761; Dec 2015: CVE-2015-1641]

The document structure of MWI generated samples (at least of the latest ones) is illustrated in the following figure. The most common samples contain three exploits: CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761.

[Figure: layout of an MWI generated RTF: encrypted payload; CVE-2012-0158 exploit and egg-hunting shellcode; CVE-2013-3906 exploit and egg-hunting shellcode; CVE-2014-1761 exploit and egg-hunting shellcode]
The samples begin with the start marker and the payload (which is stored within the RTF structure as encrypted ASCII
    this document is a Single File Web Page,also known as Web archive file. if you see this message, your browser or editor does not support, please use Microsoft Internet Explorer¡£
    ------=_NextPart_01CD27E7.8767FC40
    Content-Location: file:///C:/2673C891/Doc1.htm
    Content-Transfer-Encoding: quoted-printable
    Content-Type: text/html; charset="us-ascii"
This header is followed by some metadata, including the document properties (author, revision, timestamps and counts). The values from one sample are:

    User123
    User123
    4
    2
    2012-05-01T14:08:00Z
    2012-05-01T14:12:00Z
    44
    17
    101
Interestingly, even though it would be trivial to modify, the Author name of the MNKit generated documents is almost always User123. A couple of recent samples use a different user name, User323.

The next component is an embedded binary block. It is a stripped-down OLE2 block that exploits the CVE-2012-0158 vulnerability. It is stored as a MIME part:

    ------=_NextPart_01CD27E7.8767FC40
    Content-Location: file:///C:/2673C891/Doc1.files/ocxstg001.mso
    Content-Transfer-Encoding: base64
    Content-Type: application/x-mso

    0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAAEAAAAgAAAAEAAAD+////AAAA
    AAAAAAD///////////////////////////////////////////////////////////////////////////
This embedded object contains only one stream, Contents, which triggers the vulnerability and invokes the shellcode.

The shellcode enumerates all open file handles and selects the one whose length matches the expected length of the carrier document. It then searches that file for the MN marker, which marks the beginning of the encrypted decoy document.
Because the two-letter combination MN is a weak pattern and the MHTML wrapper is plain text, the generator has to build the documents so that this byte pair does not occur anywhere in the content preceding the payload; otherwise the shellcode would stop at a false match.
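The locate-and-decrypt logic described above, as an added Python example that is not code from the paper or from MNKit: it pulls the application/x-mso part out of an MNKit-style MHTML carrier and checks the OLE2 signature, reads the Author from the Word HTML document properties (the standard <o:Author> element; the paper only shows the values), then scans for every MN byte pair and tests each as the marker by brute-forcing the start byte of a running-key single-byte XOR until the decrypted bytes begin with the 8-byte OLE2 signature of the decoy. The key schedule (byte i XORed with (k0 + i) mod 256), the ciphertext sitting immediately after the marker, the MIME layout and the decoy content are all assumptions made for the demo; the carrier is constructed inline, and its HTML deliberately contains an early MN (in "AUTUMN") that a real MNKit document would avoid, to show why every candidate is validated rather than trusted.

```python
import base64
import re

# 8-byte signature of an OLE2 (compound file) document; both the embedded
# exploit object and the decrypted decoy .doc are expected to start with it.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
MARKER = b"MN"


def running_key_xor(data: bytes, k0: int) -> bytes:
    """Assumed MNKit key schedule: byte i is XORed with (k0 + i) mod 256.
    XOR is an involution, so the same call encrypts and decrypts."""
    return bytes(b ^ ((k0 + i) & 0xFF) for i, b in enumerate(data))


def extract_mso_object(doc: bytes) -> bytes:
    """Return the decoded application/x-mso MIME part (the embedded OLE2 exploit object)."""
    m = re.search(rb'boundary="([^"]+)"', doc)
    if not m:
        raise ValueError("no MIME boundary in carrier")
    delimiter = b"--" + m.group(1)
    for part in doc.split(delimiter):
        head, _, body = part.replace(b"\r\n", b"\n").partition(b"\n\n")
        if b"application/x-mso" in head and b"base64" in head:
            obj = base64.b64decode(b"".join(body.split()))
            if not obj.startswith(OLE2_MAGIC):
                raise ValueError("x-mso part is not an OLE2 object")
            return obj
    raise ValueError("no application/x-mso part in carrier")


def document_author(doc: bytes):
    """Author from the Word HTML document properties; MNKit samples almost always say User123."""
    m = re.search(rb"<o:Author>(.*?)</o:Author>", doc, re.S)
    return m.group(1).decode("ascii", "replace") if m else None


def find_decoy(doc: bytes):
    """Try every 'MN' occurrence as the marker: a hit is accepted only if some start
    key turns the 8 bytes after it into the OLE2 signature. Returns
    (marker_offset, k0, decrypted_tail) or None. False hits fail the signature test."""
    pos = doc.find(MARKER)
    while pos != -1:
        tail = doc[pos + len(MARKER):]
        if len(tail) >= len(OLE2_MAGIC):
            for k0 in range(256):
                if running_key_xor(tail[:8], k0) == OLE2_MAGIC:
                    return pos, k0, running_key_xor(tail, k0)
        pos = doc.find(MARKER, pos + 1)
    return None


def build_sample(k0: int = 0x3C) -> bytes:
    """Constructed MNKit-style carrier for the demo; NOT a real sample. An MHTML
    wrapper with the Word HTML part, a base64 x-mso part holding a stand-in OLE2
    header, and the encrypted decoy appended right after the 'MN' marker."""
    boundary = b"----=_NextPart_01CD27E7.8767FC40"
    html = (b"<html><head><o:DocumentProperties><o:Author>User123</o:Author>"
            b"</o:DocumentProperties></head><body>AUTUMN plan</body></html>")
    fake_ole = OLE2_MAGIC + b"\x00" * 24          # stand-in for the stripped-down exploit object
    decoy = OLE2_MAGIC + b"\x00" * 8 + b"constructed decoy document body"
    mhtml = (
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/related; boundary="' + boundary + b'"\r\n\r\n'
        b"this document is a Single File Web Page,also known as Web archive file.\r\n"
        b"--" + boundary + b"\r\n"
        b"Content-Location: file:///C:/2673C891/Doc1.htm\r\n"
        b"Content-Transfer-Encoding: quoted-printable\r\n"
        b'Content-Type: text/html; charset="us-ascii"\r\n\r\n' + html + b"\r\n"
        b"--" + boundary + b"\r\n"
        b"Content-Location: file:///C:/2673C891/Doc1.files/ocxstg001.mso\r\n"
        b"Content-Transfer-Encoding: base64\r\n"
        b"Content-Type: application/x-mso\r\n\r\n" + base64.b64encode(fake_ole) + b"\r\n"
        b"--" + boundary + b"--\r\n"
    )
    return mhtml + MARKER + running_key_xor(decoy, k0)


if __name__ == "__main__":
    carrier = build_sample()
    print("author:", document_author(carrier))
    print("x-mso object starts with OLE2 magic:", extract_mso_object(carrier)[:8] == OLE2_MAGIC)
    hit = find_decoy(carrier)
    print("marker at %d, start key 0x%02x, decoy head %r" % (hit[0], hit[1], hit[2][:8]))
```

The first MN the scanner meets is the one inside "AUTUMN"; no start key makes the following bytes look like an OLE2 header, so it is rejected and the real marker is found. On a sample where the key schedule differs from the assumed one, the search returns None rather than a wrongly decrypted blob, which is the behaviour you want from a triage tool.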
If the marker is found, the decoy and the payload are decrypted, usually with a running-key one-byte XOR algorithm, although some Plugx droppers combine it with additional LZNT decompression.

Distributed malware

We have identified about 250 documents generated by MNKit, which were used to distribute about 40 common APT malware families. The most frequent of them, as a share of the MNKit generated documents, are:

    Plugx 8%, Smoaler 8%, Omdork 8%, Xinmic 8%, Webmonder 8%, Farfli 7%, Poison Ivy 6%, Meciv 6%, Gegnah 3%, Saker 3%, Fakem 3%, Zegost 2%, Travnet 2%, Xylow 2%, Neysd 2%, Blame 2%, Barkio 2%, Other 20%

Many of them may be familiar to readers, as we have covered Plugx, Smoaler and Blame in detail in the past.

Example – Travnet

The most recent use of the kit was distributing a Trojan related to the infamous NetTraveler APT operation. Our example is very similar to the one reported by Palo Alto researchers.

SHA1: c64ac1fed412c4abaf7b65342441db01a53d497e
Original name: ПЛАН РЕАЛИЗАЦИИ ПРОЕКТА.doc
First seen: 21/01/2016

The sample was most likely delivered in a targeted email campaign with the exploited MHTML document attached; it was reported from Russia. On opening the attachment the exploit is triggered, and a decoy document is created as %TEMP%\~$.doc and displayed. Interestingly, this decoy is a blank document.
After the decoy is set up, the shellcode proceeds to decrypt the payload executable and execute it. This process is very similar to the one we have previously seen with Plugx backdoor droppers. The shellcode drops a first-stage installer, which is removed from the system after the installation is complete. This installer is a self-extracting RAR archive containing three files:

• RasTls.exe: clean loader
• Rastls.dll: malware loader
• Sycmentec.config: payload

The archive is configured so that RasTls.exe is executed automatically when the archive is unpacked. It uses the same DLL side-loading trick as many Plugx variants: one of the dependencies of the executable (rastls.dll) is replaced by a malicious component. Thus, when RasTls.exe is executed, it automatically loads rastls.dll, and the installation of the backdoor takes place. The backdoor components are dropped to the following locations:
• %PROFILE%\Application Data\RasTls.exe (clean loader)
• %PROFILE%\Application Data\RasTls.dll (loader)
• %PROFILE%\Application Data\Sycmentec.config (payload)

A startup link is created in %STARTMENU%\Programs\Startup\RasTls.lnk, which makes sure that the backdoor is loaded during every system startup. An additional copy of the malicious loader is created as %SYSTEM%\Ipripve.dll and registered as a service DLL in the registry under HKLM\SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDll. RasTls.exe is an innocent application by Symantec:
When this executable loads rastls.dll, the DLL searches for the payload file (Sycmentec.config) in the current directory, loads its content, decrypts it (the algorithm is a one-byte XOR with the key 0x6b), and then executes it.
The decrypted configuration file starts with a simple loader code, followed by the final backdoor code:

The loader code does nothing more than allocate a memory region, copy the backdoor there, replicate the actions of the Windows loader and execute it. This way the final backdoor component never hits the disk; it only ever exists in memory.
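The analyst-side counterpart of the two steps just described, as an added Python example (not code from the paper or from the malware): decrypt a Sycmentec.config blob with the single-byte XOR key 0x6b the page reports, then carve the backdoor image that follows the loader stub so that a component which otherwise only exists in memory can be examined statically. Because the stub is arbitrary code, a bare MZ is not trusted: each candidate is validated by following e_lfanew to the PE signature. The loader stub bytes, the minimal PE layout and the on-disk config are constructed for the demo, and the stub deliberately contains a stray MZ to exercise that check.

```python
import struct

XOR_KEY = 0x6B            # single-byte key reported for Sycmentec.config
PE_SIGNATURE = b"PE\0\0"


def xor_fixed(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; symmetric, so it both encrypts and decrypts the config file."""
    return bytes(b ^ key for b in data)


def carve_pe(blob: bytes):
    """Return (offset, image) for the first validated PE image in blob, or None.
    e_lfanew (DWORD at MZ+0x3C) must be at least the size of the DOS header and
    must point inside the blob at the 'PE\\0\\0' signature; a stray 'MZ' fails this."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig_at = pos + e_lfanew
            if e_lfanew >= 0x40 and blob[sig_at:sig_at + 4] == PE_SIGNATURE:
                return pos, blob[pos:]
        pos = blob.find(b"MZ", pos + 1)
    return None


def recover_backdoor(encrypted_config: bytes):
    """Decrypt Sycmentec.config and split it into the loader stub and the PE image
    that the stub would otherwise map and run in memory. Returns None if no image."""
    plain = xor_fixed(encrypted_config)
    hit = carve_pe(plain)
    if hit is None:
        return None
    offset, image = hit
    return {"loader_stub": plain[:offset], "pe_offset": offset, "image": image}


# --- constructed sample (NOT a real Sycmentec.config) ---
# Stand-in loader stub: push ebp / mov ebp,esp, a stray 'MZ' that is not a PE
# header (its e_lfanew lands on NOPs), and NOP padding.
FAKE_STUB = b"\x55\x8b\xec" + b"MZ" + b"\x90" * 0x40


def minimal_pe(body: bytes = b"constructed backdoor body") -> bytes:
    """Smallest layout the carver needs: DOS header with e_lfanew = 0x80, the PE
    signature, a zeroed 20-byte COFF header, then the body."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + PE_SIGNATURE + b"\x00" * 20 + body


def build_sample_config() -> bytes:
    """Sycmentec.config as it would sit on disk: stub followed by the PE, XORed with 0x6b."""
    return xor_fixed(FAKE_STUB + minimal_pe())


if __name__ == "__main__":
    result = recover_backdoor(build_sample_config())
    print("stub length: %d, PE at offset 0x%x, image head %r"
          % (len(result["loader_stub"]), result["pe_offset"], result["image"][:2]))
```

The image returned runs to the end of the blob because the stub carries no length field the page describes; trimming it to SizeOfImage or the last section is a job for a PE parser once the header has been validated.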
When the backdoor is loaded, it reads the content of the file Cert2015.dat, which contains the encrypted configuration data, including the C&C server name, which in the case of this sample is www.info-spb[.]com. When connecting to the C&C server, it uploads the collected system information:
After the connection is established, the backdoor waits for remote commands. However, it supports only a minimal set of commands:

Command        Action
:RUN_STARTUP   Downloads URL to %TEMP%\temp.bmp and copies it to the startup directory
:UNINSTALL     Attempts to uninstall the Trojan (but the filenames are not synced with this version)
:RUN_REBOOT    Downloads URL to %TEMP%\temp.bmp, executes it, then reboots the computer
:RUN_DIRECT    Downloads URL to %TEMP%\temp.bmp and executes it
Tran Duy Linh

Sophos detection: Troj/DocDrop-BE, Troj/20120158-S

The Tran Duy Linh (TDL) kit is a generator extensively used by several APT groups since 2013, although we have seen only a handful of new samples recently. The huge peak in June 2013 is the effect of the Tomato Garden campaign.
[Chart: number of TDL kit generated samples over time, peaking in June 2013]
This kit is frequently reported by security researchers, and was used by high-profile APT groups and operations such as APT 12, Icefog, Spring Dragon, Hacking Team or CMStar, to name a few.

Characteristics

The TDL kit relies almost exclusively on the CVE-2012-0158 exploit. It generates documents in the OLE2 document format, the traditional proprietary Microsoft Office format. The generated documents are all droppers that exploit only one vulnerability, usually CVE-2012-0158. In 2013 another closely related exploit was used in the Tomato Garden campaign, but that exploit has no CVE number of its own. The generated documents are Word documents; however, they have no traditional document content, no text or picture, only an embedded Toolbar object. This embedded object exploits the CVE-2012-0158 vulnerability and activates the embedded shellcode.

Even though the documents contain no text, other metadata is stored in the document properties. A common characteristic of the TDL kit generated documents is that the Author is "Tran Duy Linh", or in some documents "Tran Duy Lin".
After the exploit triggers, the shellcode executes. To find the carrier document (and the payload) it uses the same handle enumeration technique as MNKit, with two 4-byte markers. In the older samples the first marker was the string 'poiu'; later it changed.

Once the markers are found, the payload and the decoy document are decrypted; the payload is executed while the decoy is displayed to cover the activity. The encryption algorithm varies widely, likely based on the preferences of the group using the kit. The most common algorithm is a one-byte XOR with an incremented key and a partial swap of bytes in the first few hundred bytes. The Plugx distributing groups used their usual one-byte running XOR algorithm combined with LZNT compression, while other groups used the same one-byte running-key XOR with the zero bytes left intact, as we saw with MWI.

Distributed malware

We have identified about 330 documents generated by the TDL kit, which were used to distribute about 40 common APT malware families. The most frequent of them are illustrated in this chart:
    Darkmoon 10%, Meciv 9%, Esile 9%, Rarstone 6%, Sacto, Insup and Tavex (6%, 4% and 4% between them), Pbger 4%, Simbot 4%, Netero 3%, Thetabc 3%, Plugx 3%, Rerol 2%, Poison 2%, Mirsonk 2%, Blame 2%, Other 26%
There is a significant difference in the malware families distributed by the Tran Duy Linh kit and MNKit, which indicates that these two kits are mostly used by separate APT groups.
Conclusion

Cybercrime groups find Office documents a convenient way to deliver malicious programs to their targets. They have been using this method steadily over the past two years, and there is no sign that they intend to give it up. But their approach is evolving over time: they use several black market or internal tools to generate the exploited documents, and thanks to the development of these tools they get to use newer Office exploits. However, they do not get to use zero-days: even the freshest exploit in their arsenal was fixed six months ago. It should not be difficult to protect against this kind of activity: simply applying the patches for Microsoft Office would disarm the attack.