Hackers use 17-year-old Office vulnerability to attack Russian service centers

FortiGuard, a security threat research team under Fortinet, a provider of network security solutions, recently discovered a series of cyber attacks targeting several service centres in Russia that provide maintenance and technical support for a variety of electronic products.

The FortiGuard team pointed out that these attacks have a significant common feature – that is, their sponsors implemented “multi-stage” attack but ruled out the possibility of national hacking organizations.

The attacker uses phishing e-mail to spread malicious Office documents, and the document uses a previously-covered 17-year-old Office Remote Code Execution Vulnerability (CVE-2017-11882) to download a commercial remote-access Trojan.

The first attack took place at the end of March. A Russian service company responsible for the repair of Samsung Electronics received several e-mails and claimed to be a representative from Samsung. The content of the e-mail is written in Russian and contains a file named ” Symptom_and_repair_code_list.xlsx”.

“FortiGuard Labs discovered a series of attacks targeted at service centers in Russia. These service centers provide maintenance and support for a variety of electronic goods.

A distinctive feature of these attacks is their multi-staging. These attacks use forged emails, malicious Office documents with exploits for a vulnerability that is 17 years old, and a commercial version of a RAT that is tucked into five different layers of protective packers.”

After sifting through this email, the FortiGuard team concluded that it was not written by a native speaker. Instead, it is more like a product of translation tools. Therefore, the FortiGuard team believes that the attacker is most likely not Russian. In addition, the sender’s IP address is also not associated with the domain in the From field.

“The two most important functions “imported” by the shellcode are: URLDownloadToFileW and ExpandEnvironmentStringsW. The purpose of the first one is obvious. The last function is used to determine the exact location where the shellcode should store downloaded payload, since this location will be different under different platforms. Finally, Shellcode downloads a file from the URL: hxxp://brrange.com/imm.exe, stores it in %APPDATA%server.exe, and then tries to execute it.”

The payload uses multiple layers of protection to bypass the security check. The first phase achieved the first level of protection, using well-known ConfuserEx shelling tools to confuse object names, and the names of methods and resources, making it difficult to read and understand. These resources are used to determine the next stage payload encrypted with DES and to execute a decrypted file named Bootstrap CS, which represents the second stage of multi-layer protection.

An analysis of the C&C server revealed that the attackers registered 50 domain names on the same day, some of which have been used for malware distribution, while others involved phishing attacks.

“We also noticed that the pattern of these attacks has become quite popular today. The use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years. It is simply not that easy to trick a user to opening executable file as it was before. Exploits are a different case.”

Source, Image: Fortinet