Analysis of the Exploit Targeting CVE-2017-0262

EPS Processing Zero-Days Exploited

File Details

Filename 6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490.bin
Size 251,036 Bytes
MD5 2ABE3CC4BFF46455A945D56C27E9FB45
SHA1 0BD354D1EEA9E4864F4C17E6C22BFDB81D88DDEE
SHA256 6785E29698444243677300DB6A0C519909AE9E620D575E76D9BE4862B33ED490

Technologies Affected

  • Microsoft Office 2010 Service Pack 2 (32-bit editions)
  • Microsoft Office 2010 Service Pack 2 (64-bit editions)
  • Microsoft Office 2013 RT Service Pack 1
  • Microsoft Office 2013 Service Pack 1 (32-bit editions)
  • Microsoft Office 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)

Static Analysis

Once opened, the malicious document triggers CVE-2017-0262, a vulnerability in the EPS filter in Microsoft Office. In this case the malicious EPS file is called “image1.eps” and is embedded in the .docx package, as shown in Figure 1.

Figure 1

The EPS file is a PostScript program that leverages a use-after-free vulnerability involving the “restore” operator.
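As an added example (not code from the original analysis), the following Python script does the first triage step described above: it opens a .docx as the zip package it is, lists every EPS member under word/media/, and reports crude static indicators: the DSC header, use of the restore operator, and the size of the longest PostScript hex-string literal, since shellcode and payloads are typically carried that way (compare Figures 2 and 4). The sample .docx is constructed in memory so it runs offline; the indicator names and the 64-digit threshold are my choices, and restore on its own is legitimate PostScript, so treat the output as a prompt for manual review, not a verdict.

```python
"""
Triage helper for EPS images inside a .docx (added example, not code from the
original analysis). Lists EPS-looking members under word/media/ and reports
crude static indicators. The sample package below is constructed, not the
real exploit document.
"""
import io
import re
import zipfile

MEDIA_PREFIX = "word/media/"              # where Office Open XML packages keep embedded images
EPS_MAGIC = b"%!PS-Adobe"                 # DSC header that starts a plain EPS file
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"       # header of the DOS EPS binary wrapper
# PostScript hex string literal <...>; 64+ hex digits skips small constants (threshold is a choice)
HEX_STRING = re.compile(rb"<([0-9A-Fa-f\s]{64,})>")


def find_eps_members(docx_bytes):
    """Return {member_name: raw_bytes} for EPS content under word/media/.

    Checked by content as well as by extension so a renamed file is not missed.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith(MEDIA_PREFIX):
                continue
            data = zf.read(name)
            body = data.lstrip()
            if (name.lower().endswith(".eps")
                    or body.startswith(EPS_MAGIC)
                    or data.startswith(DOS_EPS_MAGIC)):
                found[name] = data
    return found


def eps_indicators(data):
    """Crude static indicators for one EPS body (report only; 'restore' is
    ordinary PostScript and proves nothing on its own)."""
    hex_lengths = [len(re.sub(rb"\s", b"", m.group(1))) // 2
                   for m in HEX_STRING.finditer(data)]
    return {
        "dsc_header": data.lstrip().startswith(EPS_MAGIC),
        "uses_restore": re.search(rb"\brestore\b", data) is not None,
        "hex_strings": len(hex_lengths),
        "longest_hex_string_bytes": max(hex_lengths, default=0),
    }


def triage_docx(docx_bytes):
    """Map each EPS member of the package to its indicators."""
    return {name: eps_indicators(data)
            for name, data in find_eps_members(docx_bytes).items()}


# --- constructed sample (not the real exploit): a skeletal .docx with one EPS ---
SAMPLE_EPS = (b"%!PS-Adobe-3.0 EPSF-3.0\n"
              b"%%BoundingBox: 0 0 100 100\n"
              b"/blob <" + b"90" * 200 + b"> def\n"   # 200-byte hex string standing in for a payload
              b"save /x 1 def restore\n"
              b"showpage\n")


def build_sample_docx():
    """Minimal package skeleton: enough structure for a zip walker, not a valid Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.eps", SAMPLE_EPS)
        zf.writestr("word/media/image2.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for member, info in triage_docx(build_sample_docx()).items():
        print(member, info)
```

Run it on a real sample by replacing build_sample_docx() with the bytes of the suspect file; any hit with a large hex string is worth pulling out and disassembling as shellcode.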

Upon code execution, a shellcode is loaded that resolves a few Windows APIs, including:-

  • NtAllocateVirtualMemory
  • NtFreeVirtualMemory
  • ZwProtectVirtualMemory

Image1.eps carries both the shellcode and the payload, as shown in Figures 2, 3 and 4:

Figure 2 (Shellcode as hex bytes)

Figure 3 (PostScript used to run the shellcode in memory)

Figure 4 (Payload in PostScript)

Dynamic Analysis

The exploit arrives as a malicious MS Word document. On opening the document the exploit is executed and the decoy document is opened, as shown in Figure 5.

In addition, a number of background activities take place on the victim’s system. A file named “b12c.exe” is dropped in the TEMP location, as shown in Figure 6.

Note that all of this happens under the WINWORD.EXE process tree (the EPS filter itself is loaded by FLTLDR.EXE, a child of WINWORD.EXE, as the hook list below shows) and with the current user’s privileges.

Figure 6

The other activities on the victim’s system include the following:-
Installs hooks/patches the running process

“WINWORD.EXE” wrote bytes “7e50f8d2” to virtual address “0x690B78E4” (part of module “OART.DLL”)
“WINWORD.EXE” wrote bytes “5fcbfad2” to virtual address “0x6A3FCA70” (part of module “GFX.DLL”)
“WINWORD.EXE” wrote bytes “3212d5d2” to virtual address “0x687D10AC” (part of module “MSPTLS.DLL”)
“WINWORD.EXE” wrote bytes “9a210dd2” to virtual address “0x67570BA8” (part of module “MSO.DLL”)
“WINWORD.EXE” wrote bytes “e99e4837f0” to virtual address “0x76FA3D01” (“SetUnhandledExceptionFilter@KERNEL32.DLL”)
“WINWORD.EXE” wrote bytes “f348a9d2” to virtual address “0x686C9904” (part of module “RICHED20.DLL”)
“WINWORD.EXE” wrote bytes “0795feab” to virtual address “0x2F1D1B94” (part of module “WINWORD.EXE”)
“WINWORD.EXE” wrote bytes “4162f8d2” to virtual address “0x6A77F530” (part of module “WWLIB.DLL”)
“WINWORD.EXE” wrote bytes “c4caf97680bbf97652baf9769fbbf97608bbf97646cef9766138fa76de2ffa76d0d9f97600000000177927774f9127777f6f2777f4f7277711f72777f2832777857e277700000000” to virtual address “0x6A3D1000” (part of module “MSIMG32.DLL”)
“FLTLDR.EXE” wrote bytes “640ff859” to virtual address “0x2D6B1520” (part of module “FLTLDR.EXE”)
“FLTLDR.EXE” wrote bytes “ec0be459” to virtual address “0x62D3A280” (part of module “EPSIMP32.FLT”)
“FLTLDR.EXE” wrote bytes “cbec22d1” to virtual address “0x6F16A280” (part of module “EPSIMP32.FLT”)

Most of these entries are 4-byte writes by WINWORD.EXE into its own loaded modules, which a sandbox flags generically; the FLTLDR.EXE entries are the ones on the exploit path, since FLTLDR.EXE is the Office graphics-filter host process and EPSIMP32.FLT is the EPS import filter that parses image1.eps.

Reads the active computer name

“WINWORD.EXE” (Path: “HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME”; Key: “COMPUTERNAME”)

Queries IE security settings

“WINWORD.EXE” (Path: “HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY”; Key: “DISABLESECURITYSETTINGSCHECK”)

Contains ability to query machine time

GetSystemTimeAsFileTime@KERNEL32.DLL at PID 00002612
GetSystemTimeAsFileTime@KERNEL32.DLL at PID 00003708
GetSystemTimeAsFileTime@KERNEL32.DLL at PID 00003968

Dropped files

“index.dat” has type “data”
“~$nfirmation_letter.docx” has type “data”
“5CE7CCB4.eps” has type “PostScript document text conforming DSC level 3.0 type EPS”
“1E0D8DC3.eps” has type “PostScript document text conforming DSC level 3.0 type EPS”
“3DA60FC9.eps” has type “PostScript document text conforming DSC level 3.0 type EPS”
“Confirmation_letter.LNK” has type “MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Tue Jan 31 13:10:04 2017 mtime=Tue Jan 31 13:10:04 2017 atime=Tue Jan 31 13:12:00 2017 length=251036 window=hide”
“C536E4E8.eps” has type “PostScript document text conforming DSC level 3.0 type EPS”
“10E91D25.eps” has type “PostScript document text conforming DSC level 3.0 type EPS”
“D659E336.eps” has type “PostScript document text conforming DSC level 3.0 type EPS”
“E35E0DBF.eps” has type “PostScript document text conforming DSC level 3.0 type EPS”
“~WRS{647BA203-D4FC-4B3B-B509-FB569D30FB60}.tmp” has type “FoxPro FPT blocks size 0 next free block index 218103808 1st used item \375"”
“197227DC.eps” has type “PostScript document text conforming DSC level 3.0 type EPS”
“~WRS{4404971E-7070-402E-93A9-B1D9054058E8}.tmp” has type “data”
“4EE8C64A.eps” has type “PostScript document text conforming DSC level 3.0 type EPS”
“AB29AE2D.eps” has type “PostScript document text conforming DSC level 3.0 type EPS”
“~$Normal.dotm” has type “data”

Payload Activity

The dropped file b12c.exe also starts a child process named “OGLCache.exe”, as shown in

b12c.exe copies itself to “%APPDATA%\AMD\OGLCache.exe”, where “AMD” is a new directory created by b12c.exe.

The command executed to create the folder and copy itself inside it is shown in Figure 7:

/c copy “%APPDATA%\AMD\OGLCache.exe+” “%APPDATA%\AMD\OGLCache.exe”

Once copied, “b12c.exe” terminates itself and the child process “OGLCache.exe” carries on as the parent process, as shown in Figure 8.

OGLCache.exe is then used to change the system’s personalised settings. Once the user restarts or powers on the system, OGLCache.exe starts to reconfigure the system, as shown in Figure 9.

This reconfiguration runs as an infinite loop and the user is unable to get past it to the desktop. The malware also adds Registry entries so that it remains persistent across reboots, which is why the Personalized Settings stage appears on every restart.

The malware also reads the CPU name from the Registry, possibly as an anti-virtualization check, as shown in Figure 10.

Indicators of Compromise (IoC)

Filename 6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490.bin
Size 251,036 Bytes
MD5 2ABE3CC4BFF46455A945D56C27E9FB45
SHA1 0BD354D1EEA9E4864F4C17E6C22BFDB81D88DDEE
SHA256 6785E29698444243677300DB6A0C519909AE9E620D575E76D9BE4862B33ED490

Filename b12c.exe (Trojan.Generic)
Size 308,740 Bytes
MD5 fcb719e28da41dd7443017eb1f456ff3
SHA1 cc1e37fc84fe746523a1413989fb29a9e72d12c9
SHA256 2b2668fa5331ffa99fc11d881fbce91927bfac1a8ec5705b6412c7903543116a

Precautions

At the time of restart or power-on, if the user is presented with the pop-up shown in Figure 9, carry out the following:-

  • Do a hard power-off (pull the power cord or long-press the power button).
  • Boot the system into Safe Mode.
  • Delete the malicious files: %APPDATA%\AMD\OGLCache.exe and %APPDATA%\AMD\conf.
  • Delete the Registry entries shown in Figure 10.
  • After following the above process, restart the system.

Keep Office patched: Microsoft fixed CVE-2017-0262 in the May 2017 Office security updates, and the April 2017 Office updates had already turned the EPS filter off by default, so an up-to-date installation does not parse the embedded EPS at all.
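A host check to run before the cleanup above, as an added example that is not part of the original post: it hashes the files the analysis names (%TEMP%\b12c.exe, %APPDATA%\AMD\OGLCache.exe and %APPDATA%\AMD\conf) against the SHA-256 values in the IoC section and, on Windows, looks for any Run/RunOnce value that references OGLCache.exe. The Run/RunOnce location is an assumption: the post shows the persistence entries only in Figure 10 and does not name the key, so adjust the list to whatever Figure 10 shows. The script reports and never deletes; the demo() function exercises the matching logic on a constructed file.

```python
r"""
Host check for the indicators in this analysis (added example, not code from
the original post). Hashes the files the post names against the IoC SHA-256
values and, on Windows, scans Run/RunOnce for a reference to OGLCache.exe.
The registry key list is an assumption; the post does not name the key.
"""
import hashlib
import os
import sys
import tempfile

# SHA-256 values from the IoC section of this analysis
KNOWN_HASHES = {
    "2b2668fa5331ffa99fc11d881fbce91927bfac1a8ec5705b6412c7903543116a": "b12c.exe payload (Trojan.Generic)",
    "6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490": "exploit document",
}


def candidate_paths():
    """File locations named in the analysis, resolved from the current environment."""
    appdata = os.environ.get("APPDATA", "")
    temp = os.environ.get("TEMP", tempfile.gettempdir())
    return [
        os.path.join(appdata, "AMD", "OGLCache.exe"),
        os.path.join(appdata, "AMD", "conf"),
        os.path.join(temp, "b12c.exe"),
    ]


def sha256_of(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_paths(paths, known_hashes=KNOWN_HASHES):
    """Return (path, sha256, label) for each file that exists. label is None when
    the file is present but its hash is not in the IoC list; that is still worth
    a look, since a repacked copy at the known persistence path is suspicious."""
    hits = []
    for path in paths:
        if not os.path.isfile(path):
            continue
        digest = sha256_of(path)
        hits.append((path, digest, known_hashes.get(digest)))
    return hits


def scan_run_keys(needle="oglcache.exe"):
    """Windows only: return (key, value_name, data) for Run/RunOnce values that
    mention the needle. The key list is an assumption, not from the post."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    run_keys = [
        (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run"),
        (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
        (winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Run"),
        (winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ]
    findings = []
    for hive, subkey in run_keys:
        try:
            with winreg.OpenKey(hive, subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:       # no more values under this key
                        break
                    if needle in str(data).lower():
                        findings.append((subkey, name, data))
                    index += 1
        except OSError:                   # key absent or access denied
            continue
    return findings


def demo():
    """Offline demonstration on a constructed file (contents b'abc'); the real
    payload is not needed to exercise the matching logic."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "b12c.exe")
        with open(fake, "wb") as f:
            f.write(b"abc")   # constructed sample, not the malware
        iocs = dict(KNOWN_HASHES)
        iocs["ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"] = "constructed sample"
        return scan_paths([fake, os.path.join(tmp, "missing.exe")], iocs)


if __name__ == "__main__":
    for hit in scan_paths(candidate_paths()):
        print("file:", hit)
    for finding in scan_run_keys():
        print("registry:", finding)
```

Run it from the affected user’s session (the paths expand from that user’s %APPDATA% and %TEMP%) and from an elevated prompt if the HKLM keys are to be read; a hit with label None at the OGLCache.exe path should be hashed and submitted rather than dismissed.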