Backdoor Links to Office Vulnerabilities

Monday, July 30, 2018 @ 03:07 PM gHale

Attack overview
Source: FireEye

A two-level type of attack is on a mission to distribute the Felixroot backdoor, researchers said.

The attack starts with a RTF document that says it has seminar information on environmental protection. When opened, it leverages the CVE-2017-0199 vulnerability in an effort to download a second level of attack, said researchers at FireEye. That level is a file with CVE-2017-11882, which is the Equation Editor vulnerability.

Ransomware Shuts U.S. Systems of Chinese Shipping Firm
MacOS Backdoor Found after 2 Years
Open Android Port Target of Attack
Air Gap Alert: Attackers on Prowl

Upon successful infection, the Felixroot loader ends up installed in the victim’s computer, along with an additional LNK file that points to %system32%\rundll32.exe.

The LNK file has the command to execute the loader component of Felixroot.

The embedded backdoor component, which has a custom encryption component, ends up decrypted and loaded directly in memory. The malware has a single exported function.

Upon execution, the backdoor sleeps for 10 minutes, then it checks to see if it was launched by RUNDLL32.exe along with parameter #1. If so, it performs an initial system triage before launching command and control (C&C) network communications, FireEye researchers said in a post.

“Initial triage begins with connecting to Windows Management Instrumentation (WMI) via the ‘ROOT\CIMV2’ namespace,” the researchers said.

In addition to gathering a variety of system information, the malware also reads registry entries for potential administration escalation and proxy information.

Based on received commands, the backdoor can fingerprint the infected machine, drop a file and execute it, launch remote shell, terminate connection to the C&C, download and run batch script, download file, and upload file.

Communication with the C&C server is performed over HTTP and HTTPS. Sent data is encrypted using AES encryption and arranged in a custom structure.

The malware contains several commands for specific tasks. Once it has executed all tasks, it clears all the footprints from the targeted machine, by deleting the LNK file, created registry keys, and the dropper components.

“CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing. Threat actors will increasingly leverage these vulnerabilities in their attacks until they are no longer finding success, so organizations must ensure they are protected,” FireEye researchers said. “We also advise that all industries remain on alert, as the threat actors involved in this campaign may eventually broaden the scope of their current targeting.”

Leave a Reply

You must be logged in to post a comment.