Seqrite Blog | Cybersecurity

Malspam Campaign using CVE-2017-0199 Targets Manufacturing, Pharmaceutical and other important Industries

30 August 2017

Written by Pavankumar Chaudhari

Quick Heal Security Labs has come across several email campaigns that are actively exploiting the widely abused vulnerability CVE-2017-0199 to target prominent private-sector companies in India. CVE-2017-0199 was a zero-day vulnerability in the way Microsoft Office handles OLE2Link objects; it was reported independently by two security firms in April 2017, and almost every supported version of MS Office was affected. Microsoft issued a patch for it on 11 April 2017. As usual, many attackers quickly started exploiting the vulnerability in their spam campaigns. The following is Quick Heal Security Labs' analysis of one such campaign.

Attack chain

Fig 1. Attack Chain

Technical details

CVE-2017-0199 is a logic flaw rather than a memory-corruption bug: when Office processes a crafted RTF file containing an embedded OLE2Link object, it follows the object's URL moniker to fetch the linked resource, and if the server returns an HTA file (served with the content type application/hta) Office hands it to mshta.exe for execution. No macro and no user interaction beyond opening the document is required. Attackers distribute these crafted RTF files with a .doc extension, since Word identifies the format from the file content rather than the extension. The RTF file contains an embedded OLE2Link object as shown in fig 2.

Fig 2. Embedded OLE2link object

This embedded OLE2Link object carries a URL moniker that points to a remotely hosted HTA file, as shown in fig 3.

Fig 3. Link to Remote HTA file

RTF exploit analysis

The attack in this campaign starts with a spam email carrying the exploit RTF (named with a .doc extension) as an attachment. This RTF file has contents similar to those shown in fig 2 and fig 3. Fig 4 shows a snapshot of the spam email.

Fig 4. Spam email

When MS Word opens the RTF attachment and processes the linked object, the exploit causes it to request the remotely hosted HTA file. Fig 5 shows the file that is downloaded once that request reaches the remote server.

Fig 5. Malicious, fake RTF file

The initial bytes of the downloaded file make it look like an RTF document, but Word does not treat it as one: the file is handed to mshta.exe, which ignores the decoy RTF text and executes the script embedded below it. That script then downloads the malware via PowerShell.

Payload analysis

After successful exploitation, PowerShell downloads the malware payload, copies it to %APPDATA%\jacob.exe and executes it. For persistence it also drops a 'jacob.vbe' file into the user's Startup folder, so the malware is relaunched at every logon. jacob.exe performs keylogging, monitors process activity and writes the captured data to a file called logs.dat in the remcos folder under %AppData% (that is, AppData\Roaming\remcos). All recorded logs are sent to a remote CnC server (212.7.208.88). According to our analysis, this malware shares many similarities with the Remcos RAT family.

Fig 6 shows the malware’s keylogging activity.

Fig 6. Keylogging activity
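The behaviour described in the payload analysis (Word handing the fetched HTA to mshta.exe, mshta.exe launching PowerShell, an executable dropped into %APPDATA%, a script written to the Startup folder and a connection to the CnC address) can be turned into a small host-based rule set. The following Python is an added example, not code from the post or from Quick Heal Security Labs: the log format, host names, user name and process ids are invented for the example, while the file names and IP addresses are the indicators the post itself lists.

```python
import re
from typing import Iterable, List, Tuple

# Network indicators listed at the end of the post.
IOC_IPS = {"95.211.209.223", "212.7.208.88"}

# Parent -> child pairs from the attack chain that have no business on a normal
# workstation: Word handing the fetched HTA to mshta.exe, and mshta.exe starting
# PowerShell to retrieve the payload.
SUSPICIOUS_SPAWNS = {
    ("winword.exe", "mshta.exe"): "office_spawns_mshta",
    ("mshta.exe", "powershell.exe"): "mshta_spawns_powershell",
}

STARTUP_DIR = "\\start menu\\programs\\startup\\"
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".hta", ".exe", ".lnk")


def parse_line(line: str) -> Tuple[str, dict]:
    """Split one log line of the form '<kind> key="value" ...' (a format made up
    for this example) into its kind and a field dictionary."""
    kind, _, rest = line.strip().partition(" ")
    return kind, dict(re.findall(r'(\w+)="([^"]*)"', rest))


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def evaluate(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every log line that matches a rule."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        kind, f = parse_line(line)
        if kind == "process":
            pair = (basename(f.get("parent", "")), basename(f.get("image", "")))
            rule = SUSPICIOUS_SPAWNS.get(pair)
            if rule:
                alerts.append((rule, f"{pair[0]} -> {pair[1]} pid={f.get('pid')}"))
        elif kind == "file":
            path = f.get("path", "").lower()
            if STARTUP_DIR in path and path.endswith(SCRIPT_EXTS):
                alerts.append(("startup_folder_write", f"{f.get('image')} wrote {f.get('path')}"))
            # An executable dropped directly into the Roaming profile root, i.e. %APPDATA%\<name>.exe
            elif re.search(r"\\appdata\\roaming\\[^\\]+\.exe$", path):
                alerts.append(("appdata_exe_drop", f"{f.get('image')} wrote {f.get('path')}"))
        elif kind == "network":
            if f.get("dst") in IOC_IPS:
                alerts.append(("known_c2_ip", f"{f.get('image')} -> {f.get('dst')}"))
    return alerts


# Constructed sample telemetry mirroring the chain in the post. Paths, pids and
# the user name are invented; jacob.exe, jacob.vbe and the IP are the post's IOCs.
MALICIOUS_SAMPLE = r'''
process image="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" parent="C:\Windows\explorer.exe" pid="1204"
process image="C:\Windows\System32\mshta.exe" parent="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" pid="1316"
process image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\System32\mshta.exe" pid="1352"
file image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" path="C:\Users\alice\AppData\Roaming\jacob.exe"
file image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" path="C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jacob.vbe"
network image="C:\Users\alice\AppData\Roaming\jacob.exe" dst="212.7.208.88"
'''

# Constructed benign activity that should not fire any rule.
BENIGN_SAMPLE = r'''
process image="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" parent="C:\Windows\explorer.exe" pid="2210"
file image="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" path="C:\Users\alice\Documents\report.docx"
network image="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" dst="10.0.0.5"
'''


def run_samples():
    """Evaluate both constructed samples; returns (malicious_alerts, benign_alerts)."""
    return evaluate(MALICIOUS_SAMPLE.splitlines()), evaluate(BENIGN_SAMPLE.splitlines())


if __name__ == "__main__":
    for rule, detail in run_samples()[0]:
        print(f"{rule}: {detail}")
```

The parent-child rules are the most durable of the five: the file names and the CnC address change from campaign to campaign, but Word spawning mshta.exe is inherent to how this exploit is triggered and is worth alerting on regardless of the payload.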

Evading signature-based detections

In order to evade signature-based detection, attackers keep varying how the exploit is encoded inside the RTF file (RTF obfuscation). The RTF format helps them here: a conforming parser ignores unknown control words and ignorable destinations (groups introduced by \*), so junk can be interleaved with the hex-encoded object data without changing what Word decodes, while a signature written against the plain hex string no longer matches. A few of the techniques we observed are shown below.

Obfuscation technique 1

The URL moniker CLSID is obfuscated using the \* control symbol, which marks an ignorable destination.

Fig 7.

Obfuscation technique 2

Dummy control words (tags) are inserted into the hex stream to break up the URL moniker CLSID.

Fig 8.

Obfuscation technique 3

The \tab control word is inserted into the hex-encoded URL string.

Fig 9.
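A scanner that wants to find the OLE2Link described under Technical details has to decode \objdata the way Word does, otherwise each of the three obfuscations above hides the URL moniker CLSID from it. The following Python is an added example, not code from the post or from Quick Heal Security Labs. It decodes every \objdata destination after discarding ignorable {\*...} groups, control words and control symbols, then searches the decoded bytes for the URL moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} and reports the link that follows it. Two simplifications are assumptions of this example: the link is taken as the first printable UTF-16LE run after the CLSID rather than by parsing the moniker's length field, and the constructed sample wraps the moniker in a bare OLE1 object header without the compound-file container real samples carry (the CLSID search works the same way on both).

```python
import re
import struct

# Serialized form of the URL moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}
# (GUID fields are stored little-endian). An embedded object whose data carries
# this CLSID links to a remote resource, which is what the OLE2Link trick relies on.
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")

# RTF syntax to strip from the hex stream before decoding: \'hh escapes, control
# words (\tab, \bin0, \dummy ...) with their optional numeric argument and
# delimiting space, and control symbols (\*, \{, \} ...).
_RTF_CONTROL = re.compile(rb"\\'[0-9A-Fa-f]{2}|\\[A-Za-z]+-?[0-9]* ?|\\[^A-Za-z]")
# Ignorable destinations such as {\*\dummy ...}, removed innermost-first until stable.
_IGNORABLE_GROUP = re.compile(rb"\{\\\*[^{}]*\}")
# At least four printable ASCII characters encoded as UTF-16LE (the moniker stores the URL this way).
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def _group_body(rtf: bytes, open_brace: int) -> bytes:
    """Return the text between the '{' at `open_brace` and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(rtf)):
        if rtf[i] == 0x7B:        # '{'
            depth += 1
        elif rtf[i] == 0x7D:      # '}'
            depth -= 1
            if depth == 0:
                return rtf[open_brace + 1:i]
    return rtf[open_brace + 1:]   # unterminated group: take the rest


def objdata_blobs(rtf: bytes) -> list:
    """Decode every \\objdata destination in `rtf` into raw object bytes, ignoring
    the same syntax a real RTF parser ignores so interleaved junk cannot survive."""
    blobs = []
    for m in re.finditer(rb"\\objdata(?![A-Za-z])", rtf):
        start = rtf.rfind(b"{", 0, m.start())
        if start == -1:
            continue
        body = _group_body(rtf, start)
        hexpart = body[body.find(b"\\objdata") + len(b"\\objdata"):]
        while True:                                   # nested {\*...} groups
            stripped = _IGNORABLE_GROUP.sub(b"", hexpart)
            if stripped == hexpart:
                break
            hexpart = stripped
        hexpart = _RTF_CONTROL.sub(b"", hexpart)      # \tab, dummy words, \* ...
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", hexpart)
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]
        blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
    return blobs


def remote_links(blob: bytes) -> list:
    """Return the UTF-16LE string that follows each URL moniker CLSID in `blob`."""
    links, start = [], 0
    while True:
        pos = blob.find(URL_MONIKER_CLSID, start)
        if pos == -1:
            return links
        start = pos + len(URL_MONIKER_CLSID)
        run = _UTF16_RUN.search(blob[start:start + 2048])
        if run:
            links.append(run.group().decode("utf-16-le"))


def scan_rtf(rtf: bytes) -> dict:
    """Verdict for one RTF: how many embedded objects, which remote links, suspicious or not."""
    blobs = objdata_blobs(rtf)
    links = [u for b in blobs for u in remote_links(b)]
    return {"objects": len(blobs), "remote_links": links, "suspicious": bool(links)}


def build_sample_rtf(url: str, obfuscate: bool = True) -> bytes:
    """Constructed test input (not a real sample): an OLE1 'OLE2Link' header around a
    URL moniker, hex-encoded into \\objdata, optionally with the three obfuscations
    from the text sprinkled into the hex stream."""
    class_name = b"OLE2Link\x00"
    url_utf16 = url.encode("utf-16-le") + b"\x00\x00"
    moniker = URL_MONIKER_CLSID + struct.pack("<I", len(url_utf16)) + url_utf16
    # OLE1 header: version 0x501, format id 2, class name length + name, width, height, data length.
    ole1 = (struct.pack("<III", 0x00000501, 2, len(class_name)) + class_name
            + struct.pack("<III", 0, 0, len(moniker)) + moniker)
    hexstr = ole1.hex()
    if obfuscate:
        hexstr = (hexstr[:16] + r"{\*\dummy}" + hexstr[16:48] + r"\tab "
                  + hexstr[48:96] + r"\fakeword1 " + hexstr[96:])
    return (r"{\rtf1{\object\objautlink{\*\objclass Word.Document.8}"
            r"{\*\objdata " + hexstr + "}}}").encode("ascii")


if __name__ == "__main__":
    print(scan_rtf(build_sample_rtf("http://example.invalid/decoy.doc")))
```

Because the decoder discards everything a real RTF reader discards, the obfuscated and unobfuscated samples decode to identical bytes, which is the property a signature or YARA rule should be written against: match on the decoded object, not on the hex text in the file.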

Targeted organizations

Fig 10 represents the statistics of organizations targeted by the malicious campaign.

Fig 10.

The manufacturing sector seems to be the most favoured target, followed by pharmaceuticals, exports and hotels.

Dominating all office exploits

Since its disclosure, the detection count for the exploit used in this campaign has been growing day by day, which shows that many malware actors have adopted this vulnerability. The statistics below show the exploit's growing usage.

Office exploit statistics for Q1 2017

Fig 11.

Office exploit statistics for Q2 2017

Fig 12.

As shown in fig 11, CVE-2012-0158 had the highest count in Q1 2017; in fact, it has had the highest count for the last three years. In Q2 (fig 12), however, CVE-2017-0199 overtook it with the highest detection count, gaining popularity within a short time.

Malware actors have found in the MS Office vulnerability CVE-2017-0199 a reliable and prominent way to deliver malware. Attackers can easily build exploits from readily available proofs of concept and use them to deliver a wide range of malware. We recommend that users apply the latest security updates from Microsoft and keep their antivirus software up to date.

Indicators of compromise

File hashes (MD5):

  • 862172F84680456A0BA662F0FE3F56BF
  • 4705476555FC8FCCB28DDAFFC65D2761
  • 271AF4589D175F1725724D948A63E840
  • BA02A7463A0C5BF6954DE860C53A9339

Network:

  • 95.211.209.223
  • 212.7.208.88

Subject Matter Experts

  • Pavankumar Chaudhari, Aniruddha Dolas | Quick Heal Security Labs


About Pavankumar Chaudhari

Pavankumar is associated with Quick Heal Technologies as a Technical Lead (Research and Development) and is also a part of Vulnerability Research and Analysis Team....
