05 February 2018

Malspam campaigns exploiting recent MS Office vulnerability ‘CVE-2017-11882’

Written by Aniruddha Dolas
Cybersecurity, Malware, Security

Malspam campaigns remain a major medium for spreading malware. Previously, we have written about such campaigns making use of MS Office attack vectors such as malicious macros, CVE-2017-0199, CVE-2017-8759 and DDE-based attacks. Recently, we have started observing various malspam campaigns exploiting the latest MS Office vulnerability, CVE-2017-11882.

Let’s take an in-depth look at one such malspam campaign exploiting ‘CVE-2017-11882’ in the wild.

Attack chain

Fig 1. Attack chain

Vulnerability (CVE-2017-11882) analysis

A remote code execution vulnerability (CVE-2017-11882) exists in the Microsoft Office Equation Editor component (EQNEDT32.EXE). An attacker can exploit a stack buffer overflow in this component and execute arbitrary code. The root cause of the vulnerability is an unbounded copy of the font name string defined within a FONT record of the Equation Editor OLE object data.

To exploit the vulnerability, attackers use specially crafted RTF files with a .doc extension. The RTF file contains an embedded Equation object class, as shown in Fig 2.

Fig 2. Equation object class

The OLE file embedded inside the crafted RTF has a stream named “Equation Native” with the following header:

Size    Description
WORD    Size of header (EQNOLEFILEHDR) == 28 (0x1C)
DWORD   Version
WORD    Clipboard format
DWORD   Size of (MTEF header + MTEF data)
DWORD   Reserved1
DWORD   Reserved2
DWORD   Reserved3
DWORD   Reserved4

MTEF is the MathType equation format used by Equation Editor.

The MTEF header has the following structure:

Size    Description
BYTE    MTEF version
BYTE    Generating platform
BYTE    Generating product
WORD    Product version and subversion

MTEF data consists of the MTEF header followed by multiple records. These records can be of different types and sizes.

The FONT record defined in the MTEF data receives the crafted font name and triggers the vulnerability.

The structure of the FONT record in MTEF data is as follows:

Size    Description
BYTE    FONT tag
BYTE    Typeface number
BYTE    Typeface style
STRING  Font name
BYTE    Null terminator

A font name longer than 32 bytes indicates an exploit attempt.
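As an added example (not code from the original post), the following Python parser walks an “Equation Native” stream using the three structures above and flags any FONT record whose name exceeds 32 bytes. The record tag values and the fixture bytes are assumptions for the demonstration, not values taken from the samples analysed here.

```python
import struct

FONT_TAG = 0x08  # MTEF FONT record tag (assumed value; the post names the record, not its tag)
END_TAG = 0x00   # MTEF END record tag (assumed)
MAX_SAFE_FONT_NAME = 32  # threshold from the post: longer font names indicate an exploit attempt
# EQNOLEFILEHDR: WORD size, DWORD version, WORD clipboard format,
# DWORD size of (MTEF header + MTEF data), four reserved DWORDs -> 28 bytes
HDR_FMT = "<HIHIIIII"
HDR_LEN = struct.calcsize(HDR_FMT)
MTEF_HDR_FMT = "<BBBH"  # MTEF version, generating platform, product, version/subversion
MTEF_HDR_LEN = struct.calcsize(MTEF_HDR_FMT)


def parse_equation_native(stream: bytes) -> dict:
    """Parse an 'Equation Native' stream and flag oversized FONT record names."""
    if len(stream) < HDR_LEN:
        raise ValueError("stream shorter than EQNOLEFILEHDR")
    size, _version, _fmt, mtef_size = struct.unpack_from(HDR_FMT, stream, 0)[:4]
    if size != HDR_LEN:
        raise ValueError("unexpected EQNOLEFILEHDR size %#x" % size)
    body = stream[HDR_LEN:HDR_LEN + mtef_size]
    if len(body) < MTEF_HDR_LEN:
        raise ValueError("MTEF header truncated")
    fonts, pos = [], MTEF_HDR_LEN
    while pos < len(body) and body[pos] != END_TAG:
        if body[pos] != FONT_TAG:
            break  # other record types are not described in the post; stop here
        # FONT record: tag, typeface number, typeface style, name, NUL terminator
        end = body.find(b"\x00", pos + 3)
        if end < 0:
            raise ValueError("FONT name is not NUL-terminated")
        name_len = end - (pos + 3)
        fonts.append({"typeface": body[pos + 1], "style": body[pos + 2],
                      "name_len": name_len, "suspicious": name_len > MAX_SAFE_FONT_NAME})
        pos = end + 1
    return {"mtef_version": body[0], "fonts": fonts,
            "exploit_attempt": any(f["suspicious"] for f in fonts)}


def build_stream(font_name: bytes) -> bytes:
    """Constructed fixture: a minimal stream holding one FONT record (not a real sample)."""
    record = bytes([FONT_TAG, 1, 0]) + font_name + b"\x00" + bytes([END_TAG])
    mtef = struct.pack(MTEF_HDR_FMT, 3, 0, 0, 0) + record  # version 3; other fields placeholder
    header = struct.pack(HDR_FMT, HDR_LEN, 0, 0, len(mtef), 0, 0, 0, 0)
    return header + mtef


if __name__ == "__main__":
    print(parse_equation_native(build_stream(b"Times New Roman"))["exploit_attempt"])  # False
    print(parse_equation_native(build_stream(b"A" * 48))["exploit_attempt"])  # True
```

The 48-byte name in the second call mirrors the copy size shown later in Fig 5; on a real document the stream would be pulled from the embedded OLE object with an OLE parser first.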

Exploit analysis

In this campaign, the initial attack vector is spam email carrying a crafted RTF attachment with a .doc extension.

Fig 3 shows the spam email used in this campaign.

Fig 3. Spam mail with CVE-2017-11882 exploit

MS Word opens the malicious attachment and the exploit attempt begins. After successful exploitation, Microsoft Equation Editor starts the mshta process.

Fig 4. Crafted font name

Let’s dive into the assembly to see how it works.

Fig 5 shows the stack buffer overflow: 48 bytes of data are copied into a local buffer, which overflows it and overwrites the saved base pointer and return address.

Fig 5. Stack-based buffer overflow

Fig 6 shows the address (0x00430C12) that overwrites the return address.

Fig 6. Overwritten return address

The overwritten address lies inside EQNEDT32.EXE, and the instruction at that address calls the “WinExec” API, as shown in Fig 7.

Fig 7. WinExec call

After successful exploitation, WinExec launches the mshta process, which downloads and executes the malicious HTA file. The HTA file in turn acts as a downloader for infostealer malware.

At Quick Heal Security Labs, we have seen different variants of this exploit in which WinExec executes mshta.exe, cmd.exe or powershell.exe to carry out further activities.

File-less attacks

Below is a scenario where the exploit contains code that directly executes malware hosted on a public WebDAV server. The payload is a plain network UNC path.

Fig 8 shows the different malware hosted on the public WebDAV server 185.45.195.7.

Fig 8. WebDAV server UNC path

Fig 9. Malicious WebDAV server

Obfuscation technique

To bypass signature-based detection, attackers used various obfuscation techniques in this campaign.

One of the obfuscation techniques used is shown in Fig 10.

Fig 10. Obfuscation

The RTF math control word “\mmath” (math zone) is used as obfuscation inside the OLE-embedded RTF file. Because of the \mmath control word, the string cmd.exe is split into “c” and “md.exe”, which evades signature-based detection whenever the signature pattern is the literal string cmd.exe.
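As an added detection-side example (not code from the original post), this Python normaliser strips RTF control words, control symbols and group braces before signature matching, so a token that \mmath split into “c” and “md.exe” is seen whole again. The RTF fragment is constructed for the demonstration, not taken from the campaign.

```python
import re

# RTF control word such as \mmath or \rtf1: backslash, letters, optional signed number,
# then either one space (consumed as the delimiter) or any other non-alphanumeric character
_CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d*(?: |(?![A-Za-z\d]))")
_HEX_ESCAPE = re.compile(r"\\'([0-9A-Fa-f]{2})")  # \'hh encodes one byte of text
_CONTROL_SYMBOL = re.compile(r"\\[^A-Za-z]")       # \*, \{, \} and other one-char symbols


def normalize_rtf_text(rtf: str) -> str:
    """Drop control words, control symbols and group braces, keeping only the text run."""
    text = _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), rtf)
    text = _CONTROL_WORD.sub("", text)
    text = _CONTROL_SYMBOL.sub("", text)
    return text.replace("{", "").replace("}", "")


def find_split_tokens(rtf: str, tokens=("cmd.exe", "mshta", "powershell")) -> list:
    """Return the tokens present once control words such as \\mmath are stripped."""
    flat = normalize_rtf_text(rtf).lower()
    return [t for t in tokens if t in flat]


# Constructed sample in the spirit of Fig 10: \mmath splits "cmd.exe" into "c" and "md.exe"
SAMPLE = r"{\rtf1\ansi c{\mmath md.exe}}"

if __name__ == "__main__":
    print("cmd.exe" in SAMPLE)        # False: a literal signature on the raw file misses it
    print(find_split_tokens(SAMPLE))  # ['cmd.exe']
```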

Conclusion

To defend against such exploits, Microsoft has long had mitigations like DEP and ASLR in its arsenal, but attackers targeted eqnedt32.exe, where both of these features were disabled; this makes carrying out such attacks with readily available exploit PoCs easy for attackers. All versions from Microsoft Office 2007 Service Pack 3 onwards are vulnerable. Microsoft has released a patch for this vulnerability, so we recommend that our users apply the latest Microsoft update packages and keep their antivirus up to date.

Safety measures

  • To stay safe from such attacks, we recommend disabling Equation Editor 3.0 if it is not being used. For this, please refer to the link below:
    https://support.microsoft.com/en-in/help/4055535/how-to-disable-equation-editor-3-0
  • We have also described some techniques for identifying phishing emails in our previous blog post:
    http://blogs.quickheal.com/quick-heal-thwarts-attempts-java-jrat-phishing-campaign-targeting-international-embassy-india/

Indicators of compromise:


Subject Matter Experts

Aniruddha Dolas, Prashant Kadam | Quick Heal Security Labs
