Auteur Sujet: [FireEye]New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit  (Lu 180 fois)

0 Membres et 1 Invité sur ce sujet

Hors ligne igor51

  • Admin
  • Mega Power Members
  • *****
  • Messages: 10281
New Targeted Attack in the Middle East by APT34, a Suspected Iranian
Threat Group, Using CVE-2017-11882 Exploit


Less than a week after Microsoft issued a patch for   href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882">CVE-2017-11882
  on Nov. 14, 2017, FireEye observed an attacker using an exploit for
  the Microsoft Office vulnerability to target a government organization
  in the Middle East. We assess this activity was carried out by a
  suspected Iranian cyber espionage threat group, whom we refer to as
  APT34, using a custom PowerShell backdoor to achieve its objectives.


 

We believe APT34 is involved in a long-term cyber espionage
  operation largely focused on reconnaissance efforts to benefit Iranian
  nation-state interests and has been operational since at least 2014.
  This threat group has conducted broad targeting across a variety of
  industries, including financial, government, energy, chemical, and
  telecommunications, and has largely focused its operations within the
  Middle East. We assess that APT34 works on behalf of the Iranian
  government based on infrastructure details that contain references to
  Iran, use of Iranian infrastructure, and targeting that aligns with
  nation-state interests.


 

APT34 uses a mix of public and non-public tools, often conducting
  spear phishing operations using compromised accounts, sometimes
  coupled with social engineering tactics. In May 2016, we published a
  blog detailing a     href="https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html">spear
    phishing campaign targeting banks in the Middle East region that
  used macro-enabled attachments to distribute POWBAT malware. We now
  attribute that campaign to APT34. In July 2017, we observed APT34
  targeting a Middle East organization using a PowerShell-based backdoor
  that we call POWRUNER and a downloader with domain generation
  algorithm functionality that we call BONDUPDATER, based on strings
  within the malware. The backdoor was delivered via a malicious .rtf
  file that exploited CVE-2017-0199.


 

In this latest campaign, APT34 leveraged the recent Microsoft Office
  vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER.


 

The full report on APT34 is available to our     href="https://www.fireeye.com/products/isight-cyber-threat-intelligence-subscriptions.html">MySIGHT
    customer community. APT34 loosely aligns with     href="https://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/">public
    reporting related to the group "OilRig". As individual
  organizations may track adversaries using varied data sets, it is
  possible that our classifications of activity may not wholly align.


 

CVE-2017-11882: Microsoft Office Stack Memory Corruption Vulnerability


 

CVE-2017-11882 affects several versions of Microsoft Office and,
  when exploited, allows a remote user to run arbitrary code in the
  context of the current user as a result of improperly handling objects
  in memory. The vulnerability was patched by Microsoft on Nov. 14,
  2017. A full proof of concept (POC) was publicly released a week later
  by the reporter of the vulnerability.


 

The vulnerability exists in the old Equation Editor (EQNEDT32.EXE),
  a component of Microsoft Office that is used to insert and evaluate
  mathematical formulas. The Equation Editor is embedded in Office
  documents using object linking and embedding (OLE) technology. It is
  created as a separate process instead of child process of Office
  applications. If a crafted formula is passed to the Equation Editor,
  it does not check the data length properly while copying the data,
  which results in stack memory corruption. As the EQNEDT32.exe is
  compiled using an older compiler and does not support address space
  layout randomization (ASLR), a technique that guards against the
  exploitation of memory corruption vulnerabilities, the attacker can
  easily alter the flow of program execution.


 

Analysis


 

APT34 sent a malicious .rtf file (MD5:
  a0e6933f4e0497269620f44a083b2ed4) as an attachment in a malicious
  spear phishing email sent to the victim organization. The malicious
  file exploits CVE-2017-11882, which corrupts the memory on the stack
  and then proceeds to push the malicious data to the stack. The malware
  then overwrites the function address with the address of an existing
  instruction from EQNEDT32.EXE. The overwritten instruction (displayed
  in Figure 1) is used to call the “WinExec” function from kernel32.dll,
  as depicted in the instruction at 00430c12, which calls the “WinExec” function.


 


 
 
 Figure 1: Disassembly of overwritten
    function address


 

After exploitation, the ‘WinExec’ function is successfully called to
  create a child process, “mshta.exe”, in the context of current logged
  on user. The process “mshta.exe” downloads a malicious script from
  hxxp://mumbai-m[.]site/b.txt and executes it, as seen in Figure 2.


 


 
 
 Figure 2: Attacker data copied to corrupt
    stack buffer


 

Execution Workflow


 

The malicious script goes through a series of steps to successfully
  execute and ultimately establish a connection to the command and
  control (C2) server. The full sequence of events starting with the
  exploit document is illustrated in Figure 3.


 


 
 
 Figure 3: CVE-2017-11882 and POWRUNER
    attack sequence


 
  1. The malicious .rtf file
        exploits CVE-2017-11882.
  2. The malware overwrites the
        function address with an existing instruction from
      EQNEDT32.EXE.
  3. The malware creates a child process,
        “mshta.exe,” which downloads a file from:
      hxxp://mumbai-m[.]site/b.txt.
  4. b.txt contains a PowerShell
        command to download a dropper from: hxxp://dns-update[.]club/v.txt.
        The PowerShell command also renames the downloaded file from v.txt
        to v.vbs and executes the script.
  5. The v.vbs script drops
        four components (hUpdateCheckers.base, dUpdateCheckers.base,
        cUpdateCheckers.bat, and GoogleUpdateschecker.vbs) to the directory:
      C:\ProgramData\Windows\Microsoft\java\
  6. v.vbs uses
        CertUtil.exe, a legitimate Microsoft command-line program installed
        as part of Certificate Services, to decode the base64-encoded files
        hUpdateCheckers.base and dUpdateCheckers.base, and drop
        hUpdateCheckers.ps1 and dUpdateCheckers.ps1 to the staging
      directory.
  7. cUpdateCheckers.bat is launched and creates a
        scheduled task for GoogleUpdateschecker.vbs persistence.

  8.    
  9. GoogleUpdateschecker.vbs is executed after sleeping for five
      seconds.
  10. cUpdateCheckers.bat and *.base are deleted from the
        staging directory.

 

Figure 4 contains an excerpt of the v.vbs script pertaining to the
  Execution Workflow section.


 


 
 
 Figure 4: Execution Workflow Section of v.vbs


 

After successful execution of the steps mentioned in the Execution
  Workflow section, the Task Scheduler will launch
  GoogleUpdateschecker.vbs every minute, which in turn executes the
  dUpdateCheckers.ps1 and hUpdateCheckers.ps1 scripts. These PowerShell
  scripts are final stage payloads – they include a downloader with
  domain generation algorithm (DGA) functionality and the backdoor
  component, which connect to the C2 server to receive commands and
  perform additional malicious activities. 


 

hUpdateCheckers.ps1 (POWRUNER)


 

The backdoor component, POWRUNER, is a PowerShell script that sends
  and receives commands to and from the C2 server. POWRUNER is executed
  every minute by the Task Scheduler. Figure 5 contains an excerpt of
  the POWRUNER backdoor.


 


 
 
 Figure 5: POWRUNER PowerShell script hUpdateCheckers.ps1


 

POWRUNER begins by sending a random GET request to the C2 server and
  waits for a response. The server will respond with either “not_now” or
  a random 11-digit number. If the response is a random number, POWRUNER
  will send another random GET request to the server and store the
  response in a string. POWRUNER will then check the last digit of the
  stored random number response, interpret the value as a command, and
  perform an action based on that command. The command values and the
  associated actions are described in Table 1.


 
   
     
   
     
   
     
   
     

Command

        valign="top">

Description

        valign="top">

Action

0

          valign="top">

Server response string contains batch
        commands

Execute batch
          commands and send results back to server

1

          valign="top">

Server response string is a file path


     

Check for file path and
          upload (PUT) the file to server

2

          valign="top">

Server response string is a file path


     

Check for file path and
          download (GET) the file


 


  Table 1: POWRUNER commands


 

After successfully executing the command, POWRUNER sends the results
  back to the C2 server and stops execution.


 

The C2 server can also send a PowerShell command to capture and
  store a screenshot of a victim’s system. POWRUNER will send the
  captured screenshot image file to the C2 server if the “fileupload”
  command is issued. Figure 6 shows the PowerShell “Get-Screenshot”
  function sent by the C2 server.


 


 
 
 Figure 6: Powershell Screenshot Functionality


 

dUpdateCheckers.ps1 (BONDUPDATER)


 

One of the recent advancements by APT34 is the use of DGA to
  generate subdomains. The BONDUPDATER script, which was named based on
  the hard-coded string “B007”, uses a custom DGA algorithm to generate
  subdomains for communication with the C2 server.


 

DGA Implementation


 

Figure 7 provides a breakdown of how an example domain
  (456341921300006B0C8B2CE9C9B007.mumbai-m[.]site) is generated using
  BONDUPDATER’s custom DGA.


 


 
 
 Figure 7: Breakdown of subdomain created
    by BONDUPDATER


 
  1. This is a randomly
        generated number created using the following expression: $rnd =
        -join (Get-Random -InputObject (10..99) -Count (%{ Get-Random
        -InputObject (1..6)}));
  2. This value is either 0 or 1. It is
        initially set to 0. If the first resolved domain IP address starts
        with 24.125.X.X, then it is set to 1.
  3. Initially set to 000,
        then incremented by 3 after every DNS request
  4. First 12
        characters of system UUID.
  5. “B007” hardcoded string.

  6.    
  7. Hardcoded domain “mumbai-m[.]site”

 

BONDUPDATER will attempt to resolve the resulting DGA domain and
  will take the following actions based on the IP address resolution:


 
  1. Create a temporary file
        in %temp% location
    • The file created will have the last two
              octets of the resolved IP addresses as its filename.

     
  2. BONDUPDATER will evaluate the last character of the file
        name and perform the corresponding action found in Table 2.

 
   
              width="150" valign="top">

Description


   
     
   
     
   
     

Character

0

          valign="top">

File contains batch commands, it executes the
          batch commands

1

          valign="top">

Rename the temporary file as .ps1
        extension

2

          valign="top">

Rename the temporary file as .vbs
        extension


 


  Table 2: BONDUPDATER Actions


 

Figure 8 is a screenshot of BONDUPDATER’s DGA implementation.


 


 
 
 Figure 8: Domain Generation Algorithm


 

Some examples of the generated subdomains observed at time of
  execution include:


 

143610035BAF04425847B007.mumbai-m[.]site


 

835710065BAF04425847B007.mumbai-m[.]site


 

376110095BAF04425847B007.mumbai-m[.]site


 

Network Communication


 

Figure 9 shows example network communications between a POWRUNER
  backdoor client and server.


 


 
 
 Figure 9: Example Network Communication


 

In the example, the POWRUNER client sends a random GET request to
  the C2 server and the C2 server sends the random number (99999999990)
  as a response. As the response is a random number that ends with ‘0’,
  POWRUNER sends another random GET request to receive  an additional
  command string. The C2 server sends back Base64 encoded response.


 

If the server had sent the string “not_now” as response, as shown in
  Figure 10, POWRUNER would have ceased any further requests and
  terminated its execution.


 


 
 
 Figure 10: Example "not now"
    server response


 

Batch Commands


 

POWRUNER may also receive batch commands from the C2 server to
  collect host information from the system. This may include information
  about the currently logged in user, the hostname, network
  configuration data, active connections, process information, local and
  domain administrator accounts, an enumeration of user directories, and
  other data. An example batch command is provided in Figure 11.


 


 
 
 Figure 11: Batch commands sent by
    POWRUNER C2 server


 

Additional Use of POWRUNER / BONDUPDATER


 

APT34 has used POWRUNER and BONDUPDATER to target Middle East
  organizations as early as July 2017. In July 2017, a FireEye Web MPS
  appliance detected and blocked a request to retrieve and install an
  APT34 POWRUNER / BONDUPDATER downloader file. During the same month,
  FireEye observed APT34 target a separate Middle East organization
  using a malicious .rtf file (MD5: 63D66D99E46FB93676A4F475A65566D8)
 
that exploited CVE-2017-0199. This file issued a GET request to
  download a malicious file from:


 

hxxp://94.23.172.164/dupdatechecker.doc.


 

As shown in Figure 12, the script within the dupatechecker.doc file
  attempts to download another file named dupatechecker.exe from the
  same server. The file also contains a comment by the malware author
  that appears to be an apparent taunt to security researchers.


 


 
 
 Figure 12: Contents of dupdatechecker.doc script


 

The dupatechecker.exe file (MD5: C9F16F0BE8C77F0170B9B6CE876ED7FB)
  drops both BONDUPDATER and POWRUNER. These files connect to
  proxychecker[.]pro for C2.


 

Outlook and Implications


 

Recent activity by APT34 demonstrates that they are capable group
  with potential access to their own development resources. During the
  past few months, APT34 has been able to quickly incorporate exploits
  for at least two publicly vulnerabilities (CVE-2017-0199 and
    CVE-2017-11882) to target organizations in the Middle East.
  We assess that APT34’s efforts to continuously update their malware,
  including the incorporation of DGA for C2, demonstrate the group’s
  commitment to pursing strategies to deter detection. We expect APT34
  will continue to evolve their malware and tactics as they continue to
  pursue access to entities in the Middle East region.


 

IOCs


 
   
              width="290" valign="top">


          MD5 Hash or Description


   
     
   
     
   
              width="290" valign="top">

B2D13A336A3EB7BD27612BE7D4E334DF


     

   
              width="290" valign="top">

4A7290A279E6F2329EDD0615178A11FF


     

   
              width="290" valign="top">

841CE6475F271F86D0B5188E4F8BC6DB


     

   
              width="290" valign="top">

52CA9A7424B3CC34099AD218623A0979


     

   
              width="290" valign="top">

BBDE33F5709CB1452AB941C08ACC775E


     

   
              width="290" valign="top">

247B2A9FCBA6E9EC29ED818948939702


     

   
     
       
   
     
       
   
     
       
   
     
   
              width="290" valign="top">

Malware Staging Server


   
              width="290" valign="top">

D85818E82A6E64CA185EDFDDBA2D1B76


     

   
              width="290" valign="top">

C9F16F0BE8C77F0170B9B6CE876ED7FB


     

   
              width="290" valign="top">

C2


   
              width="290" valign="top">

Has resolved mumbai-m[.]site &
        hpserver[.]online


   
              width="290" valign="top">

Has resolved mumbai-m[.]site and
        dns-update[.]club


   
              width="290" valign="top">

Has resolved dns-update[.]club


     

   
              width="290" valign="top">

Has resolved dns-update[.]club


     

   
              width="290" valign="top">

Has resolved ns2.dns-update[.]club
          & hpserver[.]online & anyportals[.]com


   
     
       
   
              width="290" valign="top">

3C63BFF9EC0A340E0727E5683466F435


     

   
              width="290" valign="top">

EEB0FF0D8841C2EBE643FE328B6D9EF5


     

   
              width="290" valign="top">

FB464C365B94B03826E67EABE4BF9165


     

   
              width="290" valign="top">

635ED85BFCAAB7208A8B5C730D3D0A8C


     

   
              width="290" valign="top">

13B338C47C52DE3ED0B68E1CB7876AD2


     

   
     
       
   
              width="290" valign="top">

C2


   
              width="290" valign="top">

EAF3448808481FB1FDBB675BC5EA24DE


     

   
              width="290" valign="top">

42449DD79EA7D2B5B6482B6F0D493498


     

   
              width="290" valign="top">

A3FCB4D23C3153DD42AC124B112F1BAE


     

   
              width="290" valign="top">

EE1C482C41738AAA5964730DCBAB5DFF


     

   
              width="290" valign="top">

E516C3A3247AF2F2323291A670086A8F


     

   
              width="290" valign="top">

C2


          Filename / Domain / IP Address

CVE-2017-11882 exploit
        document

        valign="top">

A0E6933F4E0497269620F44A083B2ED4

b.txt

        valign="top">

9267D057C065EA7448ACA1511C6F29C7

v.txt/v.vbs

dUpdateCheckers.base

hUpdateCheckers.base

cUpdateCheckers.bat

dUpdateCheckers.ps1

hUpdateCheckers.ps1

GoogleUpdateschecker.vbs

        valign="top">

C87B0B711F60132235D7440ADD0360B0

hxxp://mumbai-m[.]site

POWRUNER C2

hxxp://dns-update[.]club

Malware Staging Server

CVE-2017-0199 exploit document


     
        valign="top">

63D66D99E46FB93676A4F475A65566D8

94.23.172.164:80

dupdatechecker.doc

dupdatechecker.exe

proxycheker[.]pro

46.105.221.247

148.251.55.110

185.15.247.147

145.239.33.100

82.102.14.219

v7-hpserver.online.hta

        valign="top">

E6AC6F18256C4DDE5BF06A9191562F82

dUpdateCheckers.base

hUpdateCheckers.base

cUpdateCheckers.bat

dUpdateCheckers.ps1

hUpdateCheckers.ps1

googleupdateschecker.vbs

        valign="top">

DBFEA6154D4F9D7209C1875B2D5D70D5

hpserver[.]online

v7-anyportals.hta

dUpdateCheckers.base

hUpdateCheckers.base

dUpdateCheckers.ps1

hUpdateCheckers.ps1

anyportals[.]com


Source: New Targeted Attack in the Middle East by APT34, a Suspected Iranian
Threat Group, Using CVE-2017-11882 Exploit

Security-X


Tags: