Table Of Contents

Introduction:

CVE-2017–11882, a 6-year-old vulnerability in Microsoft Office, is still being attempted to exploit by several malware families. Based on the Malware Bazaar feed as shown in figure below, recent top malware like AgentTesla, Remcos, Formbook, Loki, etc. are still targeting this vulnerability to this day.

Despite the fact that the patch was provided in 2017, given the amount of malware families that target this vulnerability, it is fair to assume that there are unpatched devices out there. As a result, this vulnerability has been a popular target for different malware families to use as their initial stager in order to attack the vulnerability and deliver their final payload.

CVE-2017–11882 Summary:

CVE-2017–11882 is a stack-based buffer overflow vulnerability found in Equation Editor. Equation Editor is a Microsoft Office component that inserts or changes OLE (Object Linking and Embedding) elements in documents. Furthermore, because it is an out-of-process COM server hosted by eqnedt32.exe, it operates as a its own process and can take commands from other processes. As a result, an attacker can execute code from within the eqnedt32.exe process. Although this stack-based buffer overflow was preventable through ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), the way the binary was linked and the fact the binary was compiled in 2000 made it not applicable for that. Its patch was released in 2017.

Technical Analysis:

The payload to exploit the CVE-2017–11882 are typically hidden within Microsoft Office files like xls, doc or rtf. These files are delivered through spam mails and acts as the initial stager that will download the loader (which will then download final payload) or the final payload directly. For the analysis on how malware abuse this vulnerability, a recent rtf format sample was taken from Malware Bazaar.

Identification:

Source: (Malware Bazaar)

SHA256: 59e7f344c86d2adef46011daccd3206e9fb87ad3edc3b88910daf4e5bc5c2401

AV-Detection: 34/59 (VirusTotal)

Analysis:

Static Analysis:

First, on the rtf file obtained from Malware Bazaar, static analysis was started using the oletool, particularly the rtfdump. Using the rtfdump tool, objects embedded within the rtf file was checked as:

rtfdump.py -f O yFwFFUG8b5.rtf

From the output in above figure, an object named b’eQUaTion.3\x00’ can be seen at stream 4. The object named eQUaTion along with 3 (vulnerable version) gives the idea that the vulnerability present in Equation Editor could possibly be exploited by it.

Now, based on the above output, it was looked deeper into the stream to view the contents of that object as:

rtfdump.py -s 4 -H yFwFFUG8b5.rtf

The output as shown in above figure point out many interesting information:

• First references to Equation Editor 3.0, PE file signature, Kernel32 DLL and some windows API can be seen.
• One interesting API is URLDownloadToFileW, which can be seen along with a URL named hxxp[:]//wsvdyhrgebwhevawe[.]ydns[.]eu/fileone/Fnvtdhenapsfwu[.]exe.
• Also, there is path %APPDATA%CHROME.exe.

Based on these above findings, it can be hypothesized that this file is an initial stager which will exploit the vulnerability in Equation Editor and try to reach wsvdyhrgebwhevawe[.]ydns[.]eu, its C2 server to download the loader/final payload named Fnvtdhenapsfwu[.]exe and save it as CHROME.exe under AppData directory. The dynamic analysis will shed more light on these above findings and hypothesis.

Dynamic Analysis:

For the dynamic analysis, AnyRun sandbox was used because the sandbox came with vulnerable version of Equation Editor.

As per the ANYRUN analysis as shown in the figures above, following interesting information was found, which support the hypothesis formed during static analysis:

• After opening the file, the vulnerability present in Equation Editor was exploited and following that, it executed the CHROME.exe (Dbatloader ) as its child process as shown in first figure. The loader CHROME.exe is actually Fnvtdhenapsfwu[.]exe, which was downloaded from its C2 hxxp[:]//wsvdyhrgebwhevawe[.]ydns[.]eu/fileone/Fnvtdhenapsfwu[.]exe after exploiting vulnerability as shown in the second figure.
• After that, the loader CHROME.exe can be seen executing SndVol.exe (Remcos RAT) as its child process in first figure. In the second figure, it can be seen that the loader contacted its C2 server to get the final payload SndVol.exe, i.e., Remcos RAT in this case.

Remcos RAT is ranked as top 4 RAT used worldwide as per Checkpoint. Since the scope of this blog is on malware families attempting to exploit the CVE-2017–11882, so it will not cover Remcos RAT analysis. A separate blog covering analysis of Remcos RAT will be out soon.

Recommendations:

• Keep software and security patches up to date.
• Use reputable antivirus software.
• Use email and web filtering solutions.
• Use reputable IPS/IDS and firewall solutions.

Conclusion:

Although CVE-2017–11882 is a legacy vulnerability, its being actively attempted to exploit by different malware families. This blog showed how malware exploit this vulnerability to act as their initial stager in order to download their final payload. In the case above, although Remcos RAT was downloaded as final payload, it is not limited to it. Other malware families like Agent Tesla, Loki, Formbook, Ave Maria, etc. are also employing this technique to deliver their malware.