# APT Targets Financial Analysts with CVE-2017-0199 **[proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts](https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts)** April 27, 2017 ----- [Blog](https://www.proofpoint.com/us/blog) [Threat Insight](https://www.proofpoint.com/us/blog/threat-insight) APT Targets Financial Analysts with CVE-2017-0199 ----- April 27, 2017 Axel F On April 20, Proofpoint observed a targeted campaign focused on financial analysts working at top global financial firms operating in Russia and neighboring countries. These analysts were linked by their coverage of the telecommunications industry, making this targeting very similar to, and likely a [continuation of, activity described in our “In Pursuit of Optical Fibers and Troop Intel” blog. This time,](https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia) [however, attackers opportunistically used spear-phishing emails with a Microsoft Word attachment](https://www.proofpoint.com/us/threat-reference/spear-phishing) [exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan, which in turn downloaded the](https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day) PlugX Remote Access Trojan (RAT). Proofpoint is tracking this attacker, believed to operate out of China, as TA459. The actor typically targets [Central Asian countries, Russia, Belarus, Mongolia, and others. TA549 possesses a diverse malware](https://www.proofpoint.com/us/threat-reference/malware) arsenal including PlugX, NetTraveler, and ZeroT. [1][2][3] In this blog, we also document other 2017 activity so far by this attack group, including their distribution of ZeroT malware and secondary payloads PCrat/Gh0st. **Analysis** In this campaign, attackers used a Microsoft Word document called 0721.doc, which exploits CVE-20170199. This vulnerability was disclosed and patched days prior to this attack. ----- _Figure 1: Microsoft Word document 0721.doc_ The document uses the logic flaw to first download the file power.rtf from hxxp://122.9.52[.]215/news/power.rtf. The payload is actually an HTML Application (HTA) file, not an RTF document. _Figure 2: The first script downloaded by the exploit document is an HTA file_ As shown in the figure above, the HTA’s VBScript changes the window size and location and then uses PowerShell to download yet another script: power.ps1. This is a PowerShell script that downloads and runs the ZeroT payload cgi.exe. ----- _Figure 3: The second script downloaded by the exploit document is a PowerShell script_ _Figure 4: Combined network traffic showing the document downloading its payloads_ **ZeroT and other payloads** The attack group has made incremental changes to ZeroT since our last analysis. While they still use RAR SFX format for the initial payloads, ZeroT now uses a the legitimate McAfee utility (SHA256 3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe) named mcut.exe instead of the Norman Safeground AS for sideloading as they have in the past. The encrypted ZeroT payload, named Mctl.mui, is decoded in memory revealing a similarly tampered PE header and only slightly modified code when compared to ZeroT payloads we analyzed previously. Once ZeroT is running, we observed that the fake User-Agent used in the requests changed from “Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)” to “Mozilla/6.0 (compatible; MSIE 11.0; Windows NT 6.2)”, thus removing the “Tzcdrnt” typo observed in previous versions. The initial beacon to index.php changed to index.txt but ZeroT still expects an RC4-encrypted response using a static key: “(*^GF(9042&*”. _Figure 5: ZeroT initial beacon over HTTP requesting URL configuration_ ----- Next, ZeroT uses HTTP beacons to transmit information about the infected system to the command and control (C&C). All posts are encrypted, unlike the last time we analyzed a sample from this actor, when the first POST was accidentally not encrypted. After that, stage 2 payloads are still retrieved as Bitmap [(BMP) images that use Least Significant Bit (LSB) Steganography to hide the real payloads. These](https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx) images appear normal in image viewers. _Figure 6: Collage of example BMP images containing stage 2 payloads hidden using LSB steganography_ The stage 2 payload was PlugX that beaconed to C&C servers www[.]icefirebest[.]com and www[.]icekkk[.]net. _Figure 7: ZeroT and PlugX HTTP network activity_ **Additional 2017 activity by TA459** ----- Throughout 2017 we observed this threat actor actively attempting to compromise victims with various malware payloads. ZeroT remained the primary stage 1 payload, but the stage 2 payloads varied. One such interesting example was “ПЛАН РЕАЛИЗАЦИИ ПРОЕКТА.rar” (SHA256 b5c208e4fb8ba255883f771d384ca85566c7be8adcf5c87114a62efb53b73fda). Translated from Russian, this file is named “PROJECT REALIZATION PLAN” and contains a compressed .scr executable. This ZeroT executable communicated with the C&C domain www[.]kz-info[.]net and downloaded PlugX as well as an additional PCRat/Gh0st Trojan which communicated with the www[.]ruvim[.]net C&C server. PCRat/Gh0st is a payload that we do not see this group using frequently. Another interesting ZeroT sample (SHA256 bc2246813d7267608e1a80a04dac32da9115a15b1550b0c4842b9d6e2e7de374) contained the executable 0228.exe and a decoy document 0228.doc in the RAR SFX archive. Bundling decoy documents is a common tactic by this group. RAR SFX directives are used to display the decoy while the malicious payload is executed. We suspect that this specific lure was copied from the news article hxxp://www.cis.minsk[.]by/news.php?id=7557. This article was about “73-го заседания Экономического совета СНГ”, translated from Russian as “73rd meeting of the CIS Economic Council”, which describes a meeting held in Moscow by the Commonwealth of Independent States (CIS) countries, an organization that includes nine out of the fifteen former Soviet Republics. _Figure 8: Decoy document_ ----- _Figure 9: The believed source of the text in decoy document_ **Conclusion** TA459 is well-known for targeting organizations in Russia and neighboring countries. However, their strategy, tactics, techniques, and procedures in this particular attack emphasize the importance of rigorous patching regimens for all organizations. Even as software vulnerabilities often take a back seat to human exploits and social engineering, robust defenses must include protection at the email gateway, proactive patch management, and thoughtful end user education. Paying attention to the details of past attacks is also an important means of preparing for future attacks. Noting who is targeted, with what malware, and with what types of lures provide clues with which organizations can improve their security posture. At the same time, multinational organizations like the financial services firms targeted here must be acutely aware of the threats from state-sponsored actors working with sophisticated malware to compromise users and networks. Ongoing activity from attack groups like TA459 who consistently target individuals specializing in particular areas of research and expertise further complicate an already difficult [security situation for organizations dealing with more traditional malware threats, phishing campaigns,](https://www.proofpoint.com/us/threat-reference/phishing) and socially engineered threats every day. **References** [[1]https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia](https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia) [[3]https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests](https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests) ----- [[3]https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx](https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx) **Indicators of Compromise (IOCs)** **IOC** **IOC Type** **Description** a64ea888d412fd406392985358a489955b0f7b27da70ff604e827df86d2ca2aa SHA256 0721.doc CVE-20170199 hxxp://122.9.52[.]215/news/power.rtf URL 0721.doc payload hxxp://122.9.52[.]215/news/power.ps1 URL 0721.doc payload hxxp://www.firesyst[.]net/info/net/sports/drag/cgi.exe URL 0721.doc payload bf4b88e42a406aa83def0942207c8358efb880b18928e41d60a2dc59a59973ba SHA256 ZeroT (cgi.exe) www.firesyst[.]net Hostname ZeroT C&C www.icekkk[.]net Hostname PlugX C&C **Indicators of Compromise (IOCs) - Related** **IOC** **IOC Type** **Description** www.kz-info[.]net Hostname ZeroT C&C www.firesyst[.]net Hostname ZeroT C&C www.buleray[.]net Hostname ZeroT C&C www.intersu[.]net Hostname ZeroT C&C 868ee879ca843349bfa3d200f858654656ec3c8128113813cd7e481a37dcc61a SHA256 ZeroT 4601133e94c4bc74916a9d96a5bc27cc3125cdc0be7225b2c7d4047f8506b3aa SHA256 ZeroT 5fd61793d498a395861fa263e4438183a3c4e6f1e4f098ac6e97c9d0911327bf SHA256 ZeroT ----- b5c208e4fb8ba255883f771d384ca85566c7be8adcf5c87114a62efb53b73fda SHA256 ZeroT ab4cbfb1468dd6b0f09f6e74ac7f0d31a001d396d8d03f01bceb2e7c917cf565 SHA256 ZeroT 79bd109dc7c35f45b781978436a6c2b98a5df659d09dee658c2daa4f1984a04e SHA256 ZeroT www.icekkk[.]net Hostname PlugX C&C www.icefirebest[.]com Hostname PlugX C&C www.ruvim[.]net Hostname PlugX C&C **ET and ETPRO Suricata/Snort Coverage** 2821028 | ETPRO TROJAN APT.ZeroT CnC Beacon HTTP POST 2825365 | ETPRO TROJAN APT.ZeroT CnC Beacon Fake User-Agent 2824641 | ETPRO TROJAN APT.ZeroT Receiving Config 2810326 | ETPRO TROJAN PlugX Related Checkin 2024196 | ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential Office Exploit Attempt 2024197 | ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in RTF 0-day ) 2016922 | ET TROJAN Backdoor family PCRat/Gh0st CnC traffic 2021716 | ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 Subscribe to the Proofpoint Blog -----