# Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions **[proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target](https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target)** June 1, 2017 ----- [Blog](https://www.proofpoint.com/us/blog) [Threat Insight](https://www.proofpoint.com/us/blog/threat-insight) Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions ----- June 01, 2017 Matthew Mesa, Axel F, Pierre T, Travis Green **Overview** In May, Proofpoint observed multiple campaigns using a new version of Microsoft Word Intruder (MWI). MWI is a tool sold on underground markets for creating exploit-laden documents, generally used in targeted attacks. We previously reported about MWI when it added support for CVE-2016-4117 [2]. After the latest update, MWI is now using CVE-2017-0199 [4][5] to launch an HTML Application (HTA) used for both information collection and payload execution. This activity targets organizations in the financial vertical including banks, banking software vendors, and ATM software and hardware vendors. The emails are sent to technology and security personnel working in departments including Fraud and Information Security. The actor involved is believed to be the Cobalt group -- an actor known to target banks in Europe and Asia and previously documented by Group IB [1]. The malicious documents created with MWI for use [in these activities delivered Metasploit Stager, Cobalt Strike, and previously undocumented malware](https://www.proofpoint.com/us/threat-reference/malware) we named Cyst Downloader. **Email Lures** While we observed numerous malicious attachments, we describe two here and list the rest in the IOC section. In the first campaign, the email (Figure 1) purported to be from FinCERT [8] with the subject “Памятка по информационной безопасности” (Information Security Notice) and contained a Microsoft Word attachment named “сводка1705.doc” (report1705) (Figure 3). Another email (Figure 2) purported to be from Security Support for PCI-DSS [3] at a major credit card company with the subject line “Безопасность” (security) and a Microsoft Word attachment (Figure 4) “Требования безопасности.doc” (Safety requirements). ----- _Figure 1: Email used to deliver the MWI document (Body translated: “Good day, important to familiarize_ _yourself!”)_ ----- _Figure 2: Email used to deliver the MWI document (Body translated: Please accept following advice_ _and recommendations regarding necessary safety precautions”)_ _Figure 3: MWI document after the exploit is triggered; the lure displays unreadable characters_ ----- _Figure 4: MWI document after the exploit is triggered; the lure describes the different ways to pay for a_ _delinquent MTS (Russian mobile provider) bill_ **MWI Advertising Integration of CVE-2017-0199** Before we describe our MWI analysis, it is worth mentioning that on May 8, 2017, an advertisement for MWI on an underground site stated that this exploit document builder integrated CVE-2017-0199, and was recruiting customers for several available seats. The full version of the original Russian advertisement and its English translation follows: Microsoft Office Word Exploits, universal .doc exploit-pack имеется несколько мест на CVE-2017-0199 (OLE2LINK) - билдер - статистика - запуск exe/dll (скриплеттов) - запуск cmd/powershell - поддержка, обновления, чистки подробности: [REDACTED_EMAIL] -- [*] MICROSOFT WORD INTRUDER 8 - the best APT-like *.doc exploit pack CVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158 ----- Translation: Microsoft Office Word Exploits, universal .doc exploit-pack There are several spots available for the CVE-2017-0199 (OLE2LINK) - Builder - Statistics - Running exe / dll (scriptlets) - Starting cmd / powershell - Support, updates, cleaning Details: [REDACTED_EMAIL] -- [*] MICROSOFT WORD INTRUDER 8 - the best APT-like * .doc exploit pack CVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158 **MWI Analysis** When the document is opened, it drops the embedded payload into a temporary directory as is typical of RTFs with embedded objects[6]. Next, the CVE-2017-0199 exploit downloads and executes the HTA. From our analysis, the purpose of the HTA is two-fold. It is used to download and/or execute the payload as well as collect information about the infected machine. Thus the advertisement description is accurate. In the example analyzed here, shown in Figure 5, the MWI HTA is configured to run an executable payload embedded in the document, which was previously saved into the temporary directory when the recipient opened the document. Note that the HTA could have alternatively been configured to download and run an executable, DLL, or a JScript/VBscript file. It is also configured to collect and report information about the system, such as installed antivirus applications, running processes, and whether execution of the payload was successful. ----- _Figure 5: Configuration section of the MWI HTA_ As mentioned above, depending on how MWI is configured, it has different ways of executing the payload. Figure 6 shows the code snippet used for executing EXE and DLL payloads. There is also functionality for executing JScript/VBScript (Figure 7) and cmd/Powershell. All three methods generate a section for the Command and Control (C&C) report letting the operator know if the execution was successful. ----- _Figure 6: Portion of the HTA code responsible for running DLLs and Executables_ _Figure 7: Portion of the HTA code responsible for executing VBScript/Jscript_ ----- The information collection code is responsible for profiling the system. It collects network details, operating system information, installed antivirus products, and running processes (see list below). This collected information is encoded with base64 and sent it to its C&C server. UserName ComputerName UserDomain OS Version OS SerialNumber WindowsDirectory CodeSet CountryCode OSLanguage CurrentTimeZone Locale DefaultProxy Antivirus displayName Antivirus instanceGuid Antivirus pathToSignedProductExe Antivirus pathToSignedReportingExe Antivirus productState Antivirus Timestamp Running process ProcessId Running process Name Running process ExecutablePath _Figure 8: Section of the HTA responsible for collecting information about the system_ ----- _Figure 9: Section of the HTA responsible for sending collected data_ _Figure 10: Function in the HTA used to send collected data_ **Malware Payload: Metasploit Stager** The payload installed most frequently by MWI was the Metasploit stager, which in turn downloaded Cobalt Strike. The Metasploit stager [7] is used to stage additional malware and we often see it in penetration testing as well as real attacks. **Malware Payload: Cyst Downloader and Plugin** ----- However, in at least in one case we observed an MWI document install a previously unknown malware (SHA256: af17a3b5bf4c78283b2ee338ac6d457b9f3e7b7187c7e9d8651452b78574b3d3). We are calling it the Cyst Downloader. The functionality of this loader is limited. It can create a mutex such as “syst<10 digits>” and communicate with the the C&C server to receive a DLL plugin. The URI path pattern of the C&C beacon contains a folder (random alphanumeric name) followed by a file (random alphanumeric name) with a .jpg, .php, .gif, or .png extension. The downloaded DLL is encrypted with a hardcoded "\x28\xBF\x0A\xBE\x5B\x6E\x70\x03" RC4 key and base64 encoded. The server sends the DLL in HTML comments in a fake 404 response. _Figure 11: Cyst Downloader communicating with the C&C and receiving a payload plugin_ The DLL plugin is loaded in memory by the loader and does not access the disk. This plugin has the internal name “test.dll”, which may indicate it is still in development. This plugin has only one export named “Execute”, which is hardcoded into the Cyst loader. The plugin enumerates URLs stored in the browser history, with support for Internet Explorer, Chrome, Firefox, and Opera: IE: parse history using the IUrlHistoryStg2::EnumUrls method Chrome: parse history using a SQL query : “SELECT url, (last_visit_time/1000000-11644473600) FROM urls” Firefox: parse history using a SQL query : “SELECT url, (last_visit_date/1000000) FROM moz places” ----- Opera: parse history using a SQL query : SELECT url, (last_visit_time/1000000-11644473600) FROM urls” These methods of browser history parsing are well-known and have been used for a long time by malware authors. The visited URLs retrieved are stored in malware memory using this format : "browser: (IE|Chrome|Firefox|Opera)\r\n” + “url: %s” + " | time: %d\r\n" _Figure 12: Example of visited URLs (recovered from browser history) stored in memory_ This data is then RC4 encrypted and sent to the same C&C. The attacker is likely parsing the data on the server side and searching for a set of selected domains relevant to their attack, making it an efficient filter for interesting targets. **Conclusion** Microsoft Word Intruder is a powerful tool for creating exploit documents that can be used in a variety of malicious campaigns. In this case, not only was it used to install known malware and customizable scripts and executables, but also installed a previously undocumented malware called Cyst Downloader. While exploit documents are less commonly used in attacks as malicious attachments and hosted files than macro documents, the availability of often unpatched vulnerabilities like CVE2017-0199 make it attractive to threat actors. We will continue to monitor MWI development and campaigns by Cobalt and other actors using associated exploit documents. **Acknowledgements** [Special thanks to our colleague Andrew Komarov (InfoArmor Inc.) for his help in this study.](https://www.infoarmor.com/) **References** [1] [http://www.group-ib.com/cobalt.html](http://www.group-ib.com/cobalt.html) [2] https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-8-adds-support-for-flashvulnerability [3] [https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard](https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard) [4] [https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts](https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts) ----- [5] https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatchedmicrosoft-zero-day [6] https://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distributiontechniques [7] [https://blog.cobaltstrike.com/2013/06/28/staged-payloads-what-pen-testers-should-know/](https://blog.cobaltstrike.com/2013/06/28/staged-payloads-what-pen-testers-should-know/) [8] [https://www.scmagazine.com/fincert-to-help-russian-banks-respond-to-cyber-attacks/article/535448/](https://www.scmagazine.com/fincert-to-help-russian-banks-respond-to-cyber-attacks/article/535448/) **Indicators of Compromise (IOCs)** **IOC** **IOC** **Type** **Description** e559c65b51a874b9ebf4faacd830223428e507a865788c2f32a820b952ccf0b4 SHA256 MWI Document 2a918030be965cd5f365eb28cd5a0bebec32d05c6a27333ade3beaf3c54d242c SHA256 MWI Document e0f6073aee370d5e1e29da20208ffa10e1b30f4cf7860bb1a9dde67a83dee332 SHA256 MWI Document 61afc2bf91283ccc478406a4c1277a0c8549584716d8b3a89d36f9bcdc45c4fe SHA256 MWI Document af17a3b5bf4c78283b2ee338ac6d457b9f3e7b7187c7e9d8651452b78574b3d3 SHA256 MWI Document 326a01a5e2eeeeebe3dade94cf0f7298f259b72e93bd1739505e14df3e7ac21e SHA256 MWI HTA hxxp://37.1.207[.]202/wstat/ URL MWI C&C hxxp://5.45.66[.]161/wstat/ URL MWI C&C 39ac90410bd78f541eb42b1108d2264c7bd7a5feafe102cd7ac8f517c1bd3754 SHA256 Metasploit Stager hxxps://176.9.99[.]134/MAUy URL Cobalt Strike Download ----- hxxps://176.9.99[.]134/kQ6j URL Cobalt Strike Download hxxps://52.15.209[.]133/Els8 URL Cobalt Strike Download 138d3f20da09e9f5aa5a367b8ff89d349fe20a63682df2379a7a6f78f31eb53d SHA256 Cobalt Strike 176.9.99[.]134 IP Cobalt Strike C&C 52.15.209[.]133 IP Cobalt Strike C&C 922e3bccd3eb151ee46afb203f9618ae007b99a758ca95caf5324d650a496426 SHA256 Cyst Downloader 96.44.188[.]57 IP Cyst Downloader C&C 24973014fa8174ffff190ae7967a65307a23d42386683dc672babd9c6cf1e5ee SHA256 Cyst Plugin (browser history checker) **ET and ETPRO Suricata/Snort Coverage** 2024306 ET TROJAN MWI Maldoc Load Payload 2024197 ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in RTF 0day ) 2024307 ET TROJAN MWI Maldoc Posting Host Data 2814013 ETPRO TROJAN Meterpreter or Other Reverse Shell SSL Cert 2023629 ET INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike 2826544 ETPRO TROJAN Cyst Downloader Fake 404 Subscribe to the Proofpoint Blog -----