A Good Old Equation Editor Vulnerability Delivering Malware

Published: 2022-02-22
Last Updated: 2022-02-22 07:26:15 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Here is another sample demonstrating how attackers still rely on good old vulnerabilities…  In 2017, Microsoft Office suffered from a critical vulnerability that affected its Equation Editor tool, known as CVE-2017-11882[1]. It's a memory corruption vulnerability that leads to remote code execution, pretty bad. It was heavily exploited at this time and I was curious to find a new document spread with the same good old vulnerability.

The document was delivered through email and called "tt-payment-204500-usd.docx" (SHA256:c82724520ee5ffbcc6ee13c76d004aa903c2f70c93c505df87fe46e5e8cc53a9). Its current VT score is 30/59[2].

The trick is to entice the victim to click on the picture to make it readable. What's the magic behind this? When you check the Word document, there is an embedded OLE file but it does not contain a macro:
remnux@remnux:/MalwareZoo/20220219/doc/word/embeddings$ oledump.py oleObject1.bin
  1:      1227 '\x01olE10NatIve'

Let's check deeper into the document structure. You can find it link to the blurred image and the OLE file:

<w:object w:dxaOrig="95693" w:dyaOrig="82256">
  <v:shape id="_x0000_i2229" style="width:578.0px;height:461.0px">. 
    <v:imagedata r:id="rId8" o:title=""/>
  </v:shape>
  <o:OLEObject Type="Embed" ProgID="SIfdOITzHzZOAJxVO" ShapeID="_x0000_i2229" DrawAspect="Content"  
       ObjectID="_188909" r:id="rId9"/>
</w:object>

This is the object "rId9":

<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" 
    Target="embeddings/oleObject1.bin"/>

When the file is opened in a vulnerable environment, Word's equation editor will automatically launch when the user clicks on the picture (which is very tempting to make it more readable) and the vulnerability is triggered. It downloads the next stage from:

hxxp://35[.]77[.]84[.]215/mali/biin.bat

This is a .Net PE file. The code is not obfuscated at all and we can see the behavior:

The second stage is downloaded from:

hxxp://35[.]77[.]84[.]215/mali/biin.jpg

Check the line 19 in the screenshot above. The downloaded payload is reversed. That is the content of the biin.jpg file:

remnux@remnux:/MalwareZoo/20220219$ xxd biin.jpg | tail -20
0012a0c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0012a0d0: 0000 0000 0000 0000 0000 000c 0012 e000  ................
0012a0e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0012a0f0: 0000 0364 0012 c000 0000 004b 0012 b8b0  ...d.......K....
0012a100: 0000 0000 0000 0000 0000 0010 0000 0000  ................
0012a110: 0000 1000 0010 0000 0000 1000 0010 0000  ................
0012a120: 8540 0003 0000 0000 0000 0200 0013 0000  .@..............
0012a130: 0000 0000 0000 0004 0000 0000 0000 0004  ................
0012a140: 0000 0200 0000 2000 0040 0000 0012 c000  ...... ..@......
0012a150: 0000 2000 0012 b8fe 0000 0000 0000 0600  .. .............
0012a160: 0012 9a00 0006 010b 210e 00e0 0000 0000  ........!.......
0012a170: 0000 0000 620e 7fd6 0003 014c 0000 4550  ....b......L..EP
0012a180: 0000 0000 0000 0024 0a0d 0d2e 6564 6f6d  .......$....edom
0012a190: 2053 4f44 206e 6920 6e75 7220 6562 2074   SOD ni nur eb t
0012a1a0: 6f6e 6e61 6320 6d61 7267 6f72 7020 7369  onnac margorp si
0012a1b0: 6854 21cd 4c01 b821 cd09 b400 0eba 1f0e  hT!.L..!........
0012a1c0: 0000 0080 0000 0000 0000 0000 0000 0000  ................
0012a1d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0012a1e0: 0000 0000 0000 0040 0000 0000 0000 00b8  .......@........
0012a1f0: 0000 ffff 0000 0004 0000 0003 0090 5a4d  ..............ZM

The PE file is a DLL (SHA256:053fc3880c8a4d531d66e4a1fd6773d96b49c8ef6ec889b92898b85758197ebf).

Next, another PE file is dumped on disk: Veetyagdacrrximuif.exe (SHA256:7497a084e4ba4f9261f16145a296460cf8c206a3dd0dc1b276496fe3a697a990)

Conclusion: Patch, patch, and patch again because old vulnerabilities can always come back on stage!

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882
[2] https://www.virustotal.com/gui/file/c82724520ee5ffbcc6ee13c76d004aa903c2f70c93c505df87fe46e5e8cc53a9

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: Editor Equation Exploit Malware Word
0 comment(s)
ISC Stormcast For Tuesday, February 22nd, 2022 https://isc.sans.edu/podcastdetail.html?id=7890

Comments

What's this all about ..?

Anonymous

Dec 3rd 2022
9 months ago

password reveal .

Anonymous

Dec 3rd 2022
9 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

Anonymous

Dec 26th 2022
9 months ago

https://thehomestore.com.pk/

Anonymous

Dec 26th 2022
9 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
9 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
9 months ago

https://defineprogramming.com/

Anonymous

Dec 26th 2022
9 months ago

https://defineprogramming.com/

https://defineprogramming.com/

Dec 26th 2022
9 months ago

Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/

https://defineprogramming.com/

Dec 26th 2022
9 months ago

Enter corthrthmment here...

rthrth

Jan 2nd 2023
8 months ago

Login here to join the discussion.


Diary Archives