Last Updated: 2017-09-21 00:39:14 UTC
by Brad Duncan (Version: 1)
In FireEye's blog post, this exploit was used against Russian speakers to distribute FINSPY malware. By 2017-09-19, I ran across another email spoofing an Argentina government agency using a CVE-2017-8759 exploit to distribute Betabot malware.
Today's diary reviews the email, malware, and traffic associated with this most recent exploit for CVE-2017-8759.
The email and attachment
The email pretends to be from the Administracion Federal de Ingresos Publicos (AFIP) a Argentina government agency responsible for tax collection and administration. The message actually came from a commercial mail server on an IP address assigned to Gualberto Larrauri, an Argentina-based Internet service provider (ISP).
The message describes the attachment as a manual for the AFIP purchasing portal. The attachment is a zip archive, and that archive contains a Rich Text Format (RTF) file with .doc as the file extension. True to its word, the RTF file contains an annex to the official AFIP document covering the subject. It also contains an exploit for CVE-2017-8759. Merely opening the file using Microsoft Word will infect a vulnerable Windows computer.
Opening the RTF document generated Powershell activity that retrieved a Windows executable. This follow-up executable triggered EmergingThreats alerts for Neurevt.A/Betabot when I infected a host in my lab. The malware was made persistent through a Windows registry update.
Shown above: Network traffic for this infection filtered in Wireshark.
Indicators of Compromise (IOCs)
Headers from the email:
- Received: from vtcc.com.ar ([126.96.36.199])
- Envelope-sender: <firstname.lastname@example.org>
- Message-ID: <email@example.com>
- Date: Tuesday, 2017-09-19 at 21:48 UTC
- From: "Administracion Federal de Ingresos Publicos - (AFIP)" <firstname.lastname@example.org>
- Subject: Noticia de Actualizacion - Sistema de Compras (AFIP)
- File size: 52,132 bytes
- File type: Zip archive
- File name: comprasAnexoII.zip
- File description: Email attachment
- File size: 286,981 bytes
- File type: Rich Text Format (RTF) file
- File name: comprasAnexoII.doc
- File description: RTF file with CVE-2017-8759 exploit
- File size: 440,832
- File type: PE32 executable
- File location: hxxp://classupdate.punkdns.top:8007/txt/words.exe
- File location: C:\ProgramData\SystemMicrosoftDefender2.1\[random characters].exe
- File description: Follow-up malware, Neurevt.A (Betabot)
- 188.8.131.52 port 8007 - classupdate.punkdns.top:8007 - GET /txt/doc.txt
- 184.108.40.206 port 8007 - classupdate.punkdns.top:8007 - GET /txt/accounts.hta
- 220.127.116.11 port 8007 - classupdate.punkdns.top:8007 - GET /txt/pause.ps1
- 18.104.22.168 port 8007 - classupdate.punkdns.top:8007 - GET /txt/words.exe
- 22.214.171.124 port 80 - av.bitdefenderesupdate.ru - POST /.av/logout.php
- 126.96.36.199 port 80 - av.bitdefenderesupdate.ru - POST /.av/logout.php?id=[various numbers]
As I write this, nine days have passed since Microsoft released its update to address CVE-2017-8759. The associated exploit is no longer a zero-day. If your organization follows best security practices, you should be fine.
However, many organizations are notoriously slow to apply these updates. Be aware this exploit is active in the wild. I'm sure it will eventually find its way to wide-scale distribution through malicious spam.
A copy of the email, taffic, and associated malware for today's diary can be found here.
brad [at] malware-traffic-analysis.net