SANS ISC: InfoSec Handlers Diary Blog



New Campaign Using Old Equation Editor Vulnerability

Published: 2018-10-10
Last Updated: 2018-10-11 05:44:44 UTC
by Xavier Mertens (Version: 1)

Yesterday, I found a phishing sample that looked interesting:

From: sales@tjzxchem[.]com
To: me
Subject: RE: Re: Proforma Invoice INV 075 2018-19 ’08
Reply-To: exports.sonyaceramics@gmail[.]com

Dear Respected Sir,
Please find the proforma invoice attached.

Kindly check and confirm.
Material will be dispatched with 5-7 working days.
Regards,
Armit Thakkar
Head Sales Development
Technovinyl Polymers India Ltd.
Filix 901 -C1, 9th Floor,
Opp. Asian Paints,
L.B.S.Road, Bhandup (W), 
Mumbai - 400 078, India
Mob: +91-9322266143
Ph: +91-22-61721888

There was an attached document "INV 075 2018-19.xlsx" (SHA256: abbdd98106284eb83582fa08e3452cf43e22edde9e86ffb8e9386c8e97440624) with a score of 28/60 on VT[1]. When I opened the document, it presented a nice picture asking the victim to disable the default Office security feature:

But I also received an error message from Office about an application that could not be opened. Excel tried to spawn a new process:

EQNEDT32.EXE -Embedding

Google this and you will discover that the “Equation Editor” is an Office tool that helps to write cool equations:

This tool is very useful for mathematicians or engineers who must add complex equations to their documents, but who installs it in a malware analysis sandbox? This is a nice way to evade automated analysis. Once my sandbox was fixed and the Equation Editor installed, I re-opened the document and the Equation Editor was launched immediately. It downloaded and executed the following payload:

http://216.170.114.195/klonnx.exe

(SHA256: 7fe5f06d04390dd22e1065491c43c33dbebd03400826897c814db8d10469a8eb - VT score: 41/69).

Once executed, the malware copies itself into %APPDATA%\Roaming\svhost\svhost.exe

It schedules a task via schtasks.exe:

schtasks.exe /create /sc MINUTE /tn svhost.exe /MO 1 /tr "C:\Users\admin\AppData\Roaming\svhost\svhost.exe"

But also creates a shortcut in: %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe.url:

[InternetShortcut]
URL=file:///C:/Users/admin/AppData/Roaming/svhost/svhost.exe

The malware is a Razy trojan and it phones home to datalogsbackups[.]hopto[.]org (91.192.100.20) to port 2233.

The vulnerability exploited by this campaign is not new: it abuses CVE-2017-11882, a flaw in eqnedt32.exe[2].
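The process chain (Excel spawning EQNEDT32.EXE, which then spawns the payload) and the two persistence artefacts above (the per-minute scheduled task and the Startup .url shortcut) are all cheap to detect from process-creation telemetry. The script below is an added example written for this diary, not code from the original post; the telemetry rows are constructed to mirror the chain described, and the Equation Editor install path is assumed.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation telemetry (parent image, child image, command line),
# modelled on the chain in the diary; not real logs from the incident.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "EQNEDT32.EXE -Embedding"),
    (r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     r"C:\Users\admin\AppData\Local\Temp\klonnx.exe",
     "klonnx.exe"),
    (r"C:\Users\admin\AppData\Roaming\svhost\svhost.exe",
     r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /create /sc MINUTE /tn svhost.exe /MO 1 /tr "C:\Users\admin\AppData\Roaming\svhost\svhost.exe"'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DROPPED_EXTS = (".exe", ".scr", ".bat", ".cmd", ".vbs", ".js")

def image_name(path):
    return PureWindowsPath(path).name.lower()

def classify(parent, child, cmdline):
    """Return the detection labels that one process-creation event triggers."""
    hits = []
    p, c = image_name(parent), image_name(child)
    # Office host launching the Equation Editor: the exploitation stage of CVE-2017-11882.
    if p in OFFICE_HOSTS and c == "eqnedt32.exe":
        hits.append("office_spawned_eqnedt32")
    # The Equation Editor has no legitimate reason to launch child processes at all.
    if p == "eqnedt32.exe":
        hits.append("eqnedt32_child_process")
    # A task firing every minute whose action lives under a user profile (the svhost.exe trick).
    if c == "schtasks.exe":
        m = re.search(r'/sc\s+minute\b.*?/tr\s+"?([^"]+)', cmdline, re.I)
        if m and "\\appdata\\" in m.group(1).lower():
            hits.append("minute_task_from_appdata")
    return hits

def suspicious_url_shortcut(text):
    """True when an [InternetShortcut] file points at a local executable via file://."""
    m = re.search(r"^URL=(.+)$", text, re.M)
    if not m:
        return False
    url = m.group(1).strip().lower()
    return url.startswith("file:") and url.endswith(DROPPED_EXTS)

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(image_name(ev[1]), classify(*ev))
```

Run `suspicious_url_shortcut` over the contents of every .url file in each user's Startup folder; a file:// URL ending in an executable extension there is the same persistence trick the sample uses.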

[1] https://www.virustotal.com/#/file/abbdd98106284eb83582fa08e3452cf43e22edde9e86ffb8e9386c8e97440624/detection
[2] https://borncity.com/win/2017/11/28/hacker-are-misusing-cve-2017-11882-in-office-eqnedt32-exe/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant