SANS ISC: New Campaign Using Old Equation Editor Vulnerability

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Yesterday, I found a phishing sample that looked interesting:

From: sales@tjzxchem[.]com
To: me
Subject: RE: Re: Proforma Invoice INV 075 2018-19 ’08
Reply-To: exports.sonyaceramics@gmail[.]com

Dear Respected Sir,
Please find the proforma invoice attached.

Kindly check and confirm.
Material will be dispatched with 5-7 working days.
Regards,
Armit Thakkar
Head Sales Development
Technovinyl Polymers India Ltd.
Filix 901 -C1, 9th Floor,
Opp. Asian Paints,
L.B.S.Road, Bhandup (W), 
Mumbai - 400 078, India
Mob: +91-9322266143
Ph: +91-22-61721888

There was an attached document "INV 075 2018-19.xlsx" (SHA256: abbdd98106284eb83582fa08e3452cf43e22edde9e86ffb8e9386c8e97440624) with a score of 28/60 on VT[1]. When I opened the document, it presented a nice picture asking the victim to disable the default Office security feature:

But I also received an error message from Office about an application that could not be opened. Excel tried to spawn a new process:

EQNEDT32.EXE -Embedding

Google this and you will discover that the “Equation Editor” is an Office tool that helps to write cool equations:

This tool is very useful for mathematicians or engineers who must add complex equations in their documents but who install this in a malware analysis sandbox? This is a nice way to evade automated analysis. Once my sandbox fixed and the Equation Editor installed, I re-opened the document and, immediately, the Equation Editor was launched. It downloaded and executed the following payload:

http://216.170.114.195/klonnx.exe

(SHA256: 7fe5f06d04390dd22e1065491c43c33dbebd03400826897c814db8d10469a8eb - VT score: 41/69).

Once executed, the malware copies itself into %APPDATA%\Roaming\svhost\svhost.exe

It schedules a task via schtasks.exe:

schtasks.exe /create /sc MINUTE /tn svhost.exe /MO 1 /tr "C:\Users\admin\AppData\Roaming\svhost\svhost.exe\

But also creates a shortcut in: %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe.url:

[InternetShortcut]
URL=file:///C:/Users/admin/AppData/Roaming/svhost/svhost.exe

The malware is a Razy trojan and it phones home to datalogsbackups[.]hopto[.]org (91.192.100.20) to port 2233.

The vulnerability exploited by this campaign is not new. It abuses the CVE-2017-11882 present in eqnedt32.exe[2].

[1] https://www.virustotal.com/#/file/abbdd98106284eb83582fa08e3452cf43e22edde9e86ffb8e9386c8e97440624/detection
[2] https://borncity.com/win/2017/11/28/hacker-are-misusing-cve-2017-11882-in-office-eqnedt32-exe/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key