#1213017: New Remcos RAT Variant is Spreading by Exploiting CVE-2017-11882

Description: Several days ago, FortiGuard Labs captured a malware sample that was exploiting the Microsoft Office vulnerability CVE-2017-11882 patched by Microsoft last November. The sample is an RTF document with an Equation object. By analyzing its behavior in my test environment, I realized that it spreads a new variant of Remcos RAT, version “2.0.4 Pro,” that was released on April 7, 2018 from its official website. It is able to control the victim’s PC after infection.

In this blog, I am not going to explain the causes of the vulnerability CVE-2017-11882, but how the sample works to spread this new Remcos RAT, as well as what this variant does on a victim’s PC.

Exploit CVE-2017-11882
“RFQ File.doc” is the sample’s name, which is an RTF file. Equation object data (attack data) is included in the “\*\objdata” destination. To avoid being detected by cyber security products such as Firewall devices and Anti-AV software, the attacker added a lot of padding data in front of the real Equation object, and even the real Equation object data was split into many parts using ASCII control characters like White Space (0x20), Tab (0x09), Carriage Return (0x0D), or Line Feed(0x0A). These control characters are ignored by the parser -- MS Office Word. It’s kind of an escape method to avoid security products.

In Figure 1, you can see partial content of the RTF sample. I also added comments to it.

For you to clearly see the real Equation object data, I removed the useless padding data and restored the data that was being split. You can see the whole data in Figure 2. The malicious shellcode is in it.


Figure 1. Partial of the original RTF sample content

Figure 2. Restored Equation object data
When this RTF sample is opened in MS Office Word, a buffer overflow happens and the shellcode is executed. Because the core shellcode and data are encrypted, the data is first decrypted and then jumps to execute the core shellcode. Figure 3 below provides a partial view of the decrypted core shellcode and string content.


Figure 3. Decrypted shellcode and string content
The shellcode is a downloader. Its only purpose is to download files from “hxxp://persianlegals.com/wp-includes/js/gist.exe” into “%APPDATA%\namegh.exe” and then run the downloaded file. Figure 4 shows that it calls API CreateProcessW to run the downloaded file, and later calls API ExitProcess to terminate EQNEDT32.EXE running.


Figure 4. Code snippet of the downloaded file and exiting process
The downloaded file is a self-extracting file, which means that it contains a compression archive and a small program to decompress it into a specified folder and then execute one of the files.

For this instance, it extracts the files into the “%temp%\ 01644247\” folder, sets the entire folder to Hidden property, and later runs the file “%temp%\ 01644247\enj.exe” with the argument “%temp%\ 01644247\cgj=agr”. Figure 5 shows a screenshot of this folder in my test environment.

Through my analysis, the file “enj.exe” is, without a doubt, an AutoIt script interpreter program. The program version is 3.3.8.1, though its official website shows the latest version to 3.3.14.5. The file “cgj=agr” is the malicious AutoIt script, and “ujb.mp4” is the configuration file, which is going to be read and parsed by the “cgj=agr” script. Other files were not used in my analysis.


Figure 5. Screenshot of folder 01644247
Execute AutoIt Script
Put “cgj=agr” into any text editor and you can see that the content is full of “#xZQMLS??????????????????????????????????????????????????” characters inserted between the real script code. “#” starting lines can be thought of as a comment to AutoIt. By removing all the “#” lines we can get the clear script, as shown in Figure 6, but you may also notice that the code was obfuscated.

All the names of variables and methods are meaningless, which makes it hard to perform static analysis. So I manually deobfuscated the script and debugged it in the AutoIt Debugger.


Figure 6. “cgj=agr” AutoIt script snippet
By examining Figure 7, below, using the deobfuscated code, it’s easy to understand what it is going to do. It reads the config data from “ujb.mp4”, from which it then extracts and decrypts “[sData]” data (i.e. between “[sData]” and “[esData]”). Later, it writes the decrypted data into a random name file. This newly created file will be located in the same path as “cgj=agr”, and its name will consists of 5 random letters. This time it is “SENPR”. “SENPR” is another obfuscated AutoIt script, and I manually deobfuscated it as well.


Figure 7. Decrypting new file from the config file
This one also reads “ujb.mp4” - the config file - and loads some setting values from it, which can change the code branch.

By following its main branch, we can figure that it does the following things :

1) It adds itself into the system registry as an Auto Run item. This allows the malware to start automatically when the system starts.

It also adds a new key named “WindowsUpdate” into “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”. Figure 8 shows that the new item was added into the registry. The file name is in short name format.

2) It then extracts the “[Data]” data (i.e. between “[Data]” and “[eData]”) from the config file and decrypts it to get a PE file. It then gets the exe file’s full path in the .Net frame install directory – “RegSvcs.exe”, which will be executed later. (“RegSvcs.exe” is a .NET Services Installation Tool).

To prevent its code from being easily analyzed, it has an x86 ASM binary code that runs “RegSvcs.exe” with suspended status by calling CreateProcess and then replacing its code with the decrypted PE file. This allows the decrypted PE file to play as “RegSvcs.exe” in order to execute malicious things on a victim’s machine. I call it a fake “RegSvcs.exe” in my analysis below. BTW, the decrypted PE file was never saved into a local file. Instead, it always lives in the memory. If you are not deeply debugging it, you would never know it, but this PE file is the main component of Remcos RAT. Figure 9 shows the code snippet of “SENPR” that executes x86 ASM code to run the fake “RegSvcs.exe” in the “RegSvcs.exe” process.

Code in lines 237 and 238 show that the API “CallWindowProcW” calls the x86 ASM binary code in the “enj.exe” process (the AutoIt interpreter). The x86 ASM code contains one main function. Its purpose is to call several APIs to run the fake “RegSvcs.exe” up in the real “RegSvcs.exe”. The called APIs are familiar, such as CreateProcessW, RtlMoveMemory, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, RtlMoveMemory, GetThreadContext, SetThreadContext, and ResumeThread, etc.

Analysis of the Fake RegSvcs.exe
When the fake RegSvcs.exe gets executed, it first reads the data from a resource named “SETTINGS”. This consists of two parts; the first part is an RC4 key seed of 80H size in bytes that is used to generate an RC4 Key to encrypt/decrypt all data in this malware, including the data sent to the C&C server.

The rest is encrypted data. Decrypting provides the information shown in Figure 10. It is like a config file that contains C&C server related information as well as some of the flags that will control the code flow. As you can see, all data were separated by the string “@@”. Later, each data is split by “@@” into a global array so that all of them can be located by an array index. In the analysis below I call it the “SETTINGS” array.


Figure 10. Decrypted resource “SETTINGS”


It first creates a sub-key in the system registry as its home, where it saves its configuration data. The sub-key locates “HKEY_CURRENT_USER \Software\Fmt-W5SO9H\”, where “Fmt-W5SO9H” is from the “SETTINGS” array. It then adds the value name “EXEpath” into FMT-W5SO9H with the value of the encrypted Unicode RegSvcs.exe full path, as you can see in Figure 11. BTW, the encryption key was generated by the first 80H data of the resource “SETTINGS”, which was used to encrypt the full path of the RegSvcs.exe (It’s shown as “C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe” in my test environment.)


Figure 11. Encrypted Unicode RegSvcs.exe full path in the system registry
You may notice that this malware likes using threads to work.

It runs three threads whose thread function works together to collect data from the system clipboard, which contains software windows information that the victim is working on. In this case, the collected data is saved in the shared global variable unk_419830. unk_419830 is a global object, whose offset +4 is a string object holding the collected data. Finally, it encrypts all the collected data and saves into a local file. This local file is “%appdata%\skype\logs.dat”. The directory “skype” and the file name “logs.dat” are from the “SETTINGS” array (see Figure 10.) It masquerades as a Skype file.

Before creating these three threads, it initializes the global variable unk_419830 with keyboard information and the current local time.


Figure 12. Three threads used to steal the victim’s information
Thread1:

This thread’ task is used to encrypt the collected data in the global variable unk_419830 and then append it to the local file “%appdata%\skype\logs.dat”. If the folder does not exist, it first creates it. It performs this task every 10 seconds. For the very first time, the thread function encrypts the string of current date/time in a global variable. The string likes “\r\n{ 2018/04/18 10:26:09 - Offline Keylogger Started! }\r\n”.

The encryption algorithm is RC4, and the encryption key is also from the first 80H data from resource “SETTINGS”.

Thread2:

The purpose of this thread is to setup a keyboard hook by calling the API “SetWindowsHookExA” with the idHook parameter “WH_KEYBOARD_LL”. In this way, the hook function can handle the keys that the victim pressed before the destination software does.
More info: https://www.fortinet.com/blog/threat-research/new-remcos-rat-variant-is-spreading-by-exploiting-cve-2017-11882.html

Date added May 6, 2018, 8:58 a.m.
Source FORTINET
Subjects
  • All New Malware Alerts - New Reports / IOCs in
  • Backdoors, Trojans and RAT's
  • General Malware - New Reports in
  • Microsoft Office 2010
  • Microsoft Office 2013
  • Microsoft Office 2016
  • Remvio / Remcos Malware