Analysis of a targeted attack exploiting the WinRar CVE-2018-20250 vulnerability
<blockquote data-quote="Bot" data-source="post: 809100" data-attributes="member: 52014"><p>In early March, we discovered a cyberattack that used an exploit for CVE-2018-20250, an old WinRar vulnerability disclosed just several weeks prior, and targeted organizations in the satellite and communications industry. A complex attack chain incorporating multiple code execution techniques attempted to run a fileless PowerShell backdoor that could allow an adversary to take full control of compromised machines.</p><p></p><p>The WinRar vulnerability was discovered by Check Point researchers, who demonstrated in a February 20 <a href="https://research.checkpoint.com/extracting-code-execution-from-winrar/" target="_blank">blog post</a> that a specially crafted ACE file (a type of compressed file) could allow remote code execution. Attackers quickly took advantage of the vulnerability in attacks, including a targeted attack that 360 Total Security researchers <a href="https://ti.360.net/blog/articles/upgrades-in-winrar-exploit-with-social-engineering-and-encryption/" target="_blank">discovered</a> just two days after disclosure. The exploit has since been observed in multiple malware attacks.</p><p></p><p>The use of ACE files is not uncommon in malware campaigns. A combination of machine learning, advanced heuristics, behavior-based detections, and detonation enables <a href="https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-atp" target="_blank">Office 365 Advanced Threat Protection</a> (ATP) to regularly detect and block a variety of threats that are packed in ACE files, including common malware like Fareit, Agent Tesla, NanoCore, LokiBot and some ransomware families.</p><p></p><p>The same capabilities in Office 365 ATP detected malicious ACE files carrying the CVE-2018-20250 exploit. We spotted one of these ACE files in the sophisticated targeted attack that we describe in this blog and that stood out because of unusual, interesting techniques. 
Notably, the attack used techniques that are similar to campaigns carried out by the activity group known as <a href="https://attack.mitre.org/groups/G0069/" target="_blank">MuddyWater</a>, as observed by other security vendors like <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/" target="_blank">Trend Micro</a>.</p><p></p><p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig1-cve-2018-20250-attack-chain.png" alt="Attack chain diagram" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p style="text-align: center"><em>Figure 1. Attack chain that delivered the CVE-2018-20250 exploit</em></p><p></p><p><span style="font-size: 15px"><strong>Attack chain overview</strong></span></p><p></p><p></p><p>A spear-phishing email purporting to be from the Ministry of Foreign Affairs (MFA) of the Islamic Republic of Afghanistan was sent to very specific targets and asked for “resources, telecommunication services and satellite maps”. The email came with a Word document attachment.</p><p></p><p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig2-cve-2018-20250-email.png" alt="Spear phishing email" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p style="text-align: center"><em>Figure 2. Spear phishing email containing lure Word Document</em></p><p></p><p>When opened, the document asks the recipient to download another document from a now-inactive OneDrive link. While the URL was down during our analysis, we still reported the case to the OneDrive team.</p><p></p><p>The use of a document with just a link—no malicious macro or embedded object—was likely meant to evade conventional email security protection. 
This didn’t work against Office 365 ATP, which has the capability to scan emails and Office documents for URLs and analyze links for malicious behavior.</p><p></p><p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig3-cve-2018-20250-original-document.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p style="text-align: center"><em>Figure 3. Word document lure containing OneDrive link</em></p><p></p><p>Clicking the link downloads an archive file containing a second Word document, which has a malicious macro. Microsoft Word opens the document with a security warning. Enabling the macro starts a series of malicious actions that leads to the download of the malware payload.</p><p></p><p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig4-cve-2018-2025-Document-With-Malicious-Macro.png" alt="Screenshot of document with malicious macro" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p style="text-align: center"><em>Figure 4. Downloaded document with malicious macro</em></p><p></p><p>Interestingly, the document has a “Next Page” button. Clicking that button displays a fake message signifying that a certain DLL file is missing and that the computer needs to restart. This is a social engineering technique that ensures the computer is restarted, which is needed for the payload to run. (More on this later.)</p><p></p><p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig5-cve-2018-20250-Document-With-Malicious-Macro-with-Dialog-Box.png" alt="Document with malicious macro and dialog box" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p style="text-align: center"><em>Figure 5. Fake message instructing the user to restart the computer</em></p><p></p><p>Meanwhile, with the macro enabled, the malicious code performs the following in the background:</p><p></p><ul> <li data-xf-list-type="ul">Extract and decode a data blob from a TextBox form and drop it as <em>C:\Windows\Temp\id.png</em></li> <li data-xf-list-type="ul">Create a malicious Visual Basic Script (VBScript) and drop it as <em>C:\Windows\Temp\temp.vbs</em></li> <li data-xf-list-type="ul">Add persistence by creating a COM object and adding an autorun registry key to launch the created shell object</li> <li data-xf-list-type="ul">Launch <em>temp.vbs</em>, which is a wrapper for the malicious PowerShell command that decodes the <em>id.png</em> file, which results in the second-stage PowerShell script that is highly obfuscated and contains multi-layered encryption (this PowerShell script is similar to a script that has been used in past MuddyWater campaigns)</li> </ul><p></p><p>The second-stage PowerShell script collects system information, generates a unique computer ID, and sends these to a remote location. It acts as a backdoor and can accept commands, including:</p><p></p><ul> <li data-xf-list-type="ul">Download an arbitrary file</li> <li data-xf-list-type="ul">Run a command using <em>cmd.exe</em></li> <li data-xf-list-type="ul">Decode a base64-encoded command and run it using PowerShell</li> </ul><p></p><p>The PowerShell script’s ability to accept commands and download programs provided a way for a remote attacker to deliver the malicious ACE file containing the CVE-2018-20250 exploit. When triggered, the exploit then drops the payload <em>dropbox.exe</em>.</p><p>The next sections discuss in detail the key components of this attack chain.</p><p></p><p><span style="font-size: 15px"><strong>Malicious macro</strong></span></p><p></p><p></p><p>The highly obfuscated malicious macro code used in this attack has a unique way of running malicious code by chaining several programs. It first extracts encoded data from <em>UserForm.TextBox</em>, then decodes it and saves it as <em>C:\Windows\Temp\id.png</em>. This file contains an encoded PowerShell command that is executed later by the first-stage PowerShell script.</p><p></p><p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig6-obfuscated-macro-code.png" alt="Obfuscated macro code" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p style="text-align: center"><em>Figure 6. Obfuscated macro code</em></p><p></p><p>The malicious macro code then creates an <em>Excel.Application</em> object to write the VBScript code.</p><p></p><p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig7.vbscript-created-by-macro.png" alt="VBScript code" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p style="text-align: center"><em>Figure 7. VBScript code created by the malicious macro</em></p><p></p><p>It then runs <em>wscript.exe</em> to launch the PowerShell script at runtime. The PowerShell script itself does not touch the disk, making it a <a href="https://www.microsoft.com/security/blog/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/" target="_blank">fileless</a> component of the attack chain. <a href="https://www.microsoft.com/security/blog/2017/12/04/windows-defender-atp-machine-learning-and-amsi-unearthing-script-based-attacks-that-live-off-the-land/" target="_blank">Living-off-the-land</a>, the technique of using resources that are already available on the system (e.g., <em>wscript.exe</em>) to run malicious code directly in memory, is another way that this attack tries to evade detection.</p><p></p><p><span style="font-size: 15px"><strong>PowerShell</strong></span></p><p></p><p></p><p>The first-stage PowerShell script contains multiple layers of obfuscation. 
When run, it decodes the file <em>id.png</em> to produce another PowerShell script that’s responsible for the rest of the actions.</p><p></p><p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig8-obfuscated-first-stage-PowerShell-code.jpg" alt="Obfuscated first-stage PowerShell" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p style="text-align: center"><em>Figure 8. Obfuscated first-stage PowerShell code</em></p><p></p><p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig9-de-obfuscated-first-scate-PowerShell-script.png" alt="De-obfuscated first stage malware" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p style="text-align: center"><em>Figure 9. De-obfuscated first-stage PowerShell script</em></p><p></p><p>The decrypted PowerShell script is also highly obfuscated. Fully de-obfuscating the malicious script requires over 40 layers of script blocks.</p><p></p><p>The second-stage PowerShell script collects system information, such as operating system, OS architecture, username, domain name, disk information, enabled-only IP addresses, and gateway IP address. It computes the MD5 hash of collected system information. 
The computed hash is used as the BotID (some researchers also refer to this as SYSID).</p><p></p><p>It then concatenates the hash and system information in a string that looks like the following:</p><p></p><p style="margin-left: 20px"><em><BotID>**<OS>|Disk information**<IP Address List>**<OS Architecture>**<Hostname>**<Domain>**<Username>**<Gateway IP></em></p><p></p><p>For example:</p><p></p><p style="margin-left: 20px"><em>6e6bdbd3d8b102305f016b06e995a384**Microsoft Windows 10 Enterprise|C:\WINDOWS|\Device\Harddisk0\Partition3**192[.]168[.]61[.]1-192[.]168[.]32[.]1-157[.]59[.]24[.]113**64-bit**<Hostname>**<Domain>**<Username>**131[.]107[.]160[.]113</em></p><p></p><p>It then encodes each character of the collected system information as a decimal value by applying a simple custom algorithm with a hardcoded key (public key): 959,713. The result is formatted as XML-like data:</p><p></p><p style="margin-left: 20px"><em>{“data”:”665 545 145 145 222 545 222 145 73 367 665 438 438 438 598 616 145 518 616 566 438 [REDACTED] 616 73 145 145 665 518 365 438 316 665 513 513 432 261 181 344}</em></p><p></p><p>It sends the encoded data to a hardcoded remote command-and-control (C&C) server, likely to check in and register the infected computer: hxxp://162[.]223[.]89[.]53/oa/.</p><p></p><p>It continuously waits until the remote attacker sends back “done”. Then, it sends an HTTP request to the same C&C address passing the BotID, likely to wait for a command: hxxp://162[.]223[.]89[.]53/oc/api/?t=<BOTID>.</p><p></p><p>It can accept commands to download files and execute commands, and sends back the output, encoded in Base64 format, to the remote C2 server using HTTP POST: hxxp://162[.]223[.]89[.]53/or/?t=<BOTID>.</p><p></p><p><span style="font-size: 15px"><strong>CVE-2018-20250 exploit</strong></span></p><p></p><p></p><p>In their <a href="https://research.checkpoint.com/extracting-code-execution-from-winrar/" target="_blank">analysis</a> of the CVE-2018-20250 vulnerability, Check Point researchers found that when parsing ACE files, WinRar used an old DLL named unacev2.dll that was vulnerable to directory traversal.</p><p></p><p>Malicious ACE files that carry the CVE-2018-20250 exploit can be spotted through:</p><p></p><ul> <li data-xf-list-type="ul">Directory traversal string – The validation performed by <em>Unacev2.dll</em> on the destination path when extracting an ACE file is not sufficient. If an attacker can craft a relative path that bypasses the checks in place, the embedded payload may be extracted to the specified location.</li> <li data-xf-list-type="ul">Drop zone – In-the-wild samples commonly use the Startup folder, but it’s also possible to drop the file to known or pre-determined SMB shared folders.</li> <li data-xf-list-type="ul">Payload – The malicious payload, as in this attack, is commonly an .exe file, but in-the-wild samples and other ACE files that we’ve seen use other malicious scripts, such as VBScript.</li> </ul><p></p><p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig10-ACE-file-with-CVE-2018-20250-exploit.jpg" alt="ACE file with CVE-2018-20250 exploit" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p style="text-align: center"><em>Figure 10. ACE file with CVE-2018-20250 exploit</em></p><p></p><p>The ACE file contains three JPEG files that may look related to the email and Word document lures. When the user attempts to extract any of them, the exploit triggers and drops the payload, <em>dropbox.exe</em>, to the Startup folder.</p><p></p><p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig11-contents-of-the-malicious-ACE-file.jpg" alt="Contents of the malicious ACE file" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p style="text-align: center"><em>Figure 11. Contents of the malicious ACE file</em></p><p></p><p>Going back to the fake error message about a missing DLL that asks the user to restart the computer: the CVE-2018-20250 vulnerability only allows a file write to a specified folder and has no capability to run the file immediately. Since the payload was dropped in the Startup folder, it is launched when the computer restarts.</p><p></p><p>The payload <em>dropbox.exe</em> performs the same actions as the malicious macro component, which helps ensure that the PowerShell backdoor is running. 
The PowerShell backdoor could allow a remote attacker to take full control of the compromised machine and make it a launchpad for more malicious actions. Exposing and stopping attacks at the early stages is critical in preventing the additional, typically more damaging impact of undetected malware implants.</p><p></p><p><span style="font-size: 15px"><strong>Stopping attacks at the entry point with Office 365 ATP</strong></span></p><p></p><p></p><p>The targeted attack we discussed in this blog and other attacks that use the CVE-2018-20250 exploit show how quickly attackers can take advantage of known vulnerabilities. Attackers are always in search of new vectors to reach more victims. In this attack, they also used some sophisticated code injection techniques. Protections against cyberattacks should be advanced, real-time, and comprehensive.</p><p></p><p>The URL detonation capabilities in <a href="https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-atp" target="_blank">Office 365 ATP</a> were instrumental in detecting and blocking the malicious behaviors across the multiple stages of this sophisticated attack, protecting customers from potentially damaging outcomes. URL detonation, coupled with heuristics, behavior-based detections, and machine learning, allows Office 365 ATP to protect customers not only from targeted attacks, but also from well-crafted spear phishing attacks, in real time.</p><p></p><p><span style="font-size: 15px"><strong>Unified protection across multiple attack vectors with Microsoft Threat Protection</strong></span></p><p></p><p></p><p>These advanced defenses from Office 365 ATP are shared with other services in <a href="https://www.microsoft.com/security/blog/the-evolution-of-microsoft-threat-protection/" target="_blank">Microsoft Threat Protection</a>, which provides seamless, integrated, and comprehensive protection against multiple attack vectors. Through signal-sharing, Microsoft Threat Protection orchestrates threat remediation.</p><p></p><p>For endpoints that are not protected by Office 365 ATP, <a href="https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc" target="_blank">Microsoft Defender ATP</a> detects the attacker techniques used in this targeted attack. Microsoft Defender ATP is a unified endpoint protection platform for attack surface reduction, next-generation protection, endpoint detection & response (EDR), automated investigation & remediation, as well as the recently announced <a href="https://www.microsoft.com/security/blog/2019/02/28/announcing-microsoft-threat-experts/" target="_blank">managed threat hunting</a> and <a href="https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845" target="_blank">threat & vulnerability management</a>.</p><p></p><p>Microsoft Defender ATP uses machine learning, behavior monitoring, and heuristics to detect sophisticated threats. Its <a href="https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831?_lrsc=43e3d75c-e0f9-442c-b084-0fa99ad29fde" target="_blank">industry-leading optics</a>, integration with Office 365 ATP and other Microsoft Threat Protection services, and use of <a href="https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/" target="_blank">AMSI</a> give it unique capabilities to detect attacker techniques, including the exploit, obfuscation, detection evasion, and fileless techniques observed in this attack.</p><p></p><p>The attacks that immediately exploited the WinRar vulnerability demonstrate the importance of threat & vulnerability management in reducing organizational risk. 
Even if your organization was not affected by this attack against specific organizations in the satellite and communications industry, other malware campaigns have used the same exploit.</p><p></p><p>Microsoft Defender ATP’s <a href="https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845" target="_blank">threat & vulnerability management</a> capability uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities. As a component of a unified endpoint protection platform, threat & vulnerability management in Microsoft Defender ATP provides these unique benefits:</p><p></p><ul> <li data-xf-list-type="ul">Real-time correlation of EDR insights with information on endpoint vulnerabilities</li> <li data-xf-list-type="ul">Invaluable endpoint vulnerability context for incident investigations</li> <li data-xf-list-type="ul">Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager</li> </ul><p></p><p><img src="https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig12-threat-and-vulnerability-management.png" alt="Threat and Vulnerability Management" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p style="text-align: center"><em>Figure 12. Sample Threat & Vulnerability Management dashboard showing WinRAR vulnerabilities on managed endpoints</em></p><p></p><p>The complex attack chain that incorporated sophisticated techniques observed in this targeted attack highlights the benefits of comprehensive protection enriched by telemetry collected across the entire attack chain. Microsoft Threat Protection <a href="https://www.microsoft.com/security/blog/the-evolution-of-microsoft-threat-protection/" target="_blank">continues to evolve</a> to provide an integrated threat protection solution for the modern workplace.</p><p></p><p> </p><p></p><p><strong><em>Rex Plantado</em></strong></p><p><em>Office 365 ATP Research Team</em></p><p></p><p> </p><p></p><p><span style="font-size: 15px"><strong>Indicators of compromise</strong></span></p><p></p><p></p><p>Files (SHA-256):</p><p></p><ul> <li data-xf-list-type="ul">68133eb271d442216e66a8267728ab38bf143627aa5026a4a6d07bb616b3d9fd (Original email attachment) – detected as Trojan:O97M/Maudon.A</li> <li data-xf-list-type="ul">ef3617a68208f047ccae2d169b8208aa87df9a4b8959e529577fe11c2e0d08c3 (Document hosted in OneDrive link) – detected as Trojan:O97M/Maudon.A</li> <li data-xf-list-type="ul">4cb0b2d9a4275d7e7f532f52c1b6ba2bd228a7b50735b0a644d2ecae96263352 (ACE file with CVE-2018-20250 exploit) – detected as Exploit:Win32/CVE-2018-20250</li> <li data-xf-list-type="ul">6f78748f5b2902c05e88c1d2e45de8e7c635512a5f25d25217766554534277fe (dropbox.exe (Win64 Payload)) – detected as Trojan:Win32/Maudon.A</li> <li data-xf-list-type="ul">c0c22e689e1e9fa11cbf8718405b20ce57c1d7c85d8e6e45c617e2b095b01b15 (Encoded id.png) – detected as Trojan:PowerShell/Maudon.A</li> <li data-xf-list-type="ul">0089736ee162095ac2e4e66de6468dbb7824fe73996bbea48a3bb85f7fdd53e4 (temp.vbs) – detected as ThreatRelated</li> <li data-xf-list-type="ul">1c25286b8dea0ebe4e8fca0181c474ff47cf822330ef3613a7d599c12b37ff5f (PowerShell script decrypted from id.png) – detected as Trojan:PowerShell/Maudon.A</li> <li data-xf-list-type="ul">144b3aa998cf9f30d6698bebe68a1248ca36dc5be534b1dedee471ada7302971 (Decrypted PowerShell) – detected as Trojan:PowerShell/Maudon.A</li> </ul><p></p><p>URLs:</p><p></p><ul> <li data-xf-list-type="ul">hxxps://1drv[.]ms/u/s!AgvJCoYH9skpgUNf3Y3bfhSyFQao</li> <li data-xf-list-type="ul">hxxp://162[.]223[.]89[.]53/oa/</li> <li data-xf-list-type="ul">hxxp://162[.]223[.]89[.]53/oc/api/?t=<BOTID></li> <li data-xf-list-type="ul">hxxp://162[.]223[.]89[.]53/or/?t=<BOTID></li> </ul><p></p><p> </p><p></p><p>The post <a href="https://www.microsoft.com/security/blog/2019/04/10/analysis-of-a-targeted-attack-exploiting-the-winrar-cve-2018-20250-vulnerability/" target="_blank">Analysis of a targeted attack exploiting the WinRar CVE-2018-20250 vulnerability</a> appeared first on <a href="https://www.microsoft.com/security/blog/" target="_blank">Microsoft Security</a>.</p></blockquote><p></p>
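<p>The post above describes the chain stage by stage (Word macro drops id.png and temp.vbs, wscript.exe launches a fileless PowerShell stager, the backdoor beacons to the /oa/, /oc/api/?t=&lt;BOTID&gt; and /or/?t=&lt;BOTID&gt; endpoints and runs commands through cmd.exe, and the ACE exploit writes dropbox.exe into the Startup folder). The following is an added example of how a defender might turn those observations into detection logic; it is not Microsoft's code and not part of the original post. The event schema (process, file and net records) is an assumed, simplified stand-in for EDR telemetry, the process image name WinRAR.exe is an assumption, and the sample events are constructed here, reusing only the defanged indicators the post itself lists.</p>

```python
"""Detection rules for the attack chain described in the post, run over
constructed sample telemetry. Added example; not Microsoft's or the post's code.
The event schema is an assumed, simplified stand-in for EDR telemetry."""
import re

# Indicators as printed (defanged) in the post's IoC section.
C2_HOST = "162[.]223[.]89[.]53"
C2_PATH_PREFIXES = ("/oa/", "/oc/api/?t=", "/or/?t=")
# Files the macro drops, per the post.
STAGER_FILES = {r"c:\windows\temp\id.png", r"c:\windows\temp\temp.vbs"}
OFFICE_APPS = {"winword.exe", "excel.exe"}
ARCHIVERS = {"winrar.exe"}  # assumption: WinRAR's process image name
STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
BOTID_RE = re.compile(r"[?&]t=([0-9a-f]{32})$")  # BotID is an MD5 hex digest


def _url_host_path(url):
    """Split 'scheme://host/path?query' into (host, '/path?query'); hxxp is kept."""
    _, _, rest = url.partition("//")
    host, _, tail = rest.partition("/")
    return host.lower(), "/" + tail


def detect(events):
    """Return a list of (rule_name, event_index) hits for the constructed schema.

    process: {"type","parent","image","cmdline"}
    file:    {"type","image","path"}
    net:     {"type","image","url"}
    """
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "process":
            parent = ev["parent"].lower()
            image = ev["image"].lower()
            cmd = ev["cmdline"].lower()
            # Stage 1: the macro launches wscript.exe on the dropped temp.vbs wrapper.
            if parent in OFFICE_APPS and image == "wscript.exe" and "temp.vbs" in cmd:
                hits.append(("office_launches_vbscript", i))
            # Stage 2: the VBScript wrapper runs PowerShell; a command line that
            # references id.png is the decode step of the fileless stager.
            if parent == "wscript.exe" and image == "powershell.exe":
                rule = "vbs_wrapper_decodes_id_png" if "id.png" in cmd else "vbs_launches_powershell"
                hits.append((rule, i))
            # Backdoor capability: run commands through cmd.exe.
            if parent == "powershell.exe" and image == "cmd.exe":
                hits.append(("powershell_backdoor_runs_cmd", i))
        elif kind == "file":
            image = ev["image"].lower()
            path = ev["path"]
            if image in OFFICE_APPS and path.lower() in STAGER_FILES:
                hits.append(("office_drops_stager", i))
            # CVE-2018-20250 effect: the archiver writes into the Startup folder.
            if image in ARCHIVERS and STARTUP_FOLDER.search(path):
                hits.append(("archiver_writes_startup", i))
        elif kind == "net":
            host, path = _url_host_path(ev["url"])
            if host == C2_HOST and path.startswith(C2_PATH_PREFIXES):
                hits.append(("c2_beacon", i))
    return hits


def bot_ids(events, hits):
    """BotIDs seen in C2 URLs of the post's /oc/api/?t=<BOTID> and /or/?t=<BOTID> form."""
    ids = set()
    for rule, i in hits:
        if rule == "c2_beacon":
            m = BOTID_RE.search(events[i]["url"])
            if m:
                ids.add(m.group(1))
    return ids


def summarize(hits):
    """Collapse rule hits into the stages of the post's attack chain."""
    rules = {r for r, _ in hits}
    stages = {
        "delivery": bool(rules & {"office_drops_stager", "office_launches_vbscript"}),
        "execution": any(r.startswith("vbs_") for r in rules),
        "c2": "c2_beacon" in rules,
        "exploit_drop": "archiver_writes_startup" in rules,
    }
    stages["full_chain"] = stages["delivery"] and stages["execution"] and stages["c2"]
    return stages


# Constructed sample telemetry: the chain from the post plus benign noise.
SAMPLE_EVENTS = [
    {"type": "file", "image": "WINWORD.EXE", "path": r"C:\Windows\Temp\id.png"},
    {"type": "file", "image": "WINWORD.EXE", "path": r"C:\Windows\Temp\temp.vbs"},
    {"type": "process", "parent": "WINWORD.EXE", "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Windows\Temp\temp.vbs"'},
    {"type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -NoP -W Hidden -C "<decode C:\Windows\Temp\id.png>"'},
    {"type": "net", "image": "powershell.exe", "url": "hxxp://162[.]223[.]89[.]53/oa/"},
    {"type": "net", "image": "powershell.exe",
     "url": "hxxp://162[.]223[.]89[.]53/oc/api/?t=6e6bdbd3d8b102305f016b06e995a384"},
    {"type": "process", "parent": "powershell.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "file", "image": "WinRAR.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropbox.exe"},
    # Benign noise: a normal extraction, a browser request, an interactive shell.
    {"type": "file", "image": "WinRAR.exe", "path": r"C:\Users\alice\Downloads\photos\img1.jpg"},
    {"type": "net", "image": "msedge.exe", "url": "https://www.microsoft.com/security/blog/"},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, idx in found:
        print(f"{rule:32} event#{idx}")
    print(summarize(found), bot_ids(SAMPLE_EVENTS, found))
```

<p>Run against the constructed events, the rules fire on the eight malicious records and stay silent on the three benign ones; the exact-host, exact-path C2 rule is deliberately narrow (it is an IoC match), while the parent-child and Startup-folder rules are behavioural and would also catch variants that change the C2 address.</p>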
[QUOTE="Bot, post: 809100, member: 52014"] In early March, we discovered a cyberattack that used an exploit for CVE-2018-20250, an old WinRar vulnerability disclosed just several weeks prior, and targeted organizations in the satellite and communications industry. A complex attack chain incorporating multiple code execution techniques attempted to run a fileless PowerShell backdoor that could allow an adversary to take full control of compromised machines. The WinRar vulnerability was discovered by Check Point researchers, who demonstrated in a February 20 [URL='https://research.checkpoint.com/extracting-code-execution-from-winrar/']blog post[/URL] that a specially crafted ACE file (a type of compressed file) could allow remote code execution. Attackers quickly took advantage of the vulnerability in attacks, including a targeted attack that 360 Total Security researchers [URL='https://ti.360.net/blog/articles/upgrades-in-winrar-exploit-with-social-engineering-and-encryption/']discovered[/URL] just two days after disclosure. The exploit has since been observed in multiple malware attacks. The use of ACE files is not uncommon in malware campaigns. A combination of machine learning, advanced heuristics, behavior-based detections, and detonation enables [URL='https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-atp']Office 365 Advanced Threat Protection[/URL] (ATP) to regularly detect and block a variety of threats that are packed in ACE files, including common malware like Fareit, Agent Tesla, NanoCore, LokiBot and some ransomware families. The same capabilities in Office 365 ATP detected malicious ACE files carrying the CVE-2018-20250 exploit. We spotted one of these ACE files in the sophisticated targeted attack that we describe in this blog and that stood out because of unusual, interesting techniques. 
Notably, the attack used techniques that are similar to campaigns carried out by the activity group known as [URL='https://attack.mitre.org/groups/G0069/']MuddyWater[/URL], as observed by other security vendors like [URL='https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/']Trend Micro[/URL]. [IMG alt="Attack chain diagram"]https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig1-cve-2018-20250-attack-chain.png[/IMG] [CENTER][I]Figure 1. Attack chain that delivered the CVE-2018-20250 exploit[/I][/CENTER] [SIZE=4][B]Attack chain overview[/B][/SIZE] A spear-phishing email purporting to be from the Ministry of Foreign Affairs (MFA) of the Islamic Republic of Afghanistan was sent to very specific targets and asked for “resources, telecommunication services and satellite maps”. The email came with a Word document attachment. [IMG alt="Spear phishing email"]https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig2-cve-2018-20250-email.png[/IMG] [CENTER][I]Figure 2. Spear phishing email containing lure Word Document[/I][/CENTER] When opened, the document asks the recipient to download another document from a now-inactive OneDrive link. While the URL was down during our analysis, we still reported the case to the OneDrive team. The use of a document with just a link—no malicious macro or embedded object—was likely meant to evade conventional email security protection. This didn’t work against Office 365 ATP, which has the capability to scan emails and Office documents for URLs and analyze links for malicious behavior. [IMG]https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig3-cve-2018-20250-original-document.png[/IMG] [CENTER][I]Figure 3. Word document lure containing OneDrive link[/I][/CENTER] Clicking the link downloads an archive file containing a second Word document, which has malicious macro. 
Microsoft Word opens the document with security warning. Enabling the macro starts a series of malicious actions that leads to the download of the malware payload. [IMG alt="Screenshot of document with malicious macro"]https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig4-cve-2018-2025-Document-With-Malicious-Macro.png[/IMG] [CENTER][I]Figure 4. Downloaded document with malicious macro[/I][/CENTER] Interestingly, the document has a “Next Page” button. Clicking that button displays a fake message signifying that a certain DLL file is missing, and that the computer needs to restart. This is a social engineering technique that ensures the computer is restarted, which is needed for the payload to run. (More on this later.) [IMG alt="Document with malicious macro and dialog box"]https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig5-cve-2018-20250-Document-With-Malicious-Macro-with-Dialog-Box.png[/IMG] [CENTER][I]Figure 5. Fake message instructing user to restart the computer[/I][/CENTER] Meanwhile, with the macro enabled, the malicious code performs the following in the background: [LIST] [*]Extract and decode a data blob from TextBox form and drop it as [I]C:\Windows\Temp\id.png[/I] [*]Create a malicious Visual Basic Script (VBScript) and drop it as [I]C:\Windows\Temp\temp.vbs[/I] [*]Add persistence by creating a COM object and adding autorun registry key to launch the created shell object [*]Launch [I]temp.vbs[/I], which is a wrapper for the malicious PowerShell command that decodes the [I]id.png[/I] file, which results in the second-stage PowerShell script that is highly obfuscated and contains multi-layered encryption (this PowerShell script is similar to a script that has been used in past MuddyWater campaigns) [/LIST] The second-stage PowerShell script collects system information, generates unique computer ID, and sends these to remote location. 
It acts as a backdoor and can accept commands, including: [LIST] [*]Download arbitrary file [*]Run command using [I]cmd.exe[/I] [*]Decode a base64-encoded command and run it using PowerShell [/LIST] The PowerShell script’s ability to accept commands and download programs provided a way for a remote attacker to deliver the malicious ACE file containing CVE-2018-20250 exploit. When triggered, the exploit then drops the payload [I]dropbox.exe[/I]. The next sections discuss in detail the key components of this attack chain. [SIZE=4][B]Malicious macro[/B][/SIZE] The highly obfuscated malicious macro code used in this attack has a unique way of running malicious code by chaining several programs. It first extracts an encoded data taken from [I]UserForm.TextBox[/I], before decoding and saving it as [I]C:\Windows\Temp\id.png[/I]. This file contains an encoded PowerShell command that is executed later by the first-stage PowerShell script. [IMG alt="Obfuscated macro code"]https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig6-obfuscated-macro-code.png[/IMG] [CENTER][I]Figure 6. Obfuscated macro code[/I][/CENTER] The malicious macro code then creates an [I]Excel.Application[/I] object to write the VBScript code. [IMG alt="VBScript code"]https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig7.vbscript-created-by-macro.png[/IMG] [CENTER][I]Figure 7. VBScript code created by the malicious macro[/I][/CENTER] It then runs [I]wscript.exe[/I] to launch the PowerShell script at runtime. The PowerShell script itself does not touch the disc, making it a [URL='https://www.microsoft.com/security/blog/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/']fileless[/URL] component of the attack chain. 
[URL='https://www.microsoft.com/security/blog/2017/12/04/windows-defender-atp-machine-learning-and-amsi-unearthing-script-based-attacks-that-live-off-the-land/']Living-off-the-land[/URL], the technique of using resources that are already available on the system (e.g., [I]wscript.exe[/I]) to run malicious code directly in memory, is another way that this attack tries to evade detection.

[SIZE=4][B]PowerShell[/B][/SIZE]

The first-stage PowerShell script contains multiple layers of obfuscation. When run, it decodes the file [I]id.png[/I] to produce another PowerShell script that is responsible for the rest of the actions.

[IMG alt="Obfuscated first-stage PowerShell"]https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig8-obfuscated-first-stage-PowerShell-code.jpg[/IMG]
[CENTER][I]Figure 8. Obfuscated first-stage PowerShell code[/I][/CENTER]

[IMG alt="De-obfuscated first stage malware"]https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig9-de-obfuscated-first-scate-PowerShell-script.png[/IMG]
[CENTER][I]Figure 9. De-obfuscated first-stage PowerShell script[/I][/CENTER]

The decrypted PowerShell script is also highly obfuscated; fully de-obfuscating it requires peeling back over 40 layers of script blocks. The second-stage PowerShell script collects system information such as the operating system, OS architecture, username, domain name, disk information, enabled-only IP addresses, and gateway IP address. It computes the MD5 hash of the collected system information, and that hash is used as the BotID (some researchers also refer to this as SYSID).
It then concatenates the hash and system information in a string that looks like the following:
[INDENT][I]<BotID>**<OS>|Disk information**<IP Address List>**<OS Architecture>**<Hostname>**<Domain>**<Username>**<Gateway IP>[/I][/INDENT]
For example:
[INDENT][I]6e6bdbd3d8b102305f016b06e995a384**Microsoft Windows 10 Enterprise|C:\WINDOWS|\Device\Harddisk0\Partition3**192[.]168[.]61[.]1-192[.]168[.]32[.]1-157[.]59[.]24[.]113**64-bit**<Hostname>**<Domain>**<Username>**131[.]107[.]160[.]113[/I][/INDENT]
It then encodes each character of the collected system information as a decimal value by applying a simple custom algorithm with a hardcoded key (public key): 959,713. The result is formatted as XML-like data:
[INDENT][I]{“data”:”665 545 145 145 222 545 222 145 73 367 665 438 438 438 598 616 145 518 616 566 438 [REDACTED] 616 73 145 145 665 518 365 438 316 665 513 513 432 261 181 344}[/I][/INDENT]
It sends the encoded data to a hardcoded remote command-and-control (C&C) server, likely to check and register the infected computer: hxxp://162[.]223[.]89[.]53/oa/. It continuously waits until the remote attacker sends back “done”. Then, it sends an HTTP request to the same C&C address passing the BotID, likely to wait for a command: hxxp://162[.]223[.]89[.]53/oc/api/?t=<BOTID>.
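The registration, polling and result URLs of this backdoor (the three C2 URL patterns also listed in the indicators of compromise at the end of the post) are simple to hunt for in web proxy logs. The following is an added example, not code from the Microsoft post: it classifies constructed proxy log lines against those patterns, treating the BotID as a 32-character hex string because the post says it is an MD5 hash. The log line layout is an assumption of this example (not any proxy vendor's format); the HTTP method is only enforced for the /or/ endpoint, the one the post explicitly describes as a POST.

```python
"""Hunt for the backdoor's C2 URL patterns in web proxy logs.

Added example, not code from the Microsoft post. The host and paths come from
the post's indicators of compromise; the log format and sample lines are
CONSTRUCTED for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# 162[.]223[.]89[.]53 in the post, written undefanged so it can be matched.
C2_HOST = "162.223.89.53"
# The post says the BotID is an MD5 hash of collected system information.
BOTID_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# (stage, path, required method or None if the post does not say, needs t=<BOTID>)
C2_STAGES = (
    ("register", "/oa/", None, False),
    ("poll", "/oc/api/", None, True),
    ("result", "/or/", "POST", True),
)
# Constructed log layout: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample lines. The BotID value is the example hash from the post.
SAMPLE_PROXY_LOG = """
2019-03-05T10:00:01Z 10.0.0.15 POST http://162.223.89.53/oa/ 200
2019-03-05T10:00:09Z 10.0.0.15 GET http://162.223.89.53/oc/api/?t=6e6bdbd3d8b102305f016b06e995a384 200
2019-03-05T10:00:10Z 10.0.0.15 POST http://162.223.89.53/or/?t=6e6bdbd3d8b102305f016b06e995a384 200
2019-03-05T10:01:00Z 10.0.0.22 GET http://example.com/index.html 200
2019-03-05T10:02:00Z 10.0.0.22 GET http://162.223.89.53/oc/api/?t=notahash 404
"""


def classify_url(method, url):
    """Return (stage, botid) when the request matches a C2 pattern, else None."""
    parts = urlsplit(url)
    if parts.hostname != C2_HOST:
        return None
    botid = parse_qs(parts.query).get("t", [None])[0]
    for stage, path, want_method, needs_botid in C2_STAGES:
        if parts.path != path:
            continue
        if want_method is not None and method != want_method:
            continue
        if needs_botid and not (botid and BOTID_RE.match(botid)):
            continue
        return stage, botid
    return None


def scan_proxy_log(text):
    """Return a list of (client, stage, botid) for every matching log line."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        hit = classify_url(m["method"], m["url"])
        if hit is not None:
            alerts.append((m["client"], hit[0], hit[1]))
    return alerts


def hosts_by_stage(text):
    """Map each client to the set of C2 stages it was seen performing."""
    seen = {}
    for client, stage, _ in scan_proxy_log(text):
        seen.setdefault(client, set()).add(stage)
    return seen


if __name__ == "__main__":
    for client, stages in hosts_by_stage(SAMPLE_PROXY_LOG).items():
        print(f"{client}: {sorted(stages)}")
```

A client that both registers and polls is a stronger signal than a single hit, so the per-host stage summary is what an analyst would triage first. Matching on a hard-coded host is brittle once the infrastructure moves; the path shape and the 32-hex `t=` parameter are the parts worth carrying into a more general rule.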
It can accept commands to download files and execute commands, and it sends the output back, encoded in Base64 format, to the remote C2 server using HTTP POST: hxxp://162[.]223[.]89[.]53/or/?t=<BOTID>.

[SIZE=4][B]CVE-2018-20250 exploit[/B][/SIZE]

In their [URL='https://research.checkpoint.com/extracting-code-execution-from-winrar/']analysis[/URL] of the CVE-2018-20250 vulnerability, Check Point researchers found that when parsing ACE files, WinRar used an old DLL named unacev2.dll that was vulnerable to directory traversal. Malicious ACE files that carry the CVE-2018-20250 exploit can be spotted through:
[LIST]
[*]Directory traversal string – The validation in [I]Unacev2.dll[/I] of the destination path when extracting an ACE archive is not enough. If an attacker can craft a relative path that bypasses the checks in place, the embedded payload can be extracted to the attacker's chosen location.
[*]Drop zone – In-the-wild samples commonly use the Startup folder, but it’s also possible to drop the file to known or pre-determined SMB shared folders.
[*]Payload – The malicious payload, as in this attack, is commonly an .exe file, but in-the-wild samples and other ACE files that we’ve seen use other malicious scripts, such as VBScript.
[/LIST]

[IMG alt="ACE file with CVE-2018-20250 exploit"]https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig10-ACE-file-with-CVE-2018-20250-exploit.jpg[/IMG]
[CENTER][I]Figure 10. ACE file with CVE-2018-20250 exploit[/I][/CENTER]

The ACE file contains three JPEG files that may look related to the email and Word document lures. When the user attempts to extract any of them, the exploit triggers and drops the payload, [I]dropbox.exe[/I], to the Startup folder.
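The root cause described above is a destination-path check that was not strict enough: an archive entry name was allowed to steer the extracted file outside the chosen output directory. The following is an added example, not code from WinRAR, unacev2.dll, Check Point or the Microsoft post, showing the validation an extractor needs before creating any file. It uses Python's ntpath module so Windows path semantics apply whatever OS it runs on; the entry names and the extraction directory are constructed for the example and the "Startup folder" entry only illustrates the drop zone the post names, not a real sample's path.

```python
"""Destination-path validation for archive extraction (the check that the
post says unacev2.dll lacked for ACE entries).

Added example, not code from WinRAR, unacev2.dll or the Microsoft post. Entry
names and the extraction directory below are CONSTRUCTED.
"""
import ntpath

DEST = r"C:\Users\user\Downloads\extract"  # constructed extraction directory

# Constructed entry names covering each class of unsafe path plus two safe ones.
SAMPLE_ENTRIES = [
    r"photos\1.jpg",                                   # safe, nested relative path
    "photos/2.jpg",                                    # safe, forward slashes
    r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropbox.exe",  # traversal to Startup
    r"photos\..\..\evil.exe",                          # traversal hidden after a normal component
    r"C:\Windows\Temp\x.exe",                          # absolute path with drive letter
    r"\\server\share\x.exe",                           # UNC path (SMB share drop zone)
    r"C:x.exe",                                        # drive-relative path
    ".",                                               # resolves to the destination itself
]


def is_safe_entry(entry_name, dest_dir):
    """Return (ok, resolved_path); ok is False when the entry would land outside dest_dir."""
    # Absolute paths, drive letters and UNC prefixes are rejected outright: an
    # archive entry must always be relative to the chosen extraction directory.
    if entry_name.startswith(("\\", "/")) or ntpath.splitdrive(entry_name)[0]:
        return False, None
    dest = ntpath.normpath(dest_dir)
    # Join first, then normalise: normpath collapses "." and ".." components
    # against the real destination, so "a\..\..\x" cannot hide a step outward.
    target = ntpath.normpath(ntpath.join(dest, entry_name))
    prefix = dest.rstrip("\\") + "\\"
    # Case-insensitive prefix check, and the destination itself is not a file.
    if target.lower() == dest.lower() or not target.lower().startswith(prefix.lower()):
        return False, target
    return True, target


def vet_entries(entry_names, dest_dir):
    """Map each entry name to True (safe to extract) or False (must be refused)."""
    return {name: is_safe_entry(name, dest_dir)[0] for name in entry_names}


if __name__ == "__main__":
    for name, ok in vet_entries(SAMPLE_ENTRIES, DEST).items():
        print(("OK     " if ok else "REFUSE ") + name)
```

The decision is made on the fully normalised path, not on the raw entry string, so a blocklist of literal `..\` substrings is never the only defence. Symbolic links and junctions inside the destination are a separate concern this check does not cover.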
[IMG alt="Contents of the malicious ACE file"]https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig11-contents-of-the-malicious-ACE-file.jpg[/IMG]
[CENTER][I]Figure 11. Contents of the malicious ACE file[/I][/CENTER]

Going back to the fake error message about a missing DLL that asks the user to restart the computer: the CVE-2018-20250 vulnerability only allows a file write to the specified folder and has no capability to run the file immediately. Since the payload was dropped in the Startup folder, it is launched when the computer restarts. The payload [I]dropbox.exe[/I] performs the same actions as the malicious macro component, which helps ensure that the PowerShell backdoor is running.

The PowerShell backdoor could allow a remote attacker to take full control of the compromised machine and make it a launchpad for more malicious actions. Exposing and stopping attacks at the early stages is critical in preventing the additional, typically more damaging, impact of undetected malware implants.

[SIZE=4][B]Stopping attacks at the entry point with Office 365 ATP[/B][/SIZE]

The targeted attack we discussed in this blog and other attacks that use the CVE-2018-20250 exploit show how quickly attackers can take advantage of known vulnerabilities. Attackers are always in search of new vectors to reach more victims. In this attack, they also used some sophisticated code injection techniques. Protections against cyberattacks should be advanced, real-time, and comprehensive. The URL detonation capabilities in [URL='https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-atp']Office 365 ATP[/URL] were instrumental in detecting and blocking the malicious behaviors across the multiple stages of this sophisticated attack, protecting customers from potentially damaging outcomes.
URL detonation, coupled with heuristics, behavior-based detections, and machine learning, allows Office 365 ATP to protect customers not only from targeted attacks, but also from well-crafted spear phishing attacks, in real time.

[SIZE=4][B]Unified protection across multiple attack vectors with Microsoft Threat Protection[/B][/SIZE]

These advanced defenses from Office 365 ATP are shared with other services in [URL='https://www.microsoft.com/security/blog/the-evolution-of-microsoft-threat-protection/']Microsoft Threat Protection[/URL], which provides seamless, integrated, and comprehensive protection against multiple attack vectors. Through signal-sharing, Microsoft Threat Protection orchestrates threat remediation.

For endpoints that are not protected by Office 365 ATP, [URL='https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc']Microsoft Defender ATP[/URL] detects the attacker techniques used in this targeted attack. Microsoft Defender ATP is a unified endpoint protection platform for attack surface reduction, next generation protection, endpoint detection & response (EDR), auto investigation & remediation, as well as the recently announced [URL='https://www.microsoft.com/security/blog/2019/02/28/announcing-microsoft-threat-experts/']managed threat hunting[/URL] and [URL='https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845']threat & vulnerability management[/URL]. Microsoft Defender ATP uses machine learning, behavior monitoring, and heuristics to detect sophisticated threats.
Its [URL='https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831?_lrsc=43e3d75c-e0f9-442c-b084-0fa99ad29fde']industry-leading optics[/URL], integration with Office 365 ATP and other Microsoft Threat Protection services, and use of [URL='https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/']AMSI[/URL] give it unique capabilities to detect attacker techniques, including the exploit, obfuscation, detection evasion, and fileless techniques observed in this attack.

The attacks that immediately exploited the WinRar vulnerability demonstrate the importance of threat & vulnerability management in reducing organizational risk. Even if your organization was not affected by this attack against specific organizations in the satellite and communications industry, there are other malware campaigns that used the exploit. Microsoft Defender ATP’s [URL='https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845']threat & vulnerability management[/URL] capability uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities. As a component of a unified endpoint protection platform, threat & vulnerability management in Microsoft Defender ATP provides these unique benefits:
[LIST]
[*]Real-time correlation of EDR insights with information on endpoint vulnerabilities
[*]Invaluable endpoint vulnerability context for incident investigations
[*]Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
[/LIST]

[IMG alt="Threat and Vulnerability Management"]https://www.microsoft.com/security/blog/wp-content/uploads/2019/04/fig12-threat-and-vulnerability-management.png[/IMG]
[CENTER][I]Figure 12. Sample Threat & Vulnerability Management dashboard showing WinRAR vulnerabilities on managed endpoints[/I][/CENTER]

The complex attack chain that incorporated sophisticated techniques observed in this targeted attack highlights the benefits of comprehensive protection enriched by telemetry collected across the entire attack chain. Microsoft Threat Protection [URL='https://www.microsoft.com/security/blog/the-evolution-of-microsoft-threat-protection/']continues to evolve[/URL] to provide an integrated threat protection solution for the modern workplace.

[B][I]Rex Plantado[/I][/B]
[I]Office 365 ATP Research Team[/I]

[SIZE=4][B]Indicators of compromise[/B][/SIZE]

Files (SHA-256):
[LIST]
[*]68133eb271d442216e66a8267728ab38bf143627aa5026a4a6d07bb616b3d9fd (Original email attachment) – detected as Trojan:O97M/Maudon.A
[*]ef3617a68208f047ccae2d169b8208aa87df9a4b8959e529577fe11c2e0d08c3 (Document hosted in OneDrive link) – detected as Trojan:O97M/Maudon.A
[*]4cb0b2d9a4275d7e7f532f52c1b6ba2bd228a7b50735b0a644d2ecae96263352 (ACE file with CVE-2018-20250 exploit) – detected as Exploit:Win32/CVE-2018-20250
[*]6f78748f5b2902c05e88c1d2e45de8e7c635512a5f25d25217766554534277fe (dropbox.exe (Win64 Payload)) – detected as Trojan:Win32/Maudon.A
[*]c0c22e689e1e9fa11cbf8718405b20ce57c1d7c85d8e6e45c617e2b095b01b15 (Encoded id.png) – detected as Trojan:PowerShell/Maudon.A
[*]0089736ee162095ac2e4e66de6468dbb7824fe73996bbea48a3bb85f7fdd53e4 (temp.vbs) – detected as ThreatRelated
[*]1c25286b8dea0ebe4e8fca0181c474ff47cf822330ef3613a7d599c12b37ff5f (PowerShell script decrypted from id.png) – detected as Trojan:PowerShell/Maudon.A
[*]144b3aa998cf9f30d6698bebe68a1248ca36dc5be534b1dedee471ada7302971 (Decrypted PowerShell) – detected as Trojan:PowerShell/Maudon.A
[/LIST]
URLs:
[LIST]
[*]hxxps://1drv[.]ms/u/s!AgvJCoYH9skpgUNf3Y3bfhSyFQao
[*]hxxp://162[.]223[.]89[.]53/oa/
[*]hxxp://162[.]223[.]89[.]53/oc/api/?t=<BOTID>
[*]hxxp://162[.]223[.]89[.]53/or/?t=<BOTID>
[/LIST]

The post [URL='https://www.microsoft.com/security/blog/2019/04/10/analysis-of-a-targeted-attack-exploiting-the-winrar-cve-2018-20250-vulnerability/']Analysis of a targeted attack exploiting the WinRar CVE-2018-20250 vulnerability[/URL] appeared first on [URL='https://www.microsoft.com/security/blog/']Microsoft Security[/URL].
[/QUOTE]