Fortinet security researchers recently observed a series of cyber-attacks targeting Russian service centers offering maintenance and support for various electronic goods.
The attacks stand out because of their multi-staging and are believed to have been launched by a non-Russian actor. The attackers used spear-phishing emails and malicious Office documents exploiting
CVE-2017-11882, a 17 years old vulnerability in Office’s Equation Editor that Microsoft
manually patched in October last year.
The targeted attack started at the end of March with spear-phishing emails received at a service company that repairs Samsung’s electronic devices. Pretending to come from representatives of Samsung, the emails specifically targeted this organization, were written in Russian, and contained a file named
Symptom_and_repair_code_list.xlsx, related to the targeted company’s profile.
The emails were likely the result of machine translation, instead of being created by a native Russian speaker, the security researchers
reveal. Furthermore, the headers of the email revealed that the IP address of the sender wasn’t related to the domain in the “From” field.
The attackers used different attachments for each email, but all messages had seemingly legitimate .XLSX files attached. Furthermore, all of the documents contained an exploit for the CVE-2017-11882 vulnerability.
The shellcode used in the attacks was meant to perform various tasks to gain access to the
LoadLibraryA and
GetProcAddress functions that allow it to execute the final payload. It also imports other functions, including one used to determine the exact location where the downloaded payload should be stored.
The payload features multiple-layer multi-packer protection, starting with an initial layer where the well-known ConfuserEx packer was used to obfuscate objects names, along with the names of methods and resources. From these resources, it reads the next stage payload, which is encrypted using DES, and executes the decrypted file.
The decrypted file, named
BootstrapCS, is the second stage of the multi-layer protection. While not obfuscated, it contains multiple anti-analysis checks, with the structure “settings” in the resources section determining which checks should be performed.
This stage can check for various emulation, sandbox, and virtual machine tools, and also searches for and shuts down specified processes, in addition to disabling system utilities. It also writes the payload path to startup registry keys, hides the file with system and hidden attributes, and injects the payload in various processes.
A binary resource named mainfile is the encrypted stage 3 of the payload. It is an executable that represents the third level of packing protection: a simple XOR algorithm with the KEY = 0x20 was used for encryption. The decrypted payload is injected into a process based on the value in the settings resource file.
The stage 3 of the payload references to a commercial Remote Administration Tool (RAT) called Imminent Monitor, which can be purchased by anyone, directly from the app developer (who apparently prohibits the malicious use of the program). At stage 4, the security researchers once again stumbled upon ConfuserEx.
The main payload of the attack, however, turned out to be the commercial version of the Imminent Monitor RAT, which includes five modules to record videos using the victim’s webcam, to spy on victims, and to control their machines.
The command and control (C&C) servers used in these attacks led the researchers to discover 50 domains registered on the same day, some of which were used to spread malware, while others for phishing attacks. The researchers also discovered older .XLSX samples that use the same C&C but attempt to exploit different vulnerabilities.
“We also noticed that the pattern of these attacks has become quite popular today. The use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years. It is simply not that easy to trick a user to opening executable file as it was before. Exploits are a different case,” Fortinet concludes.
