Lamers, stealers and RATs: the same techniques as Formbook malware, used to install jRAT and HawkEye Keylogger
For a few days now, a threat actor has been using PDF files to embed an RTF document carrying the CVE-2017-11882 exploit.
https://app.any.run/tasks/bbbbee8e-cb8d-499c-890a-6e064bbd6b6b
The shellcode in the RTF document contacts the domain officeemailinfo.net to download different payloads:
- hxxp://officeemailinfo.net/321.jar
- hxxp://officeemailinfo.net/BOA_Instruction,doc.jar
- hxxp://officeemailinfo.net/sccccca.exe
- jRAT (0f6a76e4e099005fcfcefb5a4de71a0e88a0c4c12607b038b272514800f1f2f6, 432afac8cb1f4952cb356ab98c3da140780a7fa34ab7a2f49b26411dd638484e)
- HawkEye keylogger (c40c634c51a4c9aabbaaf2f3c2ce00ad29bf4feb12c31b1f59e9405b36a4a139)
The HawkEye keylogger connects to smtp.doctorework.com.
This domain is associated with 208.91.199.223.
The jRAT connects to 91.192.100.7.
This IP is particularly interesting because many dynamic DNS domains used by the same lamer malware family point to it:
indigo2.publicvm.com
nandos777.ddns.net
netwokers.ddns.net
gray7.serveftp.com
cryoutlouds.dynu.net
dengsman.duckdns.org
realwire123.ddns.net
cryoutloud.dynu.net
audreysaradin.no-ip.org
evansabide24.ddns.net
Infection chain
The PDF file
If we load the PDF in Cerbero Profiler and check the /OpenAction entry, we see that it references object 9.
Object 9 is a JavaScript action object holding a short piece of code.
The code exports the embedded file named quote1.doc and, because nLaunch is 2, launches it with the program associated with the file's MIME type:
this.exportDataObject({ cName: "quote1.doc", nLaunch: 2 });
We find the name of this file in the /Names section (the EmbeddedFiles name tree).
In the EmbeddedFile stream we find the RTF document.
If you look at the byte sequence 7B 5C 72 74 66 7B, it begins with 7B 5C 72 74 66, the ASCII string {\rtf, which is the magic number of an RTF file.
The RTF file
Take a look at the RTF file:
The first OLE stream is an embedded OLE object (\objdata) that stores a Composite Document File V2 (OLE2 compound file) container.
The CVE-2017-11882 exploit is stored inside that compound file.
We find the CLSID of the Equation Editor COM object.
The exploit is at offset 0x800.
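The same walk (/OpenAction to the JavaScript object, exportDataObject name, /EmbeddedFile stream, RTF magic, hex \objdata, OLE2 header, Equation Editor CLSID) can be scripted so the checks are repeatable on a batch of samples. The script below is an added example, not the author's tooling and not part of Cerbero Profiler. It runs against a constructed stand-in PDF built in build_sample_pdf() rather than the real sample: object numbering (object 9 for the JavaScript, quote1.doc as the exported name) follows the text, but the object layout, the /Length handling, the OLE1 header prefix and the 0x250 position of the CLSID in the sample are assumptions chosen for the demo, and the container holds no exploit. The CLSID constant is the standard Equation Editor class {0002CE02-0000-0000-C000-000000000046} in its little-endian on-disk form; the parsing is deliberately minimal (regex over the raw file, no xref, direct /Length only) and is meant for triage, not as a full PDF or RTF parser.

```python
"""Replay the PDF -> RTF -> OLE triage steps on a constructed sample (added example, not the post's code)."""
import re
import zlib

# GUID {0002CE02-0000-0000-C000-000000000046} (Equation Editor, "Equation.3") as stored on disk:
# Data1/Data2/Data3 little-endian, Data4 byte array as-is.
EQUATION_CLSID = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE2 / Compound File Binary signature
OLE1_PREFIX = b"\x01\x05\x00\x00\x02\x00\x00\x00"  # stand-in for the OLE1 ObjectHeader that precedes the CFB in \objdata


def build_sample_pdf() -> bytes:
    """Constructed stand-in for the malicious PDF (assumption: layout chosen for the demo, no exploit inside)."""
    ole = OLE1_PREFIX + CFB_MAGIC + b"\x00" * (0x250 - len(CFB_MAGIC)) + EQUATION_CLSID + b"\x00" * 0x40
    rtf = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + ole.hex().encode() + b"}}}"
    stream = zlib.compress(rtf)
    objects = {
        1: b"<< /Type /Catalog /Pages 2 0 R /OpenAction 9 0 R"
           b" /Names << /EmbeddedFiles << /Names [(quote1.doc) 4 0 R] >> >> >>",
        2: b"<< /Type /Pages /Kids [] /Count 0 >>",
        3: b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n" % len(stream)
           + stream + b"\nendstream",
        4: b"<< /Type /Filespec /F (quote1.doc) /EF << /F 3 0 R >> >>",
        9: b"<< /S /JavaScript /JS (this.exportDataObject({ cName: \"quote1.doc\", nLaunch: 2 });) >>",
    }
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in objects.items())
    return b"%PDF-1.7\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def get_object(pdf: bytes, num: int) -> bytes:
    """Body of object `num` between 'N 0 obj' and 'endobj' (no xref parsing; triage only)."""
    m = re.search(rb"(?<![0-9])%d\s+0\s+obj(.*?)endobj" % num, pdf, re.S)
    if not m:
        raise ValueError("object %d not found" % num)
    return m.group(1)


def read_literal_string(buf: bytes, start: int) -> bytes:
    """Read a PDF literal string at buf[start] == '(' honouring balanced parentheses and backslash escapes."""
    depth, i, out = 0, start, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":                       # keep escaped byte verbatim (good enough for JS triage)
            out += buf[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def analyze_pdf(pdf: bytes) -> dict:
    """/OpenAction -> JavaScript -> exported file name, then carve every /EmbeddedFile stream."""
    info = {"open_action": None, "js": None, "export_name": None, "launch": None, "embedded": []}
    m = re.search(rb"/OpenAction\s+(\d+)\s+0\s+R", pdf)
    if m:
        info["open_action"] = int(m.group(1))
        obj = get_object(pdf, info["open_action"])
        j = re.search(rb"/JS\s*\(", obj)
        if j:
            js = read_literal_string(obj, j.end() - 1).decode("latin-1")
            info["js"] = js
            e = re.search(r'exportDataObject\(\s*\{[^}]*?cName\s*:\s*"([^"]+)"[^}]*?nLaunch\s*:\s*(\d)', js)
            if e:
                info["export_name"], info["launch"] = e.group(1), int(e.group(2))
    # Objects whose dictionary declares /Type /EmbeddedFile; the tempered dot keeps the match inside one object.
    pat = rb"(\d+)\s+0\s+obj\s*(<<(?:(?!endobj).)*?/Type\s*/EmbeddedFile(?:(?!endobj).)*?>>)\s*stream\r?\n"
    for em in re.finditer(pat, pdf, re.S):
        num, dic = int(em.group(1)), em.group(2)
        ln = re.search(rb"/Length\s+(\d+)", dic)          # direct /Length only; indirect refs not handled
        if not ln:
            continue
        data = pdf[em.end(): em.end() + int(ln.group(1))]
        if b"/FlateDecode" in dic:
            data = zlib.decompress(data)
        info["embedded"].append({"obj": num, "is_rtf": data.startswith(b"{\\rtf"), "data": data})
    return info


def analyze_rtf(rtf: bytes) -> dict:
    """Decode the hex \\objdata blob, locate the OLE2 header and the Equation Editor CLSID relative to it."""
    out = {"has_objdata": False, "cfb_offset": -1, "equation_clsid_offset": -1}
    m = re.search(rb"\\objdata\s*([0-9A-Fa-f\s]+)", rtf)
    if not m:
        return out
    blob = bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode())
    out["has_objdata"] = True
    cfb, clsid = blob.find(CFB_MAGIC), blob.find(EQUATION_CLSID)
    out["cfb_offset"] = cfb
    out["equation_clsid_offset"] = clsid - cfb if cfb >= 0 and clsid >= 0 else -1
    return out


def analyze_chain(pdf: bytes) -> dict:
    """Full chain: PDF triage, then RTF/OLE triage of every embedded file that looks like RTF."""
    info = analyze_pdf(pdf)
    for emb in info["embedded"]:
        if emb["is_rtf"]:
            emb["rtf"] = analyze_rtf(emb["data"])
    return info


if __name__ == "__main__":
    r = analyze_chain(build_sample_pdf())
    print("OpenAction -> object", r["open_action"], "| exports", r["export_name"], "| nLaunch", r["launch"])
    for e in r["embedded"]:
        print("embedded object", e["obj"], "| RTF:", e["is_rtf"], "|", e.get("rtf"))
```

On a real sample, replace build_sample_pdf() with the file bytes; a non-negative equation_clsid_offset together with an RTF that arrived inside a PDF's /EmbeddedFile is the combination worth alerting on, while cfb_offset tells you how much OLE1 wrapper precedes the compound file.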
It is the same implementation as the one described at https://medium.com/@__fastcall/cve-2017-11882-rtf-44d671dc0fce
This infection chain has already been described by Talos: https://blog.talosintelligence.com/2018/06/my-little-formbook.html?m=1