Earlier today Microsoft released a security advisory alerting about a new Microsoft Office vulnerability being exploited in the wild. The vulnerability affects Office 2003/2007, and Office 2010 only when running on Windows XP/2003.

The vulnerability is related to the parsing of TIFF images, and Microsoft released a FixIt that basically blocks the rendering of TIFF images on the system.

The exploit we have analyzed uses ROP gadgets and ActiveX controls to heap spray memory (instead of Flash).

If the exploit is successful it uses URLDownloadToFileA to download and execute a payload from a remote HTTP server.

The downloaded payload is a RAR file containing both a malicious payload and a lure Office document that is shown to the victim.

We have found different payloads talking to the same C&C server that use different lure documents. Some of the lure documents are related to the Pakistani intelligence service (Inter-Services Intelligence, or ISI) and the Pakistani military.

This payload communicates with the C&C server using the HTTP protocol:

GET /logitech/rt.php?cn=XXXXX@Administrator&str=&file=no HTTP/1.1

User-Agent: WinInetGet/0.1

When we saw this traffic we realized it was familiar. In fact the same protocol was used by one of the Operation Hangover payloads. We can confirm that the downloader is based on the Deksila downloader, not only because it generates similar HTTP traffic but also because of the way it retrieves information from the system and even the raw strings shared by both payloads.

The presence of the following files can be used to find systems infected by different versions of the downloader:

C:\Documents and Settings\<username>\Temp\iconfall.log

C:\Documents and Settings\<username>\HddLink.lnk

C:\Documents and Settings\<username>\Updates.exe

C:\Documents and Settings\<username>\wincert.exe

C:\Documents and Settings\<username>\kayani.doc

C:\Documents and Settings\<username>\Shanti.doc

C:\Documents and Settings\<username>\Locations.doc

C:\Documents and Settings\<username>\ISI.doc

C:\Documents and Settings\<username>\GoodLuck.doc

C:\cdata.txt

Based on the victim information we could retrieve from the C&C server, we can confirm that most of the IP addresses communicating with the C&C server are located in Pakistan.

When the infected system checks in to the C&C server, a file is created with the following content:

User : [USERNAME]

IP : [IP_ADDRESS]

AV : [NAME_OF_ANTIVIRUS_SOLUTION]

The attackers are able to send other payloads to the infected systems (2nd stage) that are downloaded by the victims using HTTP requests. Based on the C&C information we collected this is the list of unique filenames that are being used to download 2nd stage payloads:

alg.exe

connhost.exe

lgfxsrc.exe

lgfxsrv.exe

lgfxsrvc.exe

msctcd.exe

svchost.exe

taskmgr.exe

taskngr.exe

waulct.exe

wimhost.exe

winlog.exe

winlogon.exe

winnit.exe

winsoun.exe

winword.exe

wmpi.exe

wsqmocn.exe

And the list of unique md5s:


Of all the payloads we retrieved from the C&C, the following had already been uploaded to VirusTotal. Note the low antivirus detection rate (engines detecting / engines total):

fd75a23d8b3345e550c4a9bbc6dd2a0e 1 / 47

6a57cda67939806359a03a86fd0eabc2 1 / 47

4e878b13459f652a99168aad2dce7c9a 1 / 47

2ed6a6c349cae3842023d83c6b1ed1c5 0 / 47

Following is a description of the different payloads we found on the C&C, intended to help you build IOCs (Indicators of Compromise) and detect infected systems.

Main Downloader

Network traffic

It performs HTTP GET requests; some examples are:

/logitech/rt.php?cn=xx@<username>&str=&file=no

/green/srt.php?cn=xx@<username>&str=&file=no

/funbox/rt.php?cn=<MACHINE_NAME>@<USER>&str=&file=no

/joy/rt.php?cn=<MACHINE_NAME>@<USER>&str=&file=no

You can look for the pattern "&str=&file=no" in your proxy logs to find infected systems.

Yara rule:

rule Hangover2_Downloader
{
    strings:
        $a = "WinInetGet/0.1" wide ascii
        $b = "Excep while up" wide ascii
        $c = "&file=" wide ascii
        $d = "&str=" wide ascii
        $e = "?cn=" wide ascii
    condition:
        all of them
}

File stealer

It looks for the following file types on the infected system and exfiltrates them to the C&C server:

xls,xlsx

doc,docx

ppt,pptx

pdf

txt

Network traffic

It performs POST requests; some examples are:

POST /crks.php HTTP/1.1
Content-Length: 44
Content-Type: application/x-www-form-urlencoded
User-Agent: MyWebClient
Host: xxx
Connection: Keep-Alive

POST /drkl.php HTTP/1.1
Content-Length: 44
Content-Type: application/x-www-form-urlencoded
User-Agent: MyWebClient
Host: xxx
Connection: Keep-Alive

POST /max.php HTTP/1.1
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
User-Agent: MyWebClient
Host: xxx
Connection: Keep-Alive

You can look for HTTP connections with the User-Agent "MyWebClient".

Yara rule:

rule Hangover2_stealer
{
    strings:
        $a = "MyWebClient" wide ascii
        $b = "Location: {[0-9]+}" wide ascii
        $c = "[%s]:[C-%s]:[A-%s]:[W-%s]:[S-%d]" wide ascii
    condition:
        all of them
}
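The two HTTP indicators above (the downloader's "?cn=...&str=&file=no" GET pattern and the file stealer's "MyWebClient" POSTs) can be checked against proxy logs with a small script. The following is an added example, not code from the original post: it assumes a simple constructed log layout of "timestamp client_ip method url "user-agent"" per line, and the host name cnc-host.example is a placeholder.

```python
import re
from typing import List, NamedTuple, Optional
# Indicators taken from the network-traffic descriptions of the downloader and the stealer.
DOWNLOADER_QUERY = "&str=&file=no"   # tail of the downloader's GET query string
DOWNLOADER_CN = "?cn="               # <MACHINE_NAME>@<USER> parameter that precedes it
DOWNLOADER_UA = "WinInetGet/0.1"     # User-Agent of the downloader's GET requests
STEALER_UA = "MyWebClient"           # User-Agent of the file stealer's POST requests
# Assumed (constructed) log layout: <timestamp> <client_ip> <method> <url> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# Constructed sample log; cnc-host.example is a placeholder for a C&C host.
SAMPLE_LOG = """\
2013-11-05T10:01:02Z 10.0.0.12 GET http://cnc-host.example/logitech/rt.php?cn=WS01@Administrator&str=&file=no "WinInetGet/0.1"
2013-11-05T10:01:09Z 10.0.0.40 GET http://intranet.example/report.php?id=7&file=no "Mozilla/5.0"
2013-11-05T10:02:11Z 10.0.0.27 POST http://cnc-host.example/crks.php "MyWebClient"
2013-11-05T10:03:30Z 10.0.0.12 GET http://cnc-host.example/green/srt.php?cn=WS01@Administrator&str=&file=no "WinInetGet/0.1"
2013-11-05T10:04:00Z 10.0.0.55 GET http://www.example.org/index.html "Mozilla/5.0"
"""

class Hit(NamedTuple):
    line_no: int
    client_ip: str
    indicator: str

def classify(method: str, url: str, user_agent: str) -> Optional[str]:
    """Name the indicator a request matches, or None if it looks clean."""
    # Require both ?cn= and the exact "&str=&file=no" tail so an unrelated "&file=no" does not fire.
    if DOWNLOADER_CN in url and url.endswith(DOWNLOADER_QUERY):
        return "hangover2_downloader_url"
    if user_agent == DOWNLOADER_UA:
        return "hangover2_downloader_ua"
    if method == "POST" and user_agent == STEALER_UA:
        return "hangover2_stealer_ua"
    return None

def scan_proxy_log(text: str) -> List[Hit]:
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed layout; skip it
        _ts, client_ip, method, url, user_agent = m.groups()
        indicator = classify(method, url, user_agent)
        if indicator:
            hits.append(Hit(n, client_ip, indicator))
    return hits

def infected_hosts(hits: List[Hit]) -> List[str]:
    return sorted({h.client_ip for h in hits})  # distinct client IPs to triage
```

Running scan_proxy_log(SAMPLE_LOG) flags lines 1, 3 and 4 and leaves the intranet request with a lone "&file=no" parameter alone.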

Remote shell backdoor

Network traffic

This payload is a remote shell backdoor that uses a binary protocol on port 5858. Example traffic:

T VICTIM:1050 -> C&C:5858 [A]
FHEPF
#

T VICTIM:5858 -> C&C:1050 [AP]
Pass
#

T VICTIM:1050 -> C&C:5858 [AP]
Authjanettedoe @ [MACHINE_NAME]#/[OPERATING_SYSTEM]#/[IP_ADDRESS]#/

Yara rule:

rule Hangover2_backdoor_shell
{
    strings:
        $a = "Shell started at: " wide ascii
        $b = "Shell closed at: " wide ascii
        $c = "Shell is already closed!" wide ascii
        $d = "Shell is not Running!" wide ascii
    condition:
        all of them
}

You can also look for the creation of the following registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinLstart

Keylogger

This payload installs global keyboard hooks to capture keystrokes.

Yara rule:

rule Hangover2_Keylogger
{
    strings:
        $a = "iconfall" wide ascii
        $b = "/c ipconfig /all > \"" wide ascii
        $c = "Global\\{CHKAJESKRB9-35NA7-94Y436G37KGT}" wide ascii
    condition:
        all of them
}

Schneebly (Screenshot payload)

This payload takes screenshots and uploads them to the C&C server.

Network traffic

Example traffic:

The Yara rules can be downloaded from our github repository.

Finally this is the list of IP addresses and domain names that are being used by the attackers to host C&C servers and malicious payloads:


We will continue publishing more information about the Microsoft Office 0-day and more IOCs as soon as we discover new data.