Let’s Learn (DIY): Sophisticated Cobalt Strike Gang’s CVE-2017-0199 Loader

Goal: Reverse the first stage loader RTF CVE-2017-0199 loader used by Cobalt Strike gang targeting Russian-speaking financial institutions. This loader’s been seen in conjunction with the Microsoft Word Intruder 8.0.
Source@xdxdxdxdoa
Tool: rtfdump 0.5, ILspy
CVE-2017-0199: Exploit that allows “remote attackers to execute arbitrary code via a crafted document, aka “Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API” [source].
Observed unique filename:

  • Пеня по задолженности.doc -> “Debt collection notification.doc” (from Russian to English)
  • Заявление на расторжение договора.doc -> “Application for contract closure.doc” (from Russian to English)

SHA-256: c5d7c5c94468ba74211e08d7c2ad9d0274011d432edc1af8cdf2215b2c9d9291
Type
  • Rich Text Format (CVE-2017-0199 exploit) 
  • Objects OLE embedded (Package)
  • OLE Autolink (Package)

Here are the steps:
  • I. Command: python2.7 rtfdump.py file.rtf


  • II. Command: python2.7 rtfdump.py -f O file.rtf
OLE 1.0 objects embedded within this RTF file with the “-f O” command
  • III. Command: python2.7 rtfdump.py -s 8 file.rtf | more (on the 8 field found in the previous step)
The section 01050000 02000000 indicates an OLE 1.0 object. As the line starts with 9f330500 contains an OLE file.

With option -H, we can convert the hexadecimal characters to binary:

  • IV. Command: python2.7 rtfdump.py -s 8 -H file.rtf 

With option -i, we can obtain more information about the binary (embedded object):
    • V. Command: python2.7 rtfdump.py -s 8 -H -i file.rtf 

    Name: ‘Package\x00’ Position embedded: 00000020 Size embedded: 0005339f md5: a9039264caf3285bf968849bf84ad951 magic: 02007e57

    With option -E, we can extract the embedded object:

    • VI. Command: python2.7 rtfdump.py -s 8 -H -E -d file.rtf > binary.exe

    The payload is written in Microsoft Visual C# / Basic .NET titled “ExecPS.” Using ILspy, we decompile the embedded binary. The embedded binary has a PDF icon and an internal name as “ExecPS[.]exe.”



    Checks for Dr. Web anti-virus process and breaks if they exist.
    • ProcessName = “dwengine” || “spidergate” || “spidernt” | “spideragent”
    Moreover, the embedded binary is digitally signed by “Elektro, OOO” from Nizhni Novgorod, Russia.

    • CN = Elektro, OOO
    • O = Elektro, OOO
    • STREET = d. 13 kv. 11, prospekt Soyuzny
    • L = Nizhni Novgorod
    • S = Nizhegorodskaya oblast
    • PostalCode = 603040
    • C = RU

    p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px ‘Andale Mono’; color: #28fe14; background-color: #000000; background-color: rgba(0, 0, 0, 0.9)} span.s1 {font-variant-ligatures: no-common-ligatures} p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px ‘Andale Mono’; color: #28fe14; background-color: #000000; background-color: rgba(0, 0, 0, 0.9)} span.s1 {font-variant-ligatures: no-common-ligatures} p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px ‘Andale Mono’; color: #28fe14; background-color: #000000; background-color: rgba(0, 0, 0, 0.9)} span.s1 {font-variant-ligatures: no-common-ligatures}

    p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 8.5px Helvetica}

    Leave a Reply

    Fill in your details below or click an icon to log in:

    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out /  Change )

    Google photo

    You are commenting using your Google account. Log Out /  Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out /  Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out /  Change )

    Connecting to %s