Meni Farjon

by Meni Farjon

Chief Scientist for Advanced Threat Detection

Posted Mar 05, 2019

The latest from Mimecast Research Labs.

GettyImages-868363098.jpg

Summary

In the last few months, the Mimecast Research Labs team has seen several unique variants of Microsoft Office Word exploits, more specifically combining the previously-patched memory corruption issue CVE-2017-11882 (AKA the Equation Editor Exploit), with another issue to amplify the attack and make it go undetected. These exploits were chaining what we believed to be an unfixed vulnerability in the Object Linking and Embedding (OLE) file format and the way it’s handled in Microsoft Office Word.

Our detection engines spotted an attacker group, which seems to originate from Serbia, using specially-crafted Microsoft Word documents to take advantage of how Microsoft Word handles Integer Overflow errors in the OLE file format. The group was able to exploit this bug to circumvent many security solutions designed to protect data from infestation, including leading sandbox and anti-malware technologies.

We reached out to Microsoft when we discovered this issue, following Coordinated Vulnerability Disclosure (CVD) and with a working proof-of-concept (POC). Microsoft acknowledged it was unintended behavior, but declined to release a security patch at this time, as the issue on its own does not result in memory corruption or code execution. The issue may be fixed at a later date. You can find the timeline of our correspondence below.

Get articles like this delivered to your inbox every week. Subscribe to Cyber Resilience Insights today.

In this article, we would like to share how we found a bug in OLE32.dll incorrectly handles Integer Overflow and is used to bypass security solutions and fool parsers.

Technical Analysis

According to the format specifications for the Compound File Binary File Format, the OLE stream header contains a table called DIFAT (double-indirect file allocation table) that is an array of numbers. Each sector has an ID, which can be any 32-bit, unsigned number under 0xFFFFFFA. The DIFAT table contains all the section IDs and some special numbers. To access the sector N in the table, it’s offset computed using the following formula: sector size * (sector ID + 1), when sector ID is DIFAT[N].

The relevant parts [Pages 15-20] from the official spec are presented below:

Equation Image 1.pngEquation Image 2.pngEquation Image 3.pngEquation Image 4.png

Equation Image 5.pngIt seems that when a big sector ID exists, the formula mentioned above leads to an integer-overflow that results in a relatively small offset. The following screenshots show the code snippets that cause the overflow.

Equation Image 6.pngEquation Image 7.png

Section size is 512, and the first sector ID is 0xFF000000. Let’s apply the above formula (as in the official specification): (0xFF000000+1) * 512 = 2190433321472, or 0x1fe00000200 in hex. 

Because the result is more than 32 bits (integer overflow), only the lowest 32 bits will be the product when the code above performs the calculation. In other words, the calculated offset will be 0x200 = 512, as can be seen in the following debug screenshot.

Equation Image 8.png

This result makes sense because it points just after the header, which is the natural place for the first section.

This behavior is not documented by Microsoft in the format specifications, but it can confuse high-level parsers, which will not notice the overflow. The calculation results will also point to an impossible offset, which will lead to, in the best-case scenario, ignoring the section containing the exploit, or in the worst-case scenario result in a crash.

In one case we examined using this vulnerability in OLE, the attacks consisted of exploiting CVE-2017-11882 with an Equation stream defined inside an OLE object with an overflowed sector ID, as described above, causing the object containing the exploit and shellcode to go unextracted and therefore undetected by security solutions. When the Equation Editor Exploit is chained with this integer overflow, Microsoft Office Word mishandles the error as it ignores the higher bytes of the OLE sector ID and loads the malicious object (CVE-2017-11882) into memory while not following the correct guidelines.

In the case we examined, the attack dropped a new variant of Java JACKSBOT, a remote access backdoor that could only be active or infect its target if Java was installed. JACKSBOT is capable of taking complete control of the compromised system. Malware code reveals that it is capable of visiting URLs, creating files and/or folders, running shell commands, and executing and ending programs. It can also steal information by logging keystrokes and mouse events.

JACKSBOT’s General Capabilities:

  • Collect keystrokes
  • Steal cached passwords and grab data from web forms
  • Take screenshots
  • Take pictures and record video from a webcam
  • Record sound from the microphone
  • Transfer files
  • Collect general system and user information
  • Steal keys for cryptocurrency wallets
  • Manage SMS (for Android)
  • Steals VPN certificates

The following table lists indicators of compromise (IoC) such as hashes of files and command-and-control servers used by JACKSBOT.

Description

IOC Type

IOC

Document

Sha256

d5df2386a2a405a9d664d4b423a8a

9d31e8288b1202a82977dae445a9a6526cd

Dropped hta

Sha256

A7AC436359CB8F5E6A5B8B59DDB7C5

E9F56D88882F52B031EB50E6A8F47599A7

Dropped jar (1)

Sha256

9F64401359151AD1E3EB7B52C91291

CB7FA2F1D591FD3DF7E995F9D41B55FAAD

Dropped jar (2)

Sha256

D808B528489EDF4F26B40676253EF

9CA7827EC7227BC0BB3F86C3F06625B70EA

Dropped vbs

Sha256

CCD30B0C19B9AA21EC79E3234A9FE5

79540EDC110527DBF07D4935AF20439BA5

Malware Names

File Name

Presh.jar,pr.hta,mtfsmgr.jar,gvxfatoymt.vbs

C&C

IP

184.117.72.28

C&C

URL

Hxxp://etnografskimuzej.rs/presh.jar

C&C

IP

46.183.221.12

C&C

URL

isajra52ali20loggm.duckdns.org

Malware installation path

Path

C:\Users\USERNAME\AppData\Roaming\ntfsmgr.jar

C:\Users\USERNAME\AppData\Local\Temp\presh.jar

C&C Dropper

URL

http://anvietpro.com/pr.hta

AutoStart Path

Registry Key

Key:HKCU\Software\Microsoft\Windows

\CurrentVersion\Run

Value: ntfsmgr

Data: "C:\Program Files\Java\jre1.8.0_144

\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\ntfsmgr.jar"

Conclusion

Mimecast Targeted Threat Protection was able to detect the samples described in this report as it does not rely on structured format specifications to determine malfeasance. The code detection engine can easily read through unstructured or even entirely “broken” files to detect malicious code no matter how deeply buried or obfuscated in any given file format. The engine was designed with an “attack focused” methodology, where the engine does not “trust” any given file format and does not “follow” RFC or Format Guidelines. Instead, the engine goes byte-by-byte, trying every possible technique to decode, decrypt and de-obfuscate attack code.

Equation Image 9.png

Mimecast detects machine code (x86) in the file

Disclosure Timeline

  • May 15, 2018 – Reached out to Microsoft Security Response Center (MSRC) with information + working POC.
  • May 16, 2018 – Case opened MSRC Case 45367.
  • May 17, 2018 – MSRC responds that Microsoft will not be fixing this behavior with a security patch, as the issue by itself does not result in memory corruption and doesn't meet the security bar.
  • May 18, 2018 – As per CVD, Microsoft allows the publishing of this article.

Want more great articles like this?Subscribe to our blog.

Get all the latest news, tips and articles delivered right to your inbox

Meni Farjon

by Meni Farjon

Chief Scientist for Advanced Threat Detection

Posted Mar 05, 2019

You may also like:

GandCrab Ransomware Attacks Exploit Valentine’s Day Weaknesses

This Valentine’s Day, your big hea…

This Valentine’s Day, your big heart could get you in … Read More >

Joshua Douglas

by Joshua Douglas

VP, Threat Intelligence

Posted Feb 14, 2019

Mimecast Discovers Microsoft Office Product Vulnerability CVE-2019-056…

Understand the security implications of …

Understand the security implications of the latest patched M… Read More >

Matthew Gardiner

by Matthew Gardiner

Director of Enterprise Security Campaigns

Posted Jan 08, 2019

Threat Intelligence for the 99 Percent - Part 1: Explaining the Issue

Cyber threat intelligence isn’t ju…

Cyber threat intelligence isn’t just for the 1%. If y… Read More >

Marc French

by Marc French

Senior Vice President & Chief Trust Officer

Posted Jan 01, 2019