<h1>(學習用途,不完整請見諒)</h1>
# CVE-2017-0199 & FormBook
## 甚麼是 CVE-2017-0199
根據NVD的解釋
> **Descrption**
> Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad <font color="red">Remote Code Execution</font> Vulnerability w/Windows API."
這個漏洞被廣泛應用在docx也就是word檔上面,不過今天分析的是xls檔案,我就深入的查詢了一下根據exploit-db的解釋
> **Description:**
> MS Excel contains a remote code execution vulnerability upon processing OLE objects. Although this is a different issue from the MS Word HTA execution vulnerability, it has been patched together, 'silently'. By performing some tests from the Word HTA PoC posted on exploit-db[dot]com, it´s possible to exploit it through Excel too, however the target would need to either accept a security warning regarding external links or double click inside the Excel window, same applies for Powerpoint, so I guess this is the reason, Word caught the attention and no exploit PoC was made available to other Office apps.
簡單來說相比docx,excel檔更容易失敗因為這需要使用者開啟檔案後再去手動點擊,docx只需要使用者開啟檔案就好。
## 初始文件
**SHA256:038d0ee833348e46fbf0a8d441e083eff03f417f919bdff5938442a9123e675c
MD5:e8507b651098c60f782713d89592b0bb**
用oledump可以看到有個網址,這個檔案就是攻擊的下個階段,有趣的是在我分析doc檔案時,並沒有看到任何有關hta的資訊,反而看到攻擊者使用另一個漏洞,這邊猜測攻擊者最終應該是想使用CVE-2017-11882這個漏洞達成RCE(Remote Code Execution)來增加惡意程式的複雜度
攻擊者利用2017-11882來下載conhost.exe,為了節省篇幅這邊不繼續深入這個shellcode,我們只需要知道conhost.exe是下一階段的攻擊,下載下來的conhost.exe原名為mWxW.exe,並且跟我之前分析過的AgentTesla使用的可能是同個loader,都是通過動態載入多個dll的方式最後執行惡意程式的主體(FormBook),從下圖可以看到這個attendant.dll就是loader中的其中一環,最後可以看到又是熟悉的Tyrone.dll
Stage : malicious.xls --> x...x...x...x.doc(equation cve) --> conhost.exe --> attendant.dll --> gamma.dll --> Tyrone.dll(process hollowing) --> payload
## Loader
在稍微分析過後發現那些static fields代表著各式各樣的服務跟之前碰見的loader很相似可能都是因為loader採用MaaS的方式出售,而這些fields就代表著客戶可以自訂功能,有檢查重複感染、還有透過Sleep()躲過sandbox的、WebDownload....etc,這裡順帶一提time evasion中有一個string_3的static field目前還不清楚那是幹嘛的,只知道裡面存放很多資訊而其中一個是睡眠的秒數還有一個是x86,我猜應該是紀錄電腦的部分重要資訊跟惡意程式需要用到的東西,後續在loader中沒有看到額外的資訊不過仔細觀察了欄位發現絕大多數都是用來代表啟用的服務只有少數是字串。
## Persistance
Persistance是透過schtask.exe(工作排程)這個應用程式來做自啟動
## Payload(Formbook)
在Tyrone dll中發現dll把payload用process hollowing的方式執行payload,MSBuild就是我們這次的受害者
<font color=red>**在分析payload之前,得先知道這個payload的開頭維護了一個非常龐大的structure,這個structure會在後續的惡意程式中頻繁的被使用到**</font>
## Anti-Debug Analysis
我們可以看到目前有4個anti debug的function我們先來看BlackListedProcess的部分
### BlackListedProcess
根據我們解密出來的buffer這個function在搜尋一些在惡意程式分析中常被用到的exe來判斷是不是在虛擬環境裡面或是正在被分析
https://gist.github.com/82467193/22b64a0b26494bd0c15ce09f2d55b316
> 79 0x3ebe9086 vmwareuser.exe
80 0x4c6fddb5 vmwareservice.exe
81 0x276db13e vboxservice.exe
82 0xe00f0a8e vboxtray.exe
83 0x85cf9404 sandboxiedcomlaunch.exe
84 0xb2248784 sandboxierpcss.exe
85 0xcdc7e023 procmon.exe
86 0x11f5f50 filemon.exe
87 0x1dd4bc1c wireshark.exe
88 0x8235fce2 netmon.exe
89 0x21b17672 prl_tools_service.exe
90 0xbba64d93 prl_tools.exe
91 0x2f0ee0d8 prl_cc.exe
92 0x9cb95240 sharedintapp.exe
93 0x28c21e3f vmtoolsd.exe
94 0x9347ac57 vmsrvc.exe
95 0x9d9522dc vmusrvc.exe
96 0x911bc70e python.exe
97 0x74443db9 perl.exe
98 0xf04c1aa9 regmon.exe
這邊還有一個要注意的地方是如果我們在debug中直接修改flag的狀態的話,那程式跑到後面一樣會跳掉因為在白框的部分做了某種解密或是其他動作,後面會校驗這個值如果不對的話就會exit
### Module Dectect
該function在查詢image name,根據其他份報告猜測此function應該是在某些sandbox裡會先做更名的動作,所以此function在查詢特定的image name
### Search BlackListed Path
>99 0x6484bcb5 \cuckoo\\
100 0x11fc2f72 \sandcastle\\
101 0x2b44324f \aswsnx\\
102 0x9d70beea \sandbox\\
103 0x59adf952 \smpdir\\
104 0x172ac7b4 \samroot\\
105 0x5d4b4e66 \avctestsuite\\
### Search BlackListed User Name
>106 0xed297eae cuckoo
107 0xa88492a6 sandbox-
108 0xb21b057c nmsdbox-
109 0x70f35767 xxxx-ox-
110 0xb6f4d5a8 cwsx-
111 0x67cea859 wilbert-sc
112 0xc1626bff xpamast-sc
### Check Flag Group
我們在上面就有提過每個anti analysis的function在確定不存在某些分析工具或環境時,就會更改flag group中的flag,並且對buffer中的部分data作解密
## Behavior analysis(Focus on how the malware actually harm the victims)
Formbook的本體實際上是這樣運作的,以下是fortinet提供的流程圖
來解釋一下上述的流程圖,AddInProcess32.exe是payload.exe(最初檔案)會透過explorer.exe來生成我們的windows process在我的例子中是chkdsk.exe,再來會透過chkdsk.exe對特定的target process 來做注入,注入的時候會連帶創建一個shared section是用來共享數據的,會創建一堆的ini檔案跟1個screenshot,最後再透過explorer.exe來送出資料到C2 Server。
上面這張圖GetSw() == 2的是Target Process被注入這段程式碼後執行特定動作的地方,例如:chrome.exe 、 firefox.exe etc
### Keylogger
MessageHandle的部分只有對按鍵輸入跟滑鼠做監聽而已,監聽到的內容則會透過一個共享section來分享並執行對應的操作,如下圖
Windows Process(chkdsk.exe)負責寫入監聽到的數據explorer.exe則負責Traverse所有.ini並送到C2 Server
### Persistance
### C2
根據fortinet提供的報告這些C2命令分別為:
命令「1」(0x31):
FormBook 從解密的命令數據中提取一個 PE 檔,其名稱在 「%Temp%」 下有一個隨機名稱,並通過調用 API ShellExecuteA() 來運行它。
命令「2」(0x32):
此命令用於在受害人的裝置上升級 FormBook。它調用命令 「3」 的函數來卸載 FormBook。然後,將可執行檔從解密的數據包中提取到“%Temp% 資料夾中,並通過調用 CreateProcessInternalW() 執行。它最終退出在 Windows 進程中運行的當前 FormBook 實例(如 ipconfig.exe)。
命令「3」(0x33):
此命令從受害者的設備中卸載當前版本的 FormBook。為此,它會終止運行 FormBook 實例的Explorer.exe進程,通過調用 API NtDeleteValueKey() 從系統註冊表中的自動運行中刪除該專案,刪除 FormBook 可執行檔(在本例中為“C:\Program Files\X6l0\update9rq.exe”),並最終退出注入當前 FormBook 實例的 Windows 行程(如 ipconfig.exe)。
命令「4」(0x34):
此命令調用 API ShellExecuteA() 以從解密的數據包執行給定命令。
命令「5」(0x35):
命令 5 刪除檔“.sqltie”和“Cookies”,並搜索三個主要的用戶數據路徑。
命令「6」(0x36)和7(0x37):
此命令使用參數 EWX_POWEROFF(命令 7)或 EWX_REBOOT(命令 6)調用 API ExitWindowsEx(),以關閉或重新啟動受害者的設備。
命令「8」(0x38):
這要求 FormBook 將自己添加到自動運行組中,將所有被盜數據(包括鍵盤記錄器、剪貼板中的數據以及來自瀏覽器、電子郵件用戶端等的憑據)發送到 C2 伺服器。
命令「9」(0x39):
此命令將 ZIP 檔從解密數據包的開頭提取出來,直到將魔術代碼「FBNG」提取到 %Temp% 資料夾下的 {random name}.zip 檔中。然後,它會將其解壓縮到同一資料夾。它可能與命令 4 一起使用,在命令 4 中,它執行命令行來執行解壓縮的檔。
# IOC
Main object - payload.exe
md5 7eeff27dc59b2adebd7d4ec070261299
sha1 76ba5da31aaf88f6d6aea182bdbe67b86a742564
sha256 0dcaa1f7eed9efdd47ef971981c060a8e3df2792b77dd1ba65cc61140e390b9a
DNS requests
domain: dns.msftncsi.com
domain: www.ynec0p.icu
Connections
ip 43.132.150.85
ip 224.0.0.252
# MalConfg
{
<font color=red>"C2"</font>: "www.jingumashop.site/cg86/",
<font color=red>"Strings"</font>: [
"USERNAME",
"LOCALAPPDATA",
"USERPROFILE",
"APPDATA",
"TEMP",
"ProgramFiles",
"CommonProgramFiles",
"ALLUSERSPROFILE",
"/c copy \"",
"/c del \"",
"\\Run",
"\\Policies",
"\\Explorer",
"\\Registry\\User",
"\\Registry\\Machine",
"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
"Office\\15.0\\Outlook\\Profiles\\Outlook\\",
" NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\",
"\\SOFTWARE\\Mozilla\\Mozilla ",
"\\Mozilla",
"Username: ",
"Password: ",
"formSubmitURL",
"usernameField",
"encryptedUsername",
"encryptedPassword",
"\\logins.json",
"\\signons.sqlite",
"\\Microsoft\\Vault\\",
"SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins",
"\\Google\\Chrome\\User Data\\Default\\Login Data",
"SELECT origin_url, username_value, password_value FROM logins",
".exe",
".com",
".scr",
".pif",
".cmd",
".bat",
"ms",
"win",
"gdi",
"mfc",
"vga",
"igfx",
"user",
"help",
"config",
"update",
"regsvc",
"chkdsk",
"systray",
"audiodg",
"certmgr",
"autochk",
"taskhost",
"colorcpl",
"services",
"IconCache",
"ThumbCache",
"Cookies",
"SeDebugPrivilege",
"SeShutdownPrivilege",
"\\BaseNamedObjects",
"config.php",
"POST ",
" HTTP/1.1\r\n",
"Host: ",
"\r\nConnection: close\r\n",
"Content-Length: ",
"\r\nCache-Control: no-cache\r\n",
"Origin: http://",
"\r\nUser-Agent: Mozilla Firefox/4.0",
"\r\nContent-Type: application/x-www-form-urlencoded\r\n",
"Accept: */*\r\n",
"Referer: http://",
"\r\nAccept-Language: en-US",
"\r\nAccept-Encoding: gzip, deflate\r\n\r\ndat=",
"f-start",
"f-end"
],
<font color=red>"Decoy C2"</font>: [
"cerapoxy.net",
"ultradronexi.com",
"beshealtahub.shop",
"showmethetee.com",
"bixtrack.com",
"yunosave.site",
"rtppedro77.com",
"vxscnb.cfd",
"joshtalkhindi.com",
"sarma.dev",
"valuationauto.com",
"bankruptcymindebitfaster.store",
"zingymart.store",
"w8vip.net",
"munch-o-las.com",
"evolvewithsarahcoaching.com",
"hgygfrr.store",
"y6732cn.cfd",
"steancomunnyty.online",
"huz7r4a6so.com",
"linktotechnologies.com",
"passiveprofitshomemadehappy.com",
"smackedcalculated.xyz",
"emouddkb.asia",
"naplesbusinessjournal.com",
"tomaszpolak.com",
"skoda-quangninh.com",
"bakhouse.online",
"tengahmalam.cloud",
"lushengta.top",
"pekunia-wallet.com",
"genaidashboard.com",
"gov314.com",
"pmoclinic.com",
"ck6rmd.top",
"torrado.net",
"tradeprorecorder.com",
"safe8-telegram.com",
"ynec0p.icu",
"dssd.site",
"tttt2001tttt.xyz",
"tailboost.xyz",
"bestdailycash.com",
"03c.lat",
"ev520.xyz",
"thinkdisabled.com",
"vpower777usa.online",
"animal-s.com",
"blyrsl.cfd",
"wwwprevailglobal.store",
"asmcirujanos.com",
"techusd.com",
"vrmxx.com",
"soundmoneymiles.com",
"guoyao769.com",
"candisource.com",
"gmyifeng.com",
"luxurymakeupandcosmetics.com",
"jouet-plaisir.com",
"chromer1987.top",
"mmzdjm.com",
"ss031.bio",
"genevaholdingsinc.com",
"electronichealthrecord.app"
]
}
# References
https://www.anquanke.com/post/id/85873
https://www.exploit-db.com/exploits/42995
https://www.anquanke.com/post/id/85873
https://www.stormshield.com/news/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-in-phishing-campaign-part-iii
Sign in with Wallet
Connect another wallet