Threat Analysis Unit - Threat Intelligence Notification
Title: TAU-TIN - NanoCore - Old Malware, New Tricks!
Summary
In analyzing the stream of raw emails seen in the wild, TAU discovered a campaign that at first appeared to be a fairly standard spear-phishing attack. The email contained a Word document carrying an exploit for CVE-2017-11882, a vulnerability that allows Microsoft Office documents to run arbitrary code. This exploit is nothing new; Microsoft released a patch for it in late 2017. The CVE is a memory corruption issue in the Equation Editor found in certain versions of Microsoft Office, and successful exploitation can lead to remote code execution on a vulnerable system. We continued the investigation by pivoting on this particular Word document and discovered ten recent, similar Word documents submitted to VirusTotal a total of 17 times within a four-day period in February. Of the seventeen submissions, the majority came from Italy, the Czech Republic, Germany, Ukraine, the United Kingdom and Austria; two were submitted from the U.S., and one from the United Arab Emirates.
Behavioral Summary
While this attack is based upon a malicious Word document, we can see the attack behavior take place using legitimate Windows applications such as the Office Equation Editor, an application used to generate complex mathematical equations. Equation Editor has a well-known vulnerability that is used in this instance to reach out to multiple online sites to download additional payloads. This behavior is tracked, as shown in the process tree below. The overall characteristics of the attack are also notable based upon the various TTPs used, also shown below in the alert summary.
Details
When the email attachment is opened, the Equation Editor process (Eqnedt32.exe) spawns under svchost.exe, signifying successful execution of the exploit embedded in the Word document. It then immediately calls out to a remote web address, hxxp://sunrypero.cf, and downloads a JPG file called 1126rjduu76.jpg. (At the time this sample was detonated, this domain name was live. The domain had been registered with Freenom and used the top-level domain “.cf”, which was originally created for use by the Central African Republic.) The sunrypero.cf domain hosted a Word document and two files with a .jpg extension; the supposed JPG files were in fact found to be PE files.
Once the JPG file is downloaded, it is saved into the user's %temp% folder as “tryui.exe”. The icon for this file is shown below.
Oddly, the actor(s) didn't include any error handling in their code, so if an HTTP request cannot be established, the error message box (shown below) is displayed shortly after the Word document is opened.
A quick glance at the tryui.exe file returned the following string, which pertains to the software known as AutoHotKey, version 1.1.23.00.
Taken from their website, “AutoHotkey is a free, open-source scripting language for Windows that allows users to easily create small to complex scripts for all kinds of tasks such as: form fillers, auto-clicking, macros, etc”.
Malware that abuses AutoHotKey isn't a new concept, and a quick search returned a tool written by Amit Serper called ahk-dumper. This tool essentially dumps out the script from the RDATA section of the PE file. When run against the tryui.exe file it produced 143 lines of code (thank you Amit!). The code can be broken down into the following pieces:
- Uses RegExReplace to hide the string “CallWindowProc” used by “User32.dll”
- Uses RegExReplace to hide the string holding a hard-coded path for the Microsoft Regasm utility at “C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe”
- Uses “InternetGetConnectedState” from “wininet.dll” to check that a network connection is available, otherwise sleeps for 1 second and retries
- Creates a COM object using “WinHttpRequest.5.1” in order to get the payload found at either hxxps://share.dmca.gripe/bNdw3tI5XtihAdic.jpg or hxxps://paste.ee/r/KyH5C
- Copies the downloaded file(s) into the user's %Temp% folder
- Creates a file shortcut in the Startup folder, and sets its file attributes to System, Hidden, ReadOnly
The last part is the base64 decoding routine, which uses a combination of the RegExReplace and Flip functions. The Flip function simply reverses the order of the given string, and LTrim and RTrim strip characters from the beginning (left) or end (right) of the string. Part of the base64 routine is shown below.
In other words, when tryui.exe runs, it downloads a base64-encoded string from hxxps://paste.ee/r/KyH5C (a site that offers similar features to Pastebin), and another from a site that was temporarily used to host a second JPG file at hxxps://share.dmca.gripe/bNdw3tI5XtihAdic.jpg. From the two separate base64-encoded strings it assembles a binary, which is then used to install and register the C2 and keylogger component.
As long as Regasm.exe is found at the hard-coded path shown above, tryui.exe invokes Regasm and uses it to merge the two base64-encoded strings into a separate executable file. It places what appears to be a legitimate Regasm binary, disguised as natmon.exe, at the location listed below for persistence. Comparison with similar files suggests that this is done to avoid detection.
Key | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Monitor\ |
Name | NAT Monitor |
Value | C:\Program Files (x86)\NAT Monitor\natmon.exe |
The final stage of the attack is the delivery of the NanoCore trojan, which includes a keylogger. It originally communicated with its C2, located in the Netherlands, over an unencrypted channel on TCP port 2960. Shortly after we tested this particular sample, the bad actor(s) updated their C2 to use SSL over TCP port 443 in order to hide the data sent to and from the C2 server.
Side note:
As the path for Regasm.exe is hard-coded within the AutoHotKey script, the malware will not run any further if Regasm.exe is not present at that path. However, copying a newer version of .NET's Regasm.exe from a more recent folder path, e.g. "C:\Windows\Microsoft.NET\Framework\v4.x", permits tryui.exe to launch Regasm and register an application.
While none of the above techniques are necessarily new, it is interesting to see how AutoHotKey continues to grow in popularity amongst malware authors, and how malicious scripts embedded within the legitimate AutoHotKey compiled binary are becoming more sophisticated in an attempt to fly under the radar of modern-day detection and prevention security products.
Customer Protection
Cb Defense
As always, our best practice recommendation is to deploy this rule to a small subset of sensors, assess, then define permissions to reduce any false positives. After confirming no false positives in your environment, deploy across additional groups.
Customer Action:
The following policy will prevent this style of attack from executing:
Process | Operation Attempt | Action |
Application(s) at path: **\eqnedt32.exe | Communicates over the network | Deny/Terminate |
Application(s) at path: **\eqnedt32.exe | Injects code or modifies memory of another process | Deny/Terminate |
Customers can proactively hunt for this malware campaign within the Investigate tab (be sure to enable Advanced search) by copying and pasting the following queries:
applicationName:eqnedt32.exe AND TTP:NETWORK_ACCESS
applicationName:regasm.exe AND TTP:NETWORK_ACCESS
applicationName:regasm.exe AND threatIndicators:COMPROMISED_PARENT
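The three hunts above, plus the Run key from the persistence table, expressed as a stand-alone detection pass over constructed process telemetry. This is an added example, not Cb Defense code: the record layout, the sample events and the use of a user-writable parent path as a stand-in for COMPROMISED_PARENT are assumptions.

```python
import re

# Assumption: a parent executing from a user-writable staging folder is our
# stand-in for the sensor's COMPROMISED_PARENT indicator.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

# Constructed sample telemetry modelled on the process tree in the report
# (svchost -> eqnedt32 -> tryui -> regasm); not real sensor output.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "name": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe", "net": [], "reg": []},
    {"pid": 2, "ppid": 1, "name": "EQNEDT32.EXE",
     "path": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "net": ["sunrypero.cf:80"], "reg": []},
    {"pid": 3, "ppid": 2, "name": "tryui.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\tryui.exe",
     "net": ["paste.ee:443"], "reg": []},
    {"pid": 4, "ppid": 3, "name": "regasm.exe",
     "path": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe",
     "net": ["185.244.30.106:2960"],
     "reg": [r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Monitor"]},
    # Benign control: regasm launched by a build tool from Program Files, no network.
    {"pid": 5, "ppid": 0, "name": "devenv.exe",
     "path": r"C:\Program Files (x86)\Microsoft Visual Studio\devenv.exe", "net": [], "reg": []},
    {"pid": 6, "ppid": 5, "name": "regasm.exe",
     "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe", "net": [], "reg": []},
]

def hunt(events):
    """Return (pid, rule) pairs for every process record matching one of the hunts."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = e["name"].lower()
        parent = by_pid.get(e["ppid"])
        if name == "eqnedt32.exe" and e["net"]:          # Equation Editor should never talk to the network
            hits.append((e["pid"], "eqnedt32.exe NETWORK_ACCESS"))
        if name == "regasm.exe" and e["net"]:            # nor should the Regasm utility
            hits.append((e["pid"], "regasm.exe NETWORK_ACCESS"))
        if name == "regasm.exe" and parent and USER_WRITABLE.search(parent["path"]):
            hits.append((e["pid"], "regasm.exe COMPROMISED_PARENT"))
        for key in e["reg"]:                              # Run key persistence, e.g. "NAT Monitor"
            if RUN_KEY.search(key):
                hits.append((e["pid"], "Run key persistence: " + key.rsplit("\\", 1)[1]))
    return hits

if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(pid, rule)
```

The benign regasm.exe launched by devenv.exe (pid 6) produces no hit, which is the false-positive check the deployment guidance above asks for.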
Cb Protection
The most effective way of blocking this malware is by running Cb Protection in High or Medium enforcement. Cb Protection users can also create custom rules to detect or block the files written by this malware.
Platform: Windows
Rule Type: Execute Control
Execution Action: Report
Path or File: *\eqnedt32.exe
Process: *\microsoft office\*
Implementation: As always, our best-practice recommendation is to create all custom rules in “Report” mode first, assess for false positives, and either create higher-ranking allow rules or add exclusions to the suggested custom rule to prevent legitimate operations from being blocked. After confirming no false positives in your environment, change the action to Block.
Customer Action: For systems in default deny policy, no action is required. For systems in Low enforcement, implement the custom rule using the steps recommended in the implementation section above.
Cb Response/Cb Threat Hunter
In Cb Response and Cb Threat Hunter, the Advanced Threat feed already contains queries for this particular malware. The PSC Threat feeds will detect the known hashes for this malware. Customers can blacklist known MD5 hashes, the most prominent of which are listed in the IOCs section of this report.
Remediation:
MITRE ATT&CK TIDs
Tactic | Technique | TID |
Execution | User execution via opening of email attachment | |
Defense Evasion | Obfuscated files or information | |
Defense Evasion, Execution | Proxying of code execution through Regasm | |
Execution | Exploitation for Client Execution | |
Defense Evasion | Masquerading | |
Persistence | Registry Run Keys / Startup Folder | |
Defense Evasion, Execution | Regsvcs/Regasm | |
Indicators of Compromise (IOCs)
Indicator | Type | Context |
88334ec58de64e4a174dbf8b7027f916 cfea6ae1730a9dd580e2d5b633f1785357d50af8e07768081b3f50139144259b | MD5 SHA256 | Quotation_Sheet_#RFQ190207.doc Word Document |
20bc6c4211538b4eb7a756cfafeb0c39 3c32a519c6ea39670cb610a190cdcf3acd9a7e00b11d93d05d7395a2de0bb1ff | MD5 SHA256 | Tryui.exe |
780492fd6099b8e29fb10b454a1d7b13 391276372a25e0c0b5a4650d6454dbea85cc2e941970a2ccd7a42323b7e82141 | MD5 SHA256 | Nanocore |
hxxp://sunrypero.cf | URL | C2 |
hxxps://paste.ee/r/KyH5C | URL | C2 |
hxxps://share.dmca.gripe | URL | C2 |
185.244.30.106 | IP | C2 |