Malware Analysis

CVE-2017-11882 - Getting Our Hands Dirty With Some Malware.

Intro

I have always liked to research things and understand the small details. When I was 12 my brother showed me the world of programming, and from there I continued into the cyber security world and, in particular, into investigating malware and CTFs. Today we will investigate and try to understand a little more about what exactly is happening in CVE-2017-11882 while we analyze an RTF file that contains the FormBook malware.

FormBook

FormBook is an infostealer malware discovered in 2016. It steals various data, including cached credentials, screenshots, and keystrokes. Additionally, it acts as a downloader for other malicious files. FormBook operates under a Malware as a Service (MaaS) model, available to cybercriminals at a low cost.

Analysis

On July 12, I received an email with the attachment “RFQ-PO802302535.doc” (the sample can be downloaded from https://bazaar.abuse.ch/sample/43288168a2a440b39de9d1abad631654c7bd5f3e5cb2c1baeb93f28dce6b3eb2/).

File Type

First, when we download the file, it seems like we are dealing with a .doc file (a Microsoft Word file).

But when we check the file type we can see it is an RTF file, which should give us a bad feeling about this file.

And after running strings on the file we can see even more clearly that this is NOT a Microsoft Word file.

What is an RTF file?

RTF was created by the Microsoft Word team back in the 1980s. It was intended as a universal format that could be used by most word processors, making it easier for people to share Word documents with people who don’t use Word.

A few APT groups have used this innocent-looking file format for malicious activity, for example Leviathan (APT40) back in 2021 and DoNot Team (APT-C-35) back in 2021.

RTF Tools

The next step is to check out the streams in this file, which we can do with rtfdump.py, written by Didier Stevens.

We can see three streams carrying the name “EQUaTion.3”, and after looking closely we can see that all of them have the same MD5, which tells us that the three are identical.

To Extract the stream we have two options.

Option 1

We can use the same tool to extract stream 1 with the command below (-s selects the stream and -H prints a hex dump). We then pipe the output into xxd, which turns the hex dump back into the raw bytes, and write the result to a file called “stage2.txt”.

remnux@remnux:~/Desktop/Malware_Samples/Doc$ rtfdump.py -s 1 -H RFQ-PO802302535.doc

00000000: 9D A6 96 38 02 00 00 00  0B 00 00 00 45 51 55 61  ...8........EQUa
00000010: 54 69 6F 6E 2E 33 00 00  00 00 00 00 00 00 00 85  Tion.3..........
00000020: 07 00 00 02 7E 4E EB 47  78 01 05 FF 42 A6 EC 2C  ....~N.Gx...B..,
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  50 06 45 00 00 00 00 00  ........P.E.....
00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000060: 00 00 00 00 00 00 00 00  29 C3 44 00 00 00 00 E9  ........).D.....
00000070: FE 01 00 00 BE 27 65 FE  4A 01 FB 23 97 4A 7A 97  .....'e.J..#.Jz.
00000080: 1D A8 EC 70 48 27 73 C2  BB 79 80 E7 89 32 1D C1  ...pH's..y...2..
00000090: 7D 09 23 ED 52 1C 80 15  FE 2A 7C 22 E0 D8 EA 82  }.#.R....*|"....
000000A0: 17 EF 76 67 AC 99 DF 08  E3 A6 3B E0 6F CE 2F EC  ..vg......;.o./.
000000B0: BD E6 36 EE 25 2A E1 AD  3C 7D 11 33 07 A1 3D 0E  ..6.%*..<}.3..=.
000000C0: 3E 7F B5 91 8E 63 D1 11  D9 3E 4B 29 74 E2 66 F8  >....c...>K)t.f.
000000D0: 69 4B 3F 5F B4 D1 05 46  88 78 3A D4 8A 22 F7 BA  iK?_...F.x:.."..
...

remnux@remnux:~/Desktop/Malware_Samples/Doc$ rtfdump.py -s 1 -H RFQ-PO802302535.doc | xxd -r -p > stage2.txt
remnux@remnux:~/Desktop/Malware_Samples/Doc$ cat stage2.txt

Raw bytes...

remnux@remnux:~/Desktop/Malware_Samples/Doc$ 

Option 2

With option 2 we can simply copy the hex dump, paste it into CyberChef, add the “From Hex” operation to the recipe and save the output to a file.

Nice, now we have the stream and we can continue with our investigation.

RTF stream

An RTF stream could be any of the following things, and now we are going to check for each of them:

  • Regular RTF Stream - An RTF stream refers to the content of an RTF file, which consists of encoded instructions and text that define the formatting and structure of the document.

  • Malicious macros - RTF streams can include embedded macros written in a scripting language such as Visual Basic for Applications (VBA), which can be used to execute malicious code.

  • OLE Object - RTF files can contain embedded objects, such as OLE (Object Linking and Embedding) objects, that carry malware payloads.

  • Encoded payloads or ShellCode - RTF files may include encoded or obfuscated payloads within the RTF stream itself. These payloads can be encoded using techniques such as Base64, hex encoding, or custom algorithms, making it harder to detect and analyze the malicious content.

Those of you who have already looked at this kind of file can see already that stage2.txt looks like shellcode and not an OLE object, but we can still check for VBA and OLE objects with oletools, a package written by Philippe Lagadec.
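A quick check worth doing on stage2.txt before reaching for bigger tools is to parse the OLE 1.0 object header that opens the stream (the hex dump above shows it: format ID 2, a length-prefixed class name, then the native data size). The parser below is an added example, not code from the original post; the sample bytes are constructed to mirror the header of the real dump, with placeholder bytes in place of the actual Equation Editor payload.

```python
import struct

# Constructed sample modelled on the first bytes of the stage2.txt hex dump:
# an OLE 1.0 embedded-object header whose class name is the case-mangled
# "EQUaTion.3", followed by 16 placeholder bytes standing in for the
# Equation Editor native data (the real payload is not reproduced here).
SAMPLE = (
    bytes.fromhex("9DA69638")                      # OLEVersion (odd value, Word tolerates it)
    + struct.pack("<I", 2)                         # FormatID 2 = embedded object
    + struct.pack("<I", 11) + b"EQUaTion.3\x00"    # length-prefixed ClassName
    + struct.pack("<I", 0) + struct.pack("<I", 0)  # TopicName / ItemName (both empty)
    + struct.pack("<I", 16)                        # NativeDataSize
    + bytes(range(16))                             # placeholder NativeData
)


def _lpstr(data: bytes, off: int):
    """Read a length-prefixed, NUL-terminated string; return (text, next offset)."""
    (n,) = struct.unpack_from("<I", data, off)
    raw = data[off + 4:off + 4 + n]
    return raw.rstrip(b"\x00").decode("latin-1"), off + 4 + n


def parse_ole1_object(data: bytes) -> dict:
    """Parse the OLE 1.0 object header that starts an RTF \\objdata stream."""
    _version, format_id = struct.unpack_from("<II", data, 0)
    if format_id != 2:
        raise ValueError(f"FormatID {format_id} is not an embedded object")
    class_name, off = _lpstr(data, 8)
    _topic, off = _lpstr(data, off)
    _item, off = _lpstr(data, off)
    (native_size,) = struct.unpack_from("<I", data, off)
    native = data[off + 4:off + 4 + native_size]
    return {
        "class_name": class_name,
        "native_size": native_size,
        "native_data": native,
        # A declared size larger than what is present means a truncated or corrupt stream.
        "truncated": len(native) < native_size,
    }


def equation_editor_indicators(obj: dict) -> list:
    """Triage hints: is this an Equation Editor object, and is the class name spelled
    oddly (mixed case still loads, but dodges case-sensitive string matching)?"""
    hints = []
    name = obj["class_name"]
    if name.lower() == "equation.3":
        hints.append("Equation Editor (Equation.3) object: check for CVE-2017-11882")
        if name != "Equation.3":
            hints.append(f"class name case-mangled: {name!r}")
    if obj["truncated"]:
        hints.append("NativeDataSize exceeds available bytes")
    return hints
```

On the real file, replace SAMPLE with `open("stage2.txt", "rb").read()` and write `obj["native_data"]` to disk; that carved blob is what the shellcode tools in the next section should be pointed at.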

Extracting the ShellCode

After the basic checks, we now know that we are dealing with obfuscated shellcode: we cannot understand anything from the bytes as they are.

There are many methods used to make shellcode difficult to detect. Some of them are:

  • XOR Encoding - This method involves XOR-ing the shellcode bytes with a chosen key to obfuscate the original byte values. To execute the shellcode, it needs to be XOR-ed again with the same key to restore the original byte values before execution.

  • Polymorphism - In this technique, the shellcode is constantly changed or mutated, making it difficult to recognize by signature-based detection methods.

  • Encoding with Non-Printable Characters - The shellcode is encoded using non-printable characters, which can evade detection by security tools looking for typical ASCII strings.

  • Garbage Instructions - Irrelevant instructions or junk code are inserted within the shellcode, making it harder to analyze and identify the actual malicious code.

  • Anti-Debugging Techniques - Obfuscation methods can include anti-debugging techniques that prevent dynamic analysis by debugger tools.

In this blog post I will not go deep into those methods, but for those who want to go deeper into this subject, I highly recommend “The Shellcoder’s Handbook” by Chris Anley, John Heasman, Felix Lindner and Gerardo Richarte. Really nice book 🙂.

Back to our malware. We can use some tools to help us deobfuscate the shellcode; first we will try an XOR-based solution, xorsearch.py, again by Didier Stevens.

The primary function of xorsearch.py is to find the XOR key used to obfuscate shellcode. It does this by brute force: the tool takes the obfuscated shellcode and tries every XOR key on it, checking the decoded output for known strings and byte patterns. When a significant number of printable characters are found in the decoded output, xorsearch.py assumes it has found the correct XOR key.

Let's cat out the potential shellcode we found (stage2.txt) and pipe the output into the tool with the -W flag, which tells the program to search with its embedded wildcard rules.

remnux@remnux:~/Desktop/Malware_Samples/Doc$ cat stage2.txt | xorsearch -W -

Number of bytes read from stdin: 1968
Found XOR 00 position 0000039A: GetEIP method 3 E921FFFFFF
Found XOR 00 position 00000434: GetEIP method 3 E987FEFFFF
Found ROT 25 position 0000039A: GetEIP method 3 E921FFFFFF
Found ROT 25 position 00000434: GetEIP method 3 E987FEFFFF
Found ROT 01 position 0000039A: GetEIP method 3 E921FFFFFF
Found ROT 01 position 00000434: GetEIP method 3 E987FEFFFF
Score: 60

remnux@remnux:~/Desktop/Malware_Samples/Doc$ 

And we have a match! The program found a few GetEIP patterns (a call/jmp that shellcode uses to locate its own address in memory), and it's looking good. Note that the key reported is XOR 00, which means these instructions are present in the bytes as they are.
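To make the xorsearch result concrete, here is an added example (not code from the original post or from XORSearch itself) that brute-forces all 256 single-byte XOR keys and reports every key under which a backward call/jmp with a small negative displacement appears, the same shape as the E921FFFFFF hit above. The test buffer is constructed, not taken from the sample.

```python
import string

# Opcodes of the near call/jmp that GetEIP tricks rely on (call/jmp backwards, then pop).
GETPC_OPCODES = {0xE8: "call", 0xE9: "jmp"}
PRINTABLE = set(string.printable.encode())


def find_getpc(data: bytes) -> list:
    """Return (offset, mnemonic, rel32) for every E8/E9 whose rel32 is a small negative
    number (high bytes FF FF), the same shape as the E921FFFFFF hit xorsearch reported."""
    hits = []
    for i in range(len(data) - 4):
        if data[i] in GETPC_OPCODES and data[i + 3] == 0xFF and data[i + 4] == 0xFF:
            rel = int.from_bytes(data[i + 1:i + 5], "little", signed=True)
            hits.append((i, GETPC_OPCODES[data[i]], rel))
    return hits


def printable_ratio(data: bytes) -> float:
    """Share of printable bytes; a jump in this value after decoding is the second
    heuristic xorsearch leans on when ranking candidate keys."""
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)


def xor_scan(data: bytes) -> dict:
    """Try all 256 single-byte XOR keys and report the keys that expose a GetPC pattern.
    A hit under key 0x00 means the instruction is present in the bytes as they are."""
    found = {}
    for key in range(256):
        decoded = bytes(b ^ key for b in data)
        hits = find_getpc(decoded)
        if hits:
            found[key] = {"hits": hits, "printable": round(printable_ratio(decoded), 2)}
    return found


# Constructed test buffer (not bytes from the sample): a NOP sled, xor eax,eax,
# the backward jmp E9 21 FF FF FF seen in the real output, then zero padding.
PLAIN = b"\x90" * 8 + b"\x31\xC0" + b"\xE9\x21\xFF\xFF\xFF" + b"\x00" * 8
KEY = 0x5A
ENCODED = bytes(b ^ KEY for b in PLAIN)   # what an XOR-obfuscated copy would look like

if __name__ == "__main__":
    for label, buf in (("plain", PLAIN), ("xor 0x5A", ENCODED)):
        for key, info in xor_scan(buf).items():
            print(f"{label}: key {key:02X} -> {info}")
```

Run against the plain buffer the only key reported is 00, exactly what the real output shows for stage2.txt; against the encoded copy the scanner recovers 5A.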

To be sure, and to deobfuscate this shellcode, we will start scdbg. scdbg is a shellcode analysis application; when run, it shows the user all of the Windows APIs the shellcode attempts to call.

Load the file (stage2.txt), tick findSc (Find Shellcode), Scan for API Table, Report mode and Create Dump for later.

And run…

The program found 8 possible options; just select one and…

We got a shellcode!

We can see what this “Doc” file is doing, so let's wrap it up.

  • First we got a weird-looking file, and we found out that it isn't a doc file but rather an RTF file.
  • We extracted the stream from the RTF file.
  • We tried to figure out which method the author of this malware used for obfuscation.
  • We tried a few tools that helped us extract the shellcode.
  • We saw that the shellcode actually downloads another weird-looking EXE file from a weird domain.

The domain, at the time of writing this blog, is down, which means that people have already reported this malware. As you can see, the shellcode we found downloads Kt4sS99OJkneo.exe and runs it. This file is another stage of the FormBook malware, which we are not going to get into in this blog.

VirusTotal Results

[VirusTotal results screenshot]

IOCs

URLs

  • https[:]//www.torq.qa/fIPfypJYu76PrjPnEo[.]exe
  • https[:]//www.torq.qa/Kt4sS99OJkneo[.]exe
  • http[:]//www.torq.qa/Kt4sS99OJkneo[.]exe

Sample SHA-256

  • RFQ-PO802302535.doc - 43288168a2a440b39de9d1abad631654c7bd5f3e5cb2c1baeb93f28dce6b3eb2
  • Kt4sS99OJkneo.exe - b884bd75ed004c71503776351d1bd64e1a03e106be6df6baed9f16c7239e0f01

Thanks for reading.

This post is licensed under CC BY 4.0 by the author.