Distribution and Operation of Malware ‘Crypter’ Exploiting Spam Mail

Malicious spam mail that distributes malware through an attached document or archive file has been one of the most popular methods among attackers. The AhnLab ASEC Analysis Team analyzed spam mails received from a number of customers and confirmed that the majority of the files downloaded by the malicious documents attached to these emails were information-stealing malware of the ‘Crypter’ family: HawkEye, Nanocore, FormBook, Lokibot and Remcos. Crypter malware complicates signature detection by Anti-Virus (AV) products by using an encryption algorithm and storing the actual malware inside the file in encrypted form.

Figure 1. Spam mail with a malicious document attached

Malicious documents attached to spam mail can be classified into those that require user action (Figure 2) and those that do not.

Figure 2. Document file that requires user action

Documents like the one shown in Figure 2 display messages such as “Enable Editing” and “Enable Content” to persuade the user to activate the macro feature, which then downloads additional malware.

In this case, the additional malware is not downloaded unless the user presses the “Enable Content” button. The problem is that document files that exploit a vulnerability instead of using macros can download and run malware without any user action. Hence, the safest course is not to open the document file at all.

Most malicious document files that require no user action beyond opening the file to download additional malware exploit a Rich Text Format (RTF) document vulnerability. RTF is a document format developed by Microsoft; it is highly compatible and in some cases can even be opened in the Hangul word processor.

The following are the key RTF document vulnerabilities that attackers exploit:

OLE2Link vulnerability

In addition to the RTF format vulnerability itself, attackers embed an object that triggers the MS Office equation editor vulnerability inside the RTF's internal stream, running shellcode that downloads additional malware.

MS Office equation editor vulnerability

When a user opens a vulnerable RTF document file, the content may look normal as in Figure 3, or it may display unidentifiable strings as in Figure 4. When opening an attachment, users should suspect a document with an RTF vulnerability if the file content is unrelated to the email or is filled with unrecognizable strings.

Figure 3. RTF file that contains readable text

Figure 4. RTF file that contains unrecognizable text
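As an added, defender-side illustration (not code from the original post or from AhnLab), the following Python script extracts the OLE 1.0 class name from each `\objdata` stream in an RTF file and flags the two object types the post names (OLE2Link and the equation editor object), as well as the `\objupdate` control word that makes the object activate when the file opens. The class-name strings and both sample documents are assumptions constructed for the example, not values taken from the post.

```python
import binascii
import re
from typing import List, Optional

# Object class names associated with the two RTF vectors discussed above.
# Assumption: taken from public analyses of such samples, not from the post.
SUSPICIOUS_CLASSES = {"OLE2Link", "Equation.3"}


def ole1_class_name(blob: bytes) -> Optional[str]:
    """Read the class name from an OLE 1.0 object header stored in \\objdata.
    Layout: OLEVersion (4), FormatID (4; 1 = linked, 2 = embedded),
    ClassName length (4, includes the NUL), ClassName (ASCII, NUL-terminated)."""
    if len(blob) < 12:
        return None
    format_id = int.from_bytes(blob[4:8], "little")
    if format_id not in (1, 2):
        return None
    length = int.from_bytes(blob[8:12], "little")
    if length == 0 or length > 256 or 12 + length > len(blob):
        return None
    name = blob[12:12 + length].split(b"\x00", 1)[0]
    return name.decode("ascii", errors="replace")


def scan_rtf(text: str) -> List[str]:
    """Return human-readable findings about the embedded objects in an RTF text."""
    findings = []
    if re.search(r"\\objupdate\b", text):
        findings.append("\\objupdate present: object is activated when the file opens")
    for match in re.finditer(r"\\objdata\s*([0-9a-fA-F\s]+)", text):
        hexdata = re.sub(r"\s+", "", match.group(1))   # RTF may wrap hex across lines
        try:
            blob = binascii.unhexlify(hexdata[: len(hexdata) // 2 * 2])
        except binascii.Error:
            findings.append("malformed \\objdata hex stream")
            continue
        cls = ole1_class_name(blob)
        if cls in SUSPICIOUS_CLASSES:
            findings.append(f"embedded object class '{cls}' matches a known exploit vector")
    return findings


def is_suspicious(text: str) -> bool:
    return bool(scan_rtf(text))


# Constructed samples (not real malware): one mimics the OLE2Link object layout,
# the other is a harmless embedded Excel sheet.
MALICIOUS_RTF = (r"{\rtf1{\object\objautlink\objupdate{\*\objclass Word.Document.8}"
                 r"{\*\objdata 0105000002000000090000004f4c45324c696e6b0000000000}}}")
BENIGN_RTF = (r"{\rtf1{\object\objemb{\*\objclass Excel.Sheet.8}"
              r"{\*\objdata 01050000020000000e000000457863656c2e53686565742e3800}}}")
```

Real samples often obfuscate the hex stream with interleaved control words, so a production scanner needs a full RTF tokenizer rather than the simple regex used here.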

ASEC's analysis confirmed that most of the malware ultimately downloaded to the system via RTF documents belonged to prevalent families including HawkEye, Nanocore, FormBook, Lokibot and Remcos. Operators write the outer layer in languages such as VB 6.0, Delphi, AutoIt and .NET and store the malware inside it in encrypted form in order to evade AV signature detection of well-known malware like Nanocore.

Once Crypter-type malware is executed, it decrypts the encrypted PE inside the file and injects it into another process using a technique such as process hollowing.

When information-stealing malware runs on a PC, the user's account information, such as FTP, web browser and Outlook passwords, can be leaked. Since the attacker can misuse this information for follow-up attacks, users must make sure not to open spam mails from unknown sources.

Users must also apply the latest security updates for MS Office products to ensure that their PC is not exposed to these vulnerabilities.

– https://portal.msrc.microsoft.com/ko-kr/security-guidance

AhnLab’s products detect document files with RTF vulnerabilities under the following aliases:

[File Detection]

– RTF/Exploit.Gen (2018.05.17.00)

– RTF/Cve-2017-0199.Gen (2017.07.12.00)

– RTF/Cve-2017-8759.Gen (2017.10.19.00)

– RTF/Malform-A.Gen (2018.07.04.00)

– RTF/Malform-B.Gen (2018.07.04.00)

– RTF/Malform-C.Gen (2018.07.04.00)

– RTF/Malform-D.Gen (2018.07.04.00)

– RTF/Malform-E.Gen (2018.07.04.00)

– RTF/Malform.Suspic (2018.07.04.00)

[Behavior Detection]

– Malware/MDP.Downloader.M1881

Categories: Malware Information
