{ "Event": { "analysis": "2", "date": "2017-04-11", "extends_uuid": "", "info": "OSINT - CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler", "publish_timestamp": "1491939455", "published": true, "threat_level_id": "3", "timestamp": "1491939061", "uuid": "58ed2c42-04f0-44b7-baa4-9f1f02de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491939040", "to_ids": false, "type": "text", "uuid": "58ed2c51-35cc-45dc-9afe-4c0102de0b81", "value": "FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit. FireEye has observed Office documents exploiting CVE-2017-0199 that download and execute malware payloads from different well-known malware families.\r\n\r\nFireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch by Microsoft to address the vulnerability, which can be found here.\r\n\r\nThe vulnerability bypassed most mitigations prior to patch availability; however, FireEye email and network products detected the malicious documents. FireEye recommends that Microsoft Office users apply the patch from Microsoft.", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491939039", "to_ids": false, "type": "link", "uuid": "58ed2c6d-d4b0-4a1d-b1f2-9f1f02de0b81", "value": "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "Payload delivery", "comment": "\u00d0\u00a1\u00d0\u0178\u00d0\u00a3\u00d0\u00a2\u00d0\u009d\u00d0\u02dc\u00d0\u0161 \u00d0\u00a0\u00d0\u0090\u00d0\u2014\u00d0\u2019\u00d0\u2022\u00d0\u201d\u00d0\u00a7\u00d0\u02dc\u00d0\u0161\u00d0\u0090.doc", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "md5", "uuid": "58ed2caa-a484-459e-ab44-446802de0b81", "value": "c10dabb05a38edd8a9a0ddda1c9af10e" }, { "category": "Payload delivery", "comment": "template.doc", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "md5", "uuid": "58ed2cab-1eec-4d47-8efe-455502de0b81", "value": "9dec125f006f787a3f8ad464d480eed1" }, { "category": "Payload delivery", "comment": "copy.jpg/winword.exe", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "md5", "uuid": "58ed2cac-fc8c-49d8-a0e3-47f302de0b81", "value": "acde6fb59ed431000107c8e8ca1b7266" }, { "category": "Payload delivery", "comment": "docu.doc/document.doc", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "md5", "uuid": "58ed2cad-febc-4229-b7bd-430f02de0b81", "value": "e01982913fbc22188b83f5f9fadc1c17" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": false, "type": "vulnerability", "uuid": "58ed2cbc-9e64-4851-9097-475802de0b81", "value": "CVE-2017-0199" }, { "category": "Payload delivery", "comment": "hire_form.doc Malicious document", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "md5", "uuid": "58ed2d51-5fec-442b-a196-41dd02de0b81", "value": "5ebfd13250dd0408e3de594e419f9e01" }, { "category": "Payload delivery", "comment": "template.doc/template[?].hta Malicious HTA file", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "md5", "uuid": "58ed2d52-d5d0-4238-ad25-496502de0b81", "value": "fb475f0d8c8e9bf1bc360211179d8a28" }, { "category": "Payload delivery", "comment": "ww.vbs/maintenance.vbs Stage two VBScript", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "md5", "uuid": "58ed2d53-d174-406f-9e97-438e02de0b81", "value": "984658e34e634d56423797858a711846" }, { "category": "Payload delivery", "comment": "questions.doc/document.doc Decoy document", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "md5", "uuid": "58ed2d54-b650-421e-a53e-435c02de0b81", "value": "73bf8647920eacc7cc377b3602a7ee7a" }, { "category": "Payload delivery", "comment": "eoobvfwiglhiliqougukgm.js Malicious script", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "md5", "uuid": "58ed2d55-aaa0-4f29-86dd-494402de0b81", "value": "11fb87888bbb4dcea4891ab856ac1c52" }, { "category": "Payload delivery", "comment": "wood.exe/ dcihprianeeyirdeuceulx.exe Final payload", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "md5", "uuid": "58ed2d56-1cfc-43ee-af58-4f2602de0b81", "value": "a1faa23a3ef8cef372f5f74aed82d2de" }, { "category": "Payload delivery", "comment": "wood.exe/ dcihprianeeyirdeuceulx.exe Updated final payload", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "md5", "uuid": "58ed2d57-db7c-4112-bec8-4f4602de0b81", "value": "15e51cdbd938545c9af47806984b1667" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "url", "uuid": "58ed2da6-63f4-4aed-8cd0-41e802de0b81", "value": "http://www.modani.com/media/wysiwyg/ww.vbs" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "url", "uuid": "58ed2dbf-5660-4fd9-a6ba-4bc502de0b81", "value": "http://www.modani.com/media/wysiwyg/wood.exe" }, { "category": "Network activity", "comment": "variant then connects to the following command and control (C2) server", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "ip-dst", "uuid": "58ed2de5-2bd0-4a4d-959c-45df02de0b81", "value": "217.12.203.90" }, { "category": "Network activity", "comment": "The initial stage reached out to the following URL to download the stage one malicious HTA file:", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "url", "uuid": "58ed2e50-6ad8-4998-9917-4d0402de0b81", "value": "http://95.141.38.110/mo/dnr/tmp/template.doc" }, { "category": "Network activity", "comment": "Malicious HTA", "deleted": false, "disable_correlation": false, "timestamp": "1491938958", "to_ids": true, "type": "ip-dst", "uuid": "58ed2e69-fcc8-4231-96c5-4dc602de0b81", "value": "95.141.38.110" }, { "category": "Payload delivery", "comment": "wood.exe/ dcihprianeeyirdeuceulx.exe Updated final payload - Xchecked via VT: 15e51cdbd938545c9af47806984b1667", "deleted": false, "disable_correlation": false, "timestamp": "1491938977", "to_ids": true, "type": "sha256", "uuid": "58ed2ea1-de84-4fd8-83e4-427602de0b81", "value": "169c9cc7120fa64c7c02cbbf3aeeefd02fef32ca5dcc61093d1ea012e4f39a18" }, { "category": "Payload delivery", "comment": "wood.exe/ dcihprianeeyirdeuceulx.exe Updated final payload - Xchecked via VT: 15e51cdbd938545c9af47806984b1667", "deleted": false, "disable_correlation": false, "timestamp": "1491938978", "to_ids": true, "type": "sha1", "uuid": "58ed2ea2-1270-450c-b73a-498a02de0b81", "value": "ea434604b3de06110de582a9c003c2b60368b33e" }, { "category": "External analysis", "comment": "wood.exe/ dcihprianeeyirdeuceulx.exe Updated final payload - Xchecked via VT: 15e51cdbd938545c9af47806984b1667", "deleted": false, "disable_correlation": false, "timestamp": "1491938979", "to_ids": false, "type": "link", "uuid": "58ed2ea3-9304-4143-ba8c-478902de0b81", "value": "https://www.virustotal.com/file/169c9cc7120fa64c7c02cbbf3aeeefd02fef32ca5dcc61093d1ea012e4f39a18/analysis/1491819886/" }, { "category": "Payload delivery", "comment": "template.doc/template[?].hta Malicious HTA file - Xchecked via VT: fb475f0d8c8e9bf1bc360211179d8a28", "deleted": false, "disable_correlation": false, "timestamp": "1491938980", "to_ids": true, "type": "sha256", "uuid": "58ed2ea4-f158-4709-9f95-497702de0b81", "value": "3e72bfa3ca0880226cacdbac28299d2a0bacde556ad3400d76be8f1666940828" }, { "category": "Payload delivery", "comment": "template.doc/template[?].hta Malicious HTA file - Xchecked via VT: fb475f0d8c8e9bf1bc360211179d8a28", "deleted": false, "disable_correlation": false, "timestamp": "1491938981", "to_ids": true, "type": "sha1", "uuid": "58ed2ea5-cb4c-4612-8f43-436702de0b81", "value": "3bb5af725d63a18a306506b3ebd12aed820e00eb" }, { "category": "External analysis", "comment": "template.doc/template[?].hta Malicious HTA file - Xchecked via VT: fb475f0d8c8e9bf1bc360211179d8a28", "deleted": false, "disable_correlation": false, "timestamp": "1491938983", "to_ids": false, "type": "link", "uuid": "58ed2ea7-ad1c-40b8-b755-485a02de0b81", "value": "https://www.virustotal.com/file/3e72bfa3ca0880226cacdbac28299d2a0bacde556ad3400d76be8f1666940828/analysis/1491935832/" }, { "category": "Payload delivery", "comment": "hire_form.doc Malicious document - Xchecked via VT: 5ebfd13250dd0408e3de594e419f9e01", "deleted": false, "disable_correlation": false, "timestamp": "1491938984", "to_ids": true, "type": "sha256", "uuid": "58ed2ea8-aaec-4ba9-a2e0-4cdd02de0b81", "value": "13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575" }, { "category": "Payload delivery", "comment": "hire_form.doc Malicious document - Xchecked via VT: 5ebfd13250dd0408e3de594e419f9e01", "deleted": false, "disable_correlation": false, "timestamp": "1491938985", "to_ids": true, "type": "sha1", "uuid": "58ed2ea9-d300-445f-a127-4bed02de0b81", "value": "0f3b135fd9eb3c6befbeb69f418ac182aeb56557" }, { "category": "External analysis", "comment": "hire_form.doc Malicious document - Xchecked via VT: 5ebfd13250dd0408e3de594e419f9e01", "deleted": false, "disable_correlation": false, "timestamp": "1491938986", "to_ids": false, "type": "link", "uuid": "58ed2eaa-7fa4-4ab8-a120-45bd02de0b81", "value": "https://www.virustotal.com/file/13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575/analysis/1491931544/" }, { "category": "Payload delivery", "comment": "docu.doc/document.doc - Xchecked via VT: e01982913fbc22188b83f5f9fadc1c17", "deleted": false, "disable_correlation": false, "timestamp": "1491938987", "to_ids": true, "type": "sha256", "uuid": "58ed2eab-5f60-4ec0-ad19-4c4702de0b81", "value": "01220917060a94315eeeb04e1ee1263c024e54e66058cb1f910dec3a48fef42a" }, { "category": "Payload delivery", "comment": "docu.doc/document.doc - Xchecked via VT: e01982913fbc22188b83f5f9fadc1c17", "deleted": false, "disable_correlation": false, "timestamp": "1491938988", "to_ids": true, "type": "sha1", "uuid": "58ed2eac-4b60-492d-82b1-45be02de0b81", "value": "fa504cb04ea83ecf1d360062fe612aba5e678f68" }, { "category": "External analysis", "comment": "docu.doc/document.doc - Xchecked via VT: e01982913fbc22188b83f5f9fadc1c17", "deleted": false, "disable_correlation": false, "timestamp": "1491938990", "to_ids": false, "type": "link", "uuid": "58ed2eae-944c-443c-a126-421302de0b81", "value": "https://www.virustotal.com/file/01220917060a94315eeeb04e1ee1263c024e54e66058cb1f910dec3a48fef42a/analysis/1491867682/" }, { "category": "Payload delivery", "comment": "\u00d0\u00a1\u00d0\u0178\u00d0\u00a3\u00d0\u00a2\u00d0\u009d\u00d0\u02dc\u00d0\u0161 \u00d0\u00a0\u00d0\u0090\u00d0\u2014\u00d0\u2019\u00d0\u2022\u00d0\u201d\u00d0\u00a7\u00d0\u02dc\u00d0\u0161\u00d0\u0090.doc - Xchecked via VT: c10dabb05a38edd8a9a0ddda1c9af10e", "deleted": false, "disable_correlation": false, "timestamp": "1491938990", "to_ids": true, "type": "sha256", "uuid": "58ed2eae-b31c-4009-ac2d-4be002de0b81", "value": "f4a0f65e9161a266b557e3850e3d17f08b2843ee560f8a89ecf7059eba104e66" }, { "category": "Payload delivery", "comment": "\u00d0\u00a1\u00d0\u0178\u00d0\u00a3\u00d0\u00a2\u00d0\u009d\u00d0\u02dc\u00d0\u0161 \u00d0\u00a0\u00d0\u0090\u00d0\u2014\u00d0\u2019\u00d0\u2022\u00d0\u201d\u00d0\u00a7\u00d0\u02dc\u00d0\u0161\u00d0\u0090.doc - Xchecked via VT: c10dabb05a38edd8a9a0ddda1c9af10e", "deleted": false, "disable_correlation": false, "timestamp": "1491938991", "to_ids": true, "type": "sha1", "uuid": "58ed2eaf-af18-47b9-8151-44ea02de0b81", "value": "9aed05edab5d0200eb509ed22c8c30f19652814c" }, { "category": "External analysis", "comment": "\u00d0\u00a1\u00d0\u0178\u00d0\u00a3\u00d0\u00a2\u00d0\u009d\u00d0\u02dc\u00d0\u0161 \u00d0\u00a0\u00d0\u0090\u00d0\u2014\u00d0\u2019\u00d0\u2022\u00d0\u201d\u00d0\u00a7\u00d0\u02dc\u00d0\u0161\u00d0\u0090.doc - Xchecked via VT: c10dabb05a38edd8a9a0ddda1c9af10e", "deleted": false, "disable_correlation": false, "timestamp": "1491938992", "to_ids": false, "type": "link", "uuid": "58ed2eb0-2948-4c1f-9107-4f8002de0b81", "value": "https://www.virustotal.com/file/f4a0f65e9161a266b557e3850e3d17f08b2843ee560f8a89ecf7059eba104e66/analysis/1491801507/" } ] } }