Last week, it was widely reported that a new, unpatched zero-day threat exploiting Microsoft Office was discovered in the wild as part of a spear-phishing campaign. In the following E.KIA, we provide background on the exploit, its analysis and how Invincea FreeSpace automatically kills this exploit without any FixIt tool, signature update, network analysis, IOCs, or patch required. In other words, Invincea customers are protected by default from this 0day exploit, no work required. Microsoft also announced that, in spite of its growing use in exploit campaigns, it is not releasing a patch for this 0day in the next Patch Tuesday release.
Although initial reports described targets localized to Pakistan by an APT group dubbed “Viceroy Tiger” by our friends at CrowdStrike, the exploit was quickly adapted and used to spread crimeware related threats as well. This dual usage of new exploit code by both APT and for-profit crimeware groups was described by FireEye on November 6th. We managed to get our hands on a copy of one of the malicious MS Word document (.docx) files used in the APT attacks, as well as the malicious payload that is downloaded and executed on the victim upon successful exploitation. It is important to note that this particular APT group, based in India, is believed to be the same group responsible for Operation Hangover.
Rather than re-hash the technical aspects of the exploit code, which have already been thoroughly documented elsewhere, we will focus on how this 0day attack can be stopped and then exploited itself to deliver forensic and threat intelligence capabilities from Invincea FreeSpace combined with ThreatGRID, a leading threat intelligence provider.
See the video below for a demonstration of this capability. The rest of the analysis below follows from this demonstration.
Invincea FreeSpace™ combines protection against 0day threats with rich threat forensics that, when combined with Threat Intelligence partners like ThreatGRID, pinpoint the origins of and events that led up to the virtual infection. The information in Invincea’s Threat Management Service is presented at a level that analysts and security leaders can understand — no cryptic signature names to try and decipher, just real forensic data in English, e.g., “Document X was opened by user1 on host Y from an Outlook attachment” or “This hyperlink was clicked by user2 on host2, which triggered the following browser redirects ultimately leading to zbot malware that performed the following actions inside the Invincea virtual container”. Real-time threat data enables security analysts and incident responders to rapidly develop new IOCs to feed the rest of the security stack and conduct adversary profiling tasks, instead of wasting time re-imaging infected systems, attempting to identify lateral attacker movement on the network and determining the scope of the data loss that is likely to have occurred.
Hat tip to @Kafeine for his assistance with the following samples now available on VirusTotal.com. Note that although these samples have a relatively high current Antivirus detection ratio now, the detection was a big goose egg when the attack campaigns were active. Furthermore, these signatures get replaced in targeted campaigns with unique ones.
The poisoned MS Word document (.docx) sample analysis is here…
The analysis of the Dorifel Trojan variant downloaded and executed on the victim upon successful exploitation via poisoned MS Word document sample is here:
The following screen capture illustrates execution of the above .docx sample on a vulnerable XP host running Office 2007 protected by Invincea FreeSpace™. As expected, Invincea FreeSpace™ detected and contained the threat without any product updates whatsoever. We have opened the Suspicious Activities Details window from the Invincea FreeSpace alert as shown in the screen capture below:
Threat forensics are automatically sent to Invincea’s Threat Management Console:
The section of the infection report detail in green contains the metadata regarding the system that triggered the virtual infection. The section highlighted in red provides the technical forensic data regarding the infection:
If we switch to the Timeline view, we can observe the linear progression of events beginning with execution of the malicious .docx file by the victim. Next, we see the malware payload written to the virtual file system and launched as a process:
We can also drill into each specific entry to get additional details. For instance, we can click on the malicious process launch to obtain the MD5 hash of the file that was launched and also conduct open source research on the file by clicking on any of the options available:
Shortly after the initial Dorifel dropper (winword.exe) was launched, we can see that a secondary file was dropped in the current user profile directory and also launched as a process (Updates.exe):
Here is the VirusTotal report for this binary:
Next, we observe the new process launching a Windows command shell and using xcopy to move a dropped .lnk file into the user’s startup folder:
We also observe the malware performing additional reconnaissance related tasks on the victim, such as writing out system information to log files. Here a command shell has been launched to gather IP address information from the victim:
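As an added illustration that is not part of the original post, the following Python script runs a few simple detection rules over constructed process-creation events modelled on the behaviour chain described above (dropped executables launched from the user profile, an xcopy of a .lnk into the Startup folder, and a command shell writing IP information to a file). The paths, PIDs and command lines are constructed for illustration and are not taken from the real samples.

```python
import re

# Path patterns for the Windows XP / Office 2007 host discussed above
USER_PROFILE_RE = re.compile(r"^C:\\Documents and Settings\\[^\\]+\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Host-info commands whose output is redirected into a file
RECON_RE = re.compile(r"\b(ipconfig|systeminfo|netstat|whoami)\b.*>\s*\S", re.I)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return a list of (pid, rule_name) for every event matching a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        cmd = e.get("cmdline", "")
        # Rule 1: an executable running from the user profile (dropped file)
        if USER_PROFILE_RE.match(e["image"]):
            findings.append((e["pid"], "exec_from_user_profile"))
        # Rule 2: the installed Office application spawned a child process
        if parent and image_name(parent["image"]) in OFFICE_APPS \
                and not USER_PROFILE_RE.match(parent["image"]):
            findings.append((e["pid"], "office_spawned_child"))
        # Rule 3: shell copying something into the Startup folder (persistence)
        if name == "cmd.exe" and re.search(r"\bx?copy\b", cmd, re.I) \
                and STARTUP_RE.search(cmd):
            findings.append((e["pid"], "startup_folder_copy"))
        # Rule 4: shell collecting host information and redirecting it to a file
        if name == "cmd.exe" and RECON_RE.search(cmd):
            findings.append((e["pid"], "recon_to_file"))
    return findings

# Constructed events (not real telemetry) following the chain on this page
U = r"C:\Documents and Settings\user1"
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
     "cmdline": r"WINWORD.EXE /n " + U + r"\My Documents\invite.docx"},
    {"pid": 200, "ppid": 100, "image": U + r"\Local Settings\Temp\winword.exe", "cmdline": "winword.exe"},
    {"pid": 300, "ppid": 200, "image": U + r"\Updates.exe", "cmdline": "Updates.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r'cmd.exe /c xcopy "' + U + r'\Updates.lnk" "' + U + r'\Start Menu\Programs\Startup\"'},
    {"pid": 500, "ppid": 300, "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r'cmd.exe /c ipconfig /all > "' + U + r'\sysinfo.log"'},
    {"pid": 600, "ppid": 1, "image": r"C:\WINDOWS\explorer.exe", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for pid, rule in analyze(EVENTS):
        print(pid, rule)
```

The benign Office parent (pid 100) and explorer.exe produce no findings, while each stage of the dropper chain is flagged by at least one rule.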
But where is the collected data going? For that, we’ll leverage threat intelligence provided by ThreatGRID and integrated directly into the Invincea Management System interface:
By clicking on the ThreatGRID option, the Invincea Management System automatically queries the ThreatGRID API (subscription required) for multiple forensic indicators gathered during the virtual infection. As you can see below, we have several matches indicating that the malware binaries in question have been previously analyzed by the ThreatGRID platform:
Upon clicking on an entry, we are taken directly into the analysis of the sample in the ThreatGRID reporting console. The top menu bar allows the analyst to pivot to various sections of the report and extract artifacts of interest. The ThreatGRID platform has also positively flagged this particular sample as malicious with a threat score of 90 based solely on generic behavioral indicators (no specific malware signatures required):
Behavioral indicator detail:
If we drill into the Network Activity section, we have full details including exact URI paths of HTTP based C2 activity including a highly suspect User-Agent string:
ThreatGRID correlates samples based on multiple elements of the analysis; each of these elements provides a pivot point for analysts to build a larger picture of the threat as well as identify related samples.
Pivoting on the IP address and domain yields additional details, including other samples that ThreatGRID has seen reach out to the same infrastructure.
Viewing the related samples takes the sample being analyzed and applies the global context of the ThreatGRID database to it.
Furthermore, we can easily download all analysis objects such as disk and registry artifacts as well as full network packet captures for each submission directly through the ThreatGRID interface:
With a few mouse clicks, we have confirmed that a zero-day threat targeting Microsoft Office was detected and contained by Invincea FreeSpace™. We are also able to quickly determine runtime malware behavior and develop effective host and network based indicators based on the combination of Invincea + ThreatGRID forensic data collection. This demonstrates the power of the Invincea FreeSpace™ breach prevention platform combined with the unique threat intelligence integration powered by ThreatGRID.
The choice is yours: continue to fall hopelessly behind the enemy as they exploit 0days by luring your users into clicking on links and opening attachments, or turn your users into a distributed honeynet for your threat intelligence operation. Get on the path to prevention by contacting Invincea for a free trial today!