ISSP

Intruders used the CVE-2017-0199 vulnerability

The e-mail OriginalMessage.txt.msg carries an attachment with the malicious file Prezent_UA_2k_berezen_PRESS.ppsx, a 16-slide presentation on the socio-political situation in Ukraine.


Example of a slide from the file Prezent_UA_2k_berezen_PRESS.ppsx

The malicious file is interesting because it contains no embedded malicious macros. Instead, the intruders used the CVE-2017-0199 vulnerability, which lets an attacker generate a malicious PPSX file and deliver a payload to the victim without any complex setup. The exploit relies on the file slide1.xml.rels. Files with a .rels extension are relationship files: they describe how the parts of a Microsoft Office document fit together, information also known as "relationship parts". In the case of this malicious presentation, the address hxxp://socis.cf/?file=wj5yuxmp.hmf was written into the slide1.xml.rels file:


Content of the slide1.xml.rels file

Opening hxxp://socis.cf/?file=wj5yuxmp.hmf returns a script that creates a malicious file in the %temp% directory and runs it. At the time of analysis, this address was no longer available.
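Because the malicious behaviour lives in a relationship file rather than in a macro, a practical triage check is to unpack the PPSX (it is an ordinary zip archive) and list every relationship with TargetMode="External" whose target is a URL and whose type is not a plain hyperlink. The following script is an added example written for this post, not ISSP's tooling; it builds a constructed minimal PPSX in memory with a placeholder URL (example.invalid) and then scans it. The sample's use of an oleObject relationship type is an assumption about how the external reference is embedded, since the post only states that the URL was written into slide1.xml.rels.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that legitimately point outside the package (clickable links).
# Any other relationship with TargetMode="External" deserves a closer look.
BENIGN_EXTERNAL_TYPES = {OOXML_REL + "hyperlink"}

# Matches http/https targets, including ones wrapped in a "prefix:" moniker.
URL_RE = re.compile(r"(?:^|:)https?://", re.IGNORECASE)


def external_relationships(ppsx_bytes):
    """Return every relationship in the package whose TargetMode is External."""
    found = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                found.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel.get("Type", ""),
                    "target": rel.get("Target", ""),
                })
    return found


def suspicious_relationships(ppsx_bytes):
    """External relationships that are not plain hyperlinks and point at a URL."""
    return [
        rel for rel in external_relationships(ppsx_bytes)
        if rel["type"] not in BENIGN_EXTERNAL_TYPES and URL_RE.search(rel["target"])
    ]


def build_sample_ppsx(target, rel_type=OOXML_REL + "oleObject"):
    """Constructed minimal PPSX: one slide whose .rels holds one external relationship."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}slideLayout" '
        'Target="../slideLayouts/slideLayout1.xml"/>'
        f'<Relationship Id="rId2" Type="{rel_type}" Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")  # placeholder slide body
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; the real sample pointed at the address listed in the post.
    sample = build_sample_ppsx("http://example.invalid/?file=PLACEHOLDER")
    for hit in suspicious_relationships(sample):
        print(f"{hit['part']}: {hit['id']} -> {hit['target']} ({hit['type']})")
```

To triage a real attachment, replace the constructed sample with the bytes of the file under analysis; the same check applies to DOCX and XLSX packages, since they use the same relationship format.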


Indicators of Compromise

URLs:

hxxp://socis.cf/?file=wj5yuxmp.hmf

IP addresses:

185.176.43.94 (Bulgaria)

Files:

Prezent_UA_2k_berezen_PRESS.ppsx

MD5: CAFB6B5795C26376289832CFFC3AEE94
