Vinay Pidathala | Jun 30, 2020
Menlo Labs has observed a limited number of attacks in which attackers continue to exploit CVE-2017-11882, an old Microsoft vulnerability for which a patch was issued more than two years ago. In fact, an FBI report published on May 12, 2020 listed it as one of the top 10 vulnerabilities being routinely exploited. We are still analyzing some details of the malware involved in the three attacks and will post them in part 2 of this series. The following are some noteworthy features of the attacks we identified.
The first attack we observed was served from loginto.me. A subdomain under loginto.me was used to serve an RTF file. If the user opens the document in Word, CVE-2017-11882 is triggered and an HTTP request to a bit.ly link is made. The bit.ly link redirects to the Femto uploader, which, ironically, has stopped accepting anonymous uploads because of excessive abuse by attackers hosting malicious payloads there (see screenshot below).
Once the executable hosted at Femto is downloaded and executed on the endpoint, another HTTP request is made to paste.ee, from which further data is downloaded.
The downloaded data goes through some character replacements (see screenshot below), after which the NetWire RAT is downloaded.
NetWire is a remote access trojan that has been around for a while. It has primarily been used to steal credentials and payment card data.
The second attack we observed was hosted on dropsend.com, which appears to be a popular file-sharing website. The file hosted there was a malicious Microsoft Excel spreadsheet named Petratex – PO_RFQ.xlsx. Once the spreadsheet is opened, an HTTP request is made to download the Agent Tesla malware. Agent Tesla is well known and has been well documented. It is a fully functioning RAT (Remote Access Trojan) capable of stealing credentials, taking screenshots and downloading additional files.
The third attack we noticed used the lure of “Authorization” as the filename. This file was hosted on OneDrive. Opening the Excel file resulted in a binary being downloaded from “centraldeplaya.com”, as shown in the screenshot below.
The executable downloaded is the Houdini (H-Worm) RAT. The following functionality is built into the RAT:
- Executes a file specified by the C2
- Overwrites the installed malware with an updated version and executes it
- Deletes all the registry keys it created, along with the file
- POST request to download a file from the C2
- GET request to download a file from the C2
- Uploads a file specified by the C2 to the C2. The POST request is sent to the URI /is-rlartg; the request line takes the form POST /is-rlsartg{*}<file_name>
- Sleeps for a specified period of time
Menlo Security has a more detailed write-up about this RAT.
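The download chains above (redirector, then file-hosting site, then paste site) and the Houdini C2 URI shape both leave traces in web-proxy logs. The following is an added triage example, not Menlo Labs' code. It assumes a constructed space-separated proxy log format; every log line in it is constructed for illustration. Only the host names bit.ly, paste.ee and centraldeplaya.com and the /is-rlartg and /is-rlsartg URI spellings come from the write-up; the Femto uploader is matched by the substring "femto" because the post does not give its domain, and the sample C2 address 203.0.113.7 is a documentation-range placeholder.

```python
"""Proxy-log triage for the infection chains described above (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hosts the write-up names as hops in the download chains. "femto" is matched
# as a substring because the post names the "Femto uploader" without a domain.
CHAIN_HOST_MARKERS = ("bit.ly", "femto", "paste.ee", "centraldeplaya.com")

# Content types that indicate a Windows executable payload.
EXEC_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec"}

# Houdini/H-Worm C2 paths as the write-up gives them: the text says /is-rlartg,
# the quoted request line says /is-rlsartg{*}<file_name>; both are accepted.
HOUDINI_PATH = re.compile(r"^/is-rls?artg(?:\{\*\}(?P<fname>[^\s]+))?$")


@dataclass
class LogEntry:
    ts: str
    client: str
    method: str
    host: str
    path: str
    status: int
    content_type: str
    size: int


@dataclass
class Finding:
    ts: str
    client: str
    rule: str
    detail: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one constructed record: ts client method host path status ctype size."""
    parts = line.split()
    if len(parts) != 8:
        return None
    ts, client, method, host, path, status, ctype, size = parts
    if not status.isdigit() or not size.isdigit():
        return None
    return LogEntry(ts, client, method.upper(), host.lower(), path,
                    int(status), ctype.lower(), int(size))


def is_chain_host(host: str) -> bool:
    return any(marker in host for marker in CHAIN_HOST_MARKERS)


def looks_executable(entry: LogEntry) -> bool:
    return (entry.content_type in EXEC_CONTENT_TYPES
            or entry.path.lower().endswith(".exe"))


def check_entry(entry: LogEntry) -> List[Finding]:
    """Per-request rules: Houdini C2 path shape and executables from chain hosts."""
    findings = []
    m = HOUDINI_PATH.match(entry.path)
    if m:
        if entry.method == "POST" and m.group("fname"):
            detail = f"upload to C2 {entry.host}: file {m.group('fname')}"
        else:
            detail = f"{entry.method} download from C2 {entry.host}"
        findings.append(Finding(entry.ts, entry.client, "houdini-c2-uri", detail))
    if is_chain_host(entry.host) and looks_executable(entry):
        findings.append(Finding(entry.ts, entry.client, "exe-from-chain-host",
                                f"{entry.host}{entry.path} ({entry.size} bytes)"))
    return findings


def triage(lines: List[str], min_hops: int = 2) -> List[Finding]:
    """Run per-request rules, then flag clients that touched several chain hosts,
    which is the shape of the redirector -> uploader -> paste-site sequence."""
    findings: List[Finding] = []
    hops: Dict[str, Dict[str, str]] = defaultdict(dict)  # client -> host -> first ts
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue
        findings.extend(check_entry(entry))
        if is_chain_host(entry.host):
            hops[entry.client].setdefault(entry.host, entry.ts)
    for client, hosts in hops.items():
        if len(hosts) >= min_hops:
            findings.append(Finding(min(hosts.values()), client, "multi-hop-download-chain",
                                    " -> ".join(sorted(hosts, key=hosts.get))))
    return findings


# Constructed sample traffic from two workstations; not captured data.
SAMPLE_LOG = """\
2020-06-30T10:01:02Z 10.0.0.5 GET cdn.example.net /img/logo.png 200 image/png 4821
2020-06-30T10:02:10Z 10.0.0.5 GET bit.ly /3abcXYZ 301 text/html 0
2020-06-30T10:02:11Z 10.0.0.5 GET files.femto.example /dl/invoice.exe 200 application/x-msdownload 418304
2020-06-30T10:02:19Z 10.0.0.5 GET paste.ee /r/AbCdE 200 text/plain 91230
2020-06-30T10:05:00Z 10.0.0.5 POST 203.0.113.7 /is-rlsartg{*}passwords.txt 200 text/plain 2048
2020-06-30T10:05:30Z 10.0.0.5 GET 203.0.113.7 /is-rlartg 200 application/octet-stream 51200
2020-06-30T10:06:00Z 10.0.0.9 GET paste.ee /r/notes 200 text/plain 300
malformed line here
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.client} [{f.rule}] {f.detail}")
```

Run against the sample, the workstation 10.0.0.5 is flagged three times at the request level (an executable from the uploader host, an upload to and a download from the C2 path) and once at the client level for touching three chain hosts in sequence, while the single paste.ee fetch from 10.0.0.9 stays below the hop threshold. The per-client aggregation is the part worth keeping even if the hosts change: a redirector followed by a file host and a paste site within minutes is the chain the write-up describes, independent of any one indicator.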
The fact that CVE-2017-11882 continues to be exploited speaks not only to the reliability of the exploit, but also to the fact that there are companies out there still running outdated software. Patching applications and operating systems against known security issues is critical, but the shortage of cybersecurity professionals, combined with the ever-changing enterprise environment, makes it harder for enterprises to put a proper patch management process in place.
Tagged with Menlo Labs, Threat Trends, Vulnerabilities, Web Security