refamay.blogg.se

Iexplorer legit
Perception Point’s platform recently caught an advanced attack (CVE-2017-0199) directed at one of our Financial Services customers, delivered via a malicious Microsoft Word document. Our analysis below provides a detailed understanding of the attack, its intent, and the damage it would have caused:

  • An attempt to evade AVs by using several advanced techniques.
  • An attempt to run Loda malware in the form of an executable file.
  • An attempt to steal personal data, such as usernames and passwords.
  • Collect system information such as process name and system information.

Our client received an email that had been flagged malicious by Perception Point’s platform. This report examines the potential effect of the attack, in case the malicious file had not been blocked.

In order to gain the recipient’s trust, the attacker impersonated a supplier of the company by using an email account that seemed similar to a genuine executive account which the company interacts with regularly. The domain “mx.” was found as a known spam mail server.

Below you can find the headers that Proofpoint added to the email. We can see that the other vendors who scanned the emails before Perception Point didn’t find any malicious activity.

Perception Point’s engines identified the malicious activity by tracking down two stages.

The first stage is the docx file with an embedded OLE2Link object. The OLE object contains a link to an external file, as seen below:

[The docx file as viewed by Perception Point’s platform]

If the attacker managed to trick the user into clicking “Yes” on the warning message, the attack proceeds to the second stage. In this stage, the attacker downloaded an RTF file using RemoteOle from https//a.doko.moe/ipphhidoc. The server will return the ipphhi.doc file as an HTA file, so that Word will handle this file not as an RTF file but as an HTA, which is the core issue of CVE-2017-0199:

[The RTF (ipphhi.doc) file as extracted by Perception Point’s platform]

The malicious HTA (https//a.doko.moe/iknfsrhta) will prompt PowerShell to execute an encoded and obfuscated string. After decoding the PowerShell script, we uncovered some details regarding the preparation of the attack before actually executing the malware. From the PowerShell script we deduced that the attacker targeted Office versions 11.0, 12.0, 14.0, 15.0 and 16.0.

The attacker checks the registry parameters and changes them in order to disable any security protection, such as:

  • hkcu:\SOFTwArE\MiCROsoFT\OffiCe\$JejBnGdCskXoooBsORTypTgXxWHzHesm\$wEU\SECURITY\proteCTeDvIeW -NaMe DisableUnsafeLocationsInPV -vAlue 1 -TYPe dwORD
  • HKCU:\softWARE\MiCrOSoFT\OffiCe\$JejBnGdCskXoooBsORTypTgXxWHzHesm\$wEU\sECurItY\ProtEcTEdVieW -NaME DisableAttachementsInPV -vAlue 1 -Type DWOrD
  • HkCU:\sOFTWArE\mICrOSoft\OFfICe\$JejBnGdCskXoooBsORTypTgXxWHzHesm\$wEU\seCuRiTY\proTEcteDvIEW -NaME DisableInternetFilesInPV -vAluE 1 -TYPE dwoRd
  • hkCu:\sOFtwArE\MicRoSOft\oFfIcE\$JejBnGdCskXoooBsORTypTgXxWHzHesm\$wEU\SECuritY -Name VBAWarnings -VAlUe 1 -TYPE dwORD

After preparation is set, the attacker downloads the malware from http///images/iexplorerexe and executes it. The attacker renames the malware “iexplorer.exe”, presumably to make it look legitimate.

As part of the analysis, we scanned the file in VirusTotal to see if this malware is known in the industry. We found out that the file is already known and identified as “Trojan.Nymeria” in the VirusTotal engine:

File hash: 9a0b8943cf336dabb6d1f446035508bf55ef95fff0459eed66c4e2c48d1527df
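The registry changes described above are a compact detection target. The following Python, added here as an example and not part of the original report, scans PowerShell command or script-block log lines for the four listed values being set to 1 under an HKCU Office security key, regardless of casing, and flags the mixed-case parameter names that mark the script as obfuscated. The sample lines are constructed from the fragments quoted in the report plus one benign hardening command, and the per-value descriptions are this example's own reading of the settings.

```python
import re

# Office registry values whose change to 1 weakens Protected View or macro
# protection; names are the report's, descriptions are this example's reading.
WEAKENING_VALUES = {
    "disableunsafelocationsinpv": "Protected View disabled for unsafe locations",
    "disableattachementsinpv": "Protected View disabled for Outlook attachments",
    "disableinternetfilesinpv": "Protected View disabled for Internet files",
    "vbawarnings": "VBA macro warnings downgraded to 'enable all'",
}

# HKCU Office security key in any casing, with any version/app segment so the
# script's PowerShell variables still match, then the -Name/-Value pair.
_SETTING = re.compile(
    r"hkcu:\\software\\microsoft\\office\\[^\\\s]+\\[^\\\s]+\\security"
    r"(?:\\protectedview)?\s+-name\s+(?P<name>\w+)\s+-value\s+(?P<val>\d+)",
    re.IGNORECASE,
)
# Parameter tokens such as -NaMe; normal scripts write -Name, -name or -NAME.
_PARAM = re.compile(r"(?<!\S)-([A-Za-z]+)")

def looks_obfuscated(line):
    """True if any parameter name mixes case like the report's script."""
    return any(not (p.islower() or p.isupper() or p.istitle())
               for p in _PARAM.findall(line))

def find_office_tampering(lines):
    """Scan PowerShell command/script-block log lines and return
    (line_no, value_name, description, obfuscated) per watched value set to 1."""
    hits = []
    for no, line in enumerate(lines, 1):
        for m in _SETTING.finditer(line):
            key = m.group("name").lower()
            if key in WEAKENING_VALUES and m.group("val") == "1":
                hits.append((no, m.group("name"), WEAKENING_VALUES[key],
                             looks_obfuscated(line)))
    return hits

# Constructed sample log: the four fragments quoted in the report, plus one
# benign hardening command and one unrelated line.
SAMPLE_LINES = [
    r"hkcu:\SOFTwArE\MiCROsoFT\OffiCe\$JejBnGdCskXoooBsORTypTgXxWHzHesm\$wEU\SECURITY\proteCTeDvIeW -NaMe DisableUnsafeLocationsInPV -vAlue 1 -TYPe dwORD",
    r"HKCU:\softWARE\MiCrOSoFT\OffiCe\$JejBnGdCskXoooBsORTypTgXxWHzHesm\$wEU\sECurItY\ProtEcTEdVieW -NaME DisableAttachementsInPV -vAlue 1 -Type DWOrD",
    r"HkCU:\sOFTWArE\mICrOSoft\OFfICe\$JejBnGdCskXoooBsORTypTgXxWHzHesm\$wEU\seCuRiTY\proTEcteDvIEW -NaME DisableInternetFilesInPV -vAluE 1 -TYPE dwoRd",
    r"hkCu:\sOFtwArE\MicRoSOft\oFfIcE\$JejBnGdCskXoooBsORTypTgXxWHzHesm\$wEU\SECuritY -Name VBAWarnings -VAlUe 1 -TYPE dwORD",
    r"Set-ItemProperty HKCU:\Software\Microsoft\Office\16.0\Word\Security -Name VBAWarnings -Value 0 -Type DWord",
    "Get-Date | Out-Null",
]
```

Setting a value to 0 (the hardening direction) is deliberately not reported, so the benign fifth line produces no hit.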
