Recently we came across an interesting sample that warranted further investigation. The file in question was named “Reservar Grupos, Eventos e Feiras Groups, Events.docx”
This particular sample (MD5: 52421a545a7472cf1451b99d914ea2dd) exploits CVE-2017-0199, which exploits the HTA handler in vulnerable versions of Microsoft Office when opening specially crafted RTF files. This CVE is heavily used to distribute malware and many criminal groups are using it. There are multiple tools publicly available for building weaponized documents, for example https://github.com/bhdresh/CVE-2017-0199 on Github.
CVE-2017-0199 uses a multistage attack where the document downloads a secondary payload over HTTP which will be a malicious HTA file. In this case, the following stage was delivered from www.m9c[.]net/uploads/15615240771.doc and www.m9c[.]net/uploads/15620093841.jpg.
This particular malicious document downloads two additional payloads from pastebin:
Usually when we see malware posted on pastebin, it is by an anonymous user. However in this case, we have a registered user, named “Jccdt” who continues to post various types of interesting PowerShell and other malware to their account: https://pastebin.com/u/jccdt
There is a lot of interesting malware here but we’ll focus on the pastes related to our initial sample. The one paste in particular we are interested in is titled “RevengFud.” The paste contains a base64 encoded PE32 executable file. After base64 decoding the payload, we get the MD5 hash of the sample: 94a0e86cc029c5e6c31e71521eda282e.
A quick analysis of the sample reveals that it is in fact Revenge RAT, so we can conclude that the actor is naming the pastes after the malware contain therein. From this naming convention it appears there are some Nanocore RAT and NjRAT samples hosted here as well.
The Revenge RAT sample uses the following domains for command & control:
Now that we have some known attacker infrastructure, the next step is pivoting into Comox with the goal of discovering any additional attacker infrastructure and malware samples. First, looking at Passive DNS for any IP addresses associated with these domains, right away we can see 97 interesting IP addresses to potentially block. Next, we can use the Passive Hash feature of Comox to identify additional domains that were associated with malware on the same IP addresses. From Passive Hash we identify an additional 8 domains. From here, one additional pivot leads us to over a thousand malware samples potentially deployed by this actor.
Closer examination of some of these samples reveals large numbers of commodity malware samples, including various off-the-shelf RATs such as Nanocore, XtremeRAT, Revenge RAT, and AsyncRAT. The majority of the infrastructure is geo-located in Brazil, and based on the language used, the actors are specifically targeting Brazilian users.
Initial RTF sample: 52421a545a7472cf1451b99d914ea2dd
Second stage delivery:
Additional pastebin malware:
Related malware c2: