Researchers believe a suspected Iranian APT group is responsible for a recent cyber- espionage operation that targeted a Middle Eastern government organisation using a recently patched remote code execution vulnerability in Microsoft Office as an attack vector.
In a 7 November blog post, FireEye researchers report that the threat actor, assessed to be APT34, used the memory corruption vulnerability CVE-2017-11882 to deploy the PowerShell-based backdoor Powruner as well as Bondupated, a downloader with domain generation algorithm (DGA) functionality. Since at last July 2017, these two malwares have been used in previous campaigns attributed to APT34, which FireEye says "loosely aligns" with reports of a group commonly referred to in cyber-security circles as OilRig.
To launch the campaign, the attackers sent a spear-phishing email with a malicious Rich Text Format file attachment to its intended victim, whom FireEye does not name. This file is specifically crafted to exploit CVE-2017-11882, which was previously discovered in the Microsoft Equation Editor component of Microsoft Office and subsequently patched on 14 November.
According to FireEye, the exploit "corrupts the memory on the stack and then proceeds to push the malicious data to the stack." At that point, the malware overwrites the function address with a instruction that calls for a certain function that creates a child process, which in turn downloads a malicious script from a domain.
This script contains a PowerShell command for downloading a dropper, which sneaks the final payloads, as well as several other key components, into the directory C:\ProgramData\Windows\Microsoft\java\.
One of the two last-stage payloads, the backdoor Powruner is capable of communicating host data to its command-and-control server, including information about the logged-in user, hostname, network configuration data, active connections, process information, local and domain admin accounts, an enumerations of user directories, FireEye reports. Additionally, the malware can capture and store a screenshot of a victim's system.
"Recent activity by APT34 demonstrates that they are capable group with potential access to their own development resources," FireEye states in its blog. "During the past few months, APT34 has been able to quickly incorporate exploits for at at least two publicly vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to target organisations in the Middle East. We assess that APT34's efforts to continuously update their malware, including the incorporation of DGA for C2, demonstrate the group's commitment to pursing strategies to deter detection."
In a separate blog post on Friday, Palo Alto Networks addressed a recent bevy of CVE-2017-11882 exploits found in the wild. The company's Unit 42 researchers note that since 20 November, Palo Alto has identified "thousands of attempted attacks which exploit this vulnerability...." One recent attack targeting European organisations involved an email with an attached fake invoice document, which when opened executed an infection chain sequence resulting in the final payload of the information-stealing trojan FormBook.