WinRAR exploit used by MuddyWater APT phishing gang

News by Rene Millman

A WinRAR exploit discovered recently by Check Point Software has been used in part of a phishing campaign by cyberspy group MuddyWater.

A WinRAR exploit discovered recently Check Point Software has been used in part of a phishing campaign by cyberspy group MuddyWater.

According to a blog post by Microsoft’s Office 365 ATP Research Team, the vulnerability was used in part of an intricate attack to execute a fileless PowerShell backdoor. Rex Plantado of Microsoft's Office 365 ATP Research Team said the attack used techniques that are similar to campaigns carried out by the activity group known as MuddyWater.

Plantado said that the attack started with a spear-phishing email purporting to be from the Ministry of Foreign Affairs (MFA) of the Islamic Republic of Afghanistan. This email was sent to very specific targets and asked for "resources, telecommunication services and satellite maps". The email came with a Word document attachment.

"When opened, the document asks the recipient to download another document from a now-inactive OneDrive link. While the URL was down during our analysis, we still reported the case to the OneDrive team," said Plantado.

He added that the use of a document with just a link—no malicious macro or embedded object—was likely meant to evade conventional email security protection.

Clicking the link downloads an archive file containing a second Word document, which has malicious macro. Microsoft Word opens the document with security warning. Enabling the macro starts a series of malicious actions that leads to the download of the malware payload, said Plantado.

"Interestingly, the document has a "Next Page" button. Clicking that button displays a fake message signifying that a certain DLL file is missing, and that the computer needs to restart. This is a social engineering technique that ensures the computer is restarted, which is needed for the payload to run," he added.

The malicious macro executes a number of actions in the background. "The second-stage PowerShell script collects system information, generates unique computer ID, and sends these to a remote location," he said. "It acts as a backdoor and can accept commands."

"The PowerShell script’s ability to accept commands and download programs provided a way for a remote attacker to deliver the malicious ACE file containing CVE-2018-20250 exploit. When triggered, the exploit then drops the payload dropbox.exe," he said.

"The complex attack chain that incorporated sophisticated techniques observed in this targeted attack highlights the benefits of a comprehensive protection enriched by telemetry collected across the entire attack chain," warned Plantado.

Fraser Kyne, EMEA CTO of Bromium, told SC Media UK that there have been a lot of PowerShell related attacks recently, including one that downloaded an image of Mario that delivered Ursnif to the endpoint.

"PowerShell can be a powerful method for hackers to obfuscate malware to bypass detection-based defences. Unfortunately, this type of attack is all too common because the most common attack vectors used by hackers require users to complete an action – like opening an email attachment, clicking a link, or downloading something malicious. As a result, hackers know they only need to get things right once, because there is always someone likely to click on the wrong thing," he said.

Simon Lewsley, director of ICU IT, told SC Media UK that on the assumption that an attack is in progress and that the issue has been found by the firewall reporting or the user reporting the reboot prompt with the DLL error, then it’s simply the normal process whenever exploits are found.

"You would need to identify the host from any unusual internet activity and take off the network. Treat the machine as compromised - personally, I would always format/deploy a new image over the top," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews