Skip to navigation Skip to main content Skip to footer

CVE-2017-8570 RTF and the Sisfader RAT

12 June 2018

By Matt Lewis

Ben Humphrey – Malware Researcher

In late April 2018, NCC Group researchers discovered a small number of documents exploiting CVE-2017-8570 and dropping the same payload. The purpose of these documents is to install a Remote Access Trojan (RAT) on the victims’ machine. This article gives a deep analysis of both the document, and its payload. Special thanks to Principal Security Consultant Richard Warren for identifying these documents.

Figure 1 below shows a workflow of the malicious document and malware installation.

Figure 1 – Infection Workflow

CVE-2017-8570 RTF

As previously stated, the infection vector for the RAT is in the form of an RTF document exploiting CVE-2017-8570 (Figure 2).

Figure 2 – RTF Opened in Word

Closer examination of the document shows that it is utilising the Package ActiveX control to drop and run an SCT file. This technique was blogged by McAfee a number of years ago (1).

Figure 3 – RTF Objects

The SCT file contains a block of obfuscated Javascript. There is a very large character array containing encrypted data, followed by an obfuscated decryption routine. The deobfuscated Javascript code (minus the large character array) can be seen in Figure 4.

Figure 4 – Deobfuscated Javascript


What is a WLL file?

The purpose of the Javascript code is to decrypt and write the file “wordHelpAss.wll” to the Word STARTUP directory. A WLL file is actually just a normal DLL file. This technique is not new and has been described previously (2), but it is not a technique that we generally see in the wild. Another interesting point is that the payload does not get executed straight away. In fact, the WLL file will get executed when Word next opens. This thwarts automated analysis systems, as Word is generally not restarted during analysis. When the WLL file is eventually executed it will install the RAT payload.

Sisfader RAT

The payload installed by the WLL file is not a common RAT. We believe it to be either new or custom. Context Information Security, one of the other industry partners on the UK Cyber Incident Response scheme, has named this RAT Sisfader. We have adopted this name for consistency.
It maintains persistence installing itself as a system service and has multiple components as described in the table below.

Component Name Description
DropperThis component is responsible for installing the malware
AgentThe Agent contains the main code of the RAT. It is responsible for communicating with the C2 server and executing the commands it receives. It is written to the registry in plaintext by the dropper. There are both x86 and x64 versions of the Agent.
ConfigThe Config is also written to the registry. It contains information such as the host identifier, and the C2 server URI.
Auto LoaderLoader The Auto Loader is responsible for extracting the Agent and the Config from the registry. It reads the Agent into its own address space and loads it manually (as opposed to using LoadLibrary). There are both x86 and x64 versions of the Auto Loader.

Dropper

The dropper is an x86 PE file. It is responsible for installing the malware on the victims’ computer. The malware components are located in the droppers’ resource section as can be seen in Figure 5.


Figure 5 – Payload Resources

Flow of execution

The dropper begins with an anti-emulation trick that takes the form of a thread which repeatedly calls PostMessageA() with a parameter of 0x5ACE8D0A (see Figure 6). The main thread calls GetMessageA() and waits to receive a response. If the message parameter is not 0x5ACE8D0A, then the program will exit and the malware will not get installed.

Figure 6 – Post Message Thread


The next step is to decrypt the Config, which is a 354 byte char array located in the .data section. The decryption algorithm used is a simple XOR loop using a 16 byte rolling key. Following this, the malware checks to see if it is running with elevated privileges. If it is not it will attempt to perform privilege elevation (the method for this is described later on in this post). The last step before installation is to generate a unique ID (a UUID) that is used for the C2 server to identify the host.

After figuring out the architecture of the system, the malware will write two components to the registry. The Keys that it writes to depend on whether it has successfully managed to elevate its privileges. If running as admin, it will write to HKCR. If not, it will write to HKCUSystemCurrentControlSetControl.

Data written:

Reg ValueTypeData
bREG_BINARYDLL file (in plaintext)
cREG_BINARYConfig (in plaintext)

Now it’s time to write the loader DLL, which enables the malware to maintain persistence. The AUTO resource is loaded, and copied into memory allocated with GlobalAlloc. Then a function is called that looks for a marker (0xFE19C04F). When the marker is found, the previously generated Host UUID is written.

The next step is to write the Auto DLL to disk. This can be in one of three locations, dependant on checks.

  • C:WindowsSystem32iscsiexe.dll
    • This file is actually overwritten. There is code in the payload to take control of the file so that the system does not attempt to write the original back.
  • C:WindowsSystem32appmgmts.dll
    • XP only. The payload will attempt to remove the original from the dllcache, so that the malware will not get replaced by it.
  • %LOCALAPPDATA%AppUIHelper.dll

The malware is then installed as a service using one of the following names:

  • AppMgmt
  • MSiSCSI

The service is then started.

Injection and UAC Bypass

As previously stated, if the process is not already running as Admin, then it will attempt to elevate its privileges. Here is how it does it:

  1. Creates a new process (explorer.exe / select) with the DEBUG_PROCESS creation flag.
  2. Calls WaitForDebugEvent looking for an event with the code CREATE_PROCESS_DEBUG_EVENT.
  3. Injects (using WriteProcessMemory) some code and a block of data (referenced by the code) into the explorer process. This code performs the CMSTPLUA UAC bypass (3); restarting the malware payload with elevated privileges. The code is injected at the entry point of the explorer process. This address is obtained from the _DEBUG_EVENT structure which is returned by the WaitForDebugEvent function.
  4. Calls ContinueDebugEvent to resume execution of the injected explorer process. 

This technique, although rare, is not new. It been around since at least 2013 when it was used by a bot called Win32/Napolar (4).

The Auto Loader

The main code of the malware is actually in the DllMain, not the ServiceMain function. The service itself doesn’t actually do anything.

Figure 7 – Registry Setting Functions


The purpose of the Auto DLL is to simply extract the Agent DLL and Config from the registry (Figure 7), reflectively load the Agent DLL and call and export of the Agent (in this case, the Initialize function). The Initialize function will return the main malware function into a buffer. Then the agent calls it, passing the Config (Figure 8).

Figure 8 – Agent Initialisation and Execution


The Agent

The agent performs a handshake with the server, then listens for commands. It communicates over TCP. The communication port is found in the Config (in this case it’s 9000). All communications are prefixed with the DWORD: 0xFFDDEEAA

It initialises a structure which contains data for its operation. This structure is passed around to the network communications functions.

Network Communication

It has its own custom protocol for communication. The header is 0x24 bytes in length with any additional data following it. Header structure is as follows:

OffsetSizeDescription
0x000x04Magic Bytes (0xFFDDEEAA)
0x040x04Size of Command Data
0x080x04Command Code (see Command Codes table below)
0x0C0x04Command Parameter 1
0x100x04Command Parameter 2
0x140x10Host UUID
0x24VariableCommand Data

The Command Data is XOR encrypted with a 0x10 byte rolling key which is calculated from data in the Config.

In most cases, to acknowledge that the C2 has received the command, it will send back the same command code with no data.

Command Codes

CommandDescription
0x0F01Register with C2 – sent by the host
0x0F02Registration response from C2
0x0F03Update response from Host (for command 0xE0E3)
0x1251StartProcess – Starts a process with a given command line. This is done with a call to CreateProcess
0x1252GetDriveInfo – Send drive information back to the C2
0x1253FindFile – Check to see if a file exists
0x1254CreateFile – Copy a file from the C2 to the infected machine
0x1255ReadFile – Copy a file from the infected machine to the C2
0x1256GetFileInfo – Send file information back to the C2
0x1257DeleteFile – Delete a file from the infected machine
0xE0E2Send Computer details to the C2
0xE0E3Update from C2. New Agent and Config is uploaded to the host and written to the registry
0xF0E1Beacon – This is sent to the C2 every 10 seconds. It contains the tick count, obtained from GetTickCount()
0xF0E2Ping – From the server. A way of checking if the victims computer is responding
0xF0E3Pong – Response from Ping

IOCs

File paths

  • %LOCALAPPDATA%AppUIHelper.dll
  • C:WindowsSystem32appmgmts.dll (XP only)
  • C:WindowsSystem32iscsiexe.dll (overwritten)

Registry keys

  • HKCRb
  • HKCRc
  • HKCUSystemCurrentControlSetControlb
  • HKCUSystemCurrentControlSetControlc

Services

  • AppMgmt
  • MSiSCSI

URL

  • cv3sa.gicp[dot]net
  • kmbk8.hicp[dot]net

IP Addresses

  • 103.255.45.200:9000

Files Analysed

  • cdcafe42a688ee042dc023128b7da9e591a01f1a163f9644db774acfe1d6d044
  • f1d99e124bf644cc20c7ac93701563ed19978bcf32337e3700b2fbc8a9023b82

References

  1. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/
  2. https://labs.mwrinfosecurity.com/assets/BlogFiles/WilliamKnowles-MWR-44con-PersistingWithMicrosoftOffice.pdf.
  3. https://gist.github.com/hfiref0x/196af729106b780db1c73428b5a5d68d.
  4. https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/.

Published date:  12 June 2018

Written by:  Ben Humphrey