Zscaler ThreatLabZ has been tracking the usage of malicious RTF documents that leverage CVE-2017-8570 and, more recently, CVE-2018-0802 vulnerability exploits to install malicious payloads on the victim machine. In this blog, we'll share our analysis of a campaign leveraging these two exploits to deliver LokiBot.

These malicious documents spread by using phishing emails to trick users into opening and executing them.

Fig 1: Malicious documents weaponized with exploits to infect target machine

An example of a phishing spam email with an attached malicious RTF document is shown below.

Fig 2: Phishing spam email with attached malicious RTF document

In the case of the LokiBot spreading campaign, we saw that these documents were weaponized with either the CVE-2017-8570 or the CVE-2018-0802 exploit payload. The workflow of both exploits is shown below.

Fig 3: Workflow of CVE-2017-8570 and CVE-2018-0802

This exploit bypasses the Microsoft patch for CVE-2017-0199. It makes use of a composite moniker in the RTF file to execute a Windows Script Component (WSC) file, or scriptlet, on the victim's machine. A scriptlet is an XML file wrapping a script such as VBScript or JavaScript. The RTF document uses a Packager.dll trick to drop an SCT file into the %TEMP% directory and execute it using the escalated privilege that the vulnerability provides. The document has two objdata blobs encoded and embedded in it, as shown below.

Fig 4: Objdata1 "Package" ActiveX control
01050000 02000000 = OLE object
08000000 = Length of following string
5061636B 61676500 = ActiveX name "Package"
CB060000 = Data length of following binary data

Upon executing the RTF file, the embedded SCT file is dropped in the %TEMP% directory with the name V2BRUIICCL75CPT.sct. This SCT file will be executed by a second objdata in the RTF document.

Fig 5: Objdata2 "OLE2Link" leveraging composite moniker

The RTF has a composite moniker, file moniker, and new moniker working together. The byte sequences shown in Fig 5 are the binary representation of the following CLSIDs.
= New moniker

After the file moniker CLSID, there is a length field followed by the file path, which is going to execute the new object persisted in "%TMP%\V2BRUIICCL75CPT.sct". In short, this object will execute the file by using the composite moniker in the RTF document. This SCT file is dropped and executed by the RTF document. The dropped SCT file looks like the screen capture below.

The SCT file has JavaScript, which downloads the malicious executable price.exe from juanjoseriffocom/ed/price.exe, saves it to %APPDATA% with the name windowsis.exe, and executes it.

This exploit is a CVE-2017-11882 patch bypass vulnerability of type stack overflow. This vulnerability will only work on systems updated with the CVE-2017-11882 patch. The logic behind this loophole is similar to the remote code execution vulnerability (CVE-2017-11882) in the Office embedded formula editor EQNEDT32.EXE. The first object data of the document file uses Packager.dll to drop the file into the %TEMP% directory. The malicious executable file, having the length 0x000868B6, will be dropped in the %TEMP% directory with the name price.exe. Like CVE-2017-11882, the actual data for this vulnerability is in the equation native stream of the OLE object, which is shown in the image below.

Fig 8: Equation native stream of OLE object in RTF document

The dropped file %temp%\price.exe will be executed via the Microsoft Windows command shell.

The malicious executables dropped by the RTF documents leveraging the above two exploits are from the LokiBot family. LokiBot is malware capable of stealing users' private data, including stored credentials and cryptocurrency wallets. The stolen information is relayed back to the Command & Control (C&C) server. The LokiBot malware payloads seen in this campaign were compiled using Borland Delphi and were UPX packed.
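The OLE 1.0 object header annotated in Fig 4 is what a triage script pulls out of an RTF objdata blob to spot Packager ("Package" class) objects before any file is dropped. The Python below is an added example written for this page, not Zscaler's code; it assumes the MS-OLEDS layout (OLEVersion, FormatID, class name, then the empty TopicName and ItemName strings that the figure's annotation skips, then the native data length), and its sample bytes are constructed.

```python
import struct

# Constructed sample, not bytes from a real document: the header annotated in
# Fig 4 (01050000, FormatID 02000000, "Package\0", data length CB060000 = 0x6CB),
# plus the two empty TopicName/ItemName strings MS-OLEDS places before the data
# length (an assumption of this example), then 0x6CB dummy bytes standing in for
# the Packager payload.
SAMPLE_HEADER_HEX = "01050000 02000000 08000000 5061636B61676500 00000000 00000000 CB060000"
SAMPLE_OBJDATA = bytes.fromhex(SAMPLE_HEADER_HEX) + b"\x00" * 0x6CB

def decode_objdata_hex(text: str) -> bytes:
    """Decode the hex that RTF carries inside \\objdata, ignoring line breaks and spaces."""
    return bytes.fromhex("".join(text.split()))

def _read_string(blob: bytes, off: int):
    """Read a LengthPrefixedAnsiString: little-endian DWORD length, then the bytes."""
    (length,) = struct.unpack_from("<I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("string runs past end of blob")
    return blob[off:off + length].rstrip(b"\x00").decode("latin-1"), off + length

def parse_ole1_object(blob: bytes) -> dict:
    """Parse an OLE 1.0 ObjectHeader followed by the embedded object's native data."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    class_name, off = _read_string(blob, 8)
    topic_name, off = _read_string(blob, off)
    item_name, off = _read_string(blob, off)
    (native_size,) = struct.unpack_from("<I", blob, off)
    off += 4
    native = blob[off:off + native_size]
    return {
        "ole_version": version,
        "format_id": format_id,          # 2 = embedded object
        "class_name": class_name,
        "topic_name": topic_name,
        "item_name": item_name,
        "native_size": native_size,
        "native_data": native,
        "truncated": len(native) < native_size,  # declared length exceeds the blob
    }

def is_packager_object(info: dict) -> bool:
    """A "Package" class embedded object is the Packager.dll drop-to-%TEMP% trick
    described above; flag it in triage regardless of which exploit follows."""
    return info["format_id"] == 2 and info["class_name"].lower() == "package"

if __name__ == "__main__":
    info = parse_ole1_object(SAMPLE_OBJDATA)
    print(info["class_name"], hex(info["native_size"]), is_packager_object(info))
```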