NSS Labs’ CAWS has been monitoring the activity of CVE-2017-0199, which was patched by Microsoft on April 11, 2017. According to Microsoft, CVE-2017-0199 is a remote code execution vulnerability in Microsoft Office and WordPad. This vulnerability was initially exploited in a zero-day targeted attack. However, once the vulnerability was disclosed publicly, it was just a matter of days before it was utilized in a mass malware campaign. NSS Labs can confirm that it has begun to see this vulnerability being actively exploited to distribute a Dridex variant. Recently, one of NSS Labs’ CAWS customers submitted a suspicious file that was found to be leveraging CVE-2017-0199.
The exploit relies heavily on PowerShell to disable several add-on features in MS Word by deleting the key HKCU\Software\Microsoft\Office\14.0\Word\Resiliency.
The exploit also launches a decoy document to give the impression that nothing unusual has occurred. Once the vulnerability has been exploited, it connects to a remote domain to obtain the Dridex variant.
At this time, VirusTotal does not provide much information: https://virustotal.com/en/file/d1d3d00e0897bad3b57415b3a233fb328cf3d195c4406882f25436f7e14ecc9e/analysis/
The Dridex variant contacts three IP addresses over TCP port 4743.
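The two host-observable behaviors described above (deletion of the Word Resiliency key and outbound TCP connections on port 4743) can be correlated per host to triage endpoint telemetry. The following sketch is an added example, not NSS Labs' code; the flattened event layout keyed on Sysmon event IDs 1, 3 and 12, the host names, and the sample events are constructed assumptions, and matching Office versions other than 14.0 is a generalization beyond the post.

```python
import re

# Key named in the post. Matching any Office version (not only 14.0) and the
# HKU\<SID> form in which Sysmon records HKCU paths are added generalizations.
RESILIENCY = re.compile(
    r"(?:HKCU:?|HKEY_CURRENT_USER|HKU\\S-[\d-]+)\\Software\\Microsoft\\Office"
    r"\\\d+\.\d+\\Word\\Resiliency\b", re.IGNORECASE)
DELETE_CMD = re.compile(r"\b(?:Remove-Item|reg(?:\.exe)?\s+delete)\b", re.IGNORECASE)
C2_PORT = 4743  # TCP port the post reports for the Dridex variant

# Constructed sample events: hypothetical hosts, documentation-range IPs, and an
# assumed flattened field layout keyed on Sysmon event IDs 1, 3 and 12.
SAMPLE_EVENTS = [
    {"host": "WS-01", "event_id": 1, "image": "powershell.exe", "command_line":
        r"powershell.exe -NoProfile -Command Remove-Item -Path "
        r"'HKCU:\Software\Microsoft\Office\14.0\Word\Resiliency' -Recurse"},
    {"host": "WS-01", "event_id": 3, "protocol": "tcp",
     "dest_ip": "203.0.113.10", "dest_port": 4743},
    {"host": "WS-02", "event_id": 12, "event_type": "DeleteKey", "target_object":
        r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Word\Resiliency"},
    {"host": "WS-03", "event_id": 3, "protocol": "tcp",
     "dest_ip": "198.51.100.7", "dest_port": 443},
    {"host": "WS-04", "event_id": 3, "protocol": "tcp",
     "dest_ip": "192.0.2.44", "dest_port": 4743},
]

def triage(events):
    """Return {host: (severity, behaviours)}; both behaviours on one host rank high."""
    seen = {}
    for ev in events:
        flags = seen.setdefault(ev["host"], set())
        eid = ev["event_id"]
        if eid == 1:  # process creation: delete command aimed at the key
            cmd = ev["command_line"]
            if RESILIENCY.search(cmd) and DELETE_CMD.search(cmd):
                flags.add("resiliency_delete")
        elif eid == 12:  # registry object create/delete
            if ev["event_type"] == "DeleteKey" and RESILIENCY.search(ev["target_object"]):
                flags.add("resiliency_delete")
        elif eid == 3:  # network connection
            if ev["protocol"] == "tcp" and ev["dest_port"] == C2_PORT:
                flags.add("port_4743")
    return {host: ("high" if len(flags) == 2 else "review", sorted(flags))
            for host, flags in seen.items() if flags}

if __name__ == "__main__":
    for host, (severity, flags) in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, severity, ", ".join(flags))
```

A host showing only one of the two behaviors is marked for review rather than high, since neither a Resiliency key deletion nor a connection on port 4743 is conclusive on its own.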
The CAWS Cyber Threat Protection Platform continuously analyzes and validates the modus operandi of active exploits in the wild, along with the specific applications being targeted, and the effectiveness of an organization’s security controls to defend against them. The result is preemptive, contextual threat intelligence that enables organizations to stay ahead of breaches, including zero-day attacks. For more information on this threat, as well as to learn more about active exploit campaigns currently being leveraged, log on to caws.nsslabs.com
Indicators of Compromise (IOCs)