
· 2 min read

Information

An interesting sample exploiting CVE-2023-38831 was discovered targeting Russia. This vulnerability is being exploited in the wild at the time of writing.

CVE-2023-38831

RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through August 2023.

sha256: 74bc4c892f5590610c31057c4f60d6f7e1d7fafff4565d5726d82ef262888632
filename: Pismo_ishodjashhee_61301-1_8724_ot_27_09_2023_Rassylka_Ministerstva_promyshlennosti.rar

As in other samples observed exploiting this vulnerability, there are two files inside the RAR archive. The benign file is a PDF that pretends to be from the Ministry of Industry of Russia.

[Image: pdf]

The malicious file, which has the same name as the PDF but a .cmd extension, executes the malicious payload. The payload launches PowerShell to download the second stage from http://45.142.212[.]34/AIMP2.eXe.

[Image: cmd]
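The archive layout the CVE description refers to (a benign file plus a folder of the same name holding executable content) can be checked for directly. The following Python script is an added example, not code from the original post: it scans a ZIP archive for that collision and builds a harmless constructed archive with the same shape to test against. The post's sample is a RAR, but the CVE also covers ZIP and Python's standard library can read it; the executable-extension list and the trailing-space normalisation (in-the-wild samples pad the names) are the example's own assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions WinRAR hands to the shell; a same-named folder holding one of
# these is the CVE-2023-38831 shape. Assumed list for this example.
EXEC_EXTS = {".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".scr", ".lnk"}


def find_cve_2023_38831_collisions(data: bytes) -> list[tuple[str, str]]:
    """Return (benign_file, executable_entry) pairs where a folder shares its
    name with a top-level file and contains an executable entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    # Top-level plain files keyed by name with trailing spaces removed, so the
    # padded variants seen in the wild match as well as exact same-name ones.
    files = {n.rstrip(" "): n for n in names if "/" not in n}
    hits = []
    for n in names:
        if "/" not in n or n.endswith("/"):
            continue  # top-level file or bare directory entry
        folder, _, leaf = n.partition("/")
        benign = files.get(folder.rstrip(" "))
        if benign is None:
            continue
        if PurePosixPath(leaf).suffix.lower() in EXEC_EXTS:
            hits.append((benign, n))
    return hits


def build_sample_archive() -> bytes:
    """Constructed, harmless archive with the malicious layout: a benign PDF
    and a same-named folder holding a .cmd file (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pismo.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Pismo.pdf/Pismo.pdf.cmd", "rem placeholder\n")
        zf.writestr("readme.txt", "unrelated file")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed archive with a folder and a file whose names do not collide."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("docs/notes.txt", "nothing to see")
    return buf.getvalue()
```

Running `find_cve_2023_38831_collisions(open(path, "rb").read())` on a real ZIP returns the colliding pairs, which is enough to quarantine the archive before any viewer opens it.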

🔗 sample: https://virustotal.com/gui/file/74bc4c892f5590610c31057c4f60d6f7e1d7fafff4565d5726d82ef262888632/

🔗 tweet: https://twitter.com/Joseliyo_Jstnk/status/1711321498705674679

Hunting

You can easily search for samples related to this vulnerability in VirusTotal as follows:

entity:file tag:cve-2023-38831 

Contact

Twitter: https://twitter.com/Joseliyo_Jstnk

LinkedIn: https://www.linkedin.com/in/joseluissm/

· 2 min read

Information

A file uploaded from Vietnam with the name Phieu bo sung Ly lich.docx (translated: SUPPLEMENTAL RESUME FORM) was found exploiting CVE-2022-30190 and CVE-2021-40444.

CVE-2021-40444

Remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

CVE-2022-30190

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

sha256: becb5601866206225ac8fa492b6485bddbaefa3bbeaf66748490f258eafe5589
filename: Phieu bo sung Ly lich.docx

[Image: doc]

When the user opens the document, malicious content is downloaded onto the system from mhtml:http://27.72.28[.]152:8080/LoadingUpdate.html!x-usc:http:/27.72.28[.]152:8080/LoadingUpdate.html.

msdt.exe is executed with a base64-encoded command that downloads an svchost.exe file from the same IP, which is actually a Meterpreter payload.

[Image: doc]

[Image: doc]

[Image: doc]

Finally, Meterpreter establishes the C2 connection to the same IP on port 4433 (27.72.28[.]152:4433).

[Image: doc]

🔗 DOCx: https://www.virustotal.com/gui/file/becb5601866206225ac8fa492b6485bddbaefa3bbeaf66748490f258eafe5589

🔗 Meterpreter: https://www.virustotal.com/gui/file/bcb52e097c21ed88b39213abd3d3a834166e8c91366580b0353620c3a8d2bef3

🔗 Vietnam IP: https://www.virustotal.com/gui/ip-address/27.72.28.152

🔗 Tweet: https://twitter.com/Joseliyo_Jstnk/status/1710206354617680086

Hunting

Some interesting hunting queries related to these behaviors:

entity:file (tag:cve-2022-30190 or tag:cve-2021-40444)
type:document (behavior_processes:"davclnt.dll,DavSetCookie" and behavior_processes:"http")
type:document behavior_processes:msdt.exe behavior_processes:mpsigstub.exe behavior:"System.Convert"


· One min read

Information

A new Gamaredon sample with a low detection rate was discovered targeting Ukraine, using the topic DEPARTMENT OF SOCIAL PROTECTION OF THE POPULATION OF THE KYIV REGIONAL STATE ADMINISTRATION OF THE KYIV REGIONAL MILITARY ADMINISTRATION.

[Image: doc]

sha256: 032d134d145c3047f56e936431a0aefd89ba56ba2bd3101c27bb002298addc88
filename: Unknown

During execution, it loads a remote template from the URL http://lucky.falling85.garibdo[.]ru. There is another subdomain, council67.garibdo[.]ru, probably used to achieve the same goal with other documents.

[Image: doc]

The URL can be found in the 1table stream of the .doc file, as shown.

[Image: doc]
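Both the mhtml:/x-usc link in the Vietnamese document earlier on this page and the remote template loaded by this Gamaredon sample are references Word resolves when the file is opened; in a .docx they live in the package's relationship parts. The following Python script is an added example, not code from the original posts: it lists the external relationships of a .docx that fetch remote content or use the mhtml:/ms-msdt: schemes, and tests itself against a constructed minimal document that uses a documentation IP rather than the sample's. The relationship types it treats as remote are the example's own selection, and the 1table storage of a binary .doc mentioned above is a different (OLE) format that this script does not parse.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship parts Word resolves on open, and the types that fetch remote content
# (embedded OLE object, attached template). Assumed selection for this example.
RELS_PARTS = ("word/_rels/document.xml.rels", "word/_rels/settings.xml.rels")
REMOTE_TYPES = {"oleObject", "attachedTemplate"}


def external_targets(docx: bytes) -> list[tuple[str, str]]:
    """Return (relationship type, target) for every external relationship that
    fetches remote content, plus any target using the mhtml: or ms-msdt: scheme."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        for part in RELS_PARTS:
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts cannot reach the network
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rtype in REMOTE_TYPES or target.lower().startswith(("mhtml:", "ms-msdt:")):
                    hits.append((rtype, target))
    return hits


def rels_xml(rels: list[tuple[str, str]]) -> str:
    """Serialise a .rels part with every relationship marked External."""
    body = "".join(
        f'<Relationship Id="rId{i}" Type="{OFFICE_REL}{t}" Target="{tgt}" TargetMode="External"/>'
        for i, (t, tgt) in enumerate(rels, 1))
    return f'<Relationships xmlns="{RELS_NS}">{body}</Relationships>'


def build_sample_docx() -> bytes:
    """Constructed minimal .docx (documentation IP, not the sample's): an mhtml:/x-usc
    OLE object, a remote attached template, and a plain hyperlink that must not fire."""
    stage = "http://203.0.113.10:8080/LoadingUpdate.html"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml([
            ("oleObject", f"mhtml:{stage}!x-usc:{stage}"),
            ("hyperlink", "https://example.com/")]))
        zf.writestr("word/_rels/settings.xml.rels", rels_xml([
            ("attachedTemplate", "http://template.example/remote.dotm")]))
    return buf.getvalue()
```

Ordinary hyperlinks are deliberately left alone, since flagging every external link would drown the two patterns that matter here.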

🔗 DOCx: https://www.virustotal.com/gui/file/032d134d145c3047f56e936431a0aefd89ba56ba2bd3101c27bb002298addc88

🔗 Domain: https://www.virustotal.com/gui/domain/lucky.falling85.garibdo.ru

🔗 Tweet: https://twitter.com/Joseliyo_Jstnk/status/1709488573454376975

Hunting

Some interesting hunting queries related to these behaviors:

(behavior_processes:*.ru* and behavior_processes:*DavSetCookie* and behavior_processes:*http*) and (behavior_network:*.ru* or embedded_domain:*.ru* or embedded_url:*.ru*) and (type:document)


· 2 min read

Information

I was doing some hunting looking for documents uploaded from Azerbaijan and Armenia due to the conflict that currently exists in both countries.

Then I found a suspicious document impersonating the National Security Service of the Republic of Armenia.

sha256: fa406c532ea3d7cae05411df0ed5a541630a07f26a247a22d907f424397c72ce
filename: haytararutyun.doc

[Image: doc]

Looking at the relations of that file, there is a parent email. The email information shows that it was apparently sent to an account at sns[.]am, a domain related to the National Security Service mentioned above.

Besides that, the metadata of the Office document also shows information about the victims.

[Image: doc]

When executed, it downloads a file from https://karabakhtelekom[.]com/api/ekeng-mta.exe which tries to masquerade as explorer.exe by using the same name.

[Image: doc]

🔗 office document: https://www.virustotal.com/gui/file/fa406c532ea3d7cae05411df0ed5a541630a07f26a247a22d907f424397c72ce

🔗 Explorer.exe downloaded: https://www.virustotal.com/gui/file/3a679cb98f88d7d6bd84dcfe9717238c08c05942055bdb798103224e7f2f2ca9

🔗 tweet: https://twitter.com/Joseliyo_Jstnk/status/1704516647468388552

Hunting

The initial VT Intelligence query used was the following one; due to the conflict, I was mainly looking for documents uploaded from those countries.

(submitter:AM or submitter:AZ) type:document p:1+ fs:2023-09-01+

You can adapt this query to your needs. It was useful at a specific moment, but it is probably not worth creating a Livehunt rule from it or running it daily, because of the false positives it will generate.
