Knock Knock Knocking on EhDoor (The Curious Case of an EPS file)
INTRODUCTION
This all started with the great analysis and blog post published by RSA in August 2017 about a phishing wave targeting Russian banks. This was followed by another great blog post by McAfee on the same subject, but my focus will be on a specific aspect mentioned in the RSA blog: the exploit used.
“FireEye discovered a malicious docx exploiting a zero day vulnerability in Microsoft’s Encapsulated Postscript (EPS) filter, in the summer of 2015. This EPS exploit was assigned CVE-2015-2545. In March 2017, FireEye observed both nation state and financially motivated actors using EPS zero day exploits assigned as CVE-2017-0261 and CVE-2017-0262, prior to Microsoft disabling EPS rendering in its Office products with an update in April 2017.”
PART 1 - ADDITIONAL SAMPLE RELATED TO THE PHISHING CAMPAIGN
One thing I took from the analysis of the samples in the RSA blog was the name of the EPS file, “image1.eps”. If you search for that name, one of the results has the MD5 “667c7f50177a64b4cb30aad8d4d0360e”.
Looking at the document “выписка по счету клиента.docx”, which translates to “statement of the customer account.docx”, in more detail reveals similarities to the XOR obfuscation techniques mentioned in the RSA blog; see the snippet below.
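The lure documents carry their EPS under word/media/ inside the docx zip, so a first triage step is to pull every EPS part out and count the tokens worth a second look. The following is an added example, not code from the original post or from any of the vendors cited: it builds a constructed docx in memory around a constructed, non-functional EPS body, and the "flag" heuristic (the restore operator FireEye names plus an xor decoding loop plus a long hex string) is my own assumption for triage, not a detection signature.

```python
import io
import re
import zipfile

# Constructed EPS body (NOT a real exploit): only the kinds of tokens worth
# flagging in triage, i.e. a long hex string, an xor decoding loop and the
# PostScript "restore" operator named in the FireEye write-up.
FAKE_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"/data <" + b"41" * 64 + b"> def\n"
    b"/k 16#5A def\n"
    b"0 1 data length 1 sub { data exch 2 copy get k xor put } for\n"
    b"save restore\n"
)

def build_constructed_docx(eps_name="image1.eps", eps_body=FAKE_EPS):
    """Constructed docx: just enough OOXML zip layout to carry a media part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/" + eps_name, eps_body)
    return buf.getvalue()

# Token patterns counted per EPS part (assumed triage heuristic, not a signature).
SUSPICIOUS = {
    "restore": rb"\brestore\b",
    "xor": rb"\bxor\b",
    "long_hex_string": rb"<[0-9A-Fa-f]{64,}>",
}

def find_eps_parts(docx_bytes):
    """Return one triage record per EPS part embedded in the docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            # Match on the extension or on the PostScript magic, since a
            # renamed part still reaches the EPS filter by content.
            if not (name.lower().endswith(".eps") or data.startswith(b"%!PS")):
                continue
            counts = {k: len(re.findall(p, data)) for k, p in SUSPICIOUS.items()}
            hits.append({"part": name, "size": len(data), "counts": counts,
                         "flag": counts["restore"] > 0 and counts["xor"] > 0})
    return hits
```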
PART 2 - FROM AN EPS FILE TO THE EHDOOR BACKDOOR
The RSA blog mentioned that different actors are borrowing the exploits above and in most cases using them as is, so, continuing from PART 1 and the EPS file name, I wanted to see if I could find some interesting samples. I know it is a bit crazy and might return all kinds of results, but sometimes that by itself is interesting.
In doing so, I came across a sample titled “peace-along-the-border-is-not-a-one-process-says-Lt-gen-ds-hooda.doc”. Looking up the name Lt. Gen. DS Hooda returns a news article from an Indian news outlet with the same title as the sample.
The article itself discusses a strategically contested area of the Kashmir region, and the general's name refers to “Lieutenant General Deependra Singh Hooda who has had a unique ringside view of Kashmir affairs in recent times, both as chief of the Udhampur-based Northern Army Command and prior to that as General Officer Commanding of the Nagrota-based 16 Corps.”
When I came across the sample I did not make much of it, other than that the naming convention of the lure looked interesting, and I put it on the back burner to analyze later since I was more focused on the RSA blog.
That all changed when Reuters published a story on August 28, 2017 about India and Pakistan being hit by spy malware. The article describes the potential lure documents used: “To install the malware, Symantec found, the attackers used decoy documents related to security issues in South Asia. The documents included reports from Reuters, Zee News, and the Hindu, and were related to military issues, Kashmir, and an Indian secessionist movement.”
Based on the article and the sample I had come across earlier, I wanted to see if they were indeed connected and whether I had stumbled upon one of these lure documents.
In the Reuters article, Symantec dubbed the final payload Ehdoor, and a quick Google search for that name brings up Symantec's technical details for the backdoor.
Looking further into the backdoor details and researching a bit, I was able to find a couple of samples of the backdoor in open source.
Looking at some interesting PDB strings from the sample above (notice the EH reference relating to EHDoor), I tried to find additional details and information about this malware.
I came across a blog post in Chinese whose title translates to “An Analysis of APT Events in Pakistan”, which is a great write-up and a fantastic analysis of the campaign. The blog post actually references the work of the Chinese 360 team and their analysis from back in June.
Lo and behold, they analyzed the same sample “peace-along-the-border-is-not-a-one-process-says-Lt-gen-ds-hooda.doc”, showing that this lure document ended up delivering the EHDoor backdoor described in the Reuters article. Additional IoCs are available in the Chinese link, and I am also including them at the bottom of this post.
Looking further into this, I found a nicely written report by Bitdefender on the same malware, which they dub “EHDevel”.
BUT WAIT, THERE IS MORE
While analyzing and researching the samples, I noticed the recurrence of the “FLTLDR.exe” process being invoked as part of the exploit chain. This got me interested in finding out more, and it was quickly cleared up by the FireEye blog, where they state:
“Upon opening the Office document, the FLTLDR.EXE is utilized to render an embedded EPS image, which contains the exploit. The EPS file is a PostScript program, which leverages a Use-After-Free vulnerability in “restore” operand.”
This is interesting because we can now run some unique searches for samples that invoke that EXE, which can point us to samples related to EPS exploits.
Using the Advanced Searching functionality within Hybrid Analysis, and specifically the Sample Context field, I was able to find many samples that invoke the above-mentioned EXE; below are some interesting ones.
0b0635b6ba23f1ab5aed4111c0af1fbb - Shelter for Rohingyas temporary
I was also able to find this sample on the QuickSand sandboxing site, tagged with CVE-2017-0261. It was also tagged executable_win, which indicates that it has an embedded EXE. Some of the extracted strings are really interesting, as shown below.
Searching for other samples with some of these strings doesn't return a lot of results. As a matter of fact, it comes back with one main sample, which seems to communicate with 84.200.2[.]12. This IP seems to be associated with NETWIRE malware, but I cannot confirm the final payload for the above sample or the following one.
8ad3a448ce47c6c723e5843bef885313 - 3/58 detections on VT as of the writing of this post; it is also available on QuickSand and contains the strings shown above.
Another way that can yield similar results is searching for this string:
“cmd /C ooxWord://”
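The same two pivots used above against sandbox reports (an Office process invoking FLTLDR.EXE, and a command line carrying ooxWord://) translate directly into endpoint detection logic. This is an added example, not code from the original post or from any vendor it cites: it runs over constructed Sysmon-style process-creation events (the paths and the decoy file name are made up), and the third tag, FLTLDR.EXE launching a child process, is my own assumption about what the renderer should normally never do.

```python
import ntpath

# Office hosts whose FLTLDR.EXE child means an embedded EPS was handed to the filter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" C:\Users\user\Desktop\report.docx'},
    {"parent": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\FLTLDR.EXE",
     "cmdline": r'"FLTLDR.EXE"'},
    {"parent": r"C:\Program Files\Common Files\Microsoft Shared\FLTLDR.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /C ooxWord://C:\Users\user\AppData\Local\Temp\decoy.doc"},
]

def basename(path):
    """Case-folded file name of a Windows path (ntpath handles the backslashes)."""
    return ntpath.basename(path).lower()

def classify_event(ev):
    """Return the detection tags that apply to one process-creation event."""
    tags = []
    parent, image = basename(ev["parent"]), basename(ev["image"])
    if image == "fltldr.exe" and parent in OFFICE_PARENTS:
        tags.append("office_spawned_fltldr")      # EPS filter loaded: review the document
    if parent == "fltldr.exe":
        tags.append("fltldr_child_process")        # assumption: the renderer should not launch anything
    if "ooxword://" in ev["cmdline"].lower():
        tags.append("ooxword_uri_launch")          # the string the post pivots on
    return tags

def hunt(events):
    """Index and tags of every event that matched at least one rule."""
    return [(i, classify_event(e)) for i, e in enumerate(events) if classify_event(e)]

if __name__ == "__main__":
    for idx, tags in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], tags)
```

A benign document that renders a legitimate EPS will also trip office_spawned_fltldr, so treat that tag as a review queue and the other two as the escalation signal.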
This analysis continues to show that the same tools and exploits can be used by multiple adversary groups with different motivations, from financially motivated attackers running phishing campaigns against Russia and Ukraine to the more strategic geopolitical lures that might indicate an advanced adversary with a potential espionage motive.
IoCs FROM THE 360 CHINESE REPORT
Name of Facilitators revealed.scr
Pakistan army officers cover blown.pdf
C:\Users\Fire\Documents\Visual Studio 2015\Projects\newfiles sent\newfiles\obj\Release\Pro-Gaurd.pdb
http://185[.]109[.]144[.]102/DistBuild/DefenderReference.exe
http://185[.]109[.]144[.]102/DO_NOT_NEED_A_URI
http://tes[.]sessions4life[.]pw/quiz/WelcomeScrn.exe
выписка по счету клиента.docx