{"id":1959,"date":"2024-09-25T09:47:48","date_gmt":"2024-09-25T09:47:48","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1959"},"modified":"2025-07-29T03:09:01","modified_gmt":"2025-07-29T03:09:01","slug":"analysis-of-the-new-wave-of-cve-2017-0199-exploit-campaign","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-the-new-wave-of-cve-2017-0199-exploit-campaign\/","title":{"rendered":"Analysis of the new wave of CVE-2017-0199 Exploit Campaign"},"content":{"rendered":"\n<p><strong>What&#8217;s the CVE-2017-0199 Exploit?<\/strong><\/p>\n\n\n\n<p>The way Microsoft Office and WordPad parse specially crafted files results in a remote code execution vulnerability. An attacker who successfully exploits this vulnerability could gain the highest level of privilege on the system. After that, an attacker could install additional tools to view, change, or delete data, or create new accounts with full administrative rights.<\/p>\n\n\n\n<p>To exploit this vulnerability, a user must open or preview a specially crafted file using an affected version of Microsoft Office or WordPad. An attacker could exploit the vulnerability in an email attack scenario by sending a specially crafted file to the user and then convincing the user to open the file.<\/p>\n\n\n\n<p>In this context, a remote exploit is a piece of software code crafted to take advantage of a memory corruption vulnerability or any other security flaw that allows an attacker to take full control of the target system. The exploit&#8217;s main functionality is to install different types of malware on the target system. 
This is one of the ways threat actors deliver malware.<\/p>\n\n\n\n<p><strong>Vulnerable Versions of MS Office<\/strong><\/p>\n\n\n\n<p>According to Microsoft, the following MS Office products are affected by CVE-2017-0199:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microsoft Office 2007 Service Pack 3<\/li>\n\n\n\n<li>Microsoft Office 2010 Service Pack 2 (32-bit editions)<\/li>\n\n\n\n<li>Microsoft Office 2010 Service Pack 2 (64-bit editions)<\/li>\n\n\n\n<li>Microsoft Office 2013 Service Pack 1 (64-bit editions)<\/li>\n\n\n\n<li>Microsoft Office 2016 (32-bit edition)<\/li>\n\n\n\n<li>Microsoft Office 2016 (64-bit edition)<\/li>\n<\/ul>\n\n\n\n<p><strong>Infection Chain:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"322\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-32.webp\" alt=\"\" class=\"wp-image-1960\"\/><\/figure>\n\n\n\n<p>The exploit campaign arrives in the form of a spear-phishing email attachment. 
The email carries an MS Word document (.docx), sometimes delivered inside a password-protected archive.<\/p>\n\n\n\n<p>In general, this kind of exploit requires the victim to enable editing of the document; the document then connects to the target URL to download its next attack vector, most likely one or more RTF files, and those RTF files communicate with the C2 server to drop a payload that performs malicious actions on the target system.<\/p>\n\n\n\n<p><strong>Sample Information:<\/strong><\/p>\n\n\n\n<p>SHA256: 5d0015a9e896a7d9f61023e373cad295eb8afa9482def818e5307aa6b66d63dd<\/p>\n\n\n\n<p>Category: Remote Exploit<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1024\" height=\"234\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-31.webp\" alt=\"\" class=\"wp-image-1961\"\/><\/figure>\n\n\n\n<p><strong>Snap 1: Initial Vector &#8211; Phishing Email<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1024\" height=\"603\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3-31.webp\" alt=\"\" class=\"wp-image-1962\"\/><\/figure>\n\n\n\n<p>Typically, attackers intercept legitimate email conversations between individuals and hijack them in order to spread malware to corporate networks via highly customised phishing messages designed to appear as if the victim is still communicating with the person they were originally messaging.<\/p>\n\n\n\n<p><strong>Snap 2: Technical Analysis of DOCX<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"523\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/4-31.webp\" alt=\"\" class=\"wp-image-1963\"\/><\/figure>\n\n\n\n<p>Microsoft Word [DOCX] documents are essentially ZIP archives. 
We can extract the contents of the document with command-line tools, or extract it manually, to see the underlying file structure. This allows us to inspect the relationship files to determine whether any malicious links have been inserted into the document.<\/p>\n\n\n\n<p><strong>Snap 3: Structure of DOCX (.rels section folder)<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"384\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/5-30.webp\" alt=\"\" class=\"wp-image-1964\"\/><\/figure>\n\n\n\n<p>A .rels file is a metadata file stored within Microsoft Office Open XML documents, such as Word .DOCX, .XLS, .XLSX, and .PPTX files. It contains XML specifications for how &#8220;parts&#8221; within a &#8220;package&#8221; are connected to form a document. RELS files are saved in a _rels directory of an Office Open XML (OOXML) document.<\/p>\n\n\n\n<p>The main relationships within .rels files are declared using the XML syntax<br>&lt;Relationship Id=&quot;someID&quot; Type=&quot;relationshipType&quot; Target=&quot;targetPart&quot;\/&gt;<br><br>where<br>Id &#8211; unique user-defined string<br>Type &#8211; type of content<br>Target &#8211; target file used for the relationship.<\/p>\n\n\n\n<p><strong>Snap 4: Target URL<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"129\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/6-30.webp\" alt=\"\" class=\"wp-image-1965\"\/><\/figure>\n\n\n\n<p>The threat actor&#8217;s C2 URL is extremely long and contains random numbers. The random numbers are used to hide the IP address, one of the techniques attackers use to avoid detection. External links are hyperlinks that point to any domain (here, the target C2) other than the domain where the link is located (the source).<\/p>\n\n\n\n<p><strong>Snap 5: IOC<\/strong><\/p>\n\n\n\n<p><strong>a) Malicious IP is hidden<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"225\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/7-30.webp\" alt=\"\" class=\"wp-image-1966\"\/><\/figure>\n\n\n\n<p><strong>b) Malicious IP is visible<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"225\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/8-26.webp\" alt=\"\" class=\"wp-image-1967\"\/><\/figure>\n\n\n\n<p>Here the .DOCX contains the target URL used to download another infection vector, such as an RTF file.<\/p>\n\n\n\n<p><strong>Snap 6: Dropped file [ RTF ]<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"390\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/9-23.webp\" alt=\"\" class=\"wp-image-1968\"\/><\/figure>\n\n\n\n<p>RTF files do not support macros, but they allow other files to be embedded within them, and attackers frequently use this to embed malware. Another technique used by threat actors is loading multiple OLE controls, which allows exploit mitigations to be bypassed, and exploiting memory corruption vulnerabilities by loading vulnerable OLE controls. 
This usually appears as a nested control word such as &#8220;objocx&#8221; or &#8220;objemb&#8221; followed by &#8220;objclass&#8221;, whose argument is the name of the OLE control used to render the object.<\/p>\n\n\n\n<p>Mainly, this exploit campaign uses the \u201c\\objupdate\u201d control word, which internally calls the link object\u2019s <strong>IOleObject::Update<\/strong> method to update the link\u2019s source.<\/p>\n\n\n\n<p><strong>Snap 7: Dropped file of [ MSIL ]<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"360\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/10-22.webp\" alt=\"\" class=\"wp-image-1969\"\/><\/figure>\n\n\n\n<p>Based on LMNTRIX CDC&#8217;s technical analysis, this exploit delivers Snake Keylogger malware as part of the payload.<\/p>\n\n\n\n<p>Snake Keylogger is credential-stealing malware developed using the .NET framework. The primary function of Snake Keylogger is to record the current user&#8217;s keystrokes on computers or mobile devices and exfiltrate the collected data to servers designated by the threat actors.<\/p>\n\n\n\n<p><strong>Snap 8: Entry point of the sample<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"599\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/11-14.webp\" alt=\"\" class=\"wp-image-1970\"\/><\/figure>\n\n\n\n<p>The malware sample has five different overloads of one method: the same method name is used multiple times, each with a different set of parameters.<\/p>\n\n\n\n<p><strong>Snap 9: Initialize Component<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"465\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/12-11.webp\" alt=\"\" class=\"wp-image-1971\"\/><\/figure>\n\n\n\n<p>InitializeComponent is a .NET 
method that initializes the form at run time. It is called from the form constructor and is used to set up any form.<\/p>\n\n\n\n<p><strong>Snap 10: Malware Loaded<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"589\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/13-8.webp\" alt=\"\" class=\"wp-image-1972\"\/><\/figure>\n\n\n\n<p>The screenshot above depicts how the malware is loaded. These kinds of keyloggers use a lot of obfuscation, and the threat actor adds further layers of exception handling in order to make reversing the sample harder.<\/p>\n\n\n\n<p><strong>Conclusion<\/strong><\/p>\n\n\n\n<p>CVE-2017-0199 has been tracked continuously by LMNTRIX CDC for over 4 years now. This vulnerability in Microsoft Word, which allows an attacker to execute a malicious Visual Basic script, has been leveraged by the threat actors behind the Thread Kit &amp; Microsoft Intruder exploit kits. The CVE-2017-0199 vulnerability is a logical flaw that can circumvent most preventive and mitigation mechanisms. Although the malicious document only contained a link to the threat actor&#8217;s C2 server, an XDR platform such as LMNTRIX can be extremely useful in detecting multi-stage attacks from the initial infection stage to post-exploitation\/lateral movement. Further campaigns leveraging this exploit have been observed in recent months by LMNTRIX, so we strongly advise users to apply the most recent security updates released by Microsoft for Windows and MS Office packages.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What&rsquo;s the CVE-2017-0199 Exploit? The way Microsoft Office and WordPad parse specially crafted files results in&nbsp;a remote code execution vulnerability. An attacker who successfully exploits&nbsp;this vulnerability could gain access of highest privilege&nbsp;to&nbsp;the&nbsp;system. 
After that, an attacker could install additional tools to&nbsp;view, change, or delete data, or create new accounts with full administrative&nbsp;rights. To exploit this [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1973,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1959","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1959","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1959"}],"version-history":[{"count":2,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1959\/revisions"}],"predecessor-version":[{"id":4174,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1959\/revisions\/4174"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1973"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1959"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}