Gamaredon targets Ukraine using CVE-2017-0199
Between September and November 2019 there was a significant uptick in Gamaredon-attributed activity. A series of Word documents exploiting CVE-2017-0199 were uploaded to VirusTotal, mostly by submitters in Ukraine. The initial dropper documents contain no malicious macros or OLE objects; instead they reference an external Document Template (.dot) file from an XML relationship inside the document package, so Word fetches the template when the document is opened.
The absence of OLE objects and macros matters: the dropper carries none of the artefacts scanners typically key on, and its detection rate is extremely low.
The external template is downloaded as the document loads, so no user interaction beyond opening the document is required for the download to happen.
The downloaded .dot file contains a macro that runs when the template is opened, which in this case happens immediately, since the dropper loads it. A decoy document is displayed while the macro runs in the background.
The macro's main function is to write a self-contained VBScript to disk. Before doing so it modifies the following registry values under the current user's Office hive (<Application.Version> is the VBA Application.Version string, e.g. 16.0): AccessVBOM grants trusted access to the VBA project object model, and VBAWarnings sets the macro security level (a value of 1 means "enable all macros"), so VBA can run without any warning:
HKEY_CURRENT_USER\Software\Microsoft\Office\<Application.Version>\Word\Security\AccessVBOM
HKEY_CURRENT_USER\Software\Microsoft\Office\<Application.Version>\Word\Security\VBAWarnings
The macro then builds the C2 URL. Its path carries a victim identifier made from the ComputerName and the hex-encoded serial number of the volume the operating system resides on:
http://networks-crash.ddns.net/<ComputerName>_<serialNumHex>/autoindex.php
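The beacon path is the most stable feature of this infrastructure, since the dynamic-DNS hostnames rotate. As an added example (not code from the original post), the following Python hunts proxy logs for either the IOC domains and IPs listed at the end of this post or the /<ComputerName>_<serialNumHex>/autoindex.php path shape. The log format and the log lines are constructed for the example; the assumptions about computer-name length and serial width are not stated in the post and are marked in the comments.

```python
"""Hunt proxy logs for the Gamaredon beacon pattern (added example, not the post's code)."""
import re
from urllib.parse import urlparse

# Indicators taken from the post's IOC section.
KNOWN_C2_HOSTS = {"network-crash.ddns.net", "word-gread.ddns.net"}
KNOWN_C2_IPS = {"2.59.41.5", "141.8.195.60"}

# Path described above: /<ComputerName>_<serialNumHex>/autoindex.php
# Assumptions (not from the post): NetBIOS computer names are at most 15
# characters and contain no '_', so the separator is unambiguous; the serial
# is the 32-bit volume serial number, which VBA's Hex() renders without
# zero-padding, hence 1 to 8 hex digits.
BEACON_PATH = re.compile(
    r"^/(?P<computer>[A-Za-z0-9-]{1,15})_(?P<serial>[0-9A-Fa-f]{1,8})/autoindex\.php$")


def parse_line(line):
    """Constructed proxy format: '<ts> <client> <method> <url> <status>'."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def classify(entry):
    """Return the entry annotated with match reasons, or None if it is benign."""
    u = urlparse(entry["url"])
    host = (u.hostname or "").lower()
    reasons = []
    if host in KNOWN_C2_HOSTS:
        reasons.append("known C2 domain")
    if host in KNOWN_C2_IPS:
        reasons.append("known C2 IP")
    m = BEACON_PATH.match(u.path)
    if m:
        # The path alone is enough to flag: it identifies the victim host to
        # the operator even when the hostname is one we have not seen yet.
        reasons.append("beacon path")
        entry = dict(entry, computer=m["computer"], serial=int(m["serial"], 16))
    return dict(entry, host=host, reasons=reasons) if reasons else None


def hunt(lines):
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = classify(parse_line(line))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample log: one known-domain beacon, one request to the known
# IP with an unrelated path, one benign autoindex.php, and one beacon to a
# hostname that is not in the IOC list.
SAMPLE_LOG = """\
2019-11-11T09:14:02Z 10.20.3.41 GET http://network-crash.ddns.net/WS-ACCT07_1AF3C20B/autoindex.php 200
2019-11-11T09:14:05Z 10.20.3.41 GET http://2.59.41.5/img/logo.png 404
2019-11-11T09:20:17Z 10.20.3.88 GET http://intranet.example/reports/autoindex.php 200
2019-11-11T09:31:44Z 10.20.3.19 GET http://some-other-name.ddns.net/LAPTOP-J7Q_9C01/autoindex.php 200
"""

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG.splitlines()):
        print(h["ts"], h["client"], h["host"], ", ".join(h["reasons"]),
              h.get("computer", ""), h.get("serial", ""))
```

The decoded computer name and serial are kept on each hit so that beacons from the same machine can be tied together across hostname changes, and so the infected host can be located without relying on the proxy's client address.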
The self-contained VBScript is then written to the user's Startup folder under the name 'template.vbs'. Anything in this folder runs at every logon, which gives the downloader persistence.
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\template.vbs
The dropped VBScript acts as a downloader: it attempts to fetch data from the C2 and write it to an executable file in the same Startup directory.
Unfortunately, the executable was not available for analysis at the time of writing.
The IP address the C2 resolved to (2.59.41.5) has been reused for several months and has hosted a number of other domains used to target other entities.
Date        Domain
2019-11-11  unhcr.ddns.net
2019-11-11  shell-sertificates.ddns.net
2019-11-11  network-crash.ddns.net
2019-11-11  message-office.ddns.net
2019-11-11  list-sert.ddns.net
2019-11-11  libresoft.ddns.net
2019-11-11  kristo-ua.ddns.net
2019-11-11  kornet-ua.ddns.net
2019-11-11  bitread.ddns.net
2019-11-09  micro-office.ddns.net
2019-11-09  get-icons.ddns.net
2019-11-08  checkhurl.space
2019-11-08  checkhurl.info
2019-11-08  checkhurl.fun
2019-11-07  checkhurl.site
2019-11-05  underlord.site
2019-11-01  underlord.fun
2019-10-18  bitvers.ddns.net
2019-10-17  sv-menedgment.ddns.net
2019-10-17  lookups.ddns.net
2019-10-17  document-write.ddns.net
2019-10-14  suipost.ddns.net
2019-10-13  document-listing.ddns.net
2019-10-12  military-ua.ddns.net
2019-10-12  rnbo-ua.ddns.net
2019-10-11  const-gov.ddns.net
2019-10-10  my-certificates.ddns.net
2019-10-05  libre-boot.ddns.net
2019-10-02  underlord.space
2019-09-28  templates.hopto.org
2019-09-26  checkhurl.website
2019-09-25  constructor-word.ddns.net
2019-09-23  creative-office.ddns.net
2019-09-20  duktas-dde.ddns.net
Associated IOCs:
Domains:
http://network-crash.ddns.net/
http://word-gread.ddns.net/
IPs:
2.59.41.5
141.8.195.60
MD5:
75ad80c780417092a27fa7af45638810