by Cows

Gamaredon targets Ukraine using CVE-2017-0199

Between September and November 2019 there was a significant uptick in Gamaredon-attributed activity. A series of Word documents exploiting CVE-2017-0199 were uploaded to VirusTotal, mostly by submitters in Ukraine. The initial dropper documents do not use malicious macros or OLE objects; instead they reference external Document Template (.dot) files from XML elements.

External .dot resource hidden in XML element

The lack of OLE objects and macros is important as the detection rate for the dropper document is extremely low.

VirusTotal detections for the dropper document

The external resource is downloaded as the document loads, and therefore does not require additional user interaction.

Dropper document downloading external resource as it opens
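Because the dropper's only hook is a relationship entry pointing at a remote template, it can be flagged statically before the document is ever opened. The following is an added example (not code from this write-up or from the Gamaredon tooling) that unpacks a .docx and lists every attachedTemplate relationship whose target is remote; the sample document it builds and the URL inside it are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument"
                     "/2006/relationships/attachedTemplate")


def find_external_templates(docx_bytes: bytes) -> list:
    """Return (rels_file, target) for every remote attachedTemplate link.

    The dropper described above carries no macro or OLE object; its only hook
    is a Relationship in word/_rels/settings.xml.rels with a URL Target and
    TargetMode="External", which Word fetches while the document loads.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                # A local template (e.g. Normal.dotm) is benign; a URL or
                # UNC path means the template is pulled from elsewhere.
                if external or "://" in target or target.startswith("\\\\"):
                    hits.append((name, target))
    return hits


def build_sample_docx(target: str, external: bool) -> bytes:
    """Constructed minimal .docx with one attachedTemplate relationship."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{target}"{mode}/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, not one of the indicators from the write-up.
    sample = build_sample_docx("http://template-host.invalid/x.dot", True)
    print(find_external_templates(sample))
```

Run it over a mail gateway or sandbox queue to triage documents that show no macro or OLE content; the same check also catches templates referenced by a UNC path.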

The downloaded .dot file contains a macro that runs when the document is opened, which is immediate in this case because the template is being loaded by the dropper document. A decoy document is displayed while the macro runs in the background.

Malicious VBA macro used to drop a Visual Basic script to disk

The macro's main function is to write a self-contained Visual Basic script to disk. It first modifies the following registry values, enabling trusted access to the VBA object model and allowing VBA macros to execute without warning:

HKEY_CURRENT_USER\Software\Microsoft\Office\<Application.Version>\Word\Security\AccessVBOM 

HKEY_CURRENT_USER\Software\Microsoft\Office\<Application.Version>\Word\Security\VBAWarnings

The macro then builds the C2 URL, which consists of a unique identifier based on the victim’s ComputerName and the hex value of the serial number for the hard drive on which the operating system resides.

http:\\networks-crash.ddns.net/<ComputerName>_<serialNumHex>/autoindex.php

The self-contained Visual Basic script is then written to the 'Startup' folder under the name 'template.vbs'.

C:\Users\\AppData\Roaming\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\template.vbs

The Visual Basic script dropped by the macro acts as a downloader. It attempts to download data from the C2 and write it to an executable file in the 'Startup' directory.

Visual Basic script downloader

Unfortunately the executable file was not available for analysis at the time of writing.

The resolved IP address for the C2 (2.59.41.5) has been reused for several months, hosting several domains used to target other entities.

Associated IOCs:

Domains:
http://network-crash.ddns.net/
http://word-gread.ddns.net/

IPs:
2.59.41.5
141.8.195.60

MD5:
75ad80c780417092a27fa7af45638810