Office Vulnerabilities Chained to Deliver Backdoor

Discussion in '0-day Release' started by silversurfer, Jul 30, 2018.

  1. silversurfer

    silversurfer Malware Tester Silver Member

    A recently observed malicious campaign is abusing two chained Office documents, each exploiting a different vulnerability, to deliver the FELIXROOT Backdoor, FireEye reports.

    The attack starts with a lure RTF document claiming to contain seminar information on environmental protection. When opened, it attempts to exploit CVE-2017-0199 to download a second stage payload, which is a file weaponized with CVE-2017-11882 (the Equation Editor vulnerability).

    Upon successful infection, the FELIXROOT loader component is dropped onto the victim’s machine, along with an LNK file that points to %system32%\rundll32.exe. The LNK file, which contains the command to execute the loader component of FELIXROOT, is moved to the startup directory.

    The embedded backdoor component, which is encrypted using custom encryption, is decrypted and loaded directly in memory. The malware has a single exported function.

    Upon execution, the backdoor sleeps for 10 minutes, then it checks to see if it was launched by RUNDLL32.exe along with parameter #1. If so, it performs an initial system triage before launching command and control (C&C) network communications.

    Full Article: https://www.securityweek.com/office-vulnerabilities-chained-deliver-backdoor
     
    RGiskardR likes this.
  2. Google Adsense

Share This Page