A backdoor malware campaign targeting Russian-speaking businesses is employing a unique attack chain that abuses multiple Windows components and features during the infection process.
A backdoor malware campaign targeting Russian-speaking businesses is employing a unique attack chain that abuses multiple Windows components and features during the infection process.

What appears to be an ongoing spear phishing campaign has been targeting Russian-speaking businesses, including banks and mining firms, with a newly discovered backdoor malware program since late June, according to researchers at Trend Micro.

The backdoor, whose final payload is a malicious XML file by the name of JS_GETFO.ZHEG-A, is capable of downloading and executing PE files, deleting files, downloading and running scripts, and running shell commands, Trend Micro explained in a Monday blog post. So far, researchers have identified five separate waves of phishing emails between June 23 and July 27, each one using a different email lure to trick recipients into infecting themselves.

Designed to look like they originated from sales and bill departments, the deceptive phishing emails seemingly include a DOC attachment featuring instructions for connecting clients or payment applications. However, in reality, these so-called Word documents are actually malformed RTF files that exploit CVE-2017-0199, a well-known vulnerability in Microsoft Office's Windows Object linking and Embedding interface.

CVE-2017-0199 is a remote code execution bug affecting the way that Windows and WordPad software programs parse specially crafted files. Microsoft fixed the bug in April 2017, six months after it was discovered. According to a Reuters report, hackers, including the Iran government-linked OilRig threat, have been regularly exploiting this flaw -- in some cases to spy on targeted users, implant malware, and steal banking credentials.

In this latest campaign that targets Russian businesses, the initial infection catalyzes a rather complex attack chain that abuses a combination of legitimate Windows components and features, which helps it elude detection by bypassing restrictions on running scripts and evading whitelist protections.

Specifically, the abused components and features consist of: mshta.exe, an executable file responsible for opening HTA and HTML files; odbcconf.exea command-line tool that configures ODBC drivers and data source names; and Regsvr32, the Microsoft Register Server command-line utility, used for registering DLLs and ActiveX controls in the Windows Registry.

"What is interesting about this malware is the methods it has chained together in order to provide that backdoor. It leverages several legitimate Windows techniques in order to open up the victim's systems... These tools have legitimate uses on the system and disabling them will impact the productivity of the system," said Mark Nunnikhoven, VP of Cloud Research for Trend Micro, in an email interview with SC Media.

"This is a trend we're seeing more and more this year: several less critical issues being linked together like stepping stones used to reach a more important goal."

The abuse of Regsvr32 is an attack method known as Squiblydoo. According to Trend Micro, this is the first time a malware attack chain has leveraged both Squiblydoo and odbcconf.exe.

In the early stages of infection, the CVE-2017-0199 exploit downloads a fake Excel spreadsheet file, which is embedded with malicious JavaScript, from an attacker-controlled domain. The malicious file abuses mshta.exe, which opens the fake XLS file as an HTML application, the blog post explains. This process enables two PowerShell scripts, one of which downloads a decoy document to keep up appearances, while the other downloads a DLL file.

Executed via odbcconf.exe, the DLL in turn abuses Regsvr32 in order to execute a SCT (Windows Scriptlet) file containing a malicious, obfuscated JavaScript. Finally this JS file downloads and executes the final XML payload. 

To protect oneself against this campaign, Trend Micro has recommended vigilant patching and updates, firewalls, intrusion detection and prevention, virtual patching, and URL categorization. "Apart from enforcing the principle of least privilege, system administrators should also consider disabling system components that aren't necessary to the user's tasks," the blog post states. "Another option is to blacklist possible command interpreters and rarely used applications, even if they are Windows components themselves," even though this could disable certain legitimate system functions.