On September 6th, malspam delivered a malicious RTF document that tries to exploit Microsoft Office/WordPad via a remote code execution (RCE) vulnerability in the Windows API, CVE-2017-0199 [1][2]. This document has been spotted in the wild travelling as an email attachment under different names, one of which is "Remittance details.doc" (VirusTotal analysis).

[Figure: docfileVT.PNG]

[Figure: docfilevtSub.PNG]

Opening the document in a vulnerable Microsoft Word application led to the following network events:

[Figure: nwactivity.png]

Below is a breakdown of the network activity. First, "blabla.hta" (VirusTotal and Hybrid-Analysis) was downloaded; this file contains an obfuscated script carrying a PowerShell command.

[Figure: nwhtapacket.PNG]

[Figure: nwFile.PNG]

Next, the PowerShell command ran and downloaded an executable, "halizeuskins.exe" (VirusTotal and Hybrid-Analysis).

[Figure: nwpacketexe.PNG]

[Figure: fileexenw.PNG]

Once the download completed, the binary was executed and post-infection traffic started.

[Figure: zbot-post-infection-1.png]

[Figure: zbot-post-infection-2.png]
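The download chain described above (an .hta fetched after the document is opened, then an .exe fetched by PowerShell from the same host, then post-infection traffic) is the kind of sequence that can be flagged from ordinary proxy or HTTP logs independently of the indicators in this advisory. The script below is an added example and is not FirstWatch or RSA NetWitness code; the log format, the client addresses, the domains (stage1.example, stage2.example, c2.example and the like) and the five-minute window are all constructed assumptions for illustration. Only the file names "blabla.hta" and "halizeuskins.exe" come from the advisory itself.

```python
"""Added example (not part of the advisory): correlate an .hta download with a
later .exe download from the same client, the two-stage pattern seen above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines, one per line: "<ISO time> <client> "<user-agent>" <url>".
# Hosts, addresses and user agents are invented; the file names are from the advisory.
SAMPLE_LOG = """\
2017-09-06T10:01:12 10.0.0.5 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Microsoft Outlook 15.0.4)" http://stage1.example/blabla.hta
2017-09-06T10:01:19 10.0.0.5 "Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1" http://stage2.example/halizeuskins.exe
2017-09-06T10:03:40 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1) WinHTTP" http://c2.example/gate.php
2017-09-06T10:05:00 10.0.0.9 "Mozilla/5.0 (Windows NT 10.0) Chrome/60" http://cdn.example/installer.exe
2017-09-06T11:30:00 10.0.0.9 "Mozilla/5.0 (Windows NT 10.0) Chrome/60" http://intranet.example/help.hta
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')
WINDOW = timedelta(minutes=5)  # assumed maximum gap between stage 1 and stage 2


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, ua, url = m.groups()
        parts = urlsplit(url)
        path = parts.path.lower()
        events.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "ua": ua,
            "host": parts.hostname,
            "url": url,
            "ext": path.rsplit(".", 1)[-1] if "." in path else "",
        })
    return events


def find_hta_to_exe_chains(events, window=WINDOW):
    """Return one alert per (.hta download, later .exe download) pair from the
    same client within `window`. A PowerShell user agent on the .exe fetch is
    recorded separately so an analyst can weight it, as in the chain above."""
    by_client = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_client[ev["client"]].append(ev)

    alerts = []
    for client, evs in by_client.items():
        htas = [e for e in evs if e["ext"] == "hta"]
        exes = [e for e in evs if e["ext"] == "exe"]
        for h in htas:
            for x in exes:
                # Only an .exe fetched after the .hta, and within the window, counts.
                if h["time"] <= x["time"] <= h["time"] + window:
                    alerts.append({
                        "client": client,
                        "hta": h["url"],
                        "exe": x["url"],
                        "powershell_ua": "powershell" in x["ua"].lower(),
                        "seconds_apart": int((x["time"] - h["time"]).total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_hta_to_exe_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second client (10.0.0.9) downloads an .exe and an .hta as well, but in the wrong order and over an hour apart, so it produces no alert; the first client's .hta-then-.exe sequence seven seconds apart, with a PowerShell user agent on the second fetch, is the one that is reported.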

Current RSA NetWitness detection populates the following meta for the download sessions:

[Figure: nwMeta.PNG]

[Figure: nw2Meta.PNG]

For communication with the C2 domain, the following meta was populated for those sessions in NetWitness Packets:

[Figure: reedlingNwMeta.PNG]

[Figure: reedlingNwMeta2.PNG]

Pivoting off the registration information of the C2 domain "reedling.com[.]ng", FirstWatch found a group of domains registered using the same e-mail address (see appendix).

[Figure: zbot-graphic2.png]

Some of those domains are associated with different malware samples (see appendix). The post-infection network behavior of one of them (SHA256:e078e842c1006c972a65dcb71cf6ae5b38ba5074ea19f999f9879e8ec73a65f2) is similar to the one under our investigation. VirusTotal analysis results for that sample suggest it is a Zbot variant.

[Figure: zbot-similar-traffic.png]

More information about Zbot variants and their detection using RSA NetWitness Suite:


You can also check the recent FirstWatch threat advisory on the uptick in malspam attempting to exploit CVE-2017-0199:
https://community.rsa.com/community/products/netwitness/blog/2017/08/31/malspam-and-cve-2017-0199


Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.


References:
