Introduction
On 12th December 2017, Netskope Threat Research Labs identified a very interesting file named “New Order.docx”. Analysis of the file determined that it was not a regular malware which are usually distributed via spam campaigns. Based on the the nature of the attack, the vulnerabilities being exploited by the attackers and the other TTPs used, we suspect this to be a very targeted attack and are calling it BadWolf-1. The Word document, disguised as an important company update, used two recently reported Microsoft Office vulnerabilities (CVE-2017-0199 & CVE-2017-11882) with multi-level payload downloads upon exploitation. At this moment, the intent of the attack seems to be for exfiltrating data from the victim. Interestingly, this data was being emailed out to a specific Google Gmail account by directly connecting from the victim’s machine to Google SMTP server. The credentials of the attackers Google Gmail account were exposed during the analysis, but the attackers had 2-step verification turned on to access their Gmail account which requires both the credentials and also a unique code sent as a text message to a mobile device. Netskope Threat Protection detects the weaponized document as Trojan.Doc.Downloader.AGE.
Attack Kill Chain
The following figure depicts the attack kill chain.
Analysis of documents
Attackers used a crafted document disguised as an important company update that exploits a vulnerability in Microsoft Office and Wordpad. It was assigned the reference as CVE-2017-0199 a