Rajas Save

Winds of Winter - MalSpam Delivers Adwind RAT 2-1-2018

Blog Post created by Rajas Save Employee on Feb 5, 2018

On February 1st 2018, malspam delivered a malicious RTF document that tries to exploit Microsoft Office/WordPad via a Buffer Overflow Vulnerability in the ListView / TreeView ActiveX controls in the MSCOMCTL.OCX library, CVE-2012-0158. The malicious code can be triggered by a specially crafted DOC or RTF file for un-patched MS Office products.

 

 

 

VirusTotal Analysis of delivery document paymentorder.doc confirms presence of RTF exploit.

 

 

After opening the document in a vulnerable Microsoft Word application, a connection is established to “pgamix[.]com” to download a malicious executable payload, using shell code present in RTF file,  which kicks off the following network events.

 

 

VirusTotal Analysis of final payload “babawire.jar” confirms that it’s Adwind, a Java based Remote Access Trojan (RAT). Adwind RAT is a multifunctional malware program and it is distributed through a single malware-as-a-service platform.

 

This file is a compressed stream containing 168 files. It imports multiple java packages required for execution of the Trojan.

 

 

 

Current RSA NetWitness detection populates following meta for the download sessions:

 


 

Although we didn't achieve a full detonation in our own sandbox, post-infection traffic from  Malware-Traffic-Analysis.net populates following meta for the download sessions with Current RSA NetWitness detection:

 

 

 

More detailed information about CVE-2012-0158 can be found here:

Triaging Malicious Microsoft Office documents CVE-2012-0158 

 

Thanks go to Kevin Stear and Ahmed Sonbol for contributing to this threat advisory.

 

 

 

References:

Outcomes