The use of ACE files is not uncommon in malware campaigns. A combination of machine learning, advanced heuristics, behavior-based detections, and detonation enables Office 365 Advanced Threat Protection<\/a> (ATP) to regularly detect and block a variety of threats that are packed in ACE files, including common malware like Fareit, Agent Tesla, NanoCore, LokiBot and some ransomware families.<\/p>\n The same capabilities in Office 365 ATP detected malicious ACE files carrying the CVE-2018-20250 exploit. We spotted one of these ACE files in the sophisticated targeted attack that we describe in this blog and that stood out because of unusual, interesting techniques. Notably, the attack used techniques that are similar to campaigns carried out by the activity group known as MuddyWater<\/a>, as observed by other security vendors like Trend Micro<\/a>.<\/p>\n Figure 1. Attack chain that delivered the CVE-2018-20250 exploit<\/em><\/p>\n A spear-phishing email purporting to be from the Ministry of Foreign Affairs (MFA) of the Islamic Republic of Afghanistan was sent to very specific targets and asked for \u201cresources, telecommunication services and satellite maps\u201d. The email came with a Word document attachment.<\/p>\n Figure 2. Spear phishing email containing lure Word Document<\/em><\/p>\n When opened, the document asks the recipient to download another document from a now-inactive OneDrive link. While the URL was down during our analysis, we still reported the case to the OneDrive team.<\/p>\n The use of a document with just a link\u2014no malicious macro or embedded object\u2014was likely meant to evade conventional email security protection. This didn\u2019t work against Office 365 ATP, which has the capability to scan emails and Office documents for URLs and analyze links for malicious behavior.<\/p>\n Figure 3. Word document lure containing OneDrive link<\/em><\/p>\n Clicking the link downloads an archive file containing a second Word document, which has malicious macro. Microsoft Word opens the document with security warning. Enabling the macro starts a series of malicious actions that leads to the download of the malware payload.<\/p>\n Figure 4. Downloaded document with malicious macro<\/em><\/p>\n Interestingly, the document has a \u201cNext Page\u201d button. Clicking that button displays a fake message signifying that a certain DLL file is missing, and that the computer needs to restart. This is a social engineering technique that ensures the computer is restarted, which is needed for the payload to run. (More on this later.)<\/p>\n Figure 5. Fake message instructing user to restart the computer<\/em><\/p>\n Meanwhile, with the macro enabled, the malicious code performs the following in the background:<\/p>\n The second-stage PowerShell script collects system information, generates unique computer ID, and sends these to remote location. It acts as a backdoor and can accept commands, including:<\/p>\n The PowerShell script\u2019s ability to accept commands and download programs provided a way for a remote attacker to deliver the malicious ACE file containing CVE-2018-20250 exploit. When triggered, the exploit then drops the payload dropbox.exe<\/em>. The highly obfuscated malicious macro code used in this attack has a unique way of running malicious code by chaining several programs. It first extracts an encoded data taken from UserForm.TextBox<\/em>, before decoding and saving it as C:\\Windows\\Temp\\id.png<\/em>. This file contains an encoded PowerShell command that is executed later by the first-stage PowerShell script.<\/p>\n Figure 6. Obfuscated macro code<\/em><\/p>\n The malicious macro code then creates an Excel.Application<\/em> object to write the VBScript code.<\/p>\n Figure 7. VBScript code created by the malicious macro<\/em><\/p>\n It then runs wscript.exe<\/em> to launch the PowerShell script at runtime. The PowerShell script itself does not touch the disc, making it a fileless<\/a> component of the attack chain. Living-off-the-land<\/a>, the technique of using resources that are already available on the system (e.g., wscript.exe<\/em>) to run malicious code directly in memory, is another way that this attack tries to evade detection.<\/p>\n The first-stage PowerShell script contains multiple layers of obfuscation. When run, it decodes the file id.png<\/em> to produce another PowerShell script that\u2019s responsible for the rest of the actions.<\/p>\n Figure 8. Obfuscated first-stage PowerShell code<\/em><\/p>\n Figure 9. De-obfuscated first-stage PowerShell script<\/em><\/p>\n The decrypted PowerShell script is also highly obfuscated. Fully de-obfuscating the malicious script requires over 40 layers of script blocks.<\/p>\n The second-stage PowerShell script collects system information, such as operating system, OS architecture, username, domain name, disk information, enabled-only IP addresses, and gateway IP address. It computes the MD5 hash of collected system information. The computed hash is used as the BotID (some researchers also refer to this as SYSID).<\/p>\n It then concatenates the hash and system information in a string that looks like the following:<\/p>\n <BotID>**<OS>|Disk information**<IP Address List>**<OS Architecture>**<Hostname>**<Domain>**<Username>**<Gateway IP><\/em><\/p>\n For example:<\/p>\n 6e6bdbd3d8b102305f016b06e995a384**Microsoft Windows 10 Enterprise|C:\\WINDOWS|\\Device\\Harddisk0\\Partition3**192[.]168[.]61[.]1-192[.]168[.]32[.]1-157[.]59[.]24[.]113**64-bit**<Hostname>**<Domain>**<Username>**131[.]107[.]160[.]113<\/em><\/p>\n It then encodes each character of the collected system information in decimal value by applying simple custom algorithm with hardcoded key (public key): 959,713. The result is formatted as XML-like data:<\/p>\n {\u201cdata\u201d:\u201d665 545 145 145 222 545 222 145 73 367 665 438 438 438 598 616 145 518 616 566 438 [REDACTED] 616 73 145 145 665 518 365 438 316 665 513 513 432 261 181 344}<\/em><\/p>\n It sends the encoded data to a hardcoded remote command-and-control (C&C), likely to check and register the infected computer: hxxp:\/\/162[.]223[.]<\/span>89[.]<\/span>53\/oa\/.<\/p>\n It continuously waits until the remote attacker sends back \u201cdone\u201d. Then, it sends an HTTP request to the same C&C address passing the BotID, likely to wait for command: hxxp:\/\/162[.]<\/span>223[.]<\/span>89[.]<\/span>53\/oc\/api\/?t=<BOTID>.<\/p>\n It can accept command to download and execute command and sends back the output, encoded in Base64 format, to the remote C2 server using HTTP POST: hxxp:\/\/162[.]<\/span>223[.]<\/span>89[.]<\/span>53\/or\/?t=<BOTID>.<\/p>\n In their analysis<\/a> of the CVE-2018-20250 vulnerability, Check Point researchers found that when parsing ACE files, WinRAR used an old DLL named unacev2.dll that was vulnerable to directory traversal.<\/p>\n Malicious ACE files that carry the CVE-2018-20250 exploit can be spotted through:<\/p>\n Figure 10. ACE file with CVE-2018-20250 exploit<\/em><\/p>\n The ACE file contains three JPEG files that may look related to the email and Word document lures. When the user attempts to extract any of them, the exploit triggers and drops the payload, dropbox.exe<\/em>, to the Startup folder.<\/p>\n Figure 11. Contents of the malicious ACE file<\/em><\/p>\n Going back to the fake error message about a missing DLL and asking the user to restart the computer: The CVE-2018-20250 vulnerability only allows file write to specified folder but has no capability to run the file immediately. Since the payload was dropped in the Startup folder, it is launched when the computer restarts.<\/p>\n The payload dropbox.exe<\/em> performs the same actions as the malicious macro component, which helps ensure that the PowerShell backdoor is running. The PowerShell backdoor could allow a remote attacker to take full control of the compromised machine and make it a launchpad for more malicious actions. Exposing and stopping the attacks at the early stages is critical in preventing additional, typically more damaging impact of undetected malware implants.<\/p>\n The targeted attack we discussed in this blog and other attacks that use the CVE-2018-20250 exploit show how quickly attackers can take advantage of known vulnerabilities. Attackers are always in search of new vectors to reach more victims. In this attack, they also used some sophisticated code injection techniques. Protections against cyberattacks should be advanced, real-time, and comprehensive.<\/p>\n The URL detonation capabilities in Office 365 ATP<\/a> was instrumental in detecting and blocking the malicious behaviors across the multiple stages of this sophisticated attack, protecting customers from potentially damaging outcomes. URL detonation, coupled with heuristics, behavior-based detections, and machine learning, allow Office 365 ATP to protect customers not only from targeted attacks, but also well-crafted spear phishing attacks\u2014in real time.<\/p>\n These advanced defenses from Office 365 ATP are shared with other services in Microsoft Threat Protection<\/a>, which provides seamless, integrated, and comprehensive protection against multiple attack vectors. Through signal-sharing, Microsoft threat Protection orchestrates threat remediation.<\/p>\n For endpoints that are not protected by Office 365 ATP, Microsoft Defender ATP<\/a> detects the attacker techniques used in this targeted attack. Microsoft Defender ATP is a unified endpoint protection platform for attack surface reduction, next generation protection, endpoint detection & response (EDR), auto investigation & remediation, as well as recently announced managed threat hunting<\/a> and threat & vulnerability management<\/a>.<\/p>\n Microsoft Defender ATP uses machine learning, behavior monitoring, and heuristics to detect sophisticated threats. Its industry-leading optics<\/a>, integration with Office 365 ATP and other Microsoft Threat Protection services, and use of AMSI<\/a> give it unique capabilities to detect attacker techniques, including the exploit, obfuscation, detection evasion, and fileless techniques observed in this attack.<\/p>\n The attacks that immediately exploited the WinRAR vulnerability demonstrate the importance of threat & vulnerability management in reducing organizational risk. Even if your organization was not affected by this attack against specific organizations in the satellite and communications industry, there are other malware campaigns that used the exploits.<\/p>\n Microsoft Defender ATP\u2019s threat & vulnerability management<\/a> capability uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities. As a component of a unified endpoint protection platform, threat & hunting vulnerability management in Microsoft Defender ATP provides these unique benefits:<\/p>\n Figure 12. Sample Threat & Vulnerability Management dashboard showing WinRAR vulnerabilities on managed endpoints<\/em><\/p>\n The complex attack chain that incorporated sophisticated techniques observed in this targeted attack highlights the benefits of a comprehensive protection enriched by telemetry collected across the entire attack chain. Microsoft Threat Protection continues to evolve<\/a> to provide integrated threat protection solution for the modern workplace.<\/p>\n Rex Plantado<\/em><\/strong> Files (SHA-256):<\/p>\n![\"Attack](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/04\/fig1-cve-2018-20250-attack-chain.png\")
<\/p>\nAttack chain overview<\/h3>\n
![\"Spear](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/04\/fig2-cve-2018-20250-email.png\")
<\/p>\n![](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/04\/fig3-cve-2018-20250-original-document.png\")
<\/p>\n![\"Screenshot](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/04\/fig4-cve-2018-2025-Document-With-Malicious-Macro.png\")
<\/p>\n![\"Document](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/04\/fig5-cve-2018-20250-Document-With-Malicious-Macro-with-Dialog-Box.png\")
<\/p>\n\n
\n
The next sections discuss in detail the key components of this attack chain.<\/p>\nMalicious macro<\/h3>\n
![\"Obfuscated](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/04\/fig6-obfuscated-macro-code.png\")
<\/p>\n![\"VBScript](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/04\/fig7.vbscript-created-by-macro.png\")
<\/p>\nPowerShell<\/h3>\n
![\"Obfuscated](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/04\/fig8-obfuscated-first-stage-PowerShell-code.jpg\")
<\/p>\n![\"De-obfuscated](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/04\/fig9-de-obfuscated-first-scate-PowerShell-script.png\")
<\/p>\nCVE-2018-20250 exploit<\/h3>\n
\n
![\"ACE](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/04\/fig10-ACE-file-with-CVE-2018-20250-exploit.jpg\")
<\/p>\n![\"Contents](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/04\/fig11-contents-of-the-malicious-ACE-file.jpg\")
<\/p>\nStopping attacks at the entry point with Office 365 ATP<\/h3>\n
Unified protection across multiple attack vectors with Microsoft Threat Protection<\/h3>\n
\n
![\"Threat](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/04\/fig12-threat-and-vulnerability-management.png\")
<\/p>\n
Office 365 ATP Research Team<\/em><\/p>\nIndicators of compromise<\/h3>\n