AKBuilder, Microsoft Word Intruder exploiting Office RTF vulnerability

Thanks to Gabor Szapannos of SophosLabs for providing the research for this article.

Last October, Microsoft released Security Bulletin MS16-121, patching an Office vulnerability attackers could exploit to run malware on infected computers. Those who have yet to apply it should do so immediately: SophosLabs researchers have discovered fresh cases of AKBuilder and Microsoft Word Intruder (MWI) exploiting the flaw.

Specifically, copies of AKBuilder are being sold on an underground forum, and MWI’s authors are now using it to concoct new exploits against the RTF flaw. SophosLabs principal researcher Gábor Szappanos said:

This vulnerability is already under fire by two major exploit builders. It all happened within a couple of weeks, with the help of an underground forum.

A tale of two exploit builders

AKBuilder generates malicious Word documents, all in Rich Text. Once purchased, malicious actors use it to package malware samples into booby-trapped documents they can then spam out. It uses exploits to deliberately corrupt files that automatically trigger bugs in Office and underlying bugs in Windows itself. SophosLabs has seen several cases of this builder in action recently.

MWI is one of the best known Office exploit builders and certainly one of the most popular in cybercrime groups. Though SophosLabs recently discovered new versions that include non-Office exploits, the one targeting the Office RTF flaw goes on the attack the old-fashioned way.

Targets the CVE-2016-7193 vulnerability

The samples analyzed by the lab exploit the vulnerabilities outlined in Common Vulnerabilities and Exposures bulletin CVE-2016-7193. This is a memory corruption bug that causes Office software to mishandle rich text format (RTF) files.

The bad guys can exploit this by creating a tainted RTF document that, once downloaded, infects the victim’s computer. If the user is logged on with administrative user rights, an attacker could, as Microsoft says in its bulletin, “take control of the affected system and install programs, view, change, or delete data; or create new accounts with full user rights”.

Latest MWI files

SophosLabs intercepted and analyzed two corrupted files designed to exploit the vulnerability. The lab reached out to Microsoft, which confirmed the exploit.

The first file – SIMON WERNER GMBH – RFQ.doc – was first submitted to the VirusTotal malware scanner March 20 from sources in Hong Kong and the UK. The file drops a Dofoil downloader to %PROFILE%\AppData\Local\Temp\msvc.exe, which then downloads AMcr35.exe from a remote site.

The second file – “security instructions” from Visa.doc,  выписка.doc, 2017april.doc – was submitted to VirusTotal on March 28 from sources in Kazakhstan, Ukraine and Russia. Malware from that file is downloaded to %PROFILE%\AppData\Local\Temp\msvc.exe. It opens a Metasploit-generated reverse shell at 92.63.111.201:443/ZVHd.

If opened, the viewer will see the following decoy content:

SophosLabs followed the trail further back to March 8 and discovered AKBuilder samples that are the same as the first MWI sample described above. The conclusion is that an actual copy of AKBuilder was sold on the underground forum and used by the MWI author.

Characteristics

Both files contain the CVE-2016-7193 exploit. The shellcode used in both samples is very similar to the dropper code used in Microsoft Word Intruder-generated samples. SophosLabs suspects they were generated by a new version of MWI.

Both documents use the same algorithm to decrypt the payload – a one-byte XOR with the key incremented in each step and the first few hundred bytes swapped, and shellcode that uses Windows Management Instrumentation functions to execute the payload.

The builder from the original author was distributed as a Python script that worked very much like AKBuilder, based on comments made in an online forum.

Despite the similarities to AKBuilder, this one used different encryption keys and a different embedded exploit block.

The following image is the final RTF exploit generated by the builder which, in the case of first file, is very similar to the RTF files generated by recent AKBuilder versions:

We suspect the author of MWI purchased the script, then released a first version based on it. It was only later fitted to be more in the MWI-style.

One week after the initial public announcement on the underground forum, SophosLabs saw the first sample in the wild, followed by a larger deployment of the exploit.

Defensive measures

As noted, Microsoft released a patch for the vulnerability in MS16-121. In that bulletin, Microsoft also noted that users whose accounts are configured to have fewer user rights on the system are less vulnerable than users who operate with administrative rights.

Meanwhile, users should be careful to only download files from trusted sources.