Analysis: RTF exploit drops a Python keylogger
RTF document exploits an old MS Office vulnerability to drop a Python keylogger.
We recently came across an RTF (Rich Text Format) document that turned out to be quite malicious – it resulted in the installation of a keylogger. At the time of writing, AV detections on VirusTotal were 31 out of 56.
Most AV vendors name this threat generically, referencing the vulnerability it exploits, CVE-2012-0158 (for example Kaspersky: Exploit.Win32.CVE-2012-0158.j, Bitdefender: Exploit.RTF-ObfsStrm.Gen).
It’s worth noting that the vulnerability was first disclosed almost 4 years ago, yet the malware authors felt confident there were enough unpatched systems out there to make it worth their while to use it.
For our analysis in VMRay Analyzer, the document was opened with MS Word 2007 on a Windows 7 system.
Looking at the overview of monitored processes, we can see that the RTF file is likely malicious as document viewing does not usually involve spawning lots of processes, much less process injection.
A view of the Severity tab confirms this suspicion. Here we can see that, aside from spawning new processes and injecting into existing ones, the sample connects to a remote host and drops packed PE files. It also registers a startup application to remain persistent across reboots.
The analysis report can display additional information for each detected malicious behavior. From this we can infer that the sample connected to update.serviceupports.com, that the dropped executables are packed with UPX, and that the registered startup application downloaded from this website is called csrsss.exe. Choosing domain and file names that look legitimate or similar to legitimate system components, as well as packing malicious binaries, are typical anti-detection techniques employed by malware.
High-level Process Information
The overview of monitored processes includes not only the process graph, but also a table listing high-level information for each process.
This helps a lot with getting an overview of the sample’s behavior. For example, the table shows that process #3 deletes the registry key HKCU\Software\Microsoft\Office\14.0\Word\Resiliency and then exits. This registry key is used to disable add-ins for Microsoft Word. By deleting it, the malware clears the way for the later installation of malicious Word plugins. Similarly, we can see that most processes running cmd.exe are only concerned with executing a single task each, which we can easily infer from the corresponding command line. Apart from deleting registry keys, these processes:
- populate and hide the malware’s directory C:\SystemVolumeProgram
- register csrsss.exe as a startup application and for daily execution
- retrieve system, volume, and directory information
Hence, from the high-level process information alone, we already know that the malware drops its files into a hidden directory called C:\SystemVolumeProgram and how it ensures persistence.
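The behaviors read off the process table above (Resiliency key deletion, a hidden drop directory, Run-key and scheduled-task persistence, system discovery) are exactly the kind of command-line patterns a detection rule set can match automatically. The following script is an added example, not VMRay's or the sample's code: it runs a small rule set over constructed process-table rows. The rows, pids and exact command lines are assumptions, and the directory spelling C:\SystemVolumeProgram is taken from the analysis as reconstructed here.

```python
import re
from dataclasses import dataclass

# Constructed process-table rows (pid, image, command line) in the shape a
# sandbox process overview exposes. Sample data, not the report's own rows;
# the directory spelling C:\SystemVolumeProgram is an assumption.
SAMPLE_PROCESSES = [
    (3, "cmd.exe", r'cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /f'),
    (5, "cmd.exe", r'cmd.exe /c mkdir C:\SystemVolumeProgram & attrib +h +s C:\SystemVolumeProgram'),
    (6, "cmd.exe", r'cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v csrsss /t REG_SZ /d "C:\SystemVolumeProgram\csrsss.exe" /f'),
    (7, "cmd.exe", r'cmd.exe /c schtasks /create /sc daily /tn csrsss /tr "C:\SystemVolumeProgram\csrsss.exe" /f'),
    (8, "cmd.exe", r'cmd.exe /c systeminfo & vol & dir C:\SystemVolumeProgram'),
    (9, "cmd.exe", r'cmd.exe /c echo done'),
]

@dataclass
class Finding:
    pid: int
    technique: str
    severity: str
    evidence: str

# One rule per behaviour the process table revealed: (technique, severity, pattern).
RULES = [
    ("office_resiliency_key_deleted", "medium",
     re.compile(r'reg(?:\.exe)?\s+delete\s+"?HK(?:CU|EY_CURRENT_USER)\\Software\\Microsoft\\Office\\[\d.]+\\Word\\Resiliency', re.I)),
    ("hidden_directory", "medium",
     re.compile(r'attrib(?:\.exe)?\s+(?:\+[hs]\s+)+', re.I)),
    ("run_key_persistence", "high",
     re.compile(r'reg(?:\.exe)?\s+add\s+"?HK\w+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', re.I)),
    ("scheduled_task_persistence", "high",
     re.compile(r'schtasks(?:\.exe)?\s+/create\b.*\s/sc\s+(?:minute|hourly|daily|onlogon|onstart)', re.I)),
    ("system_discovery", "low",
     re.compile(r'\b(?:systeminfo|vol|whoami|ipconfig|tasklist)\b', re.I)),
]

def scan_process_table(processes):
    """Match every rule against every command line; return one Finding per hit."""
    findings = []
    for pid, _image, cmdline in processes:
        for technique, severity, pattern in RULES:
            match = pattern.search(cmdline)
            if match:
                findings.append(Finding(pid, technique, severity, match.group(0)))
    return findings

def summarize(findings):
    """Collapse findings to technique -> sorted pids, like a severity overview."""
    by_technique = {}
    for f in findings:
        by_technique.setdefault(f.technique, set()).add(f.pid)
    return {t: sorted(pids) for t, pids in by_technique.items()}

if __name__ == "__main__":
    for f in scan_process_table(SAMPLE_PROCESSES):
        print(f"pid {f.pid}: {f.technique} [{f.severity}] <- {f.evidence}")
```

The rules deliberately key on the persistence mechanism rather than on the file name csrsss.exe, so a renamed dropper that still registers a Run key or a daily task is caught just the same; process #9, whose command line does nothing suspicious, produces no finding.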
However, some monitored processes – notably those running winword.exe, svchost.exe, csrsss.exe, and spools.exe – still need to be investigated.
The Behavior tab allows us to take a closer look at those still unexplored processes. After MS Word loads the RTF file, the sample achieves code execution by exploiting a vulnerability in Office 2007 (CVE-2012-0158). It then drops the hidden file svchost.exe and executes it.
By inspecting the function log, we can extract the VBScript from the argument to the ParseScriptText invocation.
The VBScript downloads csrsss.exe from http://update.serviceupports.com, stores the executable in C:\SystemVolumeProgram, executes it, and sets up the persistence measures mentioned above.
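Recovering a script from a function log, as done above with the ParseScriptText argument, is mostly a matter of locating the right call, undoing the trace's string escaping and then pulling indicators out of the plain text. The script below is an added example, not VMRay's code or the sample's script: the log line layout is an assumption (VMRay's real format differs), the script body is a constructed stand-in whose download logic is elided, and the URL path /csrsss.exe and the directory spelling are assumptions; only the domain comes from the analysis.

```python
import re

# Constructed function-log excerpt in the style of a sandbox API trace. The
# line layout is an assumption, not VMRay's real format; the script body is
# a constructed stand-in whose download code is elided. The domain comes
# from the analysis, the URL path and directory spelling are assumptions.
SAMPLE_FUNCTION_LOG = r'''
[0003.120] svchost.exe (pid 4): IActiveScriptParse::ParseScriptText (pstrCode="Dim url, dst\r\nurl = \"http://update.serviceupports.com/csrsss.exe\"\r\ndst = \"C:\\SystemVolumeProgram\\csrsss.exe\"\r\nSet sh = CreateObject(\"WScript.Shell\")\r\n' download elided\r\nsh.Run dst, 0, False\r\n", dwFlags=0x0) returned 0x0
[0003.455] svchost.exe (pid 4): InternetOpenUrlA (lpszUrl="http://update.serviceupports.com/csrsss.exe") returned 0xcc0004
'''

# The quoted argument with C-style escapes: either a non-quote/non-backslash
# character or a backslash followed by any character.
PARSE_CALL = re.compile(r'ParseScriptText \(pstrCode="((?:[^"\\]|\\.)*)"')
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", '"': '"', "\\": "\\"}

def unescape(text):
    """Undo the escaping the trace applied to the script argument."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(ESCAPES.get(text[i + 1], "\\" + text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def extract_scripts(log):
    """Return every script body passed to ParseScriptText, unescaped."""
    return [unescape(m.group(1)) for m in PARSE_CALL.finditer(log)]

URL_RE = re.compile(r'https?://[^\s"\']+')
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\\s"\']+\\)*[^\\\s"\']+')
PROGID_RE = re.compile(r'CreateObject\("([^"]+)"\)')

def extract_iocs(script):
    """Pull URLs, Windows paths and COM ProgIDs out of a recovered script."""
    return {
        "urls": sorted(set(URL_RE.findall(script))),
        "paths": sorted(set(PATH_RE.findall(script))),
        "progids": sorted(set(PROGID_RE.findall(script))),
    }

if __name__ == "__main__":
    for script in extract_scripts(SAMPLE_FUNCTION_LOG):
        print(script)
        print(extract_iocs(script))
```

Unescaping before matching matters: the URL and path in the raw log line are wrapped in `\"` and use doubled backslashes, so regexes applied directly to the log would either miss them or return mangled values that do not match what a host-based search would find.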
csrsss.exe begins by retrieving the addresses of multiple Windows API functions.
This is a common obfuscation technique: the malware resolves pointers to the functions it needs dynamically at runtime, so the corresponding entries can be stripped from its IAT (Import Address Table). Static analyzers that try to infer a binary’s maliciousness from its IAT entries are thus left with nothing meaningful to work with.
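A stripped IAT is itself a signal, though. A binary that imports almost nothing except LoadLibrary/GetProcAddress, while its string table carries the names of the APIs it will resolve, has a recognisable shape. The heuristic below is an added example, not VMRay's code or any real PE parser: it scores two constructed import/string inventories (assumptions for illustration, not measurements from the sample in this report) the way an analyst would after dumping imports and strings with their tool of choice.

```python
import re

# Constructed static-analysis facts for two hypothetical binaries: which
# functions their import tables list, and the printable strings found in the
# (unpacked) image. Assumptions for illustration, not measurements taken
# from the sample in the report.
BENIGN_TOOL = {
    "imports": {
        "kernel32.dll": ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle",
                         "GetLastError", "HeapAlloc", "HeapFree", "ExitProcess"],
        "user32.dll": ["MessageBoxW"],
    },
    "strings": ["usage: tool <file>", "error: %s", "kernel32.dll"],
}
SUSPECT_DROPPER = {
    "imports": {"kernel32.dll": ["LoadLibraryA", "GetProcAddress", "ExitProcess"]},
    "strings": ["kernel32.dll", "wininet.dll", "urlmon.dll", "user32.dll",
                "VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread",
                "SetWindowsHookExA", "URLDownloadToFileA", "ShellExecuteA", "%s\\%s"],
}

RESOLVER_APIS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"}
# Win32 export names: capitalised CamelCase with at least one lowercase letter, no spaces.
API_NAME_RE = re.compile(r"^(?=.*[a-z])[A-Z][A-Za-z0-9]{5,}$")
DLL_NAME_RE = re.compile(r"^[A-Za-z0-9_]+\.dll$", re.I)

def assess_imports(sample, min_imports=10):
    """Score how likely it is that the binary resolves its real imports at run time."""
    imported = [fn for fns in sample["imports"].values() for fn in fns]
    present = set(imported)
    resolvers = sorted(present & RESOLVER_APIS)
    api_strings = sorted(s for s in sample["strings"] if API_NAME_RE.match(s) and s not in present)
    dll_strings = sorted(s for s in sample["strings"] if DLL_NAME_RE.match(s))
    indicators = {}
    # A tiny IAT that still contains the resolver pair is the classic shape.
    if resolvers and len(imported) < min_imports:
        indicators["sparse_iat_with_resolver"] = resolvers
    # Export names in the string table but absent from the IAT are the
    # arguments GetProcAddress will receive later.
    if len(api_strings) >= 3:
        indicators["api_names_in_strings"] = api_strings
    if len(dll_strings) >= 2:
        indicators["dll_names_in_strings"] = dll_strings
    return {
        "score": len(indicators),
        "likely_dynamic_resolution": len(indicators) >= 2,
        "indicators": indicators,
    }

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_TOOL), ("suspect", SUSPECT_DROPPER)):
        print(name, assess_imports(sample))
```

The small benign tool also has fewer than ten imports, but with no resolver pair and no orphaned API names it scores zero; the verdict rests on the combination, which is what keeps this heuristic from flagging every small utility.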
The malware then drops a number of DLLs, including one called python27.dll as well as several .pyd files (DLLs created from Python code), to a temporary folder. This indicates that the sample is preparing to execute Python code.
Apart from that, the executables csrsss.exe, svchost.exe, and spools.exe are dropped, together with three VBScript files. VMRay Analyzer automatically extracts all dropped files, which makes it easy for us to see that the sole purpose of the VBScript files is to invoke the previously dropped executables.
Of the three executables, spools.exe is the most interesting one as it executes the Python payload. While we can extract the Python script for static analysis, this is actually not necessary. The Python code registers hooks for both keyboard and mouse. We can see this in the report:
The Python keylogger uses those hooks to determine the names of focused windows and to log any keyboard input. This data is then sent to the remote host update.serviceupports.com. At the same time, csrsss.exe and svchost.exe gather additional information about the system and the running processes to complement the keylogging data.
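What makes spools.exe a keylogger in the report is not any single API call but the combination: input hooks, window-title lookups to label the captured keystrokes, and an outbound channel to the same host. The script below is an added example, not VMRay's detection logic or the sample's code: it folds a constructed API trace into one profile per process and classifies each one from that combination. The event records, pids and argument values are assumptions; the process images and the remote host follow the analysis above, and the hook constants are the WinUser.h values.

```python
from collections import defaultdict

# Hook identifiers from WinUser.h; only these capture user input.
WH_KEYBOARD, WH_MOUSE, WH_KEYBOARD_LL, WH_MOUSE_LL = 2, 7, 13, 14
INPUT_HOOKS = {WH_KEYBOARD: "WH_KEYBOARD", WH_MOUSE: "WH_MOUSE",
               WH_KEYBOARD_LL: "WH_KEYBOARD_LL", WH_MOUSE_LL: "WH_MOUSE_LL"}
WINDOW_TITLE_APIS = {"GetForegroundWindow", "GetWindowTextA", "GetWindowTextW"}
NETWORK_APIS = {"connect", "InternetConnectA", "InternetConnectW", "HttpSendRequestA", "HttpSendRequestW"}

# Constructed API-trace events as (pid, image, api, arguments). Sample data,
# not the report's function log; images and the remote host follow the
# analysis narrative, pids and argument values are made up.
SAMPLE_EVENTS = [
    (12, "spools.exe", "LoadLibraryA", {"lpLibFileName": "python27.dll"}),
    (12, "spools.exe", "SetWindowsHookExA", {"idHook": WH_KEYBOARD_LL, "dwThreadId": 0}),
    (12, "spools.exe", "SetWindowsHookExA", {"idHook": WH_MOUSE_LL, "dwThreadId": 0}),
    (12, "spools.exe", "GetForegroundWindow", {}),
    (12, "spools.exe", "GetWindowTextA", {"lpString": "Document1 - Microsoft Word"}),
    (12, "spools.exe", "InternetConnectA", {"lpszServerName": "update.serviceupports.com", "nServerPort": 80}),
    (12, "spools.exe", "HttpSendRequestA", {"dwOptionalLength": 4096}),
    (15, "explorer.exe", "SetWindowsHookExA", {"idHook": 5, "dwThreadId": 0}),  # WH_CBT: shell hook, not input
    (15, "explorer.exe", "GetForegroundWindow", {}),
    (18, "csrsss.exe", "InternetConnectA", {"lpszServerName": "update.serviceupports.com", "nServerPort": 80}),
]

def profile_processes(events):
    """Fold the trace into one behaviour profile per pid."""
    profiles = defaultdict(lambda: {"image": None, "input_hooks": [], "global_hook": False,
                                    "reads_window_titles": False, "remote_hosts": set()})
    for pid, image, api, args in events:
        p = profiles[pid]
        p["image"] = image
        if api in ("SetWindowsHookExA", "SetWindowsHookExW"):
            hook = args.get("idHook")
            if hook in INPUT_HOOKS:
                p["input_hooks"].append(INPUT_HOOKS[hook])
                # dwThreadId == 0 hooks every thread on the desktop, not just the caller's.
                if args.get("dwThreadId") == 0:
                    p["global_hook"] = True
        elif api in WINDOW_TITLE_APIS:
            p["reads_window_titles"] = True
        elif api in NETWORK_APIS:
            host = args.get("lpszServerName")
            if host:
                p["remote_hosts"].add(host)
    return dict(profiles)

def classify(profile):
    """Verdict from the combination of behaviours, not from any single call."""
    if profile["input_hooks"] and profile["reads_window_titles"] and profile["remote_hosts"]:
        return "keylogger_with_exfil"
    if profile["input_hooks"]:
        return "input_capture"
    if profile["remote_hosts"]:
        return "network_only"
    return "unremarkable"

def verdicts(events):
    return {pid: classify(p) for pid, p in profile_processes(events).items()}

if __name__ == "__main__":
    for pid, p in profile_processes(SAMPLE_EVENTS).items():
        print(pid, p["image"], classify(p), p["input_hooks"], sorted(p["remote_hosts"]))
```

explorer.exe installing a WH_CBT hook and reading the foreground window is normal shell behaviour and stays unremarkable, while csrsss.exe, which only talks to the host, is reported as a network-only process so it can be tied back to the keylogger by the shared remote host rather than misclassified on its own.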
Hence, we can infer from the VMRay report that the analyzed sample is a malicious RTF file that exploits a vulnerability in MS Office to install a Python-based keylogger. Even though it employs a number of evasion techniques, the malware was not able to impede analysis.
- Filename: 46f4aa7e10ce42e780f4dd8e8c2908c20c48033aef99020327ccd75d909ed64b
- File Type: RTF Document
- MD5: b11e4f05b80ac98a441c381d0eaba9f3
- SHA1: 106461e02979703e53ed4a37e88f7d71442a52c5
- SHA256: 46f4aa7e10ce42e780f4dd8e8c2908c20c48033aef99020327ccd75d909ed64b
- CVE-2012-0158: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158