There’s been some buzz around the high-to-critical vulnerability CVE-2017-8759. Recorded Future is ranking it with a risk score of 99 out of 100. It’s a pretty big deal, so one of our researchers did some digging. We can confidently confirm to our customers that you are protected against malware utilizing the exploit CVE-2017-8759.
CVE-2017-8759 is a good illustration of the behavior-based detection of the malware payloads themselves as opposed to the specific vulnerability. The Cybereason platform protects against the malware itself, and is certain to detect most malicious payloads that could be used in conjunction with these exploits. In other words, while we may not necessarily catch the exploitation of a vulnerability in and of itself (such as a heap spray/buffer overflow technique), the purpose of such attacks is nearly always to download or execute malware on the compromised machine, an activity that the Cybereason platform will detect.
This specific CVE exploits a document parsing vulnerability allowing an attacker to create a specially crafted .doc file that will manipulate the document parser of MS Word into running malicious code. The way that this exploit is currently being used in the wild has been well illustrated by other vendors. CVE-2017-8759 has primarily been observed up to this point delivering the Finspy malware using a behavior pattern which the Cybereason platform catches.
Once this particular exploit has taken control of the Microsoft Word process (winword.exe) it launches an mshta.exe process to pull down the primary malware executable from a malicious website. In some cases, rather than using mshta.exe, it uses VBScript or PowerShell to download and execute the primary malware executable. The Cybereason platform consistently catches this type of execution pattern (Microsoft Word launching an isolated mshta, VBScript, or PowerShell interpreter) to connect to a malicious website and download executable code.
Our analysts do see mshta.exe fairly often, and our behavior rules surrounding its usage are highly sensitive. We are quick to trigger Malops™ for mshta.exe related behaviors, which could be considered just a suspicious event and not necessarily malicious, but since over the last year or so mshta.exe has become such a popular mechanism for malware persistence, our analysts want to investigate every occurrence.
As malware authors have migrated towards the fileless malware paradigm, many have discovered that Microsoft bundled into its operating system a browser-equivalent facility (mshta.exe) which is far more trusted than Internet Explorer. This facility allows attackers to deliver attacker-controlled code (VBScript, JScript, Javascript) to the victim, as well as a method of pulling malware out of the registry upon startup which allows their malware to survive reboots. This hunting technique looks for malicious invocations of the MSHTA binary which can be abused to run attacker-controlled code on the victim machine.
It’s important to note that mshta.exe itself is not a malicious program. It has many legitimate uses, parts of the Windows OS utilize mshta.exe, as does Amazon and HP software (Amazon toolbar and standard HP printer utility). The legitimate uses of mshta.exe are too numerous to begin to list here, but it should suffice to say that simply searching for usage of mshta.exe in your environment will yield far too many results (99% being false positive) to easily sort through. During our hunts we routinely sort through every use of mshta.exe in an environment to ensure it is benign. If there are any malicious uses of this program, we investigate and verify any use of this privileged and signed Microsoft process.
If you believe that your organization is being targeted by this specific exploit, please contact us or call +1-855-695-8200. We’ll happily help you investigate any active intrusion.
