Rewterz Threat Advisory – CVE-2020-1455 – Microsoft SQL Server Management Studio Vulnerability
August 13, 2020
Rewterz Threat Advisory – CVE-2020-1591 – Microsoft Dynamics 365 cross-site scripting Vulnerability
August 13, 2020
Severity
Medium
Analysis Summary
MassLogger is a spyware/stealer delivered via a malicious Word document that exploits vulnerabilities (CVE-2017-11882 and CVE-2018-0802) in the Equation Editor, allowing takeover of control flow. Once one or both of these are exploited, a second-stage payload is downloaded from a URL, stored locally in %appData% and subsequently executed. This payload is obfuscated with a packer and injects into a newly created instance of Notepad.exe. The injected code establishes persistence via a VBS script in the Windows startup directory. It is at this point that the MassLogger malware's actions become visible.
The malware collects information about the host machine using WMI queries and other techniques. Data collected includes the OS, processor, video controller, and antivirus software. The next step involves keylogging in an attempt to steal information from web browsers, FTP clients, and email clients. This information is stored in a log file, bundled with a screenshot, zipped into an archive and sent to a URL. Though obfuscated, the behavior of MassLogger is distinctive enough to allow for recognition.
Impact
Information theft
Indicators of Compromise
MD5
- d40863c1d11d96d51e09252558e09946
- 93432a3dd327449aad876325370d6daa
SHA-256
- cc4e6e42f73500c72d0d0820b4a3c131e2f8fce4d7d730eb8f9fc1b5cc3e882e
- 5caf50c8907738643bd5648927c52306bf9177cb178065d1ee08590a0d37f0c9
SHA-1
- f4a52b0eccaaebfeb65ee380be4c10c114d0fcfb
- 643c0f418f5c5e53e079a710518814acc7e911c9
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
- Search for IOCs in your environment.
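The following script is an added example, not part of the Rewterz advisory, showing one way to act on the last remediation item and the Indicators of Compromise above: it hashes every file under a directory (by default %APPDATA%, where the second-stage payload is stored) and reports any MD5, SHA-1 or SHA-256 match against the advisory's hash set, and it lists .vbs files in the per-user Windows Startup folder, the persistence location described in the analysis. The hash values are copied from the advisory; the directory layout of the Startup folder is a standard Windows path and is assumed here rather than taken from the page.

```python
import hashlib
import os
from pathlib import Path

# Hash indicators copied from the advisory's Indicators of Compromise section.
ADVISORY_IOCS = {
    "md5": {
        "d40863c1d11d96d51e09252558e09946",
        "93432a3dd327449aad876325370d6daa",
    },
    "sha1": {
        "f4a52b0eccaaebfeb65ee380be4c10c114d0fcfb",
        "643c0f418f5c5e53e079a710518814acc7e911c9",
    },
    "sha256": {
        "cc4e6e42f73500c72d0d0820b4a3c131e2f8fce4d7d730eb8f9fc1b5cc3e882e",
        "5caf50c8907738643bd5648927c52306bf9177cb178065d1ee08590a0d37f0c9",
    },
}


def hash_file(path, chunk_size=1 << 20):
    """Return the md5, sha1 and sha256 hex digests of a file.

    The file is read in chunks so large files do not have to fit in memory;
    all three digests are updated from the same pass over the data.
    """
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def scan_directory(root, iocs=ADVISORY_IOCS):
    """Walk `root` and return (path, algorithm, digest) for every file whose
    hash appears in `iocs`. Files that cannot be read are skipped, so the scan
    survives locked or permission-restricted files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in iocs.get(algo, set()):
                    hits.append((path, algo, digest))
    return hits


def startup_scripts(startup_dir):
    """List .vbs files in a Startup folder; the advisory names a VBS script in
    the Windows startup directory as MassLogger's persistence mechanism.
    Returns an empty list when the folder does not exist."""
    folder = Path(startup_dir)
    if not folder.is_dir():
        return []
    return sorted(str(p) for p in folder.iterdir()
                  if p.is_file() and p.suffix.lower() == ".vbs")


def default_startup_dir():
    """Per-user Startup folder built from %APPDATA% (assumed standard Windows
    layout, not taken from the advisory). Returns None when APPDATA is unset."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return os.path.join(appdata, "Microsoft", "Windows",
                        "Start Menu", "Programs", "Startup")


if __name__ == "__main__":
    import sys

    # Default scan root is %APPDATA%, where the advisory says the payload lands.
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("APPDATA", ".")
    for path, algo, digest in scan_directory(root):
        print(f"IOC MATCH {algo}={digest} {path}")
    startup = default_startup_dir()
    for script in (startup_scripts(startup) if startup else []):
        print(f"STARTUP VBS {script}")
```

A hash match is a strong indicator but a miss is not a clean bill of health: a repacked sample has different hashes, so the Startup-folder listing and the behavioural traits in the analysis (injection into Notepad.exe, WMI reconnaissance, archive upload) remain the more durable signals. Any .vbs the listing turns up should be reviewed rather than deleted blindly, since legitimate logon scripts can live there too.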