Recently, a proof-of-conceptemerged on how the filetype SettingContent can be abused when getting embedded in Microsoft Office Documents. SettingContent is a feature in Windows 10 which acts as a shortcut to different system settings. Legitimate examples of this can be found in %windir%\ImmersiveControlPanel\Settings (e.g. %windir%\ImmersiveControlPanel\Settings\CortanaSettings.settingcontent-ms will launch Microsoft's Cortana when double clicked). In response, Microsoft updated the Packager Activation listso that Office 365 can now block SettingContent within an OLE package.
As expected, malware authors found another way to utilize the same technique of delivering malicious files through the filetype SettingContent. However this time, they have it embedded in PDF files.
We recently came across PDF samples with embedded .SettingContent-ms getting spammed in the wild. Although the email body does contain any deceptive or luring pretext, the cleverly named attachment can mislead curious users to click on it thinking that the attachment is a legitimate invoice pdf.
Figure 1: Email sample containing a malicious PDF attachment
Malware Analysis:
Upon execution of the PDF attachment "INV 60542183.pdf", an embedded javascript object will run. Acrobat will prompt the user with a security warning regarding another object "downl.SettingContent-ms" that is about to be opened. Once the user agrees, it will be saved at the %temp% folder and executed. Afterwards, this will be deleted by Acrobat from the system.
Figure 2: Security warning triggered when PDF attachment is opened
Figure 3: The javascript object uses exportDataObject to launch "downl.SettingContent-ms"
The object "downl.SettingContent-ms" is an XML file recognized in the system as filetype SettingContent. It contains a DeepLink element which will execute any code within the <DeepLink/> tag. In this case, the code invokes PowerShell to download a binary silently into the system, then execute as "%temp%\update12.exe".
Figure 4: The embedded object "downl.SettingContent-ms" extracted by SEG
The downloaded binary "%temp%\update12.exe" will connect to hxxp://169.239.128.164/sd87f67ds5gs7d5fs7df to fetch an encrypted blob and decrypt it as "%programdata%\Microsoft Help\wsus.exe". This is the final payload known as FlawedAmmyy version 3.
Figure 5: FlawedAmmy version 3
FlawedAmmyy is a remote access trojan that has the following features:
- View screen
- Remote control
- File manager
- Audio chat
- RDP sessions
It can also retrieve system information and send them to the C&C.
Figure 6: Screenshot of the parameters being sent to the FlawedAmmyy C&C
Conclusion:
The exploitable component of SettingContent is its DeepLink element since any code in it will be executed without any warning to the user. As the misuse of SettingContent has been addressed by Microsoft, malware authors looked for another way to deliver their malicious intent using this filetype. Now, it's via PDF.
IOCs:
|
Filename
|
Size
(bytes)
|
Sha256
|
Codename
|
Download URL
|
|
INV 60542183.pdf
|
2,345
|
0A4F3F9ACC61B85183108A31A306115FE34B571240DA70920F0A1425FC32C3DE
|
PDF Attachment
|
-
|
|
%temp%\update12.exe
|
172,032
|
7db2e889b3156f3ebaea1340a129845b4935361e8cdcf92b430d64c96ac26014
|
Downloader
|
hxxp://169.239.128.164/tov
|
|
-
|
665032
|
618A1942370F4F0725FB2A28D85B7ACA828051F50079D51364A9B8AA19108F8
|
Encrypted blob
|
hxxp://169.239.128.164/sd87f67ds5gs7d5fs7df
|
|
%programdata%\Microsoft Help\wsus.exe
|
665032
|
56f1ab4b108cafcbada89f5ca52ed7cdaf51c6da0368a08830ca8e590d793498
|
FlawedAmmyy RAT
|
-
|
