A campaign targeting government organizations in Central Asia was discovered delivering a backdoor named HAWKBALL. This backdoor can collect information from the victim’s system and it can also deliver various payloads. It offers an attacker a range of malicious capabilities including examining the host, executing native Windows commands, terminating processes, creating, deleting files, uploading files, searching for files, and enumerating drives.
The campaign uses well-known Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to infect its targets with the malware. Once infected, the main payload’s shell-code is dropped, decrypted, and executed on the victim system. The payload also includes an encrypted configuration file that defines the C2 IP address to communicate with. After establishing the connection with C2 server, HAWKBALL’s actions will be defined by the commands received from C2 server.
Various commands supported by HAWKBALL include :
HAWKBALL also includes anti-debugging techniques like,
- Querying the value for the flag ‘BeingDebugged’ from PEB to check whether the process is being debugged.
- Using NtQueryInformationProcess API to detect if the process is being debugged.
Microsoft Spam Campaign Warning:
On 7th June 2019, Microsoft issued a warning about an active malware campaign using emails in European languages. The emails contain RTF files that carry the CVE-2017-11882 exploit and allows attackers to automatically run malicious code without user interaction.
The vulnerability can simply be exploited by simply enticing users to opening the attached document. When the attachment is opened, it executes multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload. Microsoft added that the final payload executable is a backdoor waiting to connect to its C2 server.
Microsoft Office 2007
Microsoft Office 2010
Microsoft Office 2013
Microsoft Office 2016
Successful exploitation of these vulnerabilities could allow an attacker to run arbitrary code in the context of the current user, taking complete control of an affected system.
Please refer to this KB article.