Hussarini backdoor exploits Microsoft Office vulnerability in APT attack targeting Philippines

Security researchers have discovered a malicious, politically-themed document that exploits a Microsoft Office remote code execution vulnerability to drop the Hussarini malware. According to Fortinet researchers, Hussarini - also known as Sarhust - belongs to a backdoor family that has been leveraged in APT attacks targeting ASEAN countries since 2014.

Attackers are now leveraging the malware in attacks targeting the Philippines, said to be one of the most exposed and prone ASEAN countries to APT attacks.

Old exploit, new attack

The malicious document is named "Draft PH-US Dialogue on Cyber Security.doc" that takes advantage of the Microsoft Office vulnerability CVE-2017-11882 - a 17-year-old remote code execution bug found in its Microsoft Equation Editor component that was patched in November 2017. If successfully exploited, it could allow attackers to run arbitrary code and take complete control of the affected system.

The memory corruption bug has already been leveraged in multiple in-the-wild attacks to deliver malware such as Loki, Cobalt, FormBook, POWRUNER, ZBOT, Ursnif and more.

Modus Operandi

In the new Hussarini campaign, the exploit document takes advantage of this vulnerability to drop two files - Outllib.dll and OutExtra.exe.

The latter is a signed legitimate application from Microsoft used to find keywords within Outlook files. However, the attackers use it to load the Hussarini backdoor via DLL hijacking.

"DLL hijacking is a technique used by some APT malware in which instead of the legitimate application (.exe) loading the benign DLL, the application is tricked into loading a DLL containing malicious code," researchers said. "Using this technique, a malware can evade the Host Intrusion Prevention System (HIPS) of security programs that monitor the behaviors of executed files."

To avoid raising any red flags with the victim, the exploit downloads a decoy document from a legitimate-looking "philip.varilla" download link. The names used are specially crafted to make it seem like the document came from the Philippines' Department of Information and Communications Technology (DICT) - the agency responsible for the nation's planning, development and promotion of information and communications technology, including cybersecurity.

Researchers believe this specific lure implies that Department of Foreign Affairs employees are likely being targeted. However, it is still unclear how this document and encompassing malware are being spread.

Hussarini - not your usual backdoor

The second Outllib.dll file is actually the Hussarini backdoor - a Dynamic Link Library (DLL) that exports functions containing the malicious code. Once the OutExtra.exe file is executed, some of these functions are called and executed.

However, the Hussarini backdoor was found with much more export functions than any regular backdoor DLL.

Before the malware connects with its command and control (C&C) server, it saves a "ServerID" in the registry with a randomly generated value as an ID to identify the bot in the overall botnet. To communicate with the C&C, Hussarini uses its own customer protocol encoded with base64 sent over HTTP. The malware first sends initial data - ServerID, dize and checksum of the message - to the C&C as a check. After receiving a response, it sends over some sensitive system information of the infected machine such as user name, OS, and CPU information.

'Limited' capabilities

While other APT backdoors usually come with a slew of nefarious capabilities such as keylogging and taking screenshots, Hussarini has a few including the ability to create, read and write files, download and execute files/components and launch remote cmd shell. Researchers believe that that its functionality could be extended.

Hussarini was first mentioned in APT campaigns targeting the Philippines and Thailand in 2014," researchers said. "Today, this malware is still actively being used against the Philippines. The Department of Information and Communications Technology was only formed in 2016 and has acknowledged that the Philippines’ state of cybersecurity is still in infancy.

"In general, this contributes to the Philippines continuing to be a target for cybercrime/cyberespionage or even state-sponsored attacks. Because of this, we expect that attacks targeting that region will continue to evolve in both quantity and quality."