Date: 01/10/2025
Severity: High
Summary
For years, cybercriminals have been creating malicious Microsoft Office documents that exploit CVE-2017-0199. Although this vulnerability only affects outdated installations that never received the 2017 patch, new samples exploiting it continue to surface almost daily. One campaign, active since at least 2023, frequently distributes DBatLoader/GuiLoader. This loader, a .NET DLL, is delivered through steganography: it is embedded in an image as reversed Base64 text, which the infection chain has to reverse and decode before it can load the DLL. In recent months, DBatLoader/GuiLoader from this campaign has been used to deploy malware such as AgentTesla-style variants, LokiBot and Remcos RAT.
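To make the extraction step concrete, the following Python is an added example (not code from this page, the referenced report, or the campaign's own dropper). It scans an image file for long runs of Base64 text, decodes each run in reversed and then plain orientation, and keeps only results that carry a valid DOS/PE header. The image bytes and the PE-like payload are constructed inline; the 256-character minimum run length and the placement of the text after the image data are this example's assumptions, since the page does not give the exact delimiters the campaign uses.

```python
import base64
import binascii
import re
import struct
from typing import List, Optional, Tuple

# A long run of Base64-alphabet characters. The loader described above is stored
# as *reversed* Base64, which uses the same alphabet; the only visible difference
# is that any '=' padding sits at the start of the run instead of the end.
# The 256-character minimum is this example's assumption, not a campaign constant.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=]{256,}")


def try_decode(text: bytes) -> Optional[bytes]:
    """Strictly decode Base64; return None when the text is invalid in this orientation."""
    text = text.rstrip(b"=")
    text += b"=" * (-len(text) % 4)          # re-add padding a dropper may have stripped
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_payloads(image: bytes) -> List[Tuple[str, bytes]]:
    """Find Base64 runs in an image, try reversed then plain orientation, keep PE results."""
    found = []
    for match in B64_RUN.finditer(image):
        run = match.group(0)
        for orientation, text in (("reversed", run[::-1]), ("plain", run)):
            blob = try_decode(text)
            if blob is not None and is_pe(blob):
                found.append((orientation, blob))
                break
    return found


def build_fake_pe(size: int = 512) -> bytes:
    """Constructed stand-in for the .NET DLL: only the headers is_pe() checks, not a real binary."""
    e_lfanew = 0x40
    header = b"MZ" + b"\x90" * (0x3C - 2) + struct.pack("<I", e_lfanew) + b"PE\0\0"
    return header + b"\x00" * (size - len(header))


def build_sample_image(payload: bytes) -> bytes:
    """Constructed stand-in for the stego image: JPEG-like bytes, then the payload
    appended after the end-of-image marker as reversed Base64."""
    fake_pixels = bytes(range(256)) * 4       # longest Base64-alphabet run here is 26 bytes
    jpeg_like = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + fake_pixels + b"\xff\xd9"
    return jpeg_like + base64.b64encode(payload)[::-1]


FAKE_PE = build_fake_pe()
SAMPLE_IMAGE = build_sample_image(FAKE_PE)

if __name__ == "__main__":
    for orientation, blob in extract_payloads(SAMPLE_IMAGE):
        print(f"{orientation} Base64 run decoded to a {len(blob)}-byte PE image")
```

Checking the PE signature rather than stopping at a successful decode matters: a run of image or EXIF text can decode cleanly in either orientation, and the header check is what separates the embedded loader from noise. On a real sample, replace SAMPLE_IMAGE with the downloaded image bytes and hash whatever comes back before submitting it for analysis.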
Indicators of Compromise (IOC) List
Domains\Urls : |
https://s.deemos.com/6ruXkfgh?&sherry=strange&octagon=fragile&initiative=rough&corsage
http://192.3.27.144/xampp/mpa/seemebestthingsevermeetgivenbestthingsfornewways.hta
http://107.172.31.5/comonstraints.vbs
https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg
http://107.172.31.5/foeMMBIG.txt
ftp.horeca-bucuresti.ro |
IP Address : | 89.39.83.184 |
Hash : |
2b14225a0e97081a7142e16423136b06c17cea24ed34b9e696864823468d7dfc
519cda9511738dfa6ad57a5716bd217d9c44af7023907711ddc76c4511f24d60
6071e54c8bad5762b8e10753fac7ea636970e2ab7fbe7f4c56b9f1b38fdcdbb4
4b668425ec80d4ac34429924e11f7936deaf11289c24107dcf1e9c04c259f775
379fe2ae5a34b2349fe492b4318c589416c5cc8f1e54eb1502455863da17395e
df215a01f6a83014a148c6e407cdc8422e9119a88b4220a1321b2986ea9aef63
a666a99f2056082802f459f7180f891582a527324a16d34b4755ed63e5467882
31f30a8b7270e00247b64c28cab661f23660c398d0da80b953e6587d58e4a429
fb5116f93365182f235b12d780e03bb8a2a98f389f81cf0d5832dbdc722b346d
018648727f760e361eb4efa7f955a7815a197224c23016b321ab954767b45b82 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\Urls : | userdomainname like "http://192.3.27.144/xampp/mpa/seemebestthingsevermeetgivenbestthingsfornewways.hta" or url like "http://192.3.27.144/xampp/mpa/seemebestthingsevermeetgivenbestthingsfornewways.hta" or userdomainname like "ftp.horeca-bucuresti.ro" or url like "ftp.horeca-bucuresti.ro" or userdomainname like "http://107.172.31.5/comonstraints.vbs" or url like "http://107.172.31.5/comonstraints.vbs" or userdomainname like "https://s.deemos.com/6ruXkfgh?&sherry=strange&octagon=fragile&initiative=rough&corsage" or url like "https://s.deemos.com/6ruXkfgh?&sherry=strange&octagon=fragile&initiative=rough&corsage" or userdomainname like "https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg" or url like "https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg" or userdomainname like "http://107.172.31.5/foeMMBIG.txt" or url like "http://107.172.31.5/foeMMBIG.txt" |
IP Address : | dstipaddress IN ("89.39.83.184") or ipaddress IN ("89.39.83.184") or publicipaddress IN ("89.39.83.184") or srcipaddress IN ("89.39.83.184") |
Hash : |
sha256hash IN ("519cda9511738dfa6ad57a5716bd217d9c44af7023907711ddc76c4511f24d60","a666a99f2056082802f459f7180f891582a527324a16d34b4755ed63e5467882","31f30a8b7270e00247b64c28cab661f23660c398d0da80b953e6587d58e4a429","2b14225a0e97081a7142e16423136b06c17cea24ed34b9e696864823468d7dfc","018648727f760e361eb4efa7f955a7815a197224c23016b321ab954767b45b82","6071e54c8bad5762b8e10753fac7ea636970e2ab7fbe7f4c56b9f1b38fdcdbb4","fb5116f93365182f235b12d780e03bb8a2a98f389f81cf0d5832dbdc722b346d","4b668425ec80d4ac34429924e11f7936deaf11289c24107dcf1e9c04c259f775","379fe2ae5a34b2349fe492b4318c589416c5cc8f1e54eb1502455863da17395e","df215a01f6a83014a148c6e407cdc8422e9119a88b4220a1321b2986ea9aef63") |
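The Domains\Urls query above compares each full URL as a literal string against both a domain field and a URL field, so it only fires when the logged value is exactly that URL. The added Python example below (not a Gurucul query and not from the referenced report) shows a matcher that normalises the IOCs from the list instead: bare hostnames become host matches, URLs are compared in canonical form, URLs hosted on a bare IP (192.3.27.144 and 107.172.31.5 in the list) also promote that IP to an IP match, and hosts shared by many legitimate tenants such as res.cloudinary.com are matched on the full URL only, never on the hostname. The CSV log records are constructed test data using documentation IP ranges; the column names are this example's assumption.

```python
import csv
import io
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# IOCs copied from the list on this page (two of the hashes, for brevity).
RAW_URL_IOCS = [
    "https://s.deemos.com/6ruXkfgh?&sherry=strange&octagon=fragile&initiative=rough&corsage",
    "http://192.3.27.144/xampp/mpa/seemebestthingsevermeetgivenbestthingsfornewways.hta",
    "http://107.172.31.5/comonstraints.vbs",
    "https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg",
    "http://107.172.31.5/foeMMBIG.txt",
    "ftp.horeca-bucuresti.ro",
]
RAW_IP_IOCS = ["89.39.83.184"]
RAW_HASH_IOCS = [
    "2b14225a0e97081a7142e16423136b06c17cea24ed34b9e696864823468d7dfc",
    "519cda9511738dfa6ad57a5716bd217d9c44af7023907711ddc76c4511f24d60",
]
# Shared CDN hosts serve many legitimate tenants: match on the full URL only, never on the host.
SHARED_HOSTS = {"res.cloudinary.com"}

IocSets = Tuple[set, set, set, set]   # (exact_urls, hosts, ips, hashes)


def normalize_url(raw: str) -> Tuple[str, str]:
    """Return (lower-cased host, canonical scheme://host/path?query) for a URL."""
    parts = urlsplit(raw)
    host = (parts.hostname or "").lower()
    canonical = f"{parts.scheme.lower()}://{host}{parts.path}"
    if parts.query:
        canonical += "?" + parts.query
    return host, canonical


def build_ioc_sets(urls, ips, hashes) -> IocSets:
    """Split raw IOC strings into exact-URL, host, IP and hash sets."""
    exact_urls, hosts, ip_set = set(), set(), set(ips)
    for raw in urls:
        if "://" not in raw:                      # bare hostname, e.g. the FTP server
            hosts.add(raw.lower())
            continue
        host, canonical = normalize_url(raw)
        exact_urls.add(canonical)
        try:
            ip_set.add(str(ipaddress.ip_address(host)))   # URL hosted on a bare IP
        except ValueError:
            if host not in SHARED_HOSTS:
                hosts.add(host)
    return exact_urls, hosts, ip_set, {h.lower() for h in hashes}


def match_record(rec: Dict[str, str], iocs: IocSets) -> List[str]:
    """Return the IOC types one log record matches (empty list when clean)."""
    exact_urls, hosts, ip_set, hashes = iocs
    reasons = []
    if rec.get("url"):
        host, canonical = normalize_url(rec["url"])
        if canonical in exact_urls:
            reasons.append("url")
        elif host in hosts or host in ip_set:
            reasons.append("host")
    if rec.get("dst_ip") in ip_set:
        reasons.append("dst_ip")
    if (rec.get("sha256") or "").lower() in hashes:
        reasons.append("sha256")
    return reasons


def scan_log(csv_text: str, iocs: IocSets) -> List[Tuple[str, List[str]]]:
    """Run match_record over CSV proxy/EDR records; return (timestamp, reasons) for hits only."""
    hits = []
    for rec in csv.DictReader(io.StringIO(csv_text.strip())):
        reasons = match_record(rec, iocs)
        if reasons:
            hits.append((rec["ts"], reasons))
    return hits


IOCS = build_ioc_sets(RAW_URL_IOCS, RAW_IP_IOCS, RAW_HASH_IOCS)

# Constructed sample records (documentation IP ranges, not real telemetry).
SAMPLE_LOG = """
ts,src_ip,dst_ip,url,sha256
2025-01-10T09:12:01Z,10.0.0.5,107.172.31.5,http://107.172.31.5/comonstraints.vbs,
2025-01-10T09:12:04Z,10.0.0.5,203.0.113.10,https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg,
2025-01-10T09:12:05Z,10.0.0.5,203.0.113.10,https://res.cloudinary.com/demo/image/upload/sample.jpg,
2025-01-10T09:13:10Z,10.0.0.7,89.39.83.184,,
2025-01-10T09:14:00Z,10.0.0.9,198.51.100.20,http://intranet.example/report.pdf,2B14225A0E97081A7142E16423136B06C17CEA24ED34B9E696864823468D7DFC
2025-01-10T09:15:00Z,10.0.0.9,198.51.100.20,http://intranet.example/,
"""

if __name__ == "__main__":
    for ts, reasons in scan_log(SAMPLE_LOG, IOCS):
        print(ts, ",".join(reasons))
```

The third sample record, a different path on res.cloudinary.com, is deliberately left clean: alerting on that hostname alone would flag ordinary traffic to the CDN. The fifth record shows why hashes are lower-cased before comparison, since EDR products differ in the case they log.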
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-10-IOCs-for-CVE-2017-0199-XLS-infection-chain.txt