Spear-phishing campaign leveraging on MSXSL

We have identified an ongoing spear-phishing campaign targeting a variety of entities with malicious RTF documents exploiting three different vulnerabilities: CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802 and taking advantage of a misplaced trust binary, Microsoft’s msxsl, to run a JScript backdoor. The whole attack chain leverages on system’s signed components to remain under the radar as much as possible and it shares many similarities with previous campaigns from the Cobalt Group.

Attack Vector

The spear-phishing campaign makes use of a malicious RTF document:

Malicious Document

that in turn opens a decoy document if the exploitation of one of the targeted vulnerabilities is successful:

Decoy Document

A quick look at the OLE objects found in the document shows some interesting properties that we will analyze in the next section.

Malicious document OLE objects

What happens after opening the document is slightly convoluted and can be summarized in:

  1. The malicious RTF exploit on of three vulnerabilities (CVE-2017-8570, CVE-2017-11882 or CVE-2018-0802)
  2. eqnedt32.exe (Microsoft Equation Editor) is ran and two instances of cmd.exe are executed in a chain
  3. The last cmd.exe instance starts regsrv32.exe with a DLL (dll.txt) then a decoy document is dropped
  4. The loaded DLL performs the following actions:
    1. Creates a XML file
    2. Creates a XSL file
    3. Delete itself from disk
    4. Create a JScript file (for persistence)
    5. Drops a legitimate MSXSL.exe copy
      1. MSXSL runs the final backdoor taken from the newly created XML and XSL files
Attack Life Cycle
Attack Life Cycle


First Stage

After the vulnerability has been exploited, cmd.exe runs Task.bat:

set tp="%temp%\block.txt"
IF EXIST %tp% (exit) ELSE (set tp="%temp%\block.txt" & copy NUL %tp% & start /b %temp%\2nd.bat)
del "%~f0"

Equation Editor

After the environment variable is set, a second batch file is launched whose task is to launch regsrv32.exe to load dll.txt,  to cleanup the temp directory and restart winword showing the decoy document.

DLL loading
DLL loading

The main task of setting up the correct environment for the backdoor to run and remain persistent is left to dll.txt that performs the following operations:

  • Create c:\users\user\appdata\roaming\microsoft\f4b3a452b6ea052d286.txt
  • Create c:\users\user\appdata\roaming\microsoft\7009b05a8c4dc1b.txt
  • Create c:\users\user\appdata\roaming\microsoft\12a0c3af5a631493445f1d42.js
  • Drop c:\users\user\appdata\roaming\microsoft\msxsl.exe executable, a Microsoft legitimate executable
  • Create a registry key value in HKCU\Environment with value `UserInitMprLogonScript` and data `Cmd.Exe /C “%Appdata%\Microsoft\12A0C3AF5A631493445F1D42.Js”` (logon persistence script. ATT&CK TID: T1037)
DLL Activity
DLL Activity
DLL's Filesystem and Registry Activity
DLL’s Filesystem and Registry Activity

Immediately after an instance of cmd.exe is spawned to remove the dll.txt and msxsl.exe is launched, taking as argument the dropped XML file and the XSL file (containing the backdoor’s code).

DLL removal
DLL removal
Logon Script Persistence

It’s notable the use of msxsl.exe which is the real commandline utility used to perform Extensible Stylesheet Language (XSL) transformations using Microsoft’s XSL processor. This executable can be abused to run JScript code:

C:\Users\User\AppData\Roaming\Microsoft\msxsl.exe "C:\Users\User\AppData\Roaming\Microsoft\F4B3A452B6EA052D286.txt" "C:\Users\User\AppData\Roaming\Microsoft\7009B05A8C4DC1B.txt"

Backdoor start


The backdoor is written in JScript and it’s capable of performing the following operations:

  • reconnaissance via wmi and other windows tools
  • run executables using cmd.exe
  • load dll files using regsvr32.exe
  • download and run new scripts
  • remove itself
  • check for AntiVirus software
  • c2 communication using a js implementation of RC4
Backdoor deobfuscated
Backdoor deobfuscated

Any kind of script can be run by the backdoor so its capabilities are potentially unlimited. Different antivirus software are checked, this is apparently not done to prevent the backdoor from running, instead the information is sent back to the C2 possibly to provide the operators with knowledge about their victims before deploying more sophisticated scripts that might raise alarms.

The C2 address we found in this campaign is: https://mail[.]hotmail[.]org[.]kz/owalanding/ajax[.]php which appears to be a hostname registered in Kazakhstan registered back in 1994 so most likely it was compromised by the attackers and used as C2.

The second stage of the attack chain appears to be the same of a campaign identified back in November and possibly attributed to Cobalt Group, the first stage of the attack is instead completely different, pointing to what it might be a new exploit kit (Threadkit?). The backdoor’s code appears to be very much the same (if not for a few changes) to the one analyzed back in August 2017 by TrendMicro. The shared commands between this March 2018 version and the August 2017 one are the following:

  • more_eggs: used to download new scripts
  • d&exec: used to run executable files
  • gtfo: used to terminate the instance and perform cleanups
  • more_onion: used to run a new script

ReaQta-Hive customers are protected out-of-the-box from this threat and no updates are required. Fully patched systems are not vulnerable to this attack as all the vulnerabilities have been reported and fixed. Legacy systems should monitor for one of the IOCs published below and for abnormal behaviors, like msxsl running from temporary folders or regsvr32.exe loading unknown modules.


  • malicious RTF (DOC00201875891.doc): db5a46b9d8419079ea8431c9d6f6f55e4f7d36f22eee409bd62d72ea79fb8e72
  • msxsl.exe (legitimate, dropped): 35ba7624f586086f32a01459fcc0ab755b01b49d571618af456aa49e593734c7
  • JS persistence: 710eb7d7d94aa5e0932fab1805d5b74add158999e5d90a7b09e8bd7187bf4957
  • XSL JS backdoor: 6a3f5bc5885fea8b63b80cd6ca5a7990a49818eda5de59eeebc0a9b228b5d277
  • XML: dbe0081d0c56e0b0d7dbf7318a4e296776bdd76ca7955db93e1a188ab78de66c
  • task.bat: 731abba49e150da730d1b94879ce42b7f89f2a16c2b3d6f1e8d4c7d31546d35d
  • 2nd.bat: 33c362351554193afd6267c067b8aa78b12b7a8a8c72c4c47f2c62c5073afdce
  • decoy document: 1ab201c1e95fc205f5445acfae6016679387bffa79903b07194270e9191837d8
  • regsvr32 DLL: 0adc165e274540c69985ea2f8ba41908d9e69c14ba7a795c9f548f90f79b7574
  • inteldriverupd1.sct: 002394c515bc0df787f99f565b6c032bef239a5e40a33ac710395bf264520df7
  • C2: mail[.]hotmail[.]org[.]kz/owalanding/ajax.php\
  • IP (at the time of writing):