Security Alert
Jonathan Crowe
Jul 2018

Massive RAT Campaign Uses Brand-New Trick to Weaponize PDFs


Hundreds of thousands of emails are hitting inboxes carrying uniquely weaponized PDFs.

Key Details

  • What's happening?

    Well-established criminal group TA505 has launched a widespread spam campaign designed to infect victims with the FlawedAmmyy RAT. What makes the campaign notable is that it makes use of a brand-new technique: weaponizing PDF files by embedding malicious .SettingContent-ms files inside.

  • What are .SettingContent-ms files? Simple XML files that allow users to create shortcuts to Windows 10 settings pages. Example: a user can create a shortcut that opens the Control Panel. The problem is that attackers can abuse these files to open programs like cmd.exe and PowerShell.exe instead, giving them shell command execution (more details here). 
  • What do the spam emails look like? According to researchers at Proofpoint, the emails are extremely simple with subject lines such as "Request [REF:XXXXXX]" and body text directing recipients to review the attached PDF (screenshots below). Upon opening the PDF the user is presented with a warning prompt with "Open this file" as the default option. Once opened, the .SettingContent-ms file launches PowerShell to download and execute the FlawedAmmyy RAT payload. 
  • What is FlawedAmmyy? FlawedAmmyy is built on the leaked source code for the remote desktop software Ammyy Admin, and it gives attackers many of the capabilities the legitimate tool provides (essentially granting them complete access to infected machines). 
  • What can I do now?

    Alert users to be wary of PDF attachments from senders they don't know, and consider showing them what the warning prompt triggered in these cases looks like. Advise them on what to do if they see it. In addition (or alternatively), consider adjusting Windows settings or using a Group Policy Object (GPO) to force .SettingContent-ms files to always open in NotePad (the same approach some admins take with .js files).

    You can also create your own .SettingContent-ms file embedded inside a PDF to test your current security on Windows 10 machines (details below). 



Last week, researchers at Proofpoint observed a massive new malspam campaign consisting of hundreds of thousands of emails distributed by the criminal group TA505. The size of the campaign isn't particularly out-of-the-ordinary for TA505, which is well-established and tends to operate on a very large scale. What is noteworthy, however, is the type of attachment included in the emails — weaponized PDF files with malicious .SettingContent-ms files embedded inside. 

If .SettingContent-ms files sound familiar that's because they've been a topic of conversation in security circles since Matt Nelson disclosed a method for abusing them in early June. For a more thorough recap of that disclosure and what happened next, you can read our blog post, "Windows .SettingContent-ms Files Weaponized to Bypass Security, Deliver Malware." In a nutshell:

  • .SettingContent-ms files are simple XML documents used to create shortcuts to Windows 10 setting pages (ex: opening the Control Panel).
  • The key to abusing these involves modifying their <DeepLink> element, which is responsible for specifying the Windows 10 settings binary that will open when a user clicks the shortcut.
  • By pointing the <DeepLink> element to open cmd.exe or PowerShell.exe, for example, attackers can use these files to run malicious commands, such as downloading and executing malicious payloads. 
  • Nelson's primary focus was to show how embedding .SettingContent-ms files inside Word documents could be used to bypass Microsoft's Object Linking and Embedding (OLE) restrictions.
  • After attackers began actively experimenting with the technique to distribute malware, Microsoft responded by adding .SettingContent-ms files to its list of "dangerous" file formats it prevents from being activated via OLE. 
  • That took care of attackers attempting to hide .SettingContent-ms files in Office documents, but it unfortunately still didn't address attackers attaching them to emails directly or embedding them inside other file formats like archive files and [...dramatic pause...] PDFs. 

Just three days after Microsoft updated its OLE restrictions to include .SettingContent-ms files, researcher @c0d3inj3cT spotted attackers embedding them inside PDFs to deliver FlawedAmmyy on July 12. 

This may very well have been a test run for the large spam campaign launched by TA505, which Proofpoint spotted on July 16.

What this attack campaign looks like


Spam email used to deliver malicious PDF. Source: Proofpoint

As you can see, the emails in this campaign are incredibly basic and will hopefully raise suspicion from alert users. 

  • Subject line: REQUEST [REF-XXXXXX]
  • Body text: lease [sic] find the attached file.

This may very well be another test blast, and it's easy to imagine attackers refining and applying more convincing themes to them should the initial results be remotely promising.  

Once the PDF is opened Adobe Reader displays a warning prompt asking the user to confirm they want to open the .SettingContent-ms file contained inside. Unfortunately, the default option is "Open this file," with the other two options being "Always allow opening files of this type" and "Never allow opening files of this type." It's easy to imagine a user being hesitant to select one of those latter two options, and they may not intuitively realize clicking "cancel" and closing out the doc is an unspoken fourth option. 


Warning prompt issued upon opening the PDF. Source: Proofpoint

If a user does click "OK" Windows runs the embedded .SettingContent-ms file, which has been modified to launch a PowerShell command to download and execute the FlawedAmmyy payload. 


SettingContent-ms file modified to launch PowerShell command and download FlawedAmmyy payload. Source: Proofpoint

How to protect your organization from malicious .SettingContent-ms files embedded in PDFs


FYI: Barkly blocks this technique

Barkly customers are protected from this campaign and others attempting to utilize this new attack technique. That's because Barkly is able to see when programs like cmd.exe and PowerShell.exe are attempting to launch from PDFs downloaded from the Internet, and block that suspicious behavior in realtime, before any malicious commands are executed. 

Learn more about how Barkly works and the importance of using behavior-based protection to block today's modern attacks here.

Don't have Barkly? Test your current security

Thanks to researcher @DidierStevens, there's a Python script available on GitHub you can use to create your own test PDFs with custom .SettingContent-ms files embedded inside. Give it a whirl and see if any of your current security solutions block it. Here's how.

First, create your own SettingContent-ms file designed to open calc.exe. You can do that by dumping the following into NotePad and saving it as a .SettingContent-ms file (reminder: these files only work on Windows 10 systems):

<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\cmd.exe /c calc.exe</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
    </SettingIdentity>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>

Next, embed that file inside a PDF by doing the following:

  1. Make sure you have Python installed
  2. Download Didier Stevens's GitHub repo here (it contains the python script you'll need to create your PDF): https://github.com/DidierStevens/DidierStevensSuite
  3. Open cmd.exe
  4. Run a command to create a PDF with your .SettingContent-ms file embedded by typing "python" and then dragging the make-pdf-embedded.py file from the downloaded directory onto the cmd.exe window
  5. Add "-n invoice.SettingContent-ms -a <full path to the test.SettingContent-ms file you created>"
  6. Add "example.pdf"

The full command should look like this:

python C:\Users\Username\Desktop\DidierStevensSuite-master\make-pdf-embedded.py -n invoice.SettingContent-ms -a C:\Users\Username\Desktop\test.SettingContent-ms example.pdf

Your PDF file will be created in the current working directory of cmd.exe.
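As an added example (not code from this article or from Didier Stevens's suite), the following Python checks the two artifacts the post describes: it parses a .SettingContent-ms file and flags a <DeepLink> that launches a shell interpreter or carries command-line arguments, and it lists any .SettingContent-ms attachments named in a PDF's file specifications. The interpreter list, the heuristics and the sample inputs are constructed here for illustration; they are not indicators from the campaign.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/Search/2013/SettingContent}"
# Interpreters a settings shortcut has no business launching (editor's list, not exhaustive)
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                  "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Constructed samples: the first mirrors the article's calc.exe test file, the second a
# stock Control Panel shortcut that points straight at control.exe with no arguments.
TEST_XML = rb"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings><SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
<ApplicationInformation><DeepLink>%windir%\system32\cmd.exe /c calc.exe</DeepLink>
</ApplicationInformation></SearchableContent></PCSettings>"""
BENIGN_XML = TEST_XML.replace(rb"%windir%\system32\cmd.exe /c calc.exe",
                              rb"%windir%\system32\control.exe")
# Constructed fragment of a PDF carrying a file attachment, as make-pdf-embedded.py would emit.
TEST_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Filespec /F (invoice.SettingContent-ms)"
            b" /UF (invoice.SettingContent-ms) /EF << /F 2 0 R >> >>\nendobj\n")

def deeplink_of(xml_bytes: bytes) -> str:
    """Return the text of <DeepLink> (namespaced under SearchableContent), '' if absent."""
    node = ET.fromstring(xml_bytes).find(f".//{NS}DeepLink")
    return (node.text or "").strip() if node is not None else ""

def deeplink_findings(xml_bytes: bytes) -> list:
    """Heuristics: a real settings shortcut names one binary and passes no arguments."""
    link = deeplink_of(xml_bytes)
    if not link:
        return ["missing DeepLink"]
    tokens = link.split()
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    findings = []
    if exe in SHELL_BINARIES:
        findings.append(f"DeepLink launches {exe}")
    if len(tokens) > 1:
        findings.append("DeepLink carries command-line arguments")
    if re.search(r"(?i)downloadstring|downloadfile|invoke-expression|https?://", link):
        findings.append("DeepLink contains download/execute keywords")
    return findings

def pdf_embedded_settingcontent(pdf_bytes: bytes) -> list:
    """Names from /F and /UF file-spec entries that end in .SettingContent-ms
    (plain regex over the raw bytes; enough for unobfuscated attachments)."""
    names = re.findall(rb"/(?:F|UF)\s*\(([^)]*)\)", pdf_bytes)
    return sorted({n.decode("latin-1") for n in names
                   if n.lower().endswith(b".settingcontent-ms")})

if __name__ == "__main__":
    print(deeplink_findings(TEST_XML), pdf_embedded_settingcontent(TEST_PDF))
```

Run it against the test PDF you built above: the attachment name shows up in the file-spec scan, and the extracted .SettingContent-ms file is flagged for launching cmd.exe with arguments.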

Easiest solution: Force .SettingContent-ms files to always open in NotePad

As long as your organization isn't rife with legitimate .SettingContent-ms file use, another precaution you can take to neutralize this specific threat is to adjust Windows settings to force .SettingContent-ms files to always open in NotePad. Here's how to do that via Group Policy (I've adapted the instructions provided by Montour.co to force .js files to open in NotePad): 

  1. Open the Group Policy Management Console 
  2. Create a new Group Policy and name it something like "Block SettingContent-ms Execution"
  3. Apply the policy to the appropriate OUs and security groups, or apply to the entire domain. Next, right-click on the policy and click Edit
  4. Navigate to User Configuration/Preferences/Control Panel Settings/Folder Options
  5. Right-click in the blank area and click on Open With
  6. In the box that pops up, choose Update for the Action, enter SettingContent-ms for the file extension, make sure Set as default is checked, then lastly for the Associated Program field type in %windir%\System32\notepad.exe

It's not exactly an elegant solution, but it's a simple one you can implement relatively quickly and easily. That's important because...

We can expect more of these attacks in the near future

As Proofpoint researchers point out, TA505 often serves as a trendsetter whose campaigns and tactics influence other criminal groups and threat actors. They are currently an early adopter of the .SettingContent-ms file technique, and that's a major sign this novel technique is about to go mainstream. 

Take steps to protect yourself now and spread the word so others can, too. 

Jonathan Crowe


Jonathan covers the latest threats and cybersecurity trends from a practical point of view.

