CVE-2017-0199 is a zero-day remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office. The flaw is currently being exploited by the notorious DRIDEX banking trojan.
The information below can help in preventing this zero-day threat:
The table below lists the files dropped on a machine affected by CVE-2017-0199:
File Name | Source | SHA1 | Detection Name / Status |
---|---|---|---|
template.doc | - | 11a183f9b8b834b6c959402cb83af59aa38d50d7 | TROJ_ARTIEF.JEJOTQ |
7500.exe | hxxp://btt5sxcx90.com/7500.exe | 5e9c76ef1c8c09d9c60ed61ce7998a16afef7c7b | TSPY_DRIDEX.SLP |
sample.doc | hxxp://btt5sxcx90.com/sample.doc | d298e996d094640c87618d15c44b57d8391a357 | non-malicious word document |
template.doc | - | dd1328da51b4cc4db1bb0bc65523e46cdf759a4a | TROJ_ARTIEF.JEJOTQ |
last.exe | hxxp://95.46.99.199/last.exe | - | already inaccessible |
q.doc | hxxp://95.46.99.199/q.doc | - | already inaccessible |
File Layer
The table below lists the detections made by VSAPI:
SHA256 | Detection Name |
---|---|
13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575 | TROJ_CVE20170199.A |
3c0a93d05b3d0a9564df63ed6178d54d467263ad6e3a76a9083a43a7e4a9cca5 | TROJ_CVE20170199.A |
b3b3cac20d93f097b20731511a3adec923f5e806e1987c5713d840e335e55b66 | TROJ_CVE20170199.B/C |
d3cba5dcdd6eca4ab2507c2fc1f1f524205d15fd06230163beac3154785c4055 | TROJ_CVE20170199.B/C |
b9147ca1380a5e4adcb835c256a9b05dfe44a3ff3d5950bc1822ce8961a191a1 | TROJ_CVE20170199.B/C |
4453739d7b524d17e4542c8ecfce65d1104b442b1be734ae665ad6d2215662fd | TROJ_CVE20170199.A |
b9b92307d9fffff9f63c76541c9f2b7447731a289d34b58d762d4e28cb571fbd | TROJ_CVE20170199.B/C |
Network Layer
The table below lists the products that can stop the threat at the network layer:
Product | Details |
---|---|
WRS Blocking | Known related C&C has been blocked |
Deep Security | Security Update 17-015: includes coverage for CVE-2017-0199 and specific protection for MS Word, in addition to other unrelated vulnerabilities |
Deep Discovery Inspector | Rule 18 - DNS response of a queried malware Command and Control domain |
TippingPoint | |