Adversaries are running a phishing campaign that delivers an RTF document exploiting CVE-2017-0199 to redirect users to the domain 2bunnyDOTcom. SOC teams should proactively hunt for this behavior to identify and mitigate compromise attempts that leverage this known vulnerability in Microsoft Office.
YARA Rule
rule FE_LEGALSTRIKE_RTF {
    meta:
        version=".1"
        filetype="MACRO"
        author="joshua.kim@FireEye.com"
        date="2017-06-02"
        description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
    strings:
        $header = "{\\rt"
        $lnkinfo = "4c0069006e006b0049006e0066006f"
        $encoded1 = "4f4c45324c696e6b"
        $encoded2 = "52006f006f007400200045006e007400720079"
        $encoded3 = "4f0062006a0049006e0066006f"
        $encoded4 = "4f006c0065"
        $http1 = "68{"
        $http2 = "74{"
        $http3 = "07{"
        // 2bunny.com
        $domain1 = "32{\\"
        $domain2 = "62{\\"
        $domain3 = "75{\\"
        $domain4 = "6e{\\"
        $domain5 = "79{\\"
        $domain6 = "2e{\\"
        $domain7 = "63{\\"
        $domain8 = "6f{\\"
        $domain9 = "6d{\\"
        $datastore = "\\*\\datastore"
    condition:
        $header at 0 and all of them
}
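As an added example (not part of the page's rule or FireEye's code), the following Python decodes what the rule's hex literals represent and emulates its condition against two constructed RTF-shaped buffers; the buffers are made up for illustration and are not real samples.

```python
# Added example (not the page's rule or FireEye's code): decode the rule's hex
# literals and emulate its condition ('$header at 0 and all of them').

# The rule's strings as YARA text literals ("\\" in YARA is one backslash).
RULE_STRINGS = {
    "header": b"{\\rt",
    "lnkinfo": b"4c0069006e006b0049006e0066006f",
    "encoded1": b"4f4c45324c696e6b",
    "encoded2": b"52006f006f007400200045006e007400720079",
    "encoded3": b"4f0062006a0049006e0066006f",
    "encoded4": b"4f006c0065",
    "http1": b"68{", "http2": b"74{", "http3": b"07{",
    "domain1": b"32{\\", "domain2": b"62{\\", "domain3": b"75{\\",
    "domain4": b"6e{\\", "domain5": b"79{\\", "domain6": b"2e{\\",
    "domain7": b"63{\\", "domain8": b"6f{\\", "domain9": b"6d{\\",
    "datastore": b"\\*\\datastore",
}

def decode_hex_literal(hex_text: bytes) -> str:
    """Decode one hex literal. These are OLE compound-document stream names
    stored as hex inside the RTF object data; the UTF-16LE ones carry a 0x00
    after every character, which is stripped here."""
    return bytes.fromhex(hex_text.decode()).replace(b"\x00", b"").decode("ascii")

def decoded_stream_names() -> dict:
    """Map each $lnkinfo/$encodedN string to the stream name it matches."""
    return {n: decode_hex_literal(RULE_STRINGS[n])
            for n in ("lnkinfo", "encoded1", "encoded2", "encoded3", "encoded4")}

def decoded_domain() -> str:
    """Each $domainN string is one hex byte followed by '{\\' because the hex
    stream is broken up by RTF control groups. Joining the bytes yields the
    domain; '6e' ("n") is listed once but matches both n's in 2bunny.com."""
    names = ["domain%d" % i for i in range(1, 10)]
    return bytes.fromhex("".join(RULE_STRINGS[n][:2].decode() for n in names)).decode("ascii")

def matches_rule(data: bytes) -> bool:
    """Emulate the condition: header at offset 0 and every string present."""
    return data.startswith(RULE_STRINGS["header"]) and all(s in data for s in RULE_STRINGS.values())

# Constructed inputs (not real samples): a buffer carrying every pattern with
# the hex stream split by RTF groups, and a benign document naming the domain.
SAMPLE_HIT = (
    b"{\\rtf1{\\*\\datastore 4c0069006e006b0049006e0066006f 4f4c45324c696e6b "
    b"52006f006f007400200045006e007400720079 4f0062006a0049006e0066006f 4f006c0065 "
    b"68{\\x}74{\\x}07{\\x} "
    b"32{\\x}62{\\x}75{\\x}6e{\\x}6e{\\x}79{\\x}2e{\\x}63{\\x}6f{\\x}6d{\\x}}}"
)
SAMPLE_BENIGN = b"{\\rtf1\\ansi Quarterly update: see https://2bunny.com for details}"
```

Note that the plain-text URL in SAMPLE_BENIGN does not trigger the rule: it only fires on the hex-encoded, group-split form together with the OLE stream names.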
This rule contains 19 string patterns in its detection logic. The scenarios below describe benign activity that may trigger it and the filters or exclusions that can be applied in each case.
Scenario: Legitimate RTF Document Generation by a Marketing Team
Description: A marketing team uses Microsoft Word to create RTF documents for a campaign, which are then emailed to clients. The document contains a macro that is benign but triggers the rule due to the presence of the domain 2bunnyDOTcom in the document’s metadata.
Filter/Exclusion: Exclude documents created by the “Marketing Team” group or filter by sender email addresses associated with the marketing department.
Scenario: Scheduled System Maintenance Job Using RTF Reports
Description: A system administrator schedules a daily job to generate RTF reports using a script that includes a reference to 2bunnyDOTcom in the report template for logging purposes.
Filter/Exclusion: Exclude files generated by scheduled tasks with specific names or paths, such as C:\ScheduledTasks\GenerateReports.ps1.
Scenario: Admin Task Involving RTF File Conversion
Description: An admin uses a tool such as PSTOHTML or an Outlook-to-RTF converter to convert email attachments to RTF format. The conversion process inadvertently includes a reference to 2bunnyDOTcom in the output file.
Filter/Exclusion: Exclude files generated by known conversion tools or filter based on file creation time and source application.
Scenario: Internal Training Material with Embedded URLs
Description: A security training team creates RTF files with embedded URLs for phishing simulations, including a placeholder URL 2bunnyDOTcom for testing purposes.
Filter/Exclusion: Exclude files created by the “Security Training” team or filter based on file content keywords like “training” or “simulated”.
Scenario: Legacy Application Generating RTF Output with Hardcoded URLs
Description: An outdated application (e.g., a legacy ERP system) generates RTF