Cyren Security Blog

Fake Invoice Carries “Rescoms” Malware

by Maharlito Aquino and Kervin Alintanahin

Emails containing malicious attachments equipped with keyloggers and screen capture capabilities are targeting businesses worldwide, with noted attacks in Asia, Russia, and the Middle East. The campaign is designed to look like it comes from real affiliates and employees working for a well-known pharmaceutical distributor in order to make the emails more convincing and lure the recipients into opening the attached document.

The malware exploits two known Microsoft vulnerabilities, CVE-2017-0199 and CVE-2017-8759, and includes anti-analysis features such as sandbox detection.

Cyren detects and blocks this threat as XML/CVE170199, CVE-2017-8759!Camelot, W32/TinyDL.A and W32/Rescoms.G.

How It Works

An email arrives from what appears to be a reputable person and company in the pharmaceutical industry containing an attachment that looks like an invoice or statement.

Figure 1: Email Sample
</gml_replace>
<gr_replace lines="23" cat="reformat" orig="Figure 3 :">
Figure 3: MS Word prompts the user to update the document from linked files.

To initiate the installation of the main malware, this attack first exploits the Microsoft vulnerability CVE-2017-0199 to automatically update the document with malicious content—in this case, a file named “free.doc” accessed directly from the threat actor’s server.

Figure 2: CVE-2017-0199 exploit automatically updates using “free.doc” directly from the threat actor’s server.

Figure 3 : MS Word prompts user to update document from linked files.

The downloaded document contains a linked document object (with hidden text) that, when executed, exploits a second vulnerability, CVE-2017-8759, which abuses a flaw in MS Office’s SOAP WSDL parser.

Figure 4: Hidden linked document object

Figure 5: CVE-2017-8759 Exploit

The CVE-2017-8759 exploit runs .NET code that drops and installs an executable binary in the Windows temporary directory. This file (which Cyren detects as W32/TinyDL.A) downloads the main malware component and saves it as %LOCALAPPDATA%\avast.exe. Cyren detects the main malware component as W32/Rescoms.G.

Analysis—Payload W32/Rescoms.G

Strings dumped from the backdoor payload suggest that it is a variant of the Remcos RAT. Checking the latest free version of this Remote Access Trojan reveals the capabilities it offers on an infected system.

Figure 6: Builder Options

Figure 7: Installation Options

Figure 8: Process Injection and Sandbox Detection Options

Figure 9: Keylogging Options

Figure 10: Screen Capture Options

Figure 11: Remote Options

Digging deeper into the backdoor payload, we find its settings in the resource section of the file.

Figure 11: The first byte is the size of the RC4 key; the key itself follows.


This version still uses RC4 encryption. With the settings decrypted, it reveals that the backdoor will try to connect to the following remote host, using “pass” as the password:

C&C:
port: 2404
password: pass
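As an added illustration of the resource layout just described (this is not code from the original post or from Cyren), the following Python parses a settings blob in that format and recovers the host, port and password. The RC4 routine is standard; the sample blob is constructed here, and the `host:port:password|...` field layout of the decrypted settings is an assumption, as real builds vary.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same routine encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_settings_resource(blob: bytes) -> dict:
    """Parse the layout described above: byte 0 is the RC4 key length,
    the key follows, and the remainder is the RC4-encrypted settings.
    ASSUMPTION: the plaintext starts with 'host:port:password' and
    further fields are '|'-separated."""
    if len(blob) < 2:
        raise ValueError("resource too short")
    key_len = blob[0]
    key = blob[1:1 + key_len]
    if key_len == 0 or len(key) != key_len:
        raise ValueError("truncated RC4 key")
    plain = rc4(key, blob[1 + key_len:])
    first = plain.split(b"|", 1)[0].decode("latin-1")
    host, port, password = first.split(":", 2)
    return {"host": host, "port": int(port), "password": password, "raw": plain}


def build_sample_resource(key: bytes, settings: bytes) -> bytes:
    """Build a CONSTRUCTED blob in the same layout for testing (not a real sample)."""
    return bytes([len(key)]) + key + rc4(key, settings)


# Constructed sample: placeholder host, port and password as reported in the post.
SAMPLE = build_sample_resource(b"constructed-key",
                               b"c2.example.invalid:2404:pass|1|0")

if __name__ == "__main__":
    cfg = parse_settings_resource(SAMPLE)
    print(cfg["host"], cfg["port"], cfg["password"])
```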


With malware exploding around the globe, it is critical that companies put essential steps in place to protect from new and existing threats.

Cloud-based Email and Web Security

Email and web security gateways instantly filter and block malicious or unwanted email and malware threats for all users on your network, regardless of user location or device type.


It is common for threat actors to use recently disclosed and patched vulnerabilities, since they know that companies are often notoriously slow at applying patches across their networks.

The attack takes advantage of two known exploits that Microsoft has identified and provided fixes for. Updating software and applying patches is a critical step to safeguarding your networks.

Disabling Links

In addition to cloud-based security and system patching, another option in this kind of threat scenario is to disable the “Update automatic links at open” function, a mitigation that also worked against the recent DDE vulnerability. (Please note that we only tested it on Microsoft Word 2016.)

File > Options > Advanced > General > uncheck “Update automatic links at open”.

Indicators of Compromise

Case 1:

E-mail, Subject: Payment confirmation attached
E-mail, Subject: Payment confirmation attached
Filename: Nov Payment.docx, XML/CVE170199
Link to CVE-2017-8759 exploit
Link to CVE-2017-8759 payload
Filename: xin.png, XML/DropExe.A
Filename: TMP<random>.exe, W32/TinyDL.A
Filename: avast.exe, W32/Rescoms.G

Case 2:

Download link
Filename: whmpqn.doc, CVE-2017-8759!Camelot
Filename: epraeb, CVE178759
Filename: usa.exe, W32/Injector.GAV

Additional IOCs: