Privileges and Credentials: Phished at the Request of Counsel


In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government.

APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE 2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the XLSM documents. At least one observed phishing lure delivered a Cobalt Strike payload.

As of the writing of this blog post, FireEye had not observed post-exploitation activity by the threat actors, so we cannot assess the goal of the campaign. We have previously observed APT19 steal data from law and investment firms for competitive economic purposes.

This purpose of this blog post is to inform law firms and investment firms of this phishing campaign and provide technical indicators that their IT personnel can use for proactive hunting and detection.

The Emails

APT19 phishing emails from this campaign originated from sender email accounts from the "@cloudsend[.]net" domain and used a variety of subjects and attachment names. Refer to the Indicators of Compromise section for more details.

The Attachments

APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel (XLSM) files to deliver their initial exploits. The following sections describe the two methods in further detail.

RTF Attachments

Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099, the observed RTF attachments download hxxp://tk-in-f156.2bunny[.]com/Agreement.doc. Unfortunately, this file was no longer hosted at tk-in-f156.2bunny[.]com for further analysis. Figure 1 is a screenshot of a packet capture showing one of the RTF files reaching out to hxxp://tk-in-f156.2bunny[.]com/Agreement.doc.

Figure 1: RTF PCAP

XLSM Attachments

The XLSM attachments contained multiple worksheets with content that reflected the attachment name. The attachments also contained an image that requested the user to “Enable Content”, which would enable macro support if it was disabled. Figure 2 provides a screenshot of one of the XLSM files (MD5:30f149479c02b741e897cdb9ecd22da7).

Figure 2: Enable macros

One of the malicious XLSM attachments that we observed contained a macro that:

  1. Determined the system architecture to select the correct path for PowerShell
  2. Launched a ZLIB compressed and Base64 encoded command with PowerShell. This is a typical technique used by Meterpreter stagers.

Figure 3 depicts the macro embedded within the XLSM file (MD5: 38125a991efc6ab02f7134db0ebe21b6).

Figure 3: XLSX Macro

Figure 4 contains the decoded output of the encoded text.

Figure 4: Decoded ZLIB + Base64 payload

The shellcode invokes PowerShell to issue a HTTP GET request for a random four (4) character URI on the root of autodiscovery[.]2bunny[.]com. The requests contain minimal HTTP headers since the PowerShell command is executed with mostly default parameters. Figure 5 depicts an HTTP GET request generated by the payload, with minimal HTTP headers.

Figure 5: GET Request with minimal HTTP headers

Converting the shellcode to ASCII and removing the non-printable characters provides a quick way to pull out network-based indicators (NBI) from the shellcode. Figure 6 shows the extracted NBIs.

Figure 6: Decoded shellcode

FireEye also identified an alternate macro in some of the XLSM documents, displayed in Figure 7.

Figure 7: Alternate macro

This macro uses Casey Smith’s “Squiblydoo” Application Whitelisting bypass technique to run the command in Figure 8.

Figure 8: Application Whitelisting Bypass

The command in Figure 8 downloads and launches code within an SCT file. The SCT file in the payload (MD5: 1554d6fe12830ae57284b389a1132d65) contained the code shown in Figure 9.

Figure 9: SCT contents

Figure 10 provides the decoded script. Notice the “$DoIt” string, which is usually indicative of a Cobalt Strike payload.

Figure 10: Decoded SCT contents

A quick conversion of the contents of the variable “$var_code” from Base64 to ASCII shows some familiar network indicators, shown in Figure 11.

Figure 11: $var_code to ASCII

Second Stage Payload

Once the XLSM launches its PowerShell command, it downloads a typical Cobalt Strike BEACON payload, configured with the following parameters:

  • Process Inject Targets:
    • %windir%\syswow64\rundll32.exe
    • %windir%\sysnative\rundll32.exe
  • c2_user_agents
    • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)
  • Named Pipes
    • \\%s\pipe\msagent_%x
  • beacon_interval
    • 60
  • C2
    • autodiscover.2bunny[.]com/submit.php
    • autodiscover.2bunny[.]com/IE9CompatViewList.xml
    • sfo02s01-in-f2.cloudsend[.]net/submit.php
    • sfo02s01-in-f2.cloudsend[.]net/IE9CompatViewList.xml
  • C2 Port
    • TCP/80

Figure 12 depicts an example of a BEACON C2 attempt from this payload.

Figure 12: Cobalt Strike BEACON C2

FireEye Product Detections

The following FireEye products currently detect and block the methods described above. Table 1 lists the current detection and blocking capabilities by product.

Detection Name







XSLM Macro launch




XSLM Macro launch

Malware Object



BEACON written to disk




BEACON Callback

















Table 1: Detection review

*Appliances must be configured for block mode.


FireEye recommends organizations perform the following steps to mitigate the risk of this campaign:

  1. Microsoft Office users should apply the patch from Microsoft as soon as possible, if they have not already installed it.
  2. Search historic and future emails that match the included indicators of compromise.
  3. Review web proxy logs for connections to the included network based indicators of compromise.
  4. Block connections to the included fully qualified domain names.
  5. Review endpoints for the included host based indicators of compromise.

Indicators of Compromise

The following section provides the IOCs for the variants of the phishing emails and malicious payloads that FireEye has observed during this campaign.

Email Senders
  • PressReader <infodept@cloudsend[.]net>
  • Angela Suh <angela.suh@cloudsend[.]net>
  • Ashley Safronoff <ashley.safronoff@cloudsend[.]net>
  • Lindsey Hersh <lindsey.hersh@cloudsend[.]net>
  • Sarah Roberto sarah.roberto@cloudsend[.]net
  • noreply@cloudsend[.]net
Email Subject Lines
  • Macron Denies Authenticity Of Leak, French Prosecutors Open Probe
  • Macron Document Leaker Releases New Images, Promises More Information
  • Are Emmanuel Macron's Tax Evasion Documents Real?
  • Time Allocation
  • Vacancy Report
  • china paper table and graph
  • results with zeros – some ready not all finished
  • Macron Leaks contain secret plans for the islamisation of France and Europe
Attachment Names
  • Macron_Authenticity.doc.rtf
  • Macron_Information.doc.rtf
  • US and EU Trade with China and China CA.xlsm
  • Tables 4 5 7 Appendix with zeros.xlsm
  • Project Codes - 05.30.17.xlsm
  • Weekly Vacancy Status Report 5-30-15.xlsm
  • Macron_Tax_Evasion.doc.rtf
  • Macron_secret_plans.doc.rtf
Network Based Indicators (NBI)
  • lyncdiscover.2bunny[.]com
  • autodiscover.2bunny[.]com
  • lyncdiscover.2bunny[.]com:443/Autodiscover/AutodiscoverService/
  • lyncdiscover.2bunny[.]com/Autodiscover
  • autodiscover.2bunny[.]com/K5om
  • sfo02s01-in-f2.cloudsend[.]net/submit.php
  • sfo02s01-in-f2.cloudsend[.]net/IE9CompatViewList.xml
  • tk-in-f156.2bunny[.]com
  • tk-in-f156.2bunny[.]com/Agreement.doc
  • 104.236.77[.]169
  • 138.68.45[.]9
  • 162.243.143[.]145
  • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)
  • tf-in-f167.2bunny[.]com:443 (*Only seen in VT not ITW)
Host Based Indicators (HBI)

RTF MD5 hash values

  • 0bef39d0e10b1edfe77617f494d733a8
  • 0e6da59f10e1c4685bb5b35a30fc8fb6
  • cebd0e9e05749665d893e78c452607e2

XLSX MD5 hash values

  • 38125a991efc6ab02f7134db0ebe21b6
  • 3a1dca21bfe72368f2dd46eb4d9b48c4
  • 30f149479c02b741e897cdb9ecd22da7

BEACON and Meterpreter payload MD5 hash values

  • bae0b39197a1ac9e24bdf9a9483b18ea
  • 1151619d06a461456b310096db6bc548

Process arguments, named pipes, and file paths

  • powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("<base64 blob>")
  • regsvr32.exe /s /n /u /i:hxxps:// scrobj.dll
  • \\<ip>\pipe\msagent_<4 digits>
  • C:\Documents and Settings\<user>\Local Settings\Temp\K5om.dll (4 character DLL based on URI of original GET request)
Yara Rules

       author=" @TekDefense"
       description="This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
       $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
       $ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
       $ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii wide
       $ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
       $ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
       $ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
       $ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii wide
       $ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide
       $obreg1 = /(\w{5}\s&\s){7}\w{5}/
       $obreg2 = /(Chrw\(\d{1,3}\)\s&\s){7}/
       // wscript
       $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
       $wsobj2 = "Obj.Run " ascii wide

                      (uint16(0) != 0x5A4D)
                      all of ($wsobj*) and 3 of ($ob*)
                      all of ($wsobj*) and all of ($obreg*)


       author=" @TekDefense"
       description="This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file3a1dca21bfe72368f2dd46eb4d9b48c4."
       // Setting the environment
       $env1 = "Arch = Environ(\"PROCESSOR_ARCHITECTURE\")" ascii wide
       $env2 = "windir = Environ(\"windir\")" ascii wide
       $env3 = "windir + \"\\syswow64\\windowspowershell\\v1.0\\powershell.exe\"" ascii wide
       // powershell command fragments
       $ps1 = "-NoP" ascii wide
       $ps2 = "-NonI" ascii wide
       $ps3 = "-W Hidden" ascii wide
       $ps4 = "-Command" ascii wide
       $ps5 = "New-Object IO.StreamReader" ascii wide
       $ps6 = "IO.Compression.DeflateStream" ascii wide
       $ps7 = "IO.MemoryStream" ascii wide
       $ps8 = ",$([Convert]::FromBase64String" ascii wide
       $ps9 = "ReadToEnd();" ascii wide
       $psregex1 = /\W\w+\s+\s\".+\"/
                      (uint16(0) != 0x5A4D)
                      all of ($env*) and 6 of ($ps*)
                      all of ($env*) and 4 of ($ps*) and all of ($psregex*)


        description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"

        $header = "{\\rt"

        $lnkinfo = "4c0069006e006b0049006e0066006f"

        $encoded1 = "4f4c45324c696e6b"
        $encoded2 = "52006f006f007400200045006e007400720079"
        $encoded3 = "4f0062006a0049006e0066006f"
        $encoded4 = "4f006c0065"

        $http1 = "68{"
        $http2 = "74{"
        $http3 = "07{"

        $domain1 = "32{\\"
        $domain2 = "62{\\"
        $domain3 = "75{\\"
        $domain4 = "6e{\\"
        $domain5 = "79{\\"
        $domain6 = "2e{\\"
        $domain7 = "63{\\"
        $domain8 = "6f{\\"
        $domain9 = "6d{\\"

        $datastore = "\\*\\datastore"

        $header at 0 and all of them


Joshua Kim, Nick Carr, Gerry Stellatos, Charles Carmakal, TJ Dahms, Nick Richard, Barry Vengerik, Justin Prosco, Christopher Glyer