The attacker asked for a quotation of the entire spare part list available on the spreadsheet. In such a way the victim needed to open-up the included Microsoft spreadsheet in order to enumerate the “fake customer” needs. Opening up The Excel File it gets infected.
|Stage1: Encrypted Content|
|Stage2: OleOBj inclusion (click to expand it)|
|Stage2: extracted Payload|
|Stage3: Equation Editor Spawned and connecting to Dropping URL|
|Introducing Stage4. PE file dropped and executed|
|Stage4: According to Virus Total|
Looking into GEqy87 is quite clear that the sample was hiding an additional windows PE. On one, hand it builds up the new PE directly on memory by running decryption loops (not reversed here). On the other, hand it fires up 0xEIP to pre-allocated memory section in order to reach new available code section.
|Stage5: Windows PE hidden into GEqy87.exe|
The name MartyMcFly comes pretty naturally here since the “interesting date-back from Virus Total”. I am not confident about that date, but I can only assume VirusTotal is Right.
For IoC please visit the analysis from here.
About the author: Marco Ramilli, Founder of Yoroi
I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.
I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence center I’ve ever experienced! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans