As usual, the malware looks like a legitimate e-mail attachment, named as “invoice.doc”. Today, weaponized Microsoft office documents with macros, are one of the most common and more effective methods to deliver malware, because they also rely on simple social engineering tricks to lure users to enable them.
The following figure shown a workflow of the infection chain:
Table 1 – Dropper information
Table 2 – Fake PNG, powershell script information
Once opened, the document kindly asks to the users to enable the macro scripts, heavily obfuscated to avoid static detection.
The macro code downloads a text string through a WebClient object invoked from the powershell console, then it saves it with .png file extension and run it through the “iex” primitive.
This script contains different base64 encoded chunks of data, as show in the following figure.
The deobfuscation of the first chunk reveals the ip of the C2. This address is the same used to download the whole script.
The second piece of script labeled with “$jdH9C” is a compressed GzipStream object. After its decoding we noticed an executable file is stored within the memory stream:
The analysis of this binary is reported in the next paragraph (see “DLL Analysis”).
The latest base64 chunk is directly executed through “iex” primitive. It’s interesting to notice it calls some “non-library” functions; functions loaded from the previously referenced dll file.
Within this script, we noticed a routine named “nvtTvqn” able to gather information about victim machine.
Other interesting function is “j2aYhH”:
This function searches for all email accounts registered on victim machine. Inside its code another routine named “CR1Z” is references, this one is able to verify the presence of Outlook client installed.
As described in the previous paragraph, the powershell script uses exported function from the executable.
|Threat||Malware payload containing some malicious function invoked by Powershell script|
|Brief||*.dll file (Payload)|
Table 3 – DLL information
The file is a dynamic linked library not already known to major security platforms.
The library embeds MSIL code running on top of the .NET framework, so it is quite straightforward to recover its source code.
The extracted code contains utility functions used for many purposes: for instance to generate pseudo-random installation path.
Instead, the “kaYchi” function accepts three parameters, id, status and post, and creates files with two different extensions: “*.asp” if “post” variable is true and “*.jpg” otherwise.
The remote command and control server (126.96.36.199) was down at time of writing. After described steps, malware try to download other components from it and execute them with “iex” primitive
Last DNS activity was in December 2018. This IP is already know at scientific community and labeled as malicious. The IP is located in US how visible in the following figures.
The domain zosmogroel.com was active until 18-12-2018 we also found an associated certificate with the SHA-1 signature 98b637715fa6429a60eed9b58447e967bf7e1018
This signature was associated with more than 80 IP addresses, further analysis reveals that those ips reveal how some of them have been used as dropurls for other malware samples.
The analyzed sample is AdvisorsBot, first analyzed by Proofpoint on 23 August 2018, we also found evidence on a public sandbox that the 188.8.131.52 remote C2 on last August deliver a Ursnif/Gozi Variant 184.108.40.206/yak0810.exe with the following sha256 030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48
as also confirmed by signatures on VT. This last evidence may suggest that this infrastructure was used to deliver different malware.
Weaponized Microsoft Office documents delivered via email represent the top infection vector in today malware landscape, at the second place we found the abusing of Microsoft DDE protocol with CVE-2017-11882. One reason is that, very often, macro malware does not rely on most-expensive-to-deploy 0-day exploit and could bypass end-point security solution (macro are often whitelisted in enterprise environment) due to extensive utilization of multi-layered obfuscation mainly in powershell, broadly speaking with a very low barrier-to-entry.
Several APT’s today are using spear-phishing mail with weaponized office document as an attachment, just to name few ones OilRIG APT have used BondUpdated in a campaign discovered by Fireeye in 2017 targeted a different Middle Eastern governmental organization with a malicious VBA macro that download a 2-stage powershell.
Similar vector was used in recent APT28 campaign targeting individuals with a specific interest in the CyCon US cybersecurity conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) The attackers didn’t use any zero-day vulnerabilities in this campaign, instead, they relied on weaponized Office documents containing VBA scripts used to deliver a new variant of
This sample show an high level of obfuscation to defeat AV and does not use any exploit, in fact, the obfuscated DLL component was not flagged by VT(0/60) at the time of writing. Unfortunately we can not carry on the analysis because the C2 is not reachable yet, but we noticed that last DNS activity was in December 2018 with the registration of 2 distinct domains active for 1 week each one (and several domains before), assuming that, this malware was developed to be used in target-specific activities tightening the time window to a minimum each time. Further analysis on these registered domains suggest us that the whole infrastructure used is big enough (88 IP’s founded) and it may have also been used to deliver other malware.
Further details, including IoCs and Yara rules, are reported in the analysis published