Nytro Posted January 8, 2015

MS Word and Macros… Now With Social Engineering Malware
December 15, 2014 By Ronnie Tokazowski

On December 11, one of our employees reported a phishing email with PhishMe’s Reporter for Outlook that contained a particularly nasty Word document. The malicious payload included PowerShell, VBA, and batch code. Here’s a screenshot of the phishing email:

Figure 1 — Screenshot of phishing email

Once opened, the document’s contents are blurred, and it asks recipients to enable macros in order to view the document.

Figure 2 — Document requesting that user enable macros

Once enabled, the macro kicks off by executing a batch script via cmd.exe, which then executes a Visual Basic script, which in turn triggers a PowerShell script. (Figure 3.)

Figure 3 — Chain of execution for Word document

The batch file is responsible for pinging 1.1.2.2 twice, changing the console code page to Cyrillic (chcp 1251), and running the second file, adobeacd-update.vbs. (Figure 4.)

Figure 4 — Batch file executed by macro

Next, the VBS file runs a PowerShell script with the command seen in Figure 5.

Figure 5 — VBS file executing PowerShell script

The PowerShell code is where the malware is finally downloaded. First, the file downloads “x.exe” from the domain highlighted, then saves it to the system as the filename “444.exe”.

Figure 6 — Excerpt of PowerShell script

Next, the script grabs the path names of the above scripts, saves them to a variable, sleeps for 15 seconds, and runs “444.exe”.

Figure 7 — PowerShell excerpt that executes “444.exe”

Once executed, the PowerShell script attempts to clean up by removing the other scripts used to execute it.

Figure 8 — Attempted cleanup for the malware

By looking in Wireshark, we can see the file being downloaded in Figure 9.

Figure 9 — Malware being downloaded

While the malware is packed, we can find some interesting things about it by analyzing the memory.
First, by grepping before and after “[tab”, we can see that this malware has keylogging capabilities, will more than likely beacon out to “tdglomeme[d]eu”, attempt to POST to “/log/index.php”, and feed the information back containing the string “0USER0”. (Figure 10.)

Figure 10 — Memory dump of data being collected

By looking at the pcap (Figure 11) and decoding the data (Figure 12), we can see that the data is presented exactly as seen in the pcap.

Figure 11 — Data from pcap

Figure 12 — Decoded data from pcap

We can see that the malware is capable of copying contents from the clipboard as well as logging keystrokes. This data is then POSTed back to the attackers’ domain.

For a Yara signature, the attackers included a “vbaProject.bin” file in the docx file. The following Yara rule can help to pick up variants that contain this:

rule PM_docx_with_vba_bin
{
    strings:
        $a1 = "PK"
        $a2 = "word/_rels/vbaProject.bin"
    condition:
        $a1 at 0 and $a2
}

The Word document has a very low detection rate (4/56) and can be found here: https://www.virustotal.com/en/file/a8ee9b6f3dfd02957d2f9f8abada269cbf7257a0d5745f2bae63c2a6892b83c5/analysis/

Source: MS Word and Macros... Now With Social Engineering Malware - PhishMe
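The Yara rule above can be reproduced and checked offline with the following Python script (an added example, not code from the PhishMe post or from the original poster). It applies the same two conditions as the rule and additionally opens the file as a ZIP to list the macro-related parts; the two sample documents it builds in memory are constructed here, not the document from the article.

```python
import io
import zipfile

# Byte patterns mirroring the article's Yara rule: a ZIP local-file header at
# offset 0 and the path of the VBA project's relationship part somewhere in the
# file (ZIP entry names are stored unencrypted, so a plain substring search works).
ZIP_MAGIC = b"PK"
VBA_REL_PATH = b"word/_rels/vbaProject.bin"


def matches_yara_rule(data: bytes) -> bool:
    """Equivalent of PM_docx_with_vba_bin: $a1 at 0 and $a2 anywhere."""
    return data.startswith(ZIP_MAGIC) and VBA_REL_PATH in data


def macro_parts(data: bytes) -> list:
    """Open the Office file as a ZIP and return every entry that is, or refers
    to, the VBA project container. Returns [] for input that is not a ZIP."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist() if "vbaProject.bin" in name]


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal Office-style ZIP in memory (constructed sample; real
    documents carry many more parts). The macro variant adds the VBA container
    and its relationship part, which is what the Yara rule keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # OLE2 magic followed by filler stands in for a real vbaProject.bin.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
            zf.writestr("word/_rels/vbaProject.bin.rels", "<Relationships/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro doc", build_sample(True)),
                       ("clean doc", build_sample(False))):
        print(label, matches_yara_rule(doc), macro_parts(doc))
```

Note that the rule matches on the relationship part name, so a document that stores the VBA project without that part would be missed; the ZIP listing catches that case as well.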