This blog was written by Kiran Raj & Kishan N.
In the past fewer years, Microsoft Office macro malware utilizing societal engineering arsenic a means for malware corruption has been a ascendant portion of the menace landscape. Malware authors proceed to germinate their techniques to evade detection. These techniques impact utilizing macro obfuscation, DDE, surviving disconnected the onshore tools (LOLBAS), and adjacent utilizing bequest supported XLS formats.
McAfee Labs has discovered a caller method that downloads and executes malicious DLLs (Zloader) without immoderate malicious codification contiguous successful the archetypal spammed attachment macro. The nonsubjective of this blog is to screen the method facet of the recently observed technique.
- The archetypal onslaught vector is simply a phishing email with a Microsoft Word papers attachment.
- Upon opening the document, a password-protected Microsoft Excel record is downloaded from a distant server.
- The Word papers Visual Basic for Applications (VBA) reads the compartment contents of the downloaded XLS record and writes into the XLS VBA arsenic macros.
- Once the macros are written to the downloaded XLS file, the Word papers sets the argumentation successful the registry to Disable Excel Macro Warning and calls the malicious macro relation dynamically from the Excel file,
- This results successful the downloading of the Zloader payload. The Zloader payload is past executed by rundll32.exe.
The conception beneath contains the elaborate method investigation of this technique.
The malware arrives done a phishing email containing a Microsoft Word papers arsenic an attachment. When the papers is opened and macros are enabled, the Word document, successful turn, downloads and opens different password-protected Microsoft Excel document.
After downloading the XLS file, the Word VBA reads the compartment contents from XLS and creates a caller macro for the aforesaid XLS record and writes the compartment contents to XLS VBA macros arsenic functions.
Once the macros are written and ready, the Word papers sets the argumentation successful the registry to Disable Excel Macro Warning and invokes the malicious macro relation from the Excel file. The Excel record present downloads the Zloader payload. The Zloader payload is past executed utilizing rundll32.exe.
Figure-1: flowchart of the Infection concatenation
Here is however the look of the papers looks erstwhile we unfastened the papers (figure 2). Normally, the macros are disabled to tally by default by Microsoft Office. The malware authors are alert of this and hence contiguous a lure representation to instrumentality the victims guiding them into enabling the macros.
Figure-2: Image of Word Document Face
The userform combo-box components contiguous successful the Word papers stores each the contented required to link to the distant Excel papers including the Excel object, URL, and the password required to unfastened the Excel document. The URL is stored successful the Combobox successful the signifier of breached strings which volition beryllium aboriginal concatenated to signifier a implicit wide string.
Figure-3: URL components (right side) and the password to unfastened downloaded Excel papers (“i5x0wbqe81s”) contiguous successful user-form components.
VBA Macro Analysis of Word Document
Figure-4: Image of the VBA editor
In the supra representation of macros (figure 4), the codification is attempting to download and unfastened the Excel record stored successful the malicious domain. Firstly, it creates an Excel exertion entity by utilizing CreateObject() relation and speechmaking the drawstring from Combobox-1 (ref figure-2) of Userform-1 which has the drawstring “excel. Application” stored successful it. After creating the object, it uses the aforesaid entity to unfastened the Excel record straight from the malicious URL on with the password without redeeming the record connected the disk by utilizing Workbooks.Open() function.
Figure-5: Word Macro codification that reads strings contiguous successful random cells successful Excel sheet.
The supra snippet (figure 5) shows portion of the macro codification that is speechmaking the strings from the Excel cells.
Ixbq = ifk.sheets(3).Cells(44,42).Value
The codification is storing the drawstring contiguous successful expanse fig 3 and the compartment determination (44,42) into the adaptable “ixbq”. The Excel.Application entity that is assigned to adaptable “ifk” is utilized to entree sheets and cells from the Excel record that is opened from the malicious domain.
In the beneath snippet (figure 6), we tin observe the strings stored successful the variables aft being work from the cells. We tin observe that it has drawstring related to the registry introduction “HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM” that is utilized to disable spot entree for VBA into Excel and the drawstring “Auto_Open3” that is going to beryllium the introduction constituent of the Excel macro execution.
We tin besides spot the strings “ThisWorkbook”, “REG_DWORD”, “Version”, “ActiveVBProject” and fewer random functions arsenic good similar “Function c4r40() c4r40=1 End Function”. These macro codes cannot beryllium detected utilizing static detection since the contented is formed dynamically connected tally time.
Figure-6: Value of variables aft speechmaking Excel cells.
After extracting the contents from the Excel cells, the genitor Word record creates a caller VBA module successful the downloaded Excel record by penning the retrieved contents. Basically, the genitor Word papers is retrieving the compartment contents and penning them to XLS macros.
Once the macro is formed and ready, it modifies the beneath RegKey to disable spot entree for VBA connected the unfortunate instrumentality to execute the relation seamlessly without immoderate Microsoft Office Warnings.
After penning macro contents to Excel record and disabling the spot access, relation ’Auto_Open3()’ from recently written excel VBA volition beryllium called which downloads zloader dll from the ‘hxxp://heavenlygem.com/22.php?5PH8Z’ with hold .cpl
Figure-7: Image of ’Auto_Open3()’ function
The downloaded dll is saved successful %temp% folder and executed by invoking rundll32.exe.
Figure-8: Image of zloader dll invoked by rundll32.exe
Rundll32.exe shell32.dll,Control_RunDLL “<path downloaded dll>”
Windows Rundll32 commands loads and runs 32-bit DLLs that tin beryllium utilized for straight invoking specified functions oregon utilized to make shortcuts. In the supra bid line, the malware uses “Rundll32.exe shell32.dll,Control_RunDLL” relation to invoke control.exe (control panel) and passes the DLL way arsenic a parameter, truthful the downloaded DLL is executed by control.exe.
Excel Document Analysis:
The beneath representation (figure 9) is the look of the password-protected Excel record that is hosted connected the server. We tin observe random cells storing chunks of strings similar “RegDelete”, “ThisWorkbook”, “DeleteLines”, etc.
These strings contiguous successful worksheet cells are formed arsenic VBA macro successful the aboriginal stage.
Figure-9: Image of Remote Excel file.
Coverage and prevention guidance:
McAfee’s Endpoint products observe this variant of malware and files dropped during the corruption process.
The main malicious papers with SHA256 (210f12d1282e90aadb532e7e891cbe4f089ef4f3ec0568dc459fb5d546c95eaf) is detected with V3 bundle mentation – 4328.0 arsenic “W97M/Downloader.djx”. The last Zloader payload with SHA-256 (c55a25514c0d860980e5f13b138ae846b36a783a0fdb52041e3a8c6a22c6f5e2)which is simply a DLL is detected by signature “Zloader-FCVP” with V3 bundle mentation – 4327.0
Additionally, with the assistance of McAfee’s Expert regularisation feature, customers tin fortify the information by adding customized Expert rules based connected the behaviour patterns of the malware. The beneath EP regularisation is circumstantial to this corruption pattern.
McAfee advises each users to debar opening immoderate email attachments oregon clicking immoderate links contiguous successful the message without verifying the individuality of the sender. Always disable the macro execution for Office files. We counsel everyone to work our blog connected this caller variant of Zloader and its corruption rhythm to recognize much astir the threat.
Different techniques & tactics are utilized by the malware to propagate and we mapped these with the MITRE ATT&CK platform.
- E-mail Spear Phishing (T1566.001): Phishing acts arsenic the main introduction constituent into the victim’s strategy wherever the papers comes arsenic an attachment and the idiosyncratic enables the papers to execute the malicious macro and origin infection. This mechanics is seen successful astir of the malware similar Emotet, Drixed, Trickbot, Agenttesla, etc.
- Execution (T1059.005): This is simply a precise communal behaviour observed erstwhile a malicious papers is opened. The papers contains embedded malicious VBA macros which execute codification erstwhile the papers is opened/closed.
- Defense Evasion (T1218.011): Execution of signed binary to maltreatment Rundll32.exe and to proxy execute the malicious codification is observed successful this Zloader variant. This maneuver is present besides portion of galore others similar Emotet, Hancitor, Icedid, etc.
- Defense Evasion (T1562.001): In this tactic, it Disables oregon Modifies information features successful Microsoft Office papers by changing the registry keys.
|Type||Value||Scanner||Detection Name||Detection Package Version (V3)|
|Main Word Document||210f12d1282e90aadb532e7e891cbe4f089ef4f3ec0568dc459fb5d546c95eaf||ENS||W97M/Downloader.djx||4328|
|URL to download XLS||hxxp://heavenlygem.com/11.php||WebAdvisor||Blocked||N/A|
|URL to download dll||hxxp://heavenlygem.com/22.php?5PH8Z||WebAdvisor||Blocked||N/A|
Malicious documents person been an introduction constituent for astir malware families and these attacks person been evolving their corruption techniques and obfuscation, not conscionable limiting to nonstop downloads of payload from VBA, but creating agents dynamically to download payload arsenic we discussed successful this blog. Usage of specified agents successful the corruption concatenation is not lone constricted to Word oregon Excel, but further threats whitethorn usage different surviving disconnected the onshore tools to download its payloads.
Due to information concerns, macros are disabled by default successful Microsoft Office applications. We suggest it is harmless to alteration them lone erstwhile the papers received is from a trusted source.