
Malicious word macro - what next?


14 replies to this topic

#1 dwywit


Posted 17 March 2015 - 10:29 PM

I received a suspicious email about a cancelled bpay transaction. It was tied to an email address of mine that has NEVER been used in a bpay transaction, so of course I didn't open it. It had a zip file attachment containing a word document (specified in the body of the email), so I fired up a linux VM, transferred the zip file to /home, and opened it with ark.

 

As expected, there was a word document titled BillPay cancelled payment_95073.doc, so I fired up LibreOffice Writer to take a look. Interestingly, the zip file said "bpay" while the document said "billpay" - which is a bill-paying service of Australia Post.

 

Anyway, LO Writer warned me about the (expected) macros, and disabled execution. I went to the macro editor to take a peek at the code - which was mostly beyond my skills (I haven't done any Word coding for years), but I saw some things which set the alarm bells ringing, such as the autoopen module, constructing strings of windows pathnames from parts (e.g. "\app"+"data\lo"+"cal\t"+"emp"), obviously intended to obfuscate and not trigger malware scanners.

 

I submitted it to virustotal and jotti's, but both returned negative. Then I sent it to hybrid-analysis.com and got a "malicious" flag. Here's the URL for the analysis, if anyone's interested:

 

https://www.hybrid-analysis.com/sample/323d87b72126329729a26a6d7359efcbb6ae3b881897d1cf3ced1e95af797dd7?environmentId=2#top

 

My question is "what next"? Should I submit it anywhere else, or just delete the whole thing and get on with my life? I have a Windows XP VM, but I don't particularly want to fire that up and let the macro execute just to see what sort of trouble it causes. 
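The string splitting described above ("\app"+"data\lo"+"cal\t"+"emp") can be undone mechanically before reading the rest of a macro. The following is an added example, not code from this thread or from any tool mentioned in it; the VBA it runs on is a constructed sample modelled on that fragment, and the procedure and file names in it (Run, bill.exe) are made up.

```python
import re

# Constructed sample of obfuscated VBA, modelled on the fragment quoted in the
# post ("\app"+"data\lo"+"cal\t"+"emp"). It is not the macro from the e-mail.
SAMPLE_VBA = r'''Sub AutoOpen()
    Dim p As String, n As String
    p = Environ("USERPROFILE") & "\app" + "data\lo" + "cal\t" + "emp"
    n = Chr(98) & Chr(105) & "ll" & Chr(46) & "e" + "xe"
    Call Run(p & "\" & n)
End Sub'''

STR = r'"(?:[^"]|"")*"'            # VBA string literal; "" is an escaped quote
CHR = r'Chr[W$]?\(\s*(\d+)\s*\)'    # Chr(n) / ChrW(n) / Chr$(n) with a numeric arg
TOKEN = re.compile(rf'{STR}|{CHR}|\s*[&+]\s*|.', re.I | re.S)

def atom_value(tok):
    """Plaintext of one string literal or Chr() call; None for any other token."""
    if tok.startswith('"') and len(tok) > 1:
        return tok[1:-1].replace('""', '"')
    m = re.fullmatch(CHR, tok, re.I)
    return chr(int(m.group(1))) if m else None

def fold(vba_source):
    """Return (rewritten source, list of strings the obfuscation had split up).

    A run of atoms joined by & or + becomes one literal; lone atoms are kept."""
    out, found, chain, op = [], [], [], ''   # chain: (token, value); op: pending join
    def flush():
        nonlocal chain, op
        if len(chain) > 1:
            joined = ''.join(v for _, v in chain)
            found.append(joined)
            out.append('"' + joined.replace('"', '""') + '"')
        elif chain:
            out.append(chain[0][0])
        out.append(op)
        chain, op = [], ''
    for m in TOKEN.finditer(vba_source):
        tok = m.group(0)
        val = atom_value(tok)
        if val is not None:
            if chain and not op:          # two atoms with nothing joining them
                flush()
            chain.append((tok, val))
            op = ''
        elif tok.strip() in ('&', '+') and chain and not op:
            op = tok                       # hold it: it may join the next atom
        else:
            flush()
            out.append(tok)
    flush()
    return ''.join(out), found

def deobfuscate(vba_source):
    return fold(vba_source)[0]

def folded_strings(vba_source):
    return fold(vba_source)[1]
```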




 


#2 1PW


Posted 18 March 2015 - 02:39 AM

Hello dwywit:
 
Since you clearly indicated the email attachment submitted to VirusTotal/Jotti was negative, please consider the following:
 
If you would like a place for upload submission, please read https://forums.malwarebytes.org/index.php?/topic/31067-purpose-of-this-forum/.

Then register/upload/post in compliance with what you've read above at https://forums.malwarebytes.org/index.php?/forum/51-newest-malware-threats/.

If the Malwarebytes Research Center analysts find your submission is a new and true toxic positive, they will cooperatively share with other services.
 
You would be doing a good thing.
 
Thank you.

Edited by 1PW, 18 March 2015 - 02:56 AM.

All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus.


#3 quietman7


Posted 18 March 2015 - 05:07 AM

Some forms of crypto malware are spread by opening infected Word docs with embedded macro viruses.

* Please find attached INVOICE number 224244 from Power EC Ltd Word doc malware
* Humber Merchants Group Industrial Invoices Word doc malware
* K J Watking & Co Remittance Advice excel malware
* Remittance Advice from Anglia Engineering Solutions Ltd Excel xls malware

Cyber criminals are continuing to use macro embedded Excel and Word docs to spread malware. They are having a better success rate of infecting with Excel because more Excel users have macros enabled than Word users do. Cyber criminals are very good at using social engineering tricks to entice users into opening email attachments, as many are accustomed to receiving XLS spreadsheets and Word documents by email from similarly named companies. Those using older versions of Office are even more at risk.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 dwywit


Posted 18 March 2015 - 05:20 AM

Thanks 1PW and quietman7. I'll follow your recommendations and upload to malwarebytes.

 

BTW, it's not the first one of those that I've received. Previously I just deleted them, but as I've had to deal with a (probably unrelated) persistent infection recently, http://www.bleepingcomputer.com/forums/t/569109/ukash-variant-and-fake-chat-popup/?p=3650647, I thought I'd follow up on this one.

 

cheers and thanks

 

Bernie Dwyer



#5 David H. Lipman


Posted 18 March 2015 - 06:50 AM

Thank you for submitting the DOC Macro Downloader trojan.

 

I analyzed this DOC file.
 
The good news is MBAM already detects the payload as "Trojan.FakePDF"
 
https://www.virustotal.com/en/file/ce281faea623b4dd06d3237d0e67d676ffcc84f0848658f1c8731b8607304a1d/analysis/1426678567/

 

I note that this one is different from many others in both the obfuscated VBA script used and the fact that the payload is not Dridex.

 

While this may be considered pedantic, I just want to elaborate on the concept of these files. One should not perceive these files as "infected". These are not the Macro Virus files of the 90's. They actually used VBA scripting but created macros that spread from MS Office Document to MS Office Document. Thus they were a virus[1] because they autonomously spread from file to file. A file that receives a Macro Virus becomes "infected". That means that a legitimate MS Word or Excel file can be infected with a Macro Virus and then spread to another MS Office based computer.

 

These Macro Downloaders are trojans and are NOT "infected".  They were designed to be malicious and the malicious code does not spread to legitimate MS Office files.

 

As always, we are happy to receive malware submissions at Malwarebytes.  Just remember that Malwarebytes' Anti-Malware (MBAM) does not target scripted malware, document files or media files.  MBAM targets their PE payload.  Therefore you will never see MBAM detect these Macro Downloader trojans.

 

-----------

[1] I actually prefer the term parasite because the MS Office Macro Virus only lives in the MS Office environment.


Edited by David H. Lipman, 18 March 2015 - 06:51 AM.


#6 Didier Stevens


Posted 18 March 2015 - 04:37 PM

> My question is "what next"? Should I submit it anywhere else, or just delete the whole thing and get on with my life? I have a Windows XP VM, but I don't particularly want to fire that up and let the macro execute just to see what sort of trouble it causes.

 

I develop a tool to analyze malicious documents (maldoc) like the one you received. It's called oledump.py http://blog.didierstevens.com/programs/oledump-py/

As a Linux user, you might recognize .py for Python programs.

 

My tool allows you to extract the macros, without needing any Office application, and thus limiting the risk of infecting yourself.

 

As you noticed, the macros are very complex. That's because they are obfuscated: the code is made much more complex than necessary (and also contains superfluous lines of code) just to make it harder to analyze and understand.

I've seen this type of macro in the last week.

 

I also provide plugins with my oledump tool, to help analysts with the obfuscation.

 

Most of these maldocs do the following: download malware and execute it.

This is also the case with your sample.

It downloads this malware: https://www.virustotal.com/intelligence/search/?query=0ca790598470f6efdf9f8e3efcf6b37a

As David remarks, it is not Dridex. He makes this remark because since mid October, a lot of maldocs have been e-mailed that download Dridex.


Edited by Didier Stevens, 18 March 2015 - 04:46 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
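For readers who want to see what "extracting the macros without any Office application" involves: Office stores each module's source in the OLE stream VBA/<module name> of the .doc as an MS-OVBA compressed container, and a tool such as oledump decompresses it. The decompressor below is an added example written for this page, not oledump's own code; the container bytes it decodes are hand-constructed for the test, and a real stream holds the container at the module's text offset recorded in the VBA/dir stream, which this snippet does not parse.

```python
import re
import struct

def decompress_vba(container):
    """Decompress an MS-OVBA CompressedContainer into the VBA source bytes.

    This is the encoding Office uses for module source inside the OLE streams
    under VBA/ in a .doc; the container starts at the module's text offset."""
    if not container or container[0] != 0x01:
        raise ValueError("not a VBA compressed container (signature byte is not 0x01)")
    out, pos = bytearray(), 1
    while pos + 2 <= len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(container))
        pos += 2
        if not header & 0x8000:                  # raw chunk: bytes stored as-is
            out += container[pos:chunk_end]
            pos = chunk_end
            continue
        chunk_start = len(out)
        while pos < chunk_end:                   # token sequences: flag byte + 8 tokens
            flags, pos = container[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):       # literal token: one byte copied out
                    out.append(container[pos])
                    pos += 1
                    continue
                if pos + 2 > chunk_end:
                    raise ValueError("truncated copy token")
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # Copy token: how many bits hold the offset depends on how much of
                # this chunk has already been decompressed (MS-OVBA CopyTokenHelp).
                produced = len(out) - chunk_start
                bit_count = 4
                while (1 << bit_count) < produced:
                    bit_count += 1
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):          # byte by byte, so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)

AUTO_EXEC = ("AutoOpen", "AutoExec", "Document_Open", "Auto_Open", "Workbook_Open")

def auto_exec_procedures(source):
    """Auto-executing procedure names declared in decompressed VBA source text."""
    return [n for n in AUTO_EXEC if re.search(rf"\bSub\s+{n}\b", source, re.I)]

# Hand-constructed container (not from a real document): one compressed chunk of
# two literal groups, then a group whose copy token 0x8005 repeats the 8 bytes
# "AutoOpen" from 17 bytes back, then a final literal group.
SAMPLE_CONTAINER = (b"\x01" + b"\x24\xb0"          # signature, chunk header (39 bytes, compressed)
                    + b"\x00" + b"Sub Auto"
                    + b"\x00" + b"Open()\r\n"
                    + b"\x20" + b"Call " + b"\x05\x80" + b"2\r"
                    + b"\x00" + b"\nEnd Sub")
```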


#7 dwywit


Posted 18 March 2015 - 05:50 PM

Thanks, I'll run oledump against it and see what comes out.



#8 rp88


Posted 19 March 2015 - 05:38 PM


> While this may be considered pedant, I just want to elaborate on the concept of these files. One should not perceive these files as "infected". These are not the Macro Virus files of the 90's...

For clarification, do you mean that these current attacks being used now are of the type which can infect other files with their macros, or that the attacks in the 1990s did this but the current ones do not? If it was the 1990s viruses you were discussing, then do such things still exist, or have the modern versions of Word, Excel, Publisher, PowerPoint been changed so they are immune to such methods of attack?
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#9 quietman7


Posted 19 March 2015 - 05:50 PM

Some quotes from the links I provided above...

 

> Malformed or infected word docs with embedded macro viruses...contains a macro or vba script virus... Opening this malicious word document will infect you if Macros are enabled and simply previewing it in windows explorer or your email client might well be enough to infect you

 

 

> ...a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer.



#10 dwywit


Posted 19 March 2015 - 08:22 PM

> Thanks, I'll run oledump against it and see what comes out.

 

Oledump.py threw a syntax error when I ran it against that DOC file. I installed python 3.4.3 for Windows, and ran the install for http://www.decalage.info/python/olefileio as specified on your oledump.py instructions page, but oledump.py stopped with a syntax error on line 334 (to the best of my memory, I'm on a different computer at the moment).

 

I subsequently removed python and the other installs from that computer because immediately after the syntax error, hard drive usage went to 99-100% and I couldn't locate the cause, so I had to force a shutdown and reboot.

 

I can re-install and try the oledump again if you want to reproduce the error.



#11 dwywit


Posted 19 March 2015 - 08:37 PM

As a matter of interest, I've taken to installing Cryptoprevent on all my customers' computers. It seems a simple way to prevent a great deal of these "infections", but I'm curious about the operation of the crypto-family - one item in particular: the deletion of volume shadow copies to prevent restoration of unencrypted backups (sorry if I should have started a new topic or if it's been covered, but it's sort of relevant to this topic).

 

Would it be possible to prevent the deletion of volume shadow copies by modifying permissions on the executables? I had an idea to create a new user account, and change the permissions on the relevant executables to only allow execution by that new user (using a decent password, of course) - the default at the moment is that vsssvc.exe is a service using the local SYSTEM account. I ask because some of the code I recognised in the Word macro we're discussing here seemed to be a privilege escalation request.

 

Perhaps something along the lines of {newuser} full control or even just execute, and a specific DENY to SYSTEM? Of course there would be consequences downstream of this (such as users needing to remember another password), but is it a practical start?



#12 psloss


Posted 20 March 2015 - 09:26 AM

> As a matter of interest, I've taken to installing Cryptoprevent on all my customers' computers. It seems a simple way to prevent a great deal of these "infections", but I'm curious about the operation of the crypto-family - one item in particular: the deletion of volume shadow copies to prevent restoration of unencrypted backups (sorry if I should have started a new topic or if it's been covered, but it's sort of relevant to this topic).
>
> Would it be possible to prevent the deletion of volume shadow copies by modifying permissions on the executables? I had an idea to create a new user account, and change the permissions on the relevant executables to only allow execution by that new user (using a decent password, of course) - the default at the moment is that vsssvc.exe is a service using the local SYSTEM account. I ask because some of the code I recognised in the Word macro we're discussing here seemed to be a privilege escalation request.
>
> Perhaps something along the lines of {newuser} full control or even just execute, and a specific DENY to SYSTEM? Of course there would be consequences downstream of this (such as users needing to remember another password), but is it a practical start?

The easiest way to prevent deletion of volume shadow copies is to make your users non-admins. This is problematic in many places, but if it is possible to implement, that provides additional protection of existing system data (and many other aspects of the operating system).


Edited by psloss, 20 March 2015 - 09:26 AM.


#13 David H. Lipman


Posted 20 March 2015 - 11:43 AM

> For clarification, do you mean that these current attacks being used now are of the type which can infect other files with their macros, or that the attacks in the 1990s did this but the current ones do not? If it was the 1990s viruses you were discussing, then do such things still exist, or have the modern versions of Word, Excel, Publisher, PowerPoint been changed so they are immune to such methods of attack?


In the 90's they were "Macro Viruses". If you opened an infected MS Office Document, MS Office would infect subsequently opened MS Office documents that were clean. Once these previously clean documents became infected, they had the ability to infect MS Office documents on another person's computer.
 
As quietman7 pointed out, the ability to get infected was based upon Macro Security settings in MS Office. As far as I know, the only change since Office 95/97 was to change the default of the Macro Security settings.
 
The Macro Viruses period has passed. No new ones are created and the traditional Anti Virus applications do well in detecting latent, infected documents.
 
The main intent was to elucidate that the currently received MS DOC, XLS and XML document files are not "infected"; they are trojans and they do not create a condition where they can pass malicious code to other MS Office documents. However, since they are also using Macros (albeit[1] PSloss and I have been discussing a variant of malicious MS Office documents that are not using macros but are instead using an embedded VBS script), they are also dependent upon the Macro Security settings in MS Office.
 
EDIT:
[1] Didier Stevens has updated his Python scripts, oledump V0.0.13, for the malicious MS Office Documents I mentioned on 3/20/'15 using OLE embedded VBS scripts.
RE: oledump And XML With Embedded OLE Object


Edited by David H. Lipman, 27 March 2015 - 10:38 AM.


#14 Didier Stevens


Posted 21 March 2015 - 05:28 PM

 

> Thanks, I'll run oledump against it and see what comes out.
>
> Oledump.py threw a syntax error when I ran it against that DOC file. I installed python 3.4.3 for Windows, and ran the install for http://www.decalage.info/python/olefileio as specified on your oledump.py instructions page, but oledump.py stopped with a syntax error on line 334 (to the best of my memory, I'm on a different computer at the moment).
>
> I subsequently removed python and the other installs from that computer because immediately after the syntax error, hard drive usage went to 99-100% and I couldn't locate the cause, so I had to force a shutdown and reboot.
>
> I can re-install and try the oledump again if you want to reproduce the error.

 

 

Most of my Python tools are written for Python 2, oledump too, so you should install Python 2.7.




#15 dwywit


Posted 21 March 2015 - 08:46 PM

OK will do, thanks.





